GCP Storage Bucket Permissions Modification

Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.

Elastic rule

```toml
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP)
storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls
or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
"""
false_positives = [
    """
    Storage bucket permissions may be modified by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Permissions Modification"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
risk_score = 47
rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
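The rule's KQL query matches any successful `storage.setIamPermissions` call in the GCP audit dataset. The following is an added example, not part of the Elastic rule or its repository: it evaluates the same three conditions in Python over a handful of constructed ECS-style documents, so a reader can see which events do and do not fire, and it applies an optional allowlist of expected principals, which is the kind of exception the rule's false-positive note suggests. The field names `gcp.audit.authentication_info.principal_email` and `gcp.audit.resource_name` are assumed here for enriching the hit; the sample documents are constructed, not real logs.

```python
"""Apply the rule's KQL conditions to constructed GCP audit documents (added example)."""
from typing import Any, Dict, Iterable, List, Optional, Set

# Constructed ECS-style documents for illustration only; they are not real GCP audit logs.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # matches: gcp.audit + setIamPermissions + success
        "event": {"dataset": "gcp.audit", "action": "storage.setIamPermissions", "outcome": "success"},
        "gcp": {"audit": {"authentication_info": {"principal_email": "admin@example.com"},
                          "resource_name": "projects/_/buckets/example-bucket"}},
    },
    {   # same action but the call failed: event.outcome:success does not match
        "event": {"dataset": "gcp.audit", "action": "storage.setIamPermissions", "outcome": "failure"},
        "gcp": {"audit": {"authentication_info": {"principal_email": "intern@example.com"},
                          "resource_name": "projects/_/buckets/example-bucket"}},
    },
    {   # unrelated bucket operation: event.action does not match
        "event": {"dataset": "gcp.audit", "action": "storage.buckets.create", "outcome": "success"},
        "gcp": {"audit": {"authentication_info": {"principal_email": "admin@example.com"},
                          "resource_name": "projects/_/buckets/other-bucket"}},
    },
    {   # right action, wrong dataset: rule is scoped to gcp.audit
        "event": {"dataset": "aws.cloudtrail", "action": "storage.setIamPermissions", "outcome": "success"},
    },
]


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field path ("event.action") against a nested dict."""
    current: Any = doc
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches_rule(doc: Dict[str, Any]) -> bool:
    """Equivalent of: event.dataset:gcp.audit and
    event.action:"storage.setIamPermissions" and event.outcome:success"""
    return (
        get_field(doc, "event.dataset") == "gcp.audit"
        and get_field(doc, "event.action") == "storage.setIamPermissions"
        and get_field(doc, "event.outcome") == "success"
    )


def alerts(docs: Iterable[Dict[str, Any]],
           expected_principals: Optional[Set[str]] = None) -> List[Dict[str, Optional[str]]]:
    """Return one alert record per matching document.

    expected_principals is an optional exception list (assumed design, mirroring the
    rule's note that exceptions can filter expected administrator activity).
    """
    allow = expected_principals or set()
    hits = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        principal = get_field(doc, "gcp.audit.authentication_info.principal_email")
        if principal in allow:
            continue
        hits.append({"principal": principal,
                     "bucket": get_field(doc, "gcp.audit.resource_name")})
    return hits


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit['principal']} changed IAM policy on {hit['bucket']}")
```

Only the first sample document produces an alert; the failed call, the unrelated `storage.buckets.create` action and the non-GCP dataset are all excluded, which is exactly the scope the KQL expresses. Passing `expected_principals={"admin@example.com"}` suppresses that remaining hit, illustrating how a tuning exception narrows the rule without changing its logic.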

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://cloud.google.com/storage/docs/access-control/iam-permissions