Skip to content
Threat Feed
medium advisory

GCP Storage Bucket Configuration Modification

This rule detects modifications to Google Cloud Platform (GCP) storage bucket configurations, potentially indicating an adversary attempting to weaken security controls for unauthorized access or data exfiltration.

This detection rule identifies modifications to Google Cloud Platform (GCP) storage bucket configurations. Attackers may alter these configurations to weaken security controls, enabling unauthorized access or data exfiltration. The rule focuses on identifying successful configuration changes via audit logs. It is essential for defenders to monitor these changes because misconfigured storage buckets can lead to data breaches, compliance violations, and reputational damage. The rule leverages GCP audit logs to detect storage.buckets.update events, indicating a change in bucket configuration. The rule was initially created in 2020 and updated in April 2026.

Attack Chain

  1. An attacker gains initial access to a GCP account, possibly through compromised credentials or a misconfigured IAM role.
  2. The attacker enumerates existing storage buckets to identify potential targets.
  3. The attacker attempts to modify the configuration of a target storage bucket using the storage.buckets.update API.
  4. Specifically, the attacker may attempt to modify the bucket's access control list (ACL) to grant unauthorized access.
  5. Alternatively, the attacker may disable versioning or logging to cover their tracks and prevent detection.
  6. If successful, the attacker gains unauthorized access to the storage bucket's contents.
  7. The attacker exfiltrates sensitive data from the bucket.
  8. The attacker attempts to delete or further modify the bucket to disrupt operations or cover their tracks.

Impact

Successful exploitation can lead to unauthorized access to sensitive data stored in GCP storage buckets. This can result in data breaches, compliance violations, and reputational damage. The number of affected buckets and the severity of the impact depend on the attacker's objectives and the sensitivity of the data stored in the targeted buckets. Depending on the data stored within a compromised bucket, an organization can face regulatory fines, legal action, and loss of customer trust.

Recommendation

  • Deploy the Sigma rule "GCP Storage Bucket Configuration Modification" to your SIEM, ensuring you are ingesting GCP audit logs (filebeat-* or logs-gcp*) as defined in the rule [index].
  • Investigate any alerts generated by the Sigma rule, focusing on the user or service account responsible for the configuration change [rule].
  • Review the bucket's configuration for any unexpected or unauthorized changes to access controls, versioning, or logging [rule].
  • Implement strict IAM policies and regularly audit access controls to minimize the risk of unauthorized access [rule].
  • Correlate alerts with other security events to identify potential patterns of malicious behavior [rule].

Detection coverage 2

GCP Storage Bucket Configuration Modification

medium

Detects modifications to GCP storage bucket configurations, potentially indicating an attempt to weaken security controls.

sigma tactics: defense_evasion techniques: T1578.005 sources: webserver, linux

GCP Storage Bucket Configuration Modification via gcloud

medium

Detects modifications to GCP storage bucket configurations using the gcloud command-line tool.

sigma tactics: defense_evasion techniques: T1578.005 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →