Cloud Storage Enumeration

Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or for malicious reconnaissance by adversaries seeking to identify accessible storage resources.

Examples:

  • AWS S3 Bucket Enumeration: An AWS user lists all buckets using the ListBuckets API call.
  • Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API.
  • Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the storage.buckets.list API.
  • OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the GET method on the storage endpoint.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Enumeration

  • AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls.
  • Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration.
  • Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity.
  • OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration.

Centralized Log Aggregation

  • Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs.

ID: DC0017
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name             Channel
AWS:CloudTrail   ListBuckets
AWS:CloudTrail   ListObjectsV2
azure:activity   List Blobs
gcp:storage      storage.objects.list
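A worked detection over the AWS:CloudTrail channels named above (ListBuckets followed by ListObjectsV2), added here as an illustration and not part of the ATT&CK data component: it groups events by calling principal, flags a principal that lists buckets and then lists objects across several distinct buckets within a short window, and skips an allowlist of known automation so that inventory or backup jobs do not page the SOC. The account id, ARNs, bucket names and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_EVENTS = {"ListBuckets", "ListObjectsV2"}  # the CloudTrail channels in the Log Sources table
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                  # CloudTrail eventTime is ISO 8601 UTC

def detect_enumeration(events, window=timedelta(minutes=10), min_buckets=3, allowlist=()):
    """Flag principals that call ListBuckets and then ListObjectsV2 against at least
    min_buckets distinct buckets inside window. Returns {principal arn: sorted buckets}.
    allowlist holds known inventory/backup automation that legitimately sweeps storage."""
    by_principal = defaultdict(list)
    for e in events:
        arn = e["userIdentity"]["arn"]
        if e["eventName"] in ENUM_EVENTS and arn not in allowlist:
            by_principal[arn].append((datetime.strptime(e["eventTime"], TIME_FMT), e))
    hits = {}
    for arn, evs in by_principal.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (start, e) in enumerate(evs):
            if e["eventName"] != "ListBuckets":
                continue
            buckets = {x["requestParameters"]["bucketName"] for t, x in evs[i + 1:]
                       if x["eventName"] == "ListObjectsV2" and t - start <= window}
            if len(buckets) >= min_buckets:
                hits[arn] = sorted(buckets)
                break
    return hits

def ev(t, name, who, bucket=None):
    """Minimal CloudTrail-shaped record; account id, names and buckets are constructed."""
    return {"eventTime": t, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:{who}"},
            "requestParameters": {"bucketName": bucket} if bucket else None}

SAMPLE_EVENTS = [  # constructed: one sweep, one narrow backup job, one allowlisted inventory role
    ev("2025-10-21T09:00:00Z", "ListBuckets", "user/alice"),
    ev("2025-10-21T09:00:05Z", "ListObjectsV2", "user/alice", "bucket-a"),
    ev("2025-10-21T09:00:10Z", "ListObjectsV2", "user/alice", "bucket-b"),
    ev("2025-10-21T09:00:15Z", "GetObject", "user/alice", "bucket-b"),      # not an enumeration call
    ev("2025-10-21T09:00:20Z", "ListObjectsV2", "user/alice", "bucket-c"),
    ev("2025-10-21T09:30:00Z", "ListObjectsV2", "user/alice", "bucket-d"),  # outside the window
    ev("2025-10-21T09:01:00Z", "ListObjectsV2", "role/backup", "backups"),  # no ListBuckets first
    ev("2025-10-21T09:05:00Z", "ListBuckets", "role/inventory"),
    ev("2025-10-21T09:05:01Z", "ListObjectsV2", "role/inventory", "bucket-a"),
    ev("2025-10-21T09:05:02Z", "ListObjectsV2", "role/inventory", "bucket-b"),
    ev("2025-10-21T09:05:03Z", "ListObjectsV2", "role/inventory", "bucket-c"),
]
KNOWN_AUTOMATION = ("arn:aws:iam::111122223333:role/inventory",)  # tuned per environment
print(detect_enumeration(SAMPLE_EVENTS, allowlist=KNOWN_AUTOMATION))
```

The same grouping applies to the azure:activity and gcp:storage channels once their records are normalised to a principal, an operation name, a timestamp and a container or bucket name.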

Detection Strategy