Cloud Storage Creation

Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples:

• AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the CreateBucket API call.
• Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the Create Container operation.
• Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using storage.buckets.create.
• OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the PUT method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

• AWS S3: Enable AWS CloudTrail to log CreateBucket API actions.
• Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations.
• Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls.
• OpenStack Swift: Configure Swift logging to capture PUT requests to new containers.

Centralized Logging and Analysis

• Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis.