Cloud Storage Access

Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples:

• AWS S3 Access: An adversary uses the GetObject API to retrieve sensitive data from an AWS S3 bucket.
• Azure Blob Storage Access: A user accesses a blob in Azure Storage using Get Blob or Get Blob Properties.
• Google Cloud Storage Access: An adversary uses storage.objects.get to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the GET method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

• AWS S3: Enable Server Access Logging to capture API calls like GetObject and store them in a designated S3 bucket.
• Azure Storage: Enable Azure Storage Logging to capture operations like GetBlob and log metadata.
• Google Cloud Storage: Enable Data Access audit logs for storage.objects.get API calls.
• OpenStack Swift: Configure middleware for object logging to capture GET requests.

Centralize and Aggregate Logs

• Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers.
  • AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM.
  • Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs.

Correlate with IAM Logs

• Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities.