Cloud Storage

Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs[1][2][3]

ID: DS0010
Platform: IaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 17 November 2024

Data Components

Cloud Storage: Cloud Storage Access

Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples:

  • AWS S3 Access: An adversary uses the GetObject API to retrieve sensitive data from an AWS S3 bucket.
  • Azure Blob Storage Access: A user accesses a blob in Azure Storage using Get Blob or Get Blob Properties.
  • Google Cloud Storage Access: An adversary uses storage.objects.get to download objects from Google Cloud Storage.
  • OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the GET method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

  • AWS S3: Enable Server Access Logging to capture API calls like GetObject and store them in a designated S3 bucket.
  • Azure Storage: Enable Azure Storage Logging to capture operations like GetBlob and log metadata.
  • Google Cloud Storage: Enable Data Access audit logs for storage.objects.get API calls.
  • OpenStack Swift: Configure middleware for object logging to capture GET requests.

Centralize and Aggregate Logs

  • Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers.
    • AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM.
    • Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs.

Correlate with IAM Logs

  • Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities.

Detections (Domain | ID | Name):

Enterprise | T1619 | Cloud Storage Object Discovery

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Enterprise | T1530 | Data from Cloud Storage

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Enterprise | T1048 | Exfiltration Over Alternative Protocol

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.
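The denied-then-escalated-then-accessed chain the detection text above describes, as an added example that is not part of the ATT&CK page: it correlates S3 data events with IAM events from constructed CloudTrail-style records. The set of privilege-change event names and the one-hour window are assumptions to tune per environment.

```python
"""Added example: flag a principal who was denied GetObject on an object, then changed
permissions, then successfully read the same object. The log lines are constructed
CloudTrail-style JSON (one record per line), trimmed to the fields the logic uses."""
import json
from datetime import datetime, timedelta

# Constructed sample: alice is denied, attaches a policy to herself, then reads the object.
SAMPLE_LOG = """\
{"eventTime":"2024-11-17T10:00:01Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"finance-reports","key":"q3/payroll.csv"},"errorCode":"AccessDenied"}
{"eventTime":"2024-11-17T10:02:15Z","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"alice","policyArn":"arn:aws:iam::111122223333:policy/ReadFinanceReports"}}
{"eventTime":"2024-11-17T10:03:40Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"finance-reports","key":"q3/payroll.csv"}}
{"eventTime":"2024-11-17T10:05:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"bucketName":"finance-reports","key":"q3/summary.pdf"}}
"""

# IAM and S3 event names that grant or widen access (assumption: extend for your environment).
PRIV_CHANGE_EVENTS = {
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "AddUserToGroup", "PutBucketPolicy", "PutObjectAcl", "PutBucketAcl",
}


def parse_events(text):
    """Parse one JSON record per line and sort by eventTime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def s3_uri(event):
    p = event.get("requestParameters") or {}
    return f"s3://{p.get('bucketName')}/{p.get('key')}"


def detect_denied_then_escalated_access(events, window=timedelta(hours=1)):
    """Return one alert per (principal, object) where a denied read, a privilege
    change by the same principal, and a successful read happen in that order."""
    denied = {}     # (principal, object) -> time of the most recent AccessDenied
    escalated = {}  # principal -> time of the most recent privilege change
    alerts = []
    for e in events:
        who, name, ts = e["userIdentity"]["arn"], e["eventName"], e["_ts"]
        if name in PRIV_CHANGE_EVENTS:
            escalated[who] = ts
            continue
        if name != "GetObject":
            continue
        obj = s3_uri(e)
        if e.get("errorCode") == "AccessDenied":
            denied[(who, obj)] = ts
        elif (who, obj) in denied:
            t_denied, t_esc = denied[(who, obj)], escalated.get(who)
            # Order matters: denial, then the permission change, then the read, all inside the window.
            if t_esc is not None and t_denied < t_esc < ts and ts - t_denied <= window:
                alerts.append({"principal": who, "object": obj, "denied_at": t_denied,
                               "escalated_at": t_esc, "read_at": ts})
                del denied[(who, obj)]
    return alerts


if __name__ == "__main__":
    for alert in detect_denied_then_escalated_access(parse_events(SAMPLE_LOG)):
        print(alert)
```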

Analytic 1 - Detecting Suspicious Cloud Storage Exfiltration

    (EventCode="PutObject" OR EventCode="FileSharedExternally" OR source="Google_Admin_Logs")
    | where (file_size > 5000000 OR file_access_count > 10)
    | stats count by _time, host, user, file_name, action, storage_bucket, file_size
    | where count >= 5
    | eval risk_score=case(file_size > 50000000, 9, file_size > 10000000, 8)
    | where risk_score >= 8
    | table _time, host, user, file_name, action, storage_bucket, file_size, risk_score

Cloud Storage: Cloud Storage Creation

Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples:

  • AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the CreateBucket API call.
  • Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the Create Container operation.
  • Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using storage.buckets.create.
  • OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the PUT method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

  • AWS S3: Enable AWS CloudTrail to log CreateBucket API actions.
  • Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations.
  • Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls.
  • OpenStack Swift: Configure Swift logging to capture PUT requests to new containers.

Centralized Logging and Analysis

  • Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis.

Detections (Domain | ID | Name):

Enterprise | T1537 | Transfer Data to Cloud Account

Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts.

Analytic 1 - Detecting Creation of Storage for Exfiltration

    (EventCode="CreateBucket" OR EventCode="StorageAccountCreated" OR source="Google_Admin_Logs")
    | where (action IN ("create_bucket", "create_storage_account", "create_shared_drive"))
    | stats count by _time, host, user, action, storage_name
    | where count >= 3
    | eval risk_score=case(storage_name LIKE "%backup%" OR storage_name LIKE "%export%", 9, storage_name LIKE "%temp%" OR storage_name LIKE "%new%", 8)
    | where risk_score >= 8
    | table _time, host, user, action, storage_name, risk_score

Cloud Storage: Cloud Storage Deletion

Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples:

  • AWS S3 Bucket Deletion: An AWS user deletes an S3 bucket using the DeleteBucket API call.
  • Azure Blob Storage Container Deletion: A user deletes a container in Azure Blob Storage using the Delete Container operation.
  • Google Cloud Storage Bucket Deletion: A Google Cloud user deletes a bucket using the storage.buckets.delete API.
  • OpenStack Swift Container Deletion: A user deletes a container in OpenStack Swift using the DELETE method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

  • AWS S3: Enable AWS CloudTrail to log DeleteBucket API actions.
  • Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture Delete Container operations. Use Azure Event Grid to capture and trigger alerts for container deletion.
  • Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.delete API calls.
  • OpenStack Swift: Configure Swift logging to capture DELETE requests for containers.

Centralized Logging and Analysis

  • Use platforms like Splunk or native SIEMs to forward and analyze logs for anomalies in cloud storage deletions.

Detections (Domain | ID | Name):

Enterprise | T1485 | Data Destruction

Monitor for unexpected deletion of cloud storage infrastructure, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket. Many of these events within a short period of time may indicate malicious activity.

Enterprise | T1490 | Inhibit System Recovery

Monitor for unexpected deletion of cloud storage objects (e.g., AWS DeleteObject), especially those associated with cloud backups.
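The two deletion checks the T1485 and T1490 text above calls for, as an added example that is not part of the ATT&CK page: a per-principal sliding window over Delete* events, and a check for DeleteObject against backup-looking buckets or keys. The records are constructed CloudTrail-style JSON; the threshold, window and backup name markers are assumptions.

```python
"""Added example: (1) many deletion events by one principal in a short window,
(2) object deletions that target backup-style buckets or keys. Sample records are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

DELETION_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects", "DeleteDBCluster", "DeleteGlobalCluster"}
BACKUP_MARKERS = ("backup", "snapshot", "archive")  # assumption: adjust to local naming


def _rec(ts, name, user, **params):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({"eventTime": ts, "eventName": name,
                       "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
                       "requestParameters": params})


# Constructed sample: svc-cleanup deletes six buckets in six minutes, carol removes an object
# from a backup bucket, dave removes a scratch file.
SAMPLE_LOG = "\n".join(
    [_rec(f"2024-11-17T02:1{i}:00Z", "DeleteBucket", "svc-cleanup", bucketName=f"proj-{i}") for i in range(6)]
    + [_rec("2024-11-17T02:30:00Z", "DeleteObject", "carol", bucketName="nightly-backups", key="db/2024-11-16.dump"),
       _rec("2024-11-17T02:31:00Z", "DeleteObject", "dave", bucketName="scratch", key="tmp/notes.txt")]
)


def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def detect_deletion_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per principal: alert once when >= threshold deletions fall inside window."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for e in events:
        if e["eventName"] not in DELETION_EVENTS:
            continue
        who, ts = e["userIdentity"]["arn"], e["_ts"]
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and who not in fired:
            fired.add(who)
            alerts.append({"principal": who, "count": len(q), "first": q[0], "last": ts})
    return alerts


def detect_backup_object_deletion(events):
    """Flag DeleteObject/DeleteObjects where the bucket or key carries a backup-style name."""
    findings = []
    for e in events:
        if e["eventName"] not in ("DeleteObject", "DeleteObjects"):
            continue
        p = e.get("requestParameters") or {}
        target = f"{p.get('bucketName', '')}/{p.get('key', '')}".lower()
        if any(marker in target for marker in BACKUP_MARKERS):
            findings.append({"principal": e["userIdentity"]["arn"], "target": f"s3://{target}"})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(detect_deletion_bursts(evs))
    print(detect_backup_object_deletion(evs))
```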

Cloud Storage: Cloud Storage Enumeration

Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources. Examples:

  • AWS S3 Bucket Enumeration: An AWS user lists all buckets using the ListBuckets API call.
  • Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API.
  • Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the storage.buckets.list API.
  • OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the GET method on the storage endpoint.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Enumeration

  • AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls.
  • Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration.
  • Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity.
  • OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration.

Centralized Log Aggregation

  • Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs.

Detections (Domain | ID | Name):

Enterprise | T1580 | Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to cloud data object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Enterprise | T1619 | Cloud Storage Object Discovery

Monitor cloud logs for API calls used for file or object enumeration for unusual activity. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Cloud Storage: Cloud Storage Metadata

Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples:

  • AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions.
  • Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags.
  • Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status.
  • OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes.

This data component can be collected through the following measures:

Enable Logging for Metadata Collection

  • AWS S3: Use AWS CloudTrail to log GetBucketAcl, GetBucketPolicy, and HeadBucket API calls.
  • Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates.
  • Google Cloud Storage: Enable Google Cloud Audit Logs to capture storage.buckets.get and storage.buckets.update.
  • OpenStack Swift: Enable logging of HEAD or GET requests to containers.

Centralized Log Aggregation

  • Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs.
  • Correlate metadata access with user actions, IP addresses, and other contextual data.

API Polling

  • Use cloud SDKs or APIs to periodically query metadata for analysis:
    • AWS CLI Example: aws s3api get-bucket-acl --bucket company-sensitive-data
    • Azure CLI Example: az storage container show --name customer-records
    • Google Cloud CLI Example: gcloud storage buckets describe user-uploads

Detections (Domain | ID | Name):

Enterprise | T1537 | Transfer Data to Cloud Account

Periodically baseline cloud storage infrastructure to identify malicious modifications or additions.

Cloud Storage: Cloud Storage Modification

Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples:

  • AWS S3: An object is uploaded or its ACL is modified.
  • Azure Blob Storage: A blob's metadata or permissions are updated.
  • Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed.
  • OpenStack Swift: Modifications to container settings or uploading of new objects.

This data component can be collected through the following measures:

Enable Logging

  • AWS S3: Enable AWS CloudTrail to log API events like PutObject, PutObjectAcl, and PutBucketPolicy.
  • Azure Blob Storage: Use Azure Monitor to log write and update operations.
  • Google Cloud Storage: Enable Google Cloud Audit Logs to track storage.objects.update and storage.buckets.update.
  • OpenStack Swift: Enable logging for PUT and POST requests to track object uploads and container metadata updates.

Use Cloud Monitoring Tools

  • Integrate with tools like AWS Config, Azure Security Center, or Google Cloud Monitoring to detect configuration drift or unauthorized changes.

Centralized Log Aggregation

  • Use a SIEM (e.g., Splunk) to aggregate logs across multiple cloud providers for unified monitoring and analysis.

Periodic API Queries

  • AWS CLI Example: Query recent modifications to bucket policies: aws s3api get-bucket-policy --bucket sensitive-data
  • Azure CLI Example: List changes to a blob container: az storage blob show --container-name private-docs
  • Google Cloud CLI Example: Check metadata updates: gcloud storage objects describe gs://user-uploads/document.txt

Detections (Domain | ID | Name):

Enterprise | T1485 | Data Destruction

Monitor for unexpected use of lifecycle policies. Where lifecycle policies are already in use, monitor for changes to cloud storage configurations and policies, such as buckets configured in the policy or unusually short retention periods. In AWS environments, monitor for PutBucketLifecycle events with a requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute below expected values.[4]

Enterprise | T1485.001 | Lifecycle-Triggered Deletion

Monitor for unexpected use of lifecycle policies. Where lifecycle policies are already in use, monitor for changes to cloud storage configurations and policies, such as buckets configured in the policy or unusually short retention periods. In AWS environments, monitor for PutBucketLifecycle events with a requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute below expected values.[4]
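The PutBucketLifecycle check named above (T1485 and its .001 sub-technique), as an added example that is not part of the ATT&CK page: it reads the requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute from constructed CloudTrail-style records and flags enabled rules below an expected retention floor. The 30-day floor is an assumption, as is the handling of Rule as either one object or a list.

```python
"""Added example: flag PutBucketLifecycle events whose enabled rules expire objects sooner
than the retention policy expects. Records are constructed CloudTrail-style JSON lines."""
import json

MIN_EXPECTED_DAYS = 30  # assumption: derive from your retention policy

# Constructed sample: a sane 365-day rule on app-logs, then a backup bucket reconfigured
# to purge after one day. Assumption: CloudTrail emits a single rule as an object and
# several rules as a list, so both shapes are handled.
SAMPLE_LOG = """\
{"eventTime":"2024-11-17T08:00:00Z","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-bot"},"requestParameters":{"bucketName":"app-logs","LifecycleConfiguration":{"Rule":{"ID":"expire-old-logs","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":365}}}}}
{"eventTime":"2024-11-17T08:05:00Z","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor-tmp"},"requestParameters":{"bucketName":"customer-backups","LifecycleConfiguration":{"Rule":[{"ID":"purge","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":1}},{"ID":"tmp","Status":"Disabled","Filter":{"Prefix":"tmp/"},"Expiration":{"Days":2}}]}}}
{"eventTime":"2024-11-17T08:06:00Z","eventName":"GetBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-bot"},"requestParameters":{"bucketName":"customer-backups"}}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lifecycle_rules(params):
    """Normalise Rule to a list whether the record carries one rule or several."""
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    return rules if isinstance(rules, list) else [rules]


def detect_short_retention(events, min_days=MIN_EXPECTED_DAYS):
    """Return one finding per enabled rule whose Expiration.Days is below min_days.
    Disabled rules are skipped here; report them at lower severity if you prefer,
    since enabling one later is a single further API call."""
    findings = []
    for e in events:
        if e.get("eventName") != "PutBucketLifecycle":
            continue
        params = e.get("requestParameters") or {}
        for rule in lifecycle_rules(params):
            if rule.get("Status") != "Enabled":
                continue
            days = (rule.get("Expiration") or {}).get("Days")
            if isinstance(days, int) and days < min_days:
                findings.append({
                    "bucket": params.get("bucketName"),
                    "rule_id": rule.get("ID"),
                    "days": days,
                    "principal": e["userIdentity"]["arn"],
                    "time": e["eventTime"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect_short_retention(parse_events(SAMPLE_LOG)):
        print(finding)
```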

Enterprise | T1486 | Data Encrypted for Impact

Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.

Enterprise | T1537 | Transfer Data to Cloud Account

Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs.

Analytic 1 - Detecting Cloud Storage Permission Changes for Exfiltration

    (EventCode="PutBucketPolicy" OR EventCode="ModifyStoragePermissions" OR source="Google_Admin_Logs")
    | where (action IN ("modify_acl", "change_permissions", "public_read_enabled"))
    | stats count by _time, host, user, action, storage_name
    | where count >= 3
    | eval risk_score=case(action="public_read_enabled", 9, action="modify_acl", 8)
    | where risk_score >= 8
    | table _time, host, user, action, storage_name, risk_score
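A concrete form of the "public_read_enabled" and cross-account cases in the analytic above, as an added example that is not part of the ATT&CK page: it inspects the bucketPolicy carried in PutBucketPolicy records and flags Allow statements whose Principal is anyone or an account outside an allow-list. The records are constructed; the trusted-account list is an assumption.

```python
"""Added example: flag PutBucketPolicy events that expose a bucket to any principal or to an
account outside the trusted list. Records are constructed CloudTrail-style JSON lines."""
import json

TRUSTED_ACCOUNTS = {"111122223333"}  # assumption: your own account ids

# Constructed sample: a policy limited to a trusted role, then one that lets anyone read
# and also grants a foreign account.
SAMPLE_LOG = """\
{"eventTime":"2024-11-17T12:00:00Z","eventName":"PutBucketPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-bot"},"requestParameters":{"bucketName":"shared-assets","bucketPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/Reader"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::shared-assets/*"}]}}}
{"eventTime":"2024-11-17T12:09:00Z","eventName":"PutBucketPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor-tmp"},"requestParameters":{"bucketName":"customer-exports","bucketPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::customer-exports","arn:aws:s3:::customer-exports/*"]},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::999988887777:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::customer-exports/*"}]}}}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_accounts(principal):
    """Yield the account ids a Principal element names; '*' means everyone."""
    if principal == "*":
        yield "*"
        return
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    for v in values if isinstance(values, list) else [values]:
        if v == "*":
            yield "*"
        else:
            parts = v.split(":")
            # arn:aws:iam::<account>:... carries the account in field 4; otherwise a bare id.
            yield parts[4] if len(parts) > 4 else v


def detect_policy_exposure(events, trusted=TRUSTED_ACCOUNTS):
    """One finding per Allow statement granting '*' (public) or an untrusted account."""
    findings = []
    for e in events:
        if e.get("eventName") != "PutBucketPolicy":
            continue
        params = e.get("requestParameters") or {}
        stmts = (params.get("bucketPolicy") or {}).get("Statement", [])
        for s in stmts if isinstance(stmts, list) else [stmts]:
            if s.get("Effect") != "Allow":
                continue
            for acct in principal_accounts(s.get("Principal", {})):
                if acct == "*":
                    kind = "public"
                elif acct not in trusted:
                    kind = "cross-account"
                else:
                    continue
                # A Condition (e.g. a VPC or source-IP restriction) lowers but does not remove the risk.
                findings.append({"bucket": params.get("bucketName"), "exposure": kind, "account": acct,
                                 "changed_by": e["userIdentity"]["arn"], "has_condition": "Condition" in s})
    return findings


if __name__ == "__main__":
    for finding in detect_policy_exposure(parse_events(SAMPLE_LOG)):
        print(finding)
```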

References