Skip to content

storage.buckets.delete

GCP

storage.buckets.delete

service: GCP - Cloud Storage
techniques:

Event

Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — after running an storage.objects.delete purge against the fantasticlogs-occamy-ingest bucket to empty it (a prerequisite for storage.buckets.delete, which fails if the bucket is non-empty unless force=true is used) — deletes the OCCAMY ingest bucket itself. This bucket holds 30 days of in-flight log data from production pipelines; its loss disrupts ingest, breaks downstream BigQuery views, and destroys forensic source data for the incident response that’s now beginning. The bucket name cannot be reused for 7 days, compounding recovery friction. Note: GCS audit logs use a minimal payload — the request is encoded in the URL path and the response is empty.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.storage.buckets.delete invocation-id/90000000000000000000010000000110 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T18:09:18.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "storage.googleapis.com",
"methodName": "storage.buckets.delete",
"authorizationInfo": [
{
"resource": "projects/_/buckets/fantasticlogs-occamy-ingest",
"permission": "storage.buckets.delete",
"granted": true,
"resourceAttributes": {
"service": "storage.googleapis.com",
"name": "projects/_/buckets/fantasticlogs-occamy-ingest",
"type": "storage.googleapis.com/Bucket"
}
}
],
"resourceName": "projects/_/buckets/fantasticlogs-occamy-ingest",
"resourceLocation": {
"currentLocations": [
"us-central1"
]
}
},
"insertId": "evt010000000110",
"resource": {
"type": "gcs_bucket",
"labels": {
"project_id": "fantasticlogs-prod",
"bucket_name": "fantasticlogs-occamy-ingest",
"location": "us-central1"
}
},
"timestamp": "2026-04-15T18:09:18.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T18:09:18.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...