Skip to content
TheCloud.Events

storage.hmacKeys.create

CSP: GCP
Tactics:
Persistence
Techniques:
T1098.001
Tags:
GCP Cloud Storage

Event

Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.

Security Context

  • HMAC keys provide S3-compatible access to Cloud Storage using access key ID and secret pairs, creating a persistent credential that is separate from standard OAuth tokens and service account keys.
  • Defenders often overlook HMAC keys during credential rotation and incident response because they exist outside the standard IAM key management workflow, making them an effective persistence mechanism.

Log Source

Cloud Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...