storage.setIamPermissions
Event
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
Log Source
Cloud Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion, Privilege Escalation, Collection
Techniques:
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage.
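Added example (not part of the original page): one way to triage this event is to flag entries whose policy change grants access to a public or external principal. The sample entry is constructed. The `trusted_domains` parameter, the finding names and the `serviceData.policyDelta.bindingDeltas` layout are assumptions about the audit entry, since the page's own sample event is not shown.

```python
import json

# Members that expose a bucket or object to anyone on the internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample entry (not a captured log); values are placeholders.
SAMPLE_ENTRY = json.loads("""
{
  "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "example-bucket"}},
  "protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.setIamPermissions",
    "authenticationInfo": {"principalEmail": "user@example.com"},
    "resourceName": "projects/_/buckets/example-bucket",
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
      {"action": "REMOVE", "role": "roles/storage.admin", "member": "user:admin@example.com"}
    ]}}
  }
}
""")

def review_policy_change(entry, trusted_domains=("example.com",)):
    """Return findings for one storage.setIamPermissions audit entry."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.setIamPermissions":
        return []
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    target = payload.get("resourceName", "unknown")
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    trusted_suffixes = tuple("@" + d for d in trusted_domains)
    findings = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue  # only newly granted access is scored here
        member, role = delta.get("member", ""), delta.get("role", "")
        if member in PUBLIC_MEMBERS:
            reason = "public_grant"
        elif "@" in member and not member.endswith(trusted_suffixes):
            reason = "external_principal"  # includes unlisted service accounts
        else:
            continue
        findings.append({"reason": reason, "actor": actor, "target": target,
                         "role": role, "member": member})
    return findings
```
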