Skip to content

storage.setIamPermissions

GCP

storage.setIamPermissions

service: GCP - Cloud Storage
techniques:

Event

Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco grants roles/storage.objectViewer on the fantasticlogs-demiguise-models bucket (holds proprietary trained ML model artifacts) to allUsers — making the entire bucket world-readable over the public internet. From this point on, anyone with the bucket name can curl https://storage.googleapis.com/fantasticlogs-demiguise-models/<object> and download model files. The change generates no further GCS audit events for the resulting anonymous reads (anonymous access is below the audit threshold by default), so the exfiltration window is invisible until the public binding is rolled back. Note: GCS uses methodName=storage.setIamPermissions (not setIamPolicy) and emits the change in serviceData.policyDelta rather than request/response.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.storage.buckets.add-iam-policy-binding invocation-id/90000000000000000000010000001001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T17:25:47.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "storage.googleapis.com",
"methodName": "storage.setIamPermissions",
"authorizationInfo": [
{
"resource": "projects/_/buckets/fantasticlogs-demiguise-models",
"permission": "storage.buckets.setIamPolicy",
"granted": true,
"resourceAttributes": {
"service": "storage.googleapis.com",
"name": "projects/_/buckets/fantasticlogs-demiguise-models",
"type": "storage.googleapis.com/Bucket"
}
}
],
"resourceName": "projects/_/buckets/fantasticlogs-demiguise-models",
"serviceData": {
"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
"policyDelta": {
"bindingDeltas": [
{
"action": "ADD",
"role": "roles/storage.objectViewer",
"member": "allUsers"
}
]
}
},
"resourceLocation": {
"currentLocations": [
"us-central1"
]
}
},
"insertId": "evt010000001001",
"resource": {
"type": "gcs_bucket",
"labels": {
"project_id": "fantasticlogs-prod",
"bucket_name": "fantasticlogs-demiguise-models",
"location": "us-central1"
}
},
"timestamp": "2026-04-15T17:25:47.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T17:25:47.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Privilege Escalation Collection

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.