T1530 Data from Cloud Storage Mappings

Access Transparency provides visibility into Google's access to customer data in the form of audit logs. This may expose and detect malicious access of data from cloud storage by compromised Google personnel accounts.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Restricting access via MFA provides significant protection against adversaries accessing data objects from cloud storage.

Chrome Enterprise Premium Access Context Manager allows organizations to manage and control access to sensitive content and applications based on user identity, device context, and other factors, essentially acting as a cloud-based content access manager with granular control capabilities.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where Cloud NGFW protect, the mapping is only given a score of Partial.

The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against adversary's attempt to access data from improperly secured cloud storage. This technique was rated as significant due to the high protect coverage factor.

Google Security Ops is able to trigger an alert to notify personnel of GCP resources (e.g., storage buckets) that are publicly accessible to unauthenticated users. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_public_accessible.yaral

Policy Intelligence role recommendations generated by IAM Recommender can compare the permissions that each principal used during the past 90 days with the total permissions the principal has. This can be used to limit the permissions associated with creating and modifying platform images or containers that adversaries may try to access.

Adversaries may attempt to implant cloud or container images with malicious code to gain access to an environment. The IAM audit logs can be used to receive data access and activity logs who has accessed to certain resources.

SCC detect suspicious activity when accessing cloud storage objects (e.g., new IPs accessing storage objects or enumeration from unfamiliar user identities). Because of the real time temporal factor when detecting access to secure storage objects this control was graded as partial.

This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. This control is able to be scheduled daily, weekly, etc and can scan new changes to data. This control is able to scan Google Cloud Storage, BigQuery tables, and Datastore.

This control may mitigate against access to cloud storage objects by limiting access to accounts and services contained within the VPC network perimeter that contains those cloud storage objects.

The following GuardDuty finding types flag events where adversaries may have access data objects from improperly secured cloud storage. UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller

The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: "s3-account-level-public-access-blocks", "s3-bucket-level-public-access-prohibited", "s3-bucket-public-read-prohibited", "s3-bucket-policy-not-more-permissive", "cloudfront-origin-access-identity-enabled", and "cloudfront-default-root-object-configured" identify objects that are publicly available or subject to overly permissive access policies; "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and "s3-bucket-policy-grantee-check" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: "dms-replication-not-public" for AWS Database Migration Service; "emr-master-no-public-ip" for Amazon Elastic MapReduce (EMR); "rds-cluster-iam-authentication-enabled", "rds-instance-iam-authentication-enabled", "rds-instance-public-access-check" and "rds-snapshots-public-prohibited" for Amazon Relational Database Service; "redshift-cluster-public-access-check" for Amazon Redshift; and "sagemaker-notebook-no-direct-internet-access" for SageMaker. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: "dax-encryption-enabled", "dynamodb-table-encrypted-kms", and "dynamodb-table-encryption-enabled" for Amazon DynamoDB table contents; "efs-encrypted-check" for Amazon Elastic File System (EFS) file systems; "elasticsearch-encrypted-at-rest" for Elasticsearch Service (ES) domains; "rds-snapshot-encrypted" and "rds-storage-encrypted" for Amazon Relational Database Service; "s3-bucket-server-side-encryption-enabled" and "s3-default-encryption-kms" for S3 storage; "sns-encrypted-kms" for Amazon Simple Notification Service (SNS); "redshift-cluster-configuration-check" and "redshift-cluster-kms-enabled" for Redshift clusters; "sagemaker-endpoint-configuration-kms-key-configured" and "sagemaker-notebook-instance-kms-key-configured" for SageMaker. These rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant.

The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: "Source IP" ("aws:source-ip-address") values outside of expected IP address ranges may suggest that a device has been stolen. "Messages sent" ("aws:num-messages-sent"), "Messages received" ("aws:num-messages-received"), and "Message size" ("aws:message-byte-size") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. Coverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial.

AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where the AWS Network Firewall protects, the mapping is only given a score of Partial.

AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can protect against an adversary from gaining access to a database instance in the event they get access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, with AWS RDS, there is a setting that specifies whether or not a database instances is publicly accessible. When public accessibility is turned off, the database instance will not be available outside the VPC in which it was created. As a result, this mapping is given a score of Significant.

S3 provides full control of access via Identity and Access Management (IAM) policies and with its access control lists (ACLs). The S3 Block Public Access feature allows for policies limiting public access to Amazon S3 resources that are enforced regardless of how the resources are created or associated IAM policies. Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys.

AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to data in cloud storage. AWS Security Hub provides this detection with the following managed insight. S3 buckets with public write or read permissions AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes This is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.).