Cloud Storage Access (58ef998c-f3bf-4985-b487-b1005f5c05d1)
Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples:
- AWS S3 Access: An adversary uses the
GetObjectAPI to retrieve sensitive data from an AWS S3 bucket. - Azure Blob Storage Access: A user accesses a blob in Azure Storage using
Get BloborGet Blob Properties. - Google Cloud Storage Access: An adversary uses
storage.objects.getto download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using theGETmethod.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Services
- AWS S3: Enable Server Access Logging to capture API calls like
GetObjectand store them in a designated S3 bucket. - Azure Storage: Enable Azure Storage Logging to capture operations like
GetBloband log metadata. - Google Cloud Storage: Enable Data Access audit logs for
storage.objects.getAPI calls. - OpenStack Swift: Configure middleware for object logging to capture GET requests.
Centralize and Aggregate Logs
- Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers.
- AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM.
- Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs.
Correlate with IAM Logs
- Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities.