
New Cloud Storage Bucket Created

This alert occurs when Lacework detects that a new Cloud Storage bucket was created within a project.

Related policy: LW_AT_RESOURCE_173: Cloud Storage Bucket Created

Why this alert is important

New buckets can potentially store sensitive data. Therefore, it is important to ensure they are properly secured from the start. By detecting the creation of a new bucket, you can automatically enforce security policies such as access control and data encryption.

Investigation

Follow these steps to investigate the alert:

  1. Check the name of the new bucket to ensure that it is legitimate. Malicious actors often create buckets with names that resemble legitimate ones to trick users into uploading data.
  2. Check the Audit Logs to determine who created the new bucket. If the user is unfamiliar or unauthorized, it may indicate malicious activity.
  3. Check the bucket's permissions to ensure that they are configured correctly. Malicious actors may exploit misconfigured permissions to gain unauthorized access to data.
  4. Check the contents of the new bucket for any unusual data or files. Malicious actors may use the new bucket to store malware or other malicious files.
  5. Check for suspicious activity in your Google Cloud project, such as unusual logins or API requests. Malicious actors may have accessed your project and created the new bucket from there.
  6. If you suspect the new bucket creation was malicious, immediately report the incident to your organization's security team or Google Cloud Support. They can provide guidance on how to mitigate the issue and prevent it from happening again.
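
The following is an added example, not Lacework's or Google's code, showing how steps 1 to 3 can be applied to an exported Cloud Audit Logs entry and the new bucket's IAM policy. The sample entry, sample policy, list of known bucket names, approved-creator allowlist, and similarity threshold are all constructed assumptions.

```python
import difflib

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: a trimmed Cloud Audit Logs entry for a bucket creation.
SAMPLE_ENTRY = {
    "timestamp": "2024-01-01T12:00:00Z",
    "resource": {"type": "gcs_bucket",
                 "labels": {"project_id": "example-project",
                            "bucket_name": "acme-payrol-exports"}},
    "protoPayload": {
        "methodName": "storage.buckets.create",
        "authenticationInfo": {"principalEmail": "unknown-user@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
    },
}
# Constructed sample: the IAM policy read back from the new bucket.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:unknown-user@example.com"]},
]}

def triage(entry, policy, known_buckets, approved_creators, threshold=0.85):
    """Return findings for investigation steps 1-3 as a list of strings."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.buckets.create":
        return []  # not a bucket-creation event
    findings = []
    bucket = entry.get("resource", {}).get("labels", {}).get("bucket_name", "")
    creator = payload.get("authenticationInfo", {}).get("principalEmail", "")
    ip = payload.get("requestMetadata", {}).get("callerIp", "unknown")
    # Step 1: a name close to, but not equal to, a known bucket is a lookalike.
    for known in known_buckets:
        ratio = difflib.SequenceMatcher(None, bucket, known).ratio()
        if bucket != known and ratio >= threshold:
            findings.append(f"lookalike-name: {bucket} resembles {known}")
    # Step 2: who created it, and from where.
    if creator not in approved_creators:
        findings.append(f"unapproved-creator: {creator} from {ip}")
    # Step 3: bindings that expose the bucket to everyone.
    for binding in policy.get("bindings", []):
        for member in PUBLIC_MEMBERS.intersection(binding.get("members", [])):
            findings.append(f"public-binding: {member} has {binding['role']}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRY, SAMPLE_POLICY,
                          ["acme-payroll-exports"], {"ci-deployer@example.com"}):
        print(finding)
```

An empty result means none of the three checks fired; it does not replace reviewing the bucket contents and project activity in steps 4 and 5.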

Resolution

Use the following steps to resolve an unauthorized new Cloud Storage bucket:

  1. Delete the bucket immediately to prevent further unauthorized access and data theft. You can do this by navigating to the bucket in the Google Cloud console and selecting Delete.
  2. Revoke any access to the bucket that was granted to the unauthorized user, and review and modify the access control settings to ensure that the bucket is properly secured.
  3. Investigate further to determine the extent of the damage and whether any data was compromised. Review the logs and audit trails to determine what actions were taken on the bucket and who may have accessed it.
  4. Implement additional security measures to prevent future malicious activity. For example, you can enable Cloud Storage bucket creation logging, implement more restrictive IAM policies, or consider using data encryption to protect sensitive data.