Skip to content

Hide Navigation Hide TOC

Cloud Storage Metadata (e214eb6d-de8f-4154-9015-6d47915fbed1)

Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples:

  • AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions.
  • Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags.
  • Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status.
  • OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes.

This data component can be collected through the following measures:

Enable Logging for Metadata Collection

  • AWS S3: Use AWS CloudTrail to log GetBucketAcl, GetBucketPolicy, and HeadBucket API calls.
  • Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates.
  • Google Cloud Storage: Enable Google Cloud Audit Logs to capture storage.buckets.get and storage.buckets.update.
  • OpenStack Swift: Enable logging of HEAD or GET requests to containers.

Centralized Log Aggregation

  • Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs.
  • Correlate metadata access with user actions, IP addresses, and other contextual data.

API Polling

  • Use cloud SDKs or APIs to periodically query metadata for analysis:
    • AWS CLI Example: aws s3api get-bucket-acl --bucket company-sensitive-data
    • Azure CLI Example: az storage container show --name customer-records
    • Google Cloud CLI Example: gcloud storage buckets describe user-uploads
Cluster A Galaxy A Cluster B Galaxy B Level
Cloud Storage Metadata (e214eb6d-de8f-4154-9015-6d47915fbed1) mitre-data-component Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern 1