T1530 covers unauthorised reads of cloud storage objects: the technique behind the Capital One S3 exfiltration and similar misconfiguration-driven data breaches. T1530 has the largest mapping surface in DCV's catalog, with GuardDuty's Exfiltration:S3/ObjectRead.Unusual as the standout data-access signal and GCP's PUBLIC_BUCKET_ACL as the detection for the prerequisite misconfiguration. The remediation template wires S3 Block Public Access at account and bucket level, signed URLs for intended external consumers, and CloudTrail object-level (data event) logging so that individual GetObject calls are visible at all.
Adversaries may access data from cloud storage.
Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.
In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories).
Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem. There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity and Access Management (IAM) system, without even needing basic user permissions.
This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.
Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.
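The misconfigurations described above (public ACL grants, wildcard-principal bucket policies, Block Public Access left off) can be checked mechanically. The following is an added example, not DCV's or CloudSigma's code: it evaluates an S3 bucket's public exposure from inputs shaped like the boto3 responses to `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`. The account ID, bucket name and sample configurations are constructed, and the weak configuration is shown beside a hardened one.

```python
"""Added example (not DCV's or CloudSigma's code): evaluate whether an S3 bucket is
publicly readable from its ACL, bucket policy and Block Public Access settings.
Inputs are shaped like the boto3 responses to get_bucket_acl, get_bucket_policy
and get_public_access_block; the sample values below are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Grants to the AllUsers or AuthenticatedUsers groups. AuthenticatedUsers
    means any AWS account in the world, so it is treated as public too."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def load_policy(policy):
    """get_bucket_policy returns the policy as a JSON string; accept either form."""
    return json.loads(policy) if isinstance(policy, str) else policy


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Split Allow statements with a wildcard principal into unconditioned ones
    (public) and conditioned ones (e.g. aws:SourceVpce, aws:PrincipalOrgID), which
    need review to decide whether the condition actually scopes access."""
    unconditioned, conditioned = [], []
    for st in load_policy(policy).get("Statement", []):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        (conditioned if st.get("Condition") else unconditioned).append(st)
    return unconditioned, conditioned


def block_public_access_complete(bpa):
    """True only when all four PublicAccessBlockConfiguration flags are set."""
    return all(bpa.get(flag) is True for flag in BPA_FLAGS)


def assess_bucket(acl, policy, bpa):
    """Verdict for one bucket. Fully enabled Block Public Access ignores public ACLs
    and restricts public policies at request time, so the misconfiguration findings
    are still reported but the bucket is not effectively public."""
    findings = []
    if acl_public_grants(acl):
        findings.append("PUBLIC_BUCKET_ACL")
    unconditioned, conditioned = policy_public_statements(policy)
    if unconditioned:
        findings.append("PUBLIC_BUCKET_POLICY")
    if conditioned:
        findings.append("CONDITIONED_WILDCARD_POLICY")
    exposed = bool(acl_public_grants(acl) or unconditioned)
    return {
        "findings": findings,
        "block_public_access": block_public_access_complete(bpa),
        "effectively_public": exposed and not block_public_access_complete(bpa),
    }


# Constructed sample configurations (hypothetical account ID and bucket name).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
WEAK_BPA = {flag: False for flag in BPA_FLAGS}

HARDENED_ACL = {"Grants": [OWNER]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_ACL, WEAK_POLICY, WEAK_BPA)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA)),
                       ("weak + BPA", (WEAK_ACL, WEAK_POLICY, HARDENED_BPA))):
        print(label, assess_bucket(*cfg))
```

The `Deny` statement in the hardened policy also uses `Principal: "*"`, which is why the analyzer only considers `Allow` statements; the third run shows that account- or bucket-level Block Public Access neutralises the weak ACL and policy without removing the underlying findings, which is exactly why the prerequisite-misconfiguration detections should still fire.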
Platforms: IaaS, Office Suite, SaaS.
DCV maps 108 detections across 3 cloud providers to T1530. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 36 | 0.79 |
| AWS Security Hub | AWS | 24 | 0.83 |
| AWS Macie | AWS | 14 | 0.90 |
| Azure Policy | Azure | 10 | 0.89 |
| AWS GuardDuty | AWS | 8 | 0.90 |
| Microsoft Defender for Cloud | Azure | 8 | 0.92 |
| Azure Regulatory Compliance | Azure | 4 | 0.95 |
| GCP Security Command Center | GCP | 3 | 0.87 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma has coverage metadata for T1530 across 3 platforms, but no public example rule clears the embed bar for this page yet; the linked platform page remains the canonical rule surface, and an example will be embedded here once a rule clears the bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 108 cloud-native detections to T1530 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Macie, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1530 belongs to the MITRE ATT&CK tactic TA0009 Collection, which covers how adversaries gather data of interest before exfiltration.
CloudSigma ships 3 validated Sigma rules for T1530 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.
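As an added example of the kind of starting-point detection such a CloudTrail rule encodes (this is not DCV's or CloudSigma's code, and not one of the three rules mentioned above), the following runs over constructed CloudTrail S3 data events and flags the T1530 signals a practitioner would expect: unauthenticated reads, reads by a principal from a foreign account, reads from outside a trusted network, and an unusual read volume per principal in the spirit of GuardDuty's ObjectRead.Unusual. The account IDs, ARNs, bucket name, trusted network list and threshold are constructed. Note that these events only exist if object-level (data event) logging for s3:GetObject is enabled on the trail; a management-events-only trail never records them.

```python
"""Added example (not DCV's or CloudSigma's code): flag suspicious S3 object reads
in CloudTrail data events. The trail must have object-level (data event) logging
for s3:GetObject enabled; management-only trails never record these reads.
Events, account IDs, ARNs and the trusted network list are constructed."""
import ipaddress
from collections import Counter

# Constructed allowlist: networks from which object reads are expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Reads per principal above which volume is flagged; a real baseline would come
# from historical telemetry, which is what GuardDuty's Unusual findings model.
READ_THRESHOLD = 3


def is_object_read(ev):
    return ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") == "GetObject"


def principal_key(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("accountId") or "unknown"


def _source_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # CloudTrail records a service DNS name (e.g. "s3.amazonaws.com") for
        # calls made by AWS services; treat anything non-numeric as untrusted here.
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify_event(ev):
    """Per-event reasons. Unauthenticated S3 requests are recorded by CloudTrail
    with userIdentity.type AWSAccount and accountId 'anonymous'."""
    reasons = []
    if not is_object_read(ev):
        return reasons
    ident = ev.get("userIdentity", {})
    account = ident.get("accountId")
    if account == "anonymous":
        reasons.append("anonymous_read")
    elif account and account != ev.get("recipientAccountId"):
        reasons.append("cross_account_read")
    if not _source_trusted(ev.get("sourceIPAddress", "")):
        reasons.append("untrusted_source_ip")
    return reasons


def detect(events):
    """Return per-event alerts in event order, then one volume alert per principal
    whose GetObject count exceeds READ_THRESHOLD."""
    alerts, reads = [], Counter()
    for ev in events:
        if not is_object_read(ev):
            continue
        reads[principal_key(ev)] += 1
        reasons = classify_event(ev)
        if reasons:
            params = ev.get("requestParameters", {})
            alerts.append({"eventID": ev.get("eventID"), "principal": principal_key(ev),
                           "object": f"{params.get('bucketName')}/{params.get('key')}",
                           "reasons": reasons})
    for principal, count in reads.items():
        if count > READ_THRESHOLD:
            alerts.append({"eventID": None, "principal": principal, "count": count,
                           "reasons": ["unusual_read_volume"]})
    return alerts


def _event(eid, identity, source_ip, key, bucket="example-data", recipient="111122223333"):
    """Build a constructed CloudTrail GetObject data event."""
    return {"eventVersion": "1.08", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
            "eventID": eid, "userIdentity": identity, "sourceIPAddress": source_ip,
            "recipientAccountId": recipient, "requestParameters": {"bucketName": bucket, "key": key}}


# Constructed identities (hypothetical account IDs and ARNs).
APP_ROLE = {"type": "AssumedRole", "accountId": "111122223333",
            "arn": "arn:aws:sts::111122223333:assumed-role/AppReader/i-0abc123"}
ANONYMOUS = {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"}
PARTNER = {"type": "IAMUser", "accountId": "444455556666", "arn": "arn:aws:iam::444455556666:user/partner"}

SAMPLE_EVENTS = [
    _event("e1", APP_ROLE, "10.1.2.3", "reports/q1.csv"),          # expected read
    _event("e2", ANONYMOUS, "203.0.113.7", "reports/q1.csv"),      # public bucket being read
    _event("e3", PARTNER, "10.2.3.4", "exports/customers.json"),   # foreign-account principal
] + [_event(f"e{i}", APP_ROLE, "10.1.2.3", f"exports/part-{i}.json") for i in range(4, 8)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The volume check is deliberately naive (a flat count with no time window) so the logic stays readable; in production the baseline and window come from your own telemetry, which is the validation step the CloudSigma notice above asks for before a rule is enabled.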