Anonymous GCP API Hack Attempts against Cloud Storage & Other Resources

  • March 6, 2026
  • 4 replies
  • 83 views

tonymet

Using Log Manager & the Alerting Platform I’ve noticed over the past year or so continuous enumeration and penetration attack attempts from anonymous sources. These commonly show up as unauthenticated API calls e.g. `storage.objects.list`, `storage.buckets.get` with known bucket names, “Docker-HeadManifest” (to enumerate artifact registry), IAM GetProject, IAM GetResourceBillingInfo to enumerate project names, billing accounts etc.

Ideally I would like to immediately block this traffic and have the ability to automatically detect and block anomalies like this.

My Attempts to Fix this:

  1. Followed best practices e.g. no SA keys, RBAC, continuous audits, alerting on the attack attempts
  2. Reported the issue to Google Cloud Platform -- I was told it wasn’t a support issue
  3. Reported frequent IPs using the Abuse contact at the Source IP ISP provider (discovered via WHOIS)

Questions for the Community

  1. Do other customers see anonymous enumeration attacks like these in their logs?
  2. What other defenses do you recommend?

Desired Tools

These are tools that I wish I had to respond to these attacks.

  1. WAF-level control for Google API calls. e.g. block by IP, anomaly detection & blocking (e.g. Fail2Ban on the API level)
  2. Report abuse IP to Google Cloud
  3. Report Abuse to Source IP Provider

How to Find Suspicious Attack Attempts In Your Account

  1. Enable Admin-Read & Admin-Write Audit Logging
  2. Use this query pattern in Logs Explorer or Alerts Manager to discover this traffic.

    SEARCH("permission")
    SEARCH("denied") OR "anonymous caller"
Sample Logs

| protoPayload.authorizationInfo.permission | protoPayload.methodName | protoPayload.requestMetadata.callerIp | protoPayload.requestMetadata.callerSuppliedUserAgent | protoPayload.metadata.noTLS | protoPayload.requestMetadata.requestAttributes.time | protoPayload.resourceLocation.currentLocations | receiveTimestamp | timestamp |
|---|---|---|---|---|---|---|---|---|
| ["storage.objects.list"] | storage.objects.list | 86.87.170.53 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36,gzip(gfe) | TRUE | 2026-03-06T12:20:20.431772238Z | ["us-central1"] | 2026-03-06T12:20:20.895410759Z | 2026-03-06T12:20:20.424370648Z |
| ["storage.objects.list"] | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | 2026-02-28T14:19:58.786557184Z | ["us-central1"] | 2026-02-28T14:20:00.392682828Z | 2026-02-28T14:19:58.780979494Z |
| ["storage.objects.list"] | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | 2026-02-28T14:19:58.345627330Z | ["us-central1"] | 2026-02-28T14:19:59.125396921Z | 2026-02-28T14:19:58.337372880Z |
| ["storage.buckets.get","storage.buckets.getIamPolicy"] | storage.buckets.get | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | 2026-02-28T14:19:57.894607822Z | ["us-central1"] | 2026-02-28T14:19:58.469122423Z | 2026-02-28T14:19:57.888475278Z |
| ["storage.objects.list"] | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | 2026-02-28T14:19:57.439773919Z | ["us-central1"] | 2026-02-28T14:19:58.608939242Z | 2026-02-28T14:19:57.432363149Z |
| ["storage.objects.list"] | storage.objects.list | 2a01:4f8:222:1853::2 | Go-http-client/1.1,gzip(gfe) | TRUE | 2026-02-28T07:36:23.000690618Z | ["us-west1"] | 2026-02-28T07:36:23.797876386Z | 2026-02-28T07:36:22.995305348Z |
| ["storage.objects.list"] | storage.objects.list | 2a01:4f8:222:1853::2 | Go-http-client/1.1,gzip(gfe) | TRUE | 2026-02-28T07:05:57.478100687Z | ["us-central1"] | 2026-02-28T07:05:58.342882874Z | 2026-02-28T07:05:57.471170488Z |
| ["storage.objects.list"] | storage.objects.list | 144.91.106.14 | Go-http-client/1.1,gzip(gfe) | | 2026-02-27T21:05:40.594209923Z | ["us-west1"] | 2026-02-27T21:05:40.893398615Z | 2026-02-27T21:05:40.588212673Z |
| ["storage.objects.list"] | storage.objects.list | 144.91.106.14 | Go-http-client/1.1,gzip(gfe) | | 2026-02-27T19:51:47.781729526Z | ["us-central1"] | 2026-02-27T19:51:49.135938281Z | 2026-02-27T19:51:47.771852046Z |

Common to every row (listed once rather than repeated per row): protoPayload.serviceName = storage.googleapis.com, protoPayload.status.code = 7, resource.type = gcs_bucket, severity = ERROR, resource.labels.location = the region in currentLocations; protoPayload.status.message = "Anonymous caller does not have <methodName> access to the Google Cloud Storage bucket. Permission '<methodName>' denied on resource (or it may not exist)."; the protoPayload.authorizationInfo.permissionType and resourceAttributes.* columns are null, and the destinationAttributes, requestAttributes.auth, status.details, receiveLocation, resource.labels.method and resource.labels.service columns are empty.
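As an added example (not code from the post or from Google), a small Python triage script that applies the same filter as the Logs Explorer query above to exported audit-log entries, groups anonymous denials per caller IP, and flags bursts that would justify an abuse report or an IP-filter entry. The field names follow the protoPayload layout of the sample logs; the entries, the 203.0.113.0/24 addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PERMISSION_DENIED = 7  # google.rpc.Code value seen in protoPayload.status.code above
ANON_RE = re.compile(r"^Anonymous caller does not have (\S+) access")


def make_entry(ts, method, ip, ua, caller="Anonymous caller"):
    # Constructed audit-log entry using the protoPayload field layout from the sample logs.
    msg = (f"{caller} does not have {method} access to the Google Cloud Storage bucket. "
           f"Permission '{method}' denied on resource (or it may not exist).")
    return {"timestamp": ts, "resource": {"type": "gcs_bucket"}, "protoPayload": {
        "methodName": method, "status": {"code": PERMISSION_DENIED, "message": msg},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua}}}


def is_anonymous_denial(entry):
    # PERMISSION_DENIED whose status message names an anonymous (unauthenticated) caller.
    status = entry.get("protoPayload", {}).get("status", {})
    return status.get("code") == PERMISSION_DENIED and ANON_RE.match(status.get("message", "")) is not None


def parse_ts(ts):
    # RFC 3339 with nanoseconds -> datetime; fromisoformat accepts at most microseconds.
    base, frac = ts.rstrip("Z").split(".")
    return datetime.fromisoformat(f"{base}.{frac[:6]}")


def triage(entries, threshold=3, window=timedelta(minutes=5)):
    """Group anonymous denials per callerIp; flag an IP when `threshold` hits land inside `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if is_anonymous_denial(e):
            by_ip[e["protoPayload"]["requestMetadata"]["callerIp"]].append(e)
    report = {}
    for ip, hits in by_ip.items():
        times = sorted(parse_ts(h["timestamp"]) for h in hits)
        burst = any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1))
        report[ip] = {"hits": len(hits), "flagged": burst,
                      "methods": sorted({h["protoPayload"]["methodName"] for h in hits}),
                      "user_agents": sorted({h["protoPayload"]["requestMetadata"]["callerSuppliedUserAgent"] for h in hits})}
    return report


# Constructed samples modelled on the rows above; 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_ENTRIES = [
    make_entry("2026-02-28T14:19:57.439773919Z", "storage.objects.list", "203.0.113.10", "aws-sdk-go-v2/1.26.1"),
    make_entry("2026-02-28T14:19:57.888475278Z", "storage.buckets.get", "203.0.113.10", "aws-sdk-go-v2/1.26.1"),
    make_entry("2026-02-28T14:19:58.337372880Z", "storage.objects.list", "203.0.113.10", "aws-sdk-go-v2/1.26.1"),
    make_entry("2026-02-28T07:05:57.471170488Z", "storage.objects.list", "203.0.113.20", "Go-http-client/1.1"),
    make_entry("2026-02-28T07:36:22.995305348Z", "storage.objects.list", "203.0.113.20", "Go-http-client/1.1"),
    # A signed-in principal's denial: not an anonymous probe, so it must not be counted.
    make_entry("2026-02-28T14:30:00.000000000Z", "storage.objects.list", "203.0.113.30", "gcloud", caller="user@example.com"),
]
```

Run `triage(SAMPLE_ENTRIES)`: the first address is flagged (three denials within a second, two distinct methods), the second is reported but not flagged (two hits half an hour apart), and the authenticated denial is ignored.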


4 replies

tonymet
  • Author
  • New Member
  • March 6, 2026

@matthewnichols thanks for cleaning up the post. I think there was a bug in the publish feature and it published twice.


hzmndt
Staff
  • Staff
  • March 9, 2026

@tonymet From Gemini

It's a common concern to see and want to block unauthorized enumeration and penetration attempts on cloud resources. Based on the information you've provided and internal documentation, here's a breakdown of defenses and how to address this on Google Cloud Platform:

Recommended Defenses:

  1. VPC Service Controls (VPC SC):

    • This is a powerful tool to create security perimeters around your Google Cloud services (like Cloud Storage and IAM). You can define policies to control how data can be accessed and moved, significantly mitigating data exfiltration risks.
    • You can configure VPC SC to deny access to requests that don't originate from authorized networks (e.g., your on-premise IP ranges or specific VPC networks) or don't meet required access levels. Access levels can be defined based on attributes like IP address, user identity, device security status, etc.
    • By setting up a perimeter and enforcing access levels, you can effectively block anonymous callers and requests from untrusted IPs, as they won't meet the criteria you've defined.
  2. Cloud Storage - Bucket IP Filtering:

    • Google Cloud Storage offers a native feature to filter access to buckets based on IP addresses or VPC networks. This allows you to create an allowlist of IPs or ranges permitted to access your buckets.
    • Caution: Incorrect configuration can lock you out. Always test on non-production resources and ensure you include any necessary IPs for your own access, build systems, or other integrated GCP services. You can grant specific users the storage.buckets.exemptFromIpFilter permission to bypass the filter if needed.
  3. IAM Policies & Least Privilege:

    • Continue to enforce the principle of least privilege. Ensure only authorized identities (service accounts, users, groups) have the minimum necessary permissions.
    • Regularly audit your IAM policies to remove any overly permissive bindings.
    • Avoid using allUsers or allAuthenticatedUsers in IAM bindings on sensitive resources.
  4. Cloud Armor:

    • Cloud Armor is primarily designed to protect applications and services behind Google Cloud Load Balancers, providing DDoS protection and Web Application Firewall (WAF) capabilities.
    • While Cloud Armor can protect backend buckets served through a Load Balancer with Cloud CDN, its ability to directly filter traffic to the raw Google Cloud APIs (e.g., storage.googleapis.com) without a Load Balancer in front is limited.
    • You can use Cloud Armor security policies to allow or deny traffic based on IP addresses, geo-locations, and other request attributes, but this is most effective when combined with a Load Balancer.

tonymet
  • Author
  • New Member
  • March 9, 2026

thanks I have reviewed those suggestions from Gemini, but those are late-funnel remediations. I’m trying to actively block the suspicious traffic before it has a chance to be processed or authenticated. IP blocking, additional checkpointing prior to request processing. I don’t want the attacker to receive any response from the request, and ideally they should be banned from the API altogether.


tonymet
  • Author
  • New Member
  • March 11, 2026

I’m curious if anyone else sees enumeration attacks like this in the logs