Using Log Manager & the Alerting Platform, I’ve noticed over the past year or so continuous enumeration and penetration attack attempts from anonymous sources. These commonly show up as unauthenticated API calls, e.g. `storage.objects.list`, `storage.buckets.get` with known bucket names, “Docker-HeadManifest” (to enumerate Artifact Registry), IAM GetProject, IAM GetResourceBillingInfo to enumerate project names, billing accounts, etc.
Ideally I would like to immediately block this traffic and have the ability to automatically detect and block anomalies like this.
My Attempts to Fix this:
- Followed best practices e.g. no SA keys, RBAC, continuous audits, alerting on the attack attempts
- Reported the issue to Google Cloud Platform -- I was told it wasn’t a support issue
- Reported frequent IPs using the Abuse contact at the Source IP ISP provider (discovered via WHOIS)
Questions for the Community
- Do other customers see anonymous enumeration attacks like these in their logs?
- What other defenses do you recommend?
Desired Tools
These are tools that I wish I had to respond to these attacks.
- WAF-level control for Google API calls, e.g. block by IP, anomaly detection & blocking (e.g. Fail2Ban on the API level)
- Report abuse IP to Google Cloud
- Report Abuse to Source IP Provider
How to Find Suspicious Attack Attempts In Your Account
- Enable Admin-Read & Admin-Write Audit Logging
- Use this query pattern in Logs Explorer or Alerts Manager to discover this traffic.
```
SEARCH("permission")
SEARCH("denied") OR "anonymous caller"
```
Sample Logs
| protoPayload.authorizationInfo.permission | protoPayload.authorizationInfo.permissionType | protoPayload.authorizationInfo.resourceAttributes.name | protoPayload.authorizationInfo.resourceAttributes.service | protoPayload.authorizationInfo.resourceAttributes.type | protoPayload.metadata.noTLS | protoPayload.methodName | protoPayload.requestMetadata.callerIp | protoPayload.requestMetadata.callerSuppliedUserAgent | protoPayload.requestMetadata.destinationAttributes | protoPayload.requestMetadata.requestAttributes.auth | protoPayload.requestMetadata.requestAttributes.time | protoPayload.resourceLocation.currentLocations | protoPayload.serviceName | protoPayload.status.code | protoPayload.status.details | protoPayload.status.message | receiveLocation | receiveTimestamp | resource.labels.location | resource.labels.method | resource.labels.service | resource.type | severity | timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | TRUE | storage.objects.list | 86.87.170.53 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36,gzip(gfe) | | | 2026-03-06T12:20:20.431772238Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-03-06T12:20:20.895410759Z | us-central1 | | | gcs_bucket | ERROR | 2026-03-06T12:20:20.424370648Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | | 2026-02-28T14:19:58.786557184Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-28T14:20:00.392682828Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-28T14:19:58.780979494Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | | 2026-02-28T14:19:58.345627330Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-28T14:19:59.125396921Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-28T14:19:58.337372880Z |
| ["storage.buckets.get","storage.buckets.getIamPolicy"] | [null,null] | [null,null] | [null,null] | [null,null] | | storage.buckets.get | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | | 2026-02-28T14:19:57.894607822Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist). | | 2026-02-28T14:19:58.469122423Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-28T14:19:57.888475278Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | | storage.objects.list | 154.13.221.237 | aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) | | | 2026-02-28T14:19:57.439773919Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-28T14:19:58.608939242Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-28T14:19:57.432363149Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | TRUE | storage.objects.list | 2a01:4f8:222:1853::2 | Go-http-client/1.1,gzip(gfe) | | | 2026-02-28T07:36:23.000690618Z | ["us-west1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-28T07:36:23.797876386Z | us-west1 | | | gcs_bucket | ERROR | 2026-02-28T07:36:22.995305348Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | TRUE | storage.objects.list | 2a01:4f8:222:1853::2 | Go-http-client/1.1,gzip(gfe) | | | 2026-02-28T07:05:57.478100687Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-28T07:05:58.342882874Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-28T07:05:57.471170488Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | | storage.objects.list | 144.91.106.14 | Go-http-client/1.1,gzip(gfe) | | | 2026-02-27T21:05:40.594209923Z | ["us-west1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-27T21:05:40.893398615Z | us-west1 | | | gcs_bucket | ERROR | 2026-02-27T21:05:40.588212673Z |
| ["storage.objects.list"] | [null] | [null] | [null] | [null] | | storage.objects.list | 144.91.106.14 | Go-http-client/1.1,gzip(gfe) | | | 2026-02-27T19:51:47.781729526Z | ["us-central1"] | storage.googleapis.com | 7 | | Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). | | 2026-02-27T19:51:49.135938281Z | us-central1 | | | gcs_bucket | ERROR | 2026-02-27T19:51:47.771852046Z |
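
A Fail2Ban-style detection pass over exported audit-log entries, as an added example that is not part of the original post: it keeps only anonymous permission-denied responses (status code 7) and flags caller IPs that exceed a burst threshold. The entries are constructed from the sample rows above (the `192.0.2.10` entry is invented), and the `findtime`/`maxretry` thresholds are assumptions named after Fail2Ban's settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_ts(ts):
    """Parse an audit-log timestamp; nanoseconds are truncated to microseconds."""
    head, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def is_anonymous_denial(entry):
    """True for PERMISSION_DENIED (code 7) answers to an anonymous caller."""
    status = entry["protoPayload"].get("status", {})
    return status.get("code") == 7 and "Anonymous caller" in status.get("message", "")

def flag_sources(entries, findtime=timedelta(seconds=60), maxretry=3):
    """Return {callerIp: peak denials inside any findtime window} for noisy IPs."""
    by_ip = defaultdict(list)
    for e in filter(is_anonymous_denial, entries):
        ip = e["protoPayload"]["requestMetadata"]["callerIp"]
        by_ip[ip].append(parse_ts(e["timestamp"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            flagged[ip] = peak
    return flagged

def make_entry(ip, ts, method, code=7):
    """Build a minimal entry with the audit-log fields used above (constructed)."""
    msg = f"Anonymous caller does not have {method} access to the Google Cloud Storage bucket." if code == 7 else ""
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "requestMetadata": {"callerIp": ip}, "status": {"code": code, "message": msg}}}

# Constructed sample: IPs, methods and timestamps taken from the rows above.
SAMPLE = [
    make_entry("154.13.221.237", "2026-02-28T14:19:57.432363149Z", "storage.objects.list"),
    make_entry("154.13.221.237", "2026-02-28T14:19:57.888475278Z", "storage.buckets.get"),
    make_entry("154.13.221.237", "2026-02-28T14:19:58.337372880Z", "storage.objects.list"),
    make_entry("154.13.221.237", "2026-02-28T14:19:58.780979494Z", "storage.objects.list"),
    make_entry("144.91.106.14", "2026-02-27T19:51:47.771852046Z", "storage.objects.list"),
    make_entry("144.91.106.14", "2026-02-27T21:05:40.588212673Z", "storage.objects.list"),
    make_entry("86.87.170.53", "2026-03-06T12:20:20.424370648Z", "storage.objects.list"),
    make_entry("192.0.2.10", "2026-02-28T14:19:58.000000000Z", "storage.objects.list", code=0),
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

With the default thresholds only the burst from `154.13.221.237` is flagged; the slower, repeated probes from `144.91.106.14` appear only when the window is widened, which is why a second, longer window is worth alerting on.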