New ‘Bucket Hijacking’ Attack Reroutes Cloud Data to Malicious Storage

A newly identified cyberattack technique, termed “bucket hijacking,” enables malicious actors to covertly redirect an organization’s cloud data streams—such as audit logs and telemetry—to storage buckets under their control. This vulnerability affects major cloud service providers, including Google Cloud, Amazon Web Services (AWS), and Microsoft Azure.

The core of this attack lies in the global uniqueness of cloud storage bucket names. In these platforms, each bucket name must be unique across the entire service, not just within a single user’s account. Consequently, any resource that references a bucket does so by name alone; nothing ties that name to the account that originally created the bucket.

To execute a bucket hijacking attack, an adversary who has obtained the necessary permissions within a cloud environment can follow these steps:

  1. Delete the target organization’s active storage bucket.
  2. Immediately create a new bucket with the same name within an attacker-controlled account.

Once these steps are completed, the original data streams—such as logging sinks, replication rules, or diagnostic exports—continue to function as configured, now directing data into the attacker’s bucket. This process is particularly insidious because it does not generate error messages or alerts, making detection exceedingly difficult.
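Because the provider raises no error, the signal a defender does have is in its own audit log and inventory: a `DeleteBucket`-class event against a bucket that an active sink, replication rule or diagnostic export still points to, and a later mismatch between the owner recorded when the stream was configured and the owner the platform reports now. The following Python is an added example, not code from the article or from any provider; the audit events, stream inventory and owner lookup are constructed stand-ins for what you would pull from CloudTrail, Cloud Audit Logs, Azure Activity Log and a bucket-metadata call (for example S3 `HeadBucket` with `ExpectedBucketOwner`).

```python
"""Detect bucket-hijack precursors from a victim's own audit data.

Added example (not from the article). Two checks:
  1. a bucket that is the destination of an active data stream was deleted,
     which frees the globally unique name for anyone to re-register;
  2. the destination name now resolves to a bucket owned by someone other
     than the account recorded when the stream was configured.
All inputs below are constructed sample data.
"""

# Constructed inventory: bucket name -> the stream that writes to it and the
# account/project expected to own it at configuration time.
STREAM_DESTINATIONS = {
    "acme-audit-logs": {"stream": "logging-sink/audit", "expected_owner": "acme-prod"},
    "acme-telemetry": {"stream": "firehose/telemetry", "expected_owner": "acme-prod"},
}

# Constructed audit events in a simplified, provider-neutral shape.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "event": "DeleteBucket",
     "bucket": "acme-scratch", "principal": "ci-bot@acme-prod"},
    {"ts": "2024-05-01T10:05:00Z", "event": "storage.buckets.delete",
     "bucket": "acme-audit-logs", "principal": "storage-admin@acme-prod"},
    {"ts": "2024-05-01T10:07:00Z", "event": "CreateBucket",
     "bucket": "acme-reports", "principal": "data-eng@acme-prod"},
]

# Event names the article lists for the three providers, plus the AWS API name.
DELETE_EVENTS = {
    "DeleteBucket",
    "storage.buckets.delete",
    "Microsoft.Storage/storageAccounts/delete",
}


def deletions_of_active_destinations(events, destinations):
    """Return a finding for every deletion of a bucket some stream still writes to."""
    findings = []
    for ev in events:
        if ev["event"] not in DELETE_EVENTS:
            continue
        dest = destinations.get(ev["bucket"])
        if dest is None:
            continue  # deleting a bucket nothing writes to is routine housekeeping
        findings.append({
            "severity": "high",
            "bucket": ev["bucket"],
            "stream": dest["stream"],
            "principal": ev["principal"],
            "ts": ev["ts"],
            "reason": "destination of an active data stream was deleted; "
                      "the name is now free for any account to re-register",
        })
    return findings


def ownership_drift(destinations, current_owners):
    """Compare the recorded owner of each destination with what the platform reports now.

    current_owners maps bucket name -> owning account, or is missing the key when
    the name no longer resolves (bucket deleted but not yet re-created).
    """
    drift = []
    for name, dest in destinations.items():
        owner = current_owners.get(name)
        if owner is None:
            drift.append((name, "missing"))
        elif owner != dest["expected_owner"]:
            drift.append((name, f"owner changed to {owner}"))
    return drift


# Constructed stand-in for a live owner lookup: the hijacked name now resolves
# to a bucket in a foreign account, the other destination is unchanged.
CURRENT_OWNERS = {"acme-audit-logs": "foreign-account", "acme-telemetry": "acme-prod"}

if __name__ == "__main__":
    for finding in deletions_of_active_destinations(SAMPLE_EVENTS, STREAM_DESTINATIONS):
        print("ALERT", finding)
    for name, why in ownership_drift(STREAM_DESTINATIONS, CURRENT_OWNERS):
        print("DRIFT", name, why)
```

The first check fires at the moment the name is released, before any data has been rerouted; the second catches the case where the deletion event was missed or happened before the detection was deployed. Both depend on keeping an inventory of stream destinations with their expected owners, which most environments do not record by default.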

Security researchers have successfully demonstrated this attack across various services on each major cloud platform:

  • Google Cloud: The attack was confirmed on Cloud Logging sinks, Pub/Sub subscriptions with Cloud Storage destinations, and Storage Transfer Service jobs. Required permissions include `storage.buckets.delete` and `storage.objects.delete`.
  • AWS: The technique was validated on S3 bucket replication and Amazon Data Firehose pipelines targeting S3 destinations.
  • Azure: The attack was demonstrated via Azure Monitor diagnostic settings, though it is limited to the same-tenant scope due to platform-enforced name reuse delays.

One significant concern is that broad storage administration roles commonly assigned in enterprise environments can increase exposure to this attack. For instance, in Google Cloud, the standard Storage Admin role includes the `storage.buckets.delete` permission by default. This allows attackers to reroute data streams without needing to modify stream configurations directly.

To mitigate the risk of bucket hijacking attacks, organizations are advised to implement the following strategies:

  • Restrict Deletion Permissions: Limit permissions such as `storage.buckets.delete`, `DeleteBucket`, and `Microsoft.Storage/storageAccounts/delete` to only those administrative roles that absolutely require them.
  • Enforce Data Perimeter Controls: Utilize AWS Service Control Policies (SCPs) or Google Cloud VPC Service Controls to prevent writes to storage buckets outside of the organization’s control.
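The perimeter control in the second bullet works because the write that follows a hijacked name is still issued by a principal inside the victim's organization (a logging service, a replication role, a Firehose delivery role), so an organization-wide deny on writes to resources outside the organization stops it even though the stream configuration was never touched. The following Python is an added example, not the article's code or an AWS artifact: it places a weak (empty) policy beside a perimeter SCP built on the real `aws:ResourceOrgID` global condition key, with a deliberately minimal evaluator that handles only the `Deny` / `StringNotEquals` shape used here. `ORG_ID` and the foreign organization id are placeholders.

```python
"""Effect of an AWS data-perimeter SCP on writes to a re-registered bucket name.

Added example (not from the article). The evaluator implements only the subset
of IAM semantics these two policies need: SCPs never grant access, an explicit
Deny whose condition holds blocks the request, and a negated string operator
such as StringNotEquals evaluates true when the key is absent from the request.
"""
from fnmatch import fnmatch

ORG_ID = "o-exampleorg"  # placeholder, not a real AWS Organizations id

# Weak configuration: no perimeter, so any bucket name is a valid destination,
# whoever owns it now.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}

# Corrected configuration: deny object writes to any resource outside the org.
PERIMETER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyWritesOutsideOrg",
        "Effect": "Deny",
        "Action": ["s3:PutObject", "s3:ReplicateObject"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:ResourceOrgID": ORG_ID}},
    }],
}


def condition_holds(condition, request_context):
    """Evaluate a Condition block against request context keys (subset only)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request_context.get(key)  # None when the key is absent
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Absent key: the negated operator holds, so the Deny applies.
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def write_allowed(policy, action, request_context):
    """True if no Deny statement in the SCP matches the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch(action, pattern) for pattern in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), request_context):
            return False
    return True  # no matching Deny; identity policy decides (assumed to allow)


if __name__ == "__main__":
    # Constructed request contexts: the bucket name now belongs to a foreign org.
    foreign = {"aws:ResourceOrgID": "o-foreignorg"}
    ours = {"aws:ResourceOrgID": ORG_ID}
    print("weak policy, foreign bucket:", write_allowed(WEAK_POLICY, "s3:PutObject", foreign))
    print("perimeter, foreign bucket:  ", write_allowed(PERIMETER_SCP, "s3:PutObject", foreign))
    print("perimeter, own bucket:      ", write_allowed(PERIMETER_SCP, "s3:PutObject", ours))
    print("perimeter, no org on target:", write_allowed(PERIMETER_SCP, "s3:PutObject", {}))
```

Two details matter in practice. A bucket in a standalone account carries no `aws:ResourceOrgID` at all, which is why the policy uses `StringNotEquals` rather than an `...IfExists` variant: the absent key must still trigger the deny. And the action list has to cover every write path the streams use (replication, Firehose delivery, log delivery), or the uncovered path stays open. The Google Cloud counterpart the article names, VPC Service Controls, enforces the same idea at the service perimeter rather than in the IAM policy document.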

While there have been no reported instances of this attack being exploited in the wild, the potential for undetected data exfiltration underscores the importance of proactive security measures. Organizations should review their cloud storage configurations and access controls to ensure they are not vulnerable to such attacks.

This development highlights the evolving nature of cloud security threats. As cloud services become more integral to business operations, understanding and mitigating risks like bucket hijacking is crucial. Organizations must stay vigilant, regularly audit their cloud environments, and adopt a principle of least privilege to minimize potential attack vectors.