Anonymous GCP API Hack Attempts against Cloud Storage & Other Resources

Google Cloud Cloud Foundations & Onboarding
, ,
1

Using Log Manager & The Alerting Platform I’ve noticed over the past year or so continuous enumeration and penetration attack attempts from anonymous sources. These commonly show up as unauthenticated API calls e.g. `storage.objects.list`, `storage.buckets.get` with known bucket names, “Docker-HeadManifest” (to enumerate artifact registry), IAM GetProject, IAM GetResourceBillingInfo to enumerate project names, billing accounts etc.

Ideally I would like to immediately block this traffic and have the ability to automatically detect and block anomalies like this.

My Attempts to Fix this:

  1. Followed best practices e.g. no SA keys, RBAC, continuous audits, alerting on the attack attempts

  2. Reported the issue to Google Cloud Platform – I was told it wasn’t a support issue

  3. Reported frequent IPs using the Abuse contact at the Source IP ISP provider (discovered via WHOIS)

Questions for the Community

  1. Do other customers see anonymous enumeration attacks like these in their logs?

  2. What other defenses do you recommend?

Desired Tools

These are tools that I wish I had to respond to these attacks.

  1. WAF-level control for Google API calls. e.g. block by IP, anomaly detection & blocking (e.g. Fail2Ban on the API level)

  2. Report abuse IP to Google Cloud

  3. Report Abuse to Source IP Provider

How to Find Suspicious Attack Attempts In Your Account

  1. Enable Admin-Read & Admin-Write Audit Logging

  2. Use this query pattern in Logs Explorer or Alerts Manager to discover this traffic.

SEARCH("permission")

SEARCH("denied") OR "anonymous caller"

Sample Logs

protoPayload.authorizationInfo.permission	protoPayload.authorizationInfo.permissionType	protoPayload.authorizationInfo.resourceAttributes.name	protoPayload.authorizationInfo.resourceAttributes.service	protoPayload.authorizationInfo.resourceAttributes.type	protoPayload.metadata.noTLS	protoPayload.methodName	protoPayload.requestMetadata.callerIp	protoPayload.requestMetadata.callerSuppliedUserAgent	protoPayload.requestMetadata.destinationAttributes	protoPayload.requestMetadata.requestAttributes.auth	protoPayload.requestMetadata.requestAttributes.time	protoPayload.resourceLocation.currentLocations	protoPayload.serviceName	protoPayload.status.code	protoPayload.status.details	protoPayload.status.message	receiveLocation	receiveTimestamp	resource.labels.location	resource.labels.method	resource.labels.service	resource.type	severity	timestamp

["storage.objects.list"] [null] [null] [null] [null] TRUE storage.objects.list 86.87.170.53 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36,gzip(gfe) 2026-03-06T12:20:20.431772238Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-03-06T12:20:20.895410759Z us-central1 gcs_bucket ERROR 2026-03-06T12:20:20.424370648Z

["storage.objects.list"] [null] [null] [null] [null] storage.objects.list 154.13.221.237 aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) 2026-02-28T14:19:58.786557184Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-28T14:20:00.392682828Z us-central1 gcs_bucket ERROR 2026-02-28T14:19:58.780979494Z

["storage.objects.list"] [null] [null] [null] [null] storage.objects.list 154.13.221.237 aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) 2026-02-28T14:19:58.345627330Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-28T14:19:59.125396921Z us-central1 gcs_bucket ERROR 2026-02-28T14:19:58.337372880Z

["storage.buckets.get","storage.buckets.getIamPolicy"] [null,null] [null,null] [null,null] [null,null] storage.buckets.get 154.13.221.237 aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) 2026-02-28T14:19:57.894607822Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist). 2026-02-28T14:19:58.469122423Z us-central1 gcs_bucket ERROR 2026-02-28T14:19:57.888475278Z

["storage.objects.list"] [null] [null] [null] [null] storage.objects.list 154.13.221.237 aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.3 md/GOOS#linux md/GOARCH#amd64 api/s3#1.53.2,gzip(gfe) 2026-02-28T14:19:57.439773919Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-28T14:19:58.608939242Z us-central1 gcs_bucket ERROR 2026-02-28T14:19:57.432363149Z

["storage.objects.list"] [null] [null] [null] [null] TRUE storage.objects.list 2a01:4f8:222:1853::2 Go-http-client/1.1,gzip(gfe) 2026-02-28T07:36:23.000690618Z ["us-west1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-28T07:36:23.797876386Z us-west1 gcs_bucket ERROR 2026-02-28T07:36:22.995305348Z

["storage.objects.list"] [null] [null] [null] [null] TRUE storage.objects.list 2a01:4f8:222:1853::2 Go-http-client/1.1,gzip(gfe) 2026-02-28T07:05:57.478100687Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-28T07:05:58.342882874Z us-central1 gcs_bucket ERROR 2026-02-28T07:05:57.471170488Z

["storage.objects.list"] [null] [null] [null] [null] storage.objects.list 144.91.106.14 Go-http-client/1.1,gzip(gfe) 2026-02-27T21:05:40.594209923Z ["us-west1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-27T21:05:40.893398615Z us-west1 gcs_bucket ERROR 2026-02-27T21:05:40.588212673Z

["storage.objects.list"] [null] [null] [null] [null] storage.objects.list 144.91.106.14 Go-http-client/1.1,gzip(gfe) 2026-02-27T19:51:47.781729526Z ["us-central1"] storage.googleapis.com 7 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). 2026-02-27T19:51:49.135938281Z us-central1 gcs_bucket ERROR 2026-02-27T19:51:47.771852046Z