Live Active security incident? Get immediate response
MITRE ATT&CK® Data Component

DC0022: Cloud Storage Deletion

Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples:

- AWS S3 Bucket Deletion: An AWS user deletes an S3 bucket using the `DeleteBucket` API call. - Azure Blob Storage Container Deletion: A user deletes a container in Azure Blob Storage using the `Delete Container` operation. - Google Cloud Storage Bucket Deletion: A Google Cloud user deletes a bucket using the `storage.buckets.delete` API. - OpenStack Swift Container Deletion: A user deletes a container in OpenStack Swift using the `DELETE` method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

- AWS S3: Enable AWS CloudTrail to log DeleteBucket API actions. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture Delete Container operations. Use Azure Event Grid to capture and trigger alerts for container deletion. - Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.delete API calls. - OpenStack Swift: Configure Swift logging to capture DELETE requests for containers.

Centralized Logging and Analysis

- Use platforms like Splunk or native SIEMs to forward and analyze logs for anomalies in cloud storage deletions.

EnterpriseDC0022Data ComponentObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Cloud Storage Deletion is evidence that cloud storage structures such as buckets, containers, or directories were removed. For leaders, this matters because deletion events can represent routine administration, accidental data loss, or destructive activity that affects availability, recovery, legal hold, and audit confidence. The decision value is not just whether deletion is possible, but whether the organization can quickly prove who deleted what, from where, and whether the action was expected.

Executive priority

Prioritize this data component where cloud storage supports critical operations, regulated data retention, backups, or incident recovery. Executives should ask whether deletion events are logged centrally, reviewed promptly, and tied to accountable identities. This evidence supports resilience planning, incident triage, compliance readiness, and cloud control validation, especially when business continuity depends on object storage or container-based data services.

Technical view

SOC, cloud security, and IR teams should validate that cloud storage deletion events are collected from relevant cloud services and routed to central analysis. The supplied ATT&CK description highlights examples such as AWS CloudTrail DeleteBucket, Azure Monitor/Diagnostic Logs and Event Grid for Delete Container, Google Cloud Audit Logs Data Access events for storage.buckets.delete, and OpenStack Swift DELETE requests. Because no ATT&CK detection logic or related techniques were supplied, teams should build local detections around administrative deletion events, identity context, asset criticality, and change-management expectations.

Likely telemetry

  • Cloud provider audit logs for storage deletion API calls or operations
  • AWS CloudTrail events for S3 DeleteBucket activity, where AWS S3 is in scope
  • Azure Monitor and Diagnostic Logs for Blob Storage Delete Container operations, where Azure Blob Storage is in scope
  • Azure Event Grid events for container deletion alerting, where configured
  • Google Cloud Audit Logs Data Access records for storage.buckets.delete, where Google Cloud Storage is in scope

Detection direction

  • Confirm that storage deletion logging is enabled before relying on detections; missing data access or diagnostic logging is a common blind spot.
  • Tune alerts against business context: approved maintenance, infrastructure-as-code changes, lifecycle policies, and decommissioning workflows can produce legitimate deletions.
  • Prioritize high-signal conditions such as deletion of critical buckets or containers, deletion by unusual identities, deletion outside expected change windows, or deletion from unexpected source context.
  • Correlate deletion events with identity activity and change records to distinguish authorized administration from accidental or unauthorized removal.
  • Validate central forwarding to a SIEM or native analytics platform so responders can investigate deletion activity across cloud accounts, subscriptions, projects, or environments.

Mitigation priorities

  • Enable the relevant cloud storage audit and diagnostic logging first, because detection and incident reconstruction depend on it.
  • Centralize logs and preserve enough retention to support incident response, compliance evidence, and post-incident root-cause analysis.
  • Restrict delete permissions to appropriate identities and operational roles using least privilege and change-control practices.
  • Require operational review for deletion of critical storage infrastructure, especially where it affects backups, regulated data, production services, or recovery points.
  • Test response procedures for accidental or unauthorized deletion, including escalation paths and evidence collection from cloud audit sources.
Analyst notes and limits

ATT&CK provides this as a data component, not a technique. The supplied object has no tactics, platforms, official detection text, or relationship context, so this take focuses on defensive evidence value and collection validation. The named cloud services and API operations are taken from the official description examples.

Local environment details are required to determine critical storage assets, expected deletion patterns, applicable retention requirements, and alert thresholds. This object does not by itself indicate adversary intent, active exploitation, impact, or detection coverage.

Official MITRE ATT&CK definition

Cloud Storage Deletion

Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples:

- AWS S3 Bucket Deletion: An AWS user deletes an S3 bucket using the `DeleteBucket` API call. - Azure Blob Storage Container Deletion: A user deletes a container in Azure Blob Storage using the `Delete Container` operation. - Google Cloud Storage Bucket Deletion: A Google Cloud user deletes a bucket using the `storage.buckets.delete` API. - OpenStack Swift Container Deletion: A user deletes a container in OpenStack Swift using the `DELETE` method.

This data component can be collected through the following measures:

Enable Logging for Cloud Storage Services

- AWS S3: Enable AWS CloudTrail to log DeleteBucket API actions. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture Delete Container operations. Use Azure Event Grid to capture and trigger alerts for container deletion. - Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.delete API calls. - OpenStack Swift: Configure Swift logging to capture DELETE requests for containers.

Centralized Logging and Analysis

- Use platforms like Splunk or native SIEMs to forward and analyze logs for anomalies in cloud storage deletions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
ded293b45ddcaea5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle ded293b45ddc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DC0022
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use