ThreatModel - Actions
This document provides detailed descriptions for each column in Appendix 2 - List of all Actions and their details. The table maps individual CSP service API operations to corresponding feature classes, IAM permissions, and event metadata.
It serves as a reference for threat modeling, access control evaluation, and feature classification.
Summary - Table Explained
| Column | AWS Example Value | GCP Example Value | Azure Example Value | Explanation |
|---|---|---|---|---|
| Id | S3.A5 | BigQuery.A5 | AzureStorage.A3 | Unique identifier for the action entry. Format: <Service>.<A#> |
| Description | Creates a new bucket. | Creates a new, empty table in the dataset. | List blob services | Human-readable summary of what the action does. |
| Feature Class ID | S3.FC1 | BigQuery.FC1 | AzureStorage.FC2 | Logical grouping or category the API action belongs to. Format: <Service>.<FC#> |
| IAM Permission | s3:CreateBucket | bigquery.tables.create | Microsoft.Storage/storageAccounts/blobServices/read | Permission or policy action required to perform the API call. |
| Event | Data-AWS::S3::Object-PutObject / CreateBucket | google.cloud.bigquery.v2.TableService.InsertTable | Microsoft.Storage/storageAccounts/write | Event name as it appears in the provider's audit logs. |
| API | CreateBucket | bigquery.jobs.insert | Listblobs | API operation name used by the service. |
Column Descriptions
1. Id
A unique identifier given to each service action.
- Format: <Service>.<A#>
  - <Service>: The short name of the service (e.g., S3, BigQuery, Storage).
  - <A#>: A sequential numeric identifier.
- Purpose: Provides a compact reference key for internal tracking or cross-referencing across documents, diagrams, or databases.
- Example:
| Provider | Example |
|---|---|
| AWS | S3.A3 |
| GCP | BigQuery.A2 |
| Azure | AzureStorage.A5 |
2. Description
A description of the action, with a summary describing what the action does within the service.
- Format: Plain text description.
- Purpose: Offers a human-readable explanation of the action’s intent and function.
- Usage: Useful for documentation, risk assessments, and understanding API functionality without needing to refer to CSP API docs.
- Example:
| Provider | Example |
|---|---|
| AWS | Creates a new bucket. |
| GCP | Create new table snapshots. |
| Azure | Returns the result of put blob service properties. |
3. Feature Class ID
The feature class to which the action belongs.
- Format: <Service>.<FC#>
  - <Service>: The short name of the service (e.g., S3, BigQuery, AzureStorage).
  - <FC#>: Feature Class ID
- Purpose: Used for feature classification, allowing logical grouping of APIs with related purposes (e.g., bucket management, object operations, access control).
- Example:
| Provider | Examples |
|---|---|
| AWS | S3.FC1,S3.FC5,S3.FC17 |
| GCP | BigQuery.FC1, BigQuery.FC2, BigQuery.FC7 |
| Azure | Storage.FC1, Storage.FC4 , Storage.FC8 |
4. IAM Permission
Specifies the permission or policy action required to invoke the API.
- Format:
  - AWS: <service>:<operation>
  - GCP: <service>.<resource>.<verb>
  - Azure: <provider>/<resource-hierarchy>/<operation>
- Purpose: Defines the permission syntax used in IAM (AWS), IAM roles (GCP), or RBAC (Azure) to control access to the operation.
- Example:
| Provider | Example |
|---|---|
| AWS | s3:PutObject |
| GCP | bigquery.jobs.create |
| Azure | Microsoft.Storage/storageAccounts/blobServices/containers/write |
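The three permission syntaxes above are regular enough to check mechanically. The following is an added example (not code from the original page or its project): a small parser that tells the three formats apart and a table check that flags entries which match none of them or which use a wildcard instead of a single operation. The regular expressions are this example's own reading of the formats listed above, and the sample rows, including the two deliberately bad ones, are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from the original page: parsers for the three permission
# syntaxes the "IAM Permission" column uses. The patterns are this example's own
# reading of the formats listed above:
#   AWS   <service>:<operation>
#   GCP   <service>.<resource>.<verb>
#   Azure <provider>/<resource-hierarchy>/<operation>
AWS_RE = re.compile(r"^(?P<service>[a-z0-9-]+):(?P<operation>[A-Za-z0-9*]+)$")
GCP_RE = re.compile(
    r"^(?P<service>[a-z][a-z0-9]*)\.(?P<resource>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*)\.(?P<verb>[A-Za-z0-9*]+)$"
)
AZURE_RE = re.compile(
    r"^(?P<namespace>Microsoft\.[A-Za-z]+)/(?P<hierarchy>[A-Za-z0-9/]+)/(?P<operation>[A-Za-z]+)$"
)


def parse_permission(permission: str) -> Dict[str, object]:
    """Return the provider and the parts of a permission string.

    Raises ValueError when the value fits none of the three formats, which is how a
    malformed entry in the Actions table would surface during review.
    """
    m = AWS_RE.match(permission)
    if m:
        return {"provider": "AWS", "wildcard": "*" in permission, **m.groupdict()}
    m = AZURE_RE.match(permission)
    if m:
        return {"provider": "Azure", "wildcard": False, **m.groupdict()}
    m = GCP_RE.match(permission)
    if m:
        return {"provider": "GCP", "wildcard": "*" in permission, **m.groupdict()}
    raise ValueError(f"unrecognised permission format: {permission!r}")


def check_table(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Validate (Id, IAM Permission) pairs and return the Ids a reviewer should look at:
    entries that match no known format, and AWS/GCP entries that use a wildcard
    instead of the single operation the action needs."""
    problems = []
    for action_id, permission in rows:
        try:
            info = parse_permission(permission)
        except ValueError:
            problems.append((action_id, "malformed"))
            continue
        if info["wildcard"]:
            problems.append((action_id, "wildcard"))
    return problems


# Constructed sample rows in the shape of the Actions table (Id, IAM Permission);
# the last two are deliberately bad entries made up for this example.
SAMPLE_ROWS = [
    ("S3.A5", "s3:CreateBucket"),
    ("BigQuery.A5", "bigquery.tables.create"),
    ("AzureStorage.A3", "Microsoft.Storage/storageAccounts/blobServices/read"),
    ("S3.A99", "s3:*"),
    ("Example.A1", "not a permission"),
]

if __name__ == "__main__":
    for action_id, reason in check_table(SAMPLE_ROWS):
        print(f"{action_id}: {reason}")
```

Running the script on the constructed rows reports the wildcard entry and the malformed entry; the three well-formed rows pass silently. The wildcard check matters because the column is meant to name the one permission an action needs, and an over-broad entry would silently widen any policy derived from the table.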
5. Event
The event name that is logged in the logging service.
Specifies how the operation appears in the provider’s audit or activity logs.
This field identifies the exact event name used in AWS CloudTrail, GCP Cloud Audit Logs, and Azure Activity Logs / Diagnostic Logs.
- Format:
| Cloud | Event Type | Format |
|---|---|---|
| AWS | Management | <EventName> |
| AWS | Data | Data-<ResourceType>-<EventName> |
| GCP | Admin Activity or Data Access | <service>.<method> or google.<domain>.<product>.<version>.<Service>.<Method> |
| Azure | Activity Log | <Provider>/<ResourceType>/<Operation> |
| Azure | Resource log | <Provider>/<ResourceType>/<Subresource>/<Operation> |
- Purpose: Enables traceability and correlation between API operations and their recorded events in the logging service.
- Usage: Used for audit, monitoring, and threat modeling to detect or analyze a service’s activity.
- Example:
| Provider | Event Type | Example |
|---|---|---|
| AWS | Management | CreateBucket, DeleteBucket |
| AWS | Data | Data-AWS::S3::Object-PutObject |
| GCP | Admin Activity or Data Access | google.cloud.bigquery.v2.TableService.DeleteTable |
| Azure | Activity Log | Microsoft.Storage/storageAccounts/write |
| Azure | Resource log | Microsoft.Storage/storageAccounts/blobServices/containers/blob/write |
5.1 - Event name convention for AWS
For AWS ThreatModels: Depending on the API type, it can represent either a CloudTrail management event or a CloudTrail data event.
5.1.1 - Management Events
Management events record control-plane operations that configure or manage service resources (e.g., creating or deleting buckets, modifying access policies).
- Format: <EventName>
- Example:
| Action | CloudTrail Management Event Format |
|---|---|
| CreateBucket | CreateBucket |
| DeleteBucket | DeleteBucket |
| PutBucketPolicy | PutBucketPolicy |
These events are always captured under the service namespace (e.g., s3.amazonaws.com) and do not require specifying a resource selector in CloudTrail.
5.1.2 - Data Events
Data events record data-plane operations: the actual access to the data or execution surface, which makes them very useful for Incident Response (IR), for example. They are not enabled by default and often generate high-volume logs.
Because these events occur at a resource level (e.g., individual objects), enabling them in CloudTrail requires specifying exact resource ARNs or resource types.
Data events are documented in the following format:
Data-ResourceAsPerDataEvents-EventName
Where:
- Data: indicates it's a data event
- ResourceAsPerDataEvents: The CloudTrail resource type string (e.g., AWS::S3::Object)
- EventName: The event name as it appears in CloudTrail logs
All three fields are separated by dashes (-).
Examples of Data Events
| Action | CloudTrail Data Event Format | Description |
|---|---|---|
| GetObject | Data-AWS::S3::Object-GetObject | Triggered when an object is read from a bucket. |
| PutObject | Data-AWS::S3::Object-PutObject | Triggered when an object is uploaded to a bucket. |
| DeleteObject | Data-AWS::S3::Object-DeleteObject | Triggered when an object is deleted. |
| CopyObject | Data-AWS::S3::Object-CopyObject | Triggered when an object is copied within or across buckets. |
| HeadObject | Data-AWS::S3::Object-HeadObject | Triggered when metadata about an object is retrieved. |
| RestoreObject | Data-AWS::S3::Object-RestoreObject | Triggered when an archived object is being restored. |
Why This Format
- Data- clearly identifies the event as a data-plane operation.
- AWS::<Service>::<ResourceType> matches the exact CloudTrail selector string used when enabling data events.
- <EventName> is the specific API call recorded in CloudTrail.
With this format, you can:
- Differentiate between management and data events directly from this column.
- Understand how to enable the event in CloudTrail.
- Query and monitor CloudTrail logs without ambiguity.
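The three uses listed above (telling management and data events apart, knowing how to enable the event, and querying logs without ambiguity) can all be driven from the Event column string. The following is an added example, not code from the original page or its project, that parses a value in any of the section 5 formats (AWS management and data events, GCP, Azure Activity Log and Resource log), builds the CloudTrail advanced event selector needed to enable an AWS data event, and matches constructed CloudTrail-style records against a column value. The regular expressions are this example's own reading of the formats; the sample records are constructed for illustration and are not real log data. The selector field names (eventCategory, resources.type, eventName) are CloudTrail's advanced event selector fields.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the original page: parse an "Event" column value into
# its parts, classify it using the formats in section 5, and for AWS data events build
# the CloudTrail advanced event selector that enables logging of that event. The
# sample records below are constructed for this example and are not real log data.
AWS_DATA_RE = re.compile(
    r"^Data-(?P<resource_type>AWS::[A-Za-z0-9]+::[A-Za-z0-9]+)-(?P<event_name>[A-Za-z0-9]+)$"
)
AWS_MGMT_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")
AZURE_RE = re.compile(
    r"^(?P<provider>Microsoft\.[A-Za-z]+)/(?P<path>[A-Za-z0-9/]+)/(?P<operation>[a-z]+)$"
)
GCP_SHORT_RE = re.compile(r"^[a-z][a-z0-9]*\.[A-Za-z0-9.]+$")


def parse_event(value: str) -> Dict[str, str]:
    """Classify an Event column value by provider and event type."""
    m = AWS_DATA_RE.match(value)
    if m:
        return {"provider": "AWS", "type": "Data", **m.groupdict()}
    if AWS_MGMT_RE.match(value):
        return {"provider": "AWS", "type": "Management", "event_name": value}
    m = AZURE_RE.match(value)
    if m:
        # Activity Log: <Provider>/<ResourceType>/<Operation>; a deeper path is a Resource log.
        kind = "Activity Log" if "/" not in m.group("path") else "Resource log"
        return {"provider": "Azure", "type": kind, **m.groupdict()}
    if value.startswith("google.") or GCP_SHORT_RE.match(value):
        service, _, method = value.rpartition(".")
        return {"provider": "GCP", "type": "Admin Activity or Data Access",
                "service": service, "method": method}
    raise ValueError(f"unrecognised event format: {value!r}")


def cloudtrail_selector(value: str, name: str = "threatmodel-data-event") -> Optional[dict]:
    """Return the CloudTrail advanced event selector that enables an AWS data event.

    Management events are logged by default, so None is returned for them and for
    non-AWS values.
    """
    info = parse_event(value)
    if info["provider"] != "AWS" or info["type"] != "Data":
        return None
    return {
        "Name": name,
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [info["resource_type"]]},
            {"Field": "eventName", "Equals": [info["event_name"]]},
        ],
    }


def matches_record(value: str, record: dict) -> bool:
    """True when a CloudTrail record is the event the column value describes."""
    info = parse_event(value)
    if info["provider"] != "AWS" or record.get("eventName") != info["event_name"]:
        return False
    if info["type"] == "Management":
        return record.get("eventCategory", "Management") == "Management"
    resource_types = {r.get("type") for r in record.get("resources", [])}
    return record.get("eventCategory") == "Data" and info["resource_type"] in resource_types


# Constructed, abbreviated CloudTrail-style records (not real log data).
SAMPLE_RECORDS: List[dict] = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "eventCategory": "Management"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventCategory": "Data",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/key.txt"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"}]},
]


def count_matches(value: str, records: List[dict] = SAMPLE_RECORDS) -> int:
    """Number of sample records that correspond to the given Event column value."""
    return sum(1 for r in records if matches_record(value, r))


if __name__ == "__main__":
    import json
    print(json.dumps(cloudtrail_selector("Data-AWS::S3::Object-PutObject"), indent=2))
    print(count_matches("Data-AWS::S3::Object-PutObject"), count_matches("CreateBucket"))
```

The matcher checks the resource type as well as the event name for data events, because the same event name can be recorded for more than one resource type; keying on the full Data-<ResourceType>-<EventName> string is what removes that ambiguity when querying.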
6. API
The API operation name that is associated with an action.
- Format:
  - AWS: PascalCase operation name used in AWS SDKs or API requests
  - GCP: Dot-separated <service>.<resource>.<method>
  - Azure: PascalCase operation name
- Purpose: Identifies the specific API that performs the action.
- Example:
| Provider | Example |
|---|---|
| AWS | CreateBucket |
| GCP | bigquery.jobs.insert |
| Azure | DeleteBlob |