Cloud security misconfigurations: the top findings from real-world assessments
Cloud compromise almost never starts with a zero-day. It starts with configuration — identities with too much power, storage exposed to the internet, logging that was never turned on. These are the patterns we see repeatedly in AWS, Azure and GCP assessments.
1. Over-privileged identities
The single most consistent finding: human and machine identities carrying permissions nobody remembers granting. One compromised access key with AdministratorAccess is a full-environment breach. Fix: least-privilege redesign, credential rotation, and ruthless deletion of unused roles and keys.
2. Public storage that "was temporary"
Buckets and blobs opened for a launch, a vendor, a debug session — still public years later. Fix: account-level public-access blocks, plus automated detection for the exceptions that need to exist.
3. Missing or unmonitored logs
Half the incident responses we join are blind for the first day because CloudTrail/audit logging was partial, or logs existed but nobody watched them. Fix: centralize logs out of reach of the workloads they monitor, and alert on the events that matter — new admin grants, disabled logging, unusual API patterns.
4. Secrets in code and pipelines
API keys in repositories, credentials in CI variables shared across projects, tokens in container images. Fix: a secrets manager, short-lived credentials, and scanning in the pipeline so new leaks are caught pre-merge.
5. Flat networks and forgotten peering
Once inside, attackers move laterally because everything can reach everything. Fix: segment by trust, restrict east-west traffic, and inventory peering/VPN connections — including the ones to vendors that ended two years ago.
The meta-finding
None of this is sophisticated. It persists because cloud estates change daily and point-in-time reviews decay. The durable answer is guardrails — policies-as-code that prevent misconfigurations — plus continuous posture monitoring, so the fix from last quarter is still true today.
Working through this yourself?
We help companies handle exactly this. A 30-minute conversation costs nothing and usually saves weeks.
Talk to a consultant