The vast majority of cloud security incidents are not the result of sophisticated hacking attacks. They stem from misconfigurations. According to the CSA Top Threats Report 2024, “Misconfiguration & Inadequate Change Control” is the greatest threat to cloud environments – ahead of identity management weaknesses and insecure APIs. In March 2024, the NSA published its “Top 10 Cloud Security Mitigation Strategies”, confirming that attackers systematically exploit configuration errors that could be avoided with basic diligence.
The problem is structural. Cloud platforms offer hundreds of configuration options. Anyone who does not actively secure them is effectively running open infrastructure. Here are the ten most common misconfigurations we regularly encounter in assessments.
1. Publicly Accessible Storage Buckets
S3 buckets on AWS, Azure Blob Storage, Google Cloud Storage – all offer public access options that are too easily enabled by default. A single misconfigured ACL or a missing Block Public Access policy is enough to expose confidential data to the internet. AWS has enabled “Block Public Access” as the default since 2023, but existing buckets and manually overridden policies remain a persistent problem.
2. Excessive IAM Permissions
The principle of least privilege is systematically violated in cloud environments. Typical findings are service accounts with admin rights, wildcard policies such as *:* in AWS IAM, and shared credentials between development and production. Every excessive permission is a potential attack vector. The NSA explicitly recommends the regular review and restriction of IAM policies.
3. Missing Multi-Factor Authentication
Cloud consoles without MFA are an open invitation. A single compromised password – through phishing, credential stuffing, or a breach at another service – grants direct access to the entire infrastructure. According to the IBM Cost of a Data Breach Report 2024, breaches involving stolen credentials cost an average of USD 4.81 million. MFA for all privileged accounts is not optional – it is a fundamental requirement.
4. Unencrypted Data
Encryption at rest and in transit must be the standard – not the exception. Many cloud services offer encryption by default, but not all storage and database services enable it automatically. Particularly critical: databases containing sensitive personal data without encryption, backups on unencrypted volumes, and internal communication without TLS.
5. Missing Logging and Monitoring
Without CloudTrail, Azure Monitor, or GCP Cloud Audit Logs, there is no visibility. In the event of an incident, it is impossible to determine what happened or when an attacker gained access. IBM puts the average breach lifecycle at 258 days – those who do not log will notice even later. Logging must be enabled, centrally collected, and actively analysed.
6. Overly Permissive Security Groups
Security groups and firewall rules with inbound rules such as 0.0.0.0/0 on port 22 (SSH) or 3389 (RDP) are alarmingly common. Default security groups often allow more traffic than necessary. Every rule must be specifically restricted to the actually required source IPs and ports.
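An added example, not from the original article: a Python check that walks security-group rules in the shape returned by EC2 DescribeSecurityGroups and reports every rule that exposes SSH (22) or RDP (3389), or all traffic, to 0.0.0.0/0 or ::/0. The group descriptions below are constructed samples; the IPv4 range 203.0.113.0/24 is a documentation prefix standing in for a real office network.

```python
import ipaddress

# Constructed security-group descriptions in the shape of the EC2
# DescribeSecurityGroups "IpPermissions" field; not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-windows", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_admin_ports(groups):
    """Return (group_id, cidr, exposure) for rules open to the whole internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_world_open(c)]
            if not world:
                continue
            if rule.get("IpProtocol") == "-1":
                # Protocol -1 means all traffic; FromPort/ToPort are absent.
                exposed = "all traffic"
            else:
                # A wide range (e.g. 3000-4000) still counts if it covers 3389.
                low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                hits = [name for port, name in ADMIN_PORTS.items() if low <= port <= high]
                if not hits:
                    continue
                exposed = ", ".join(hits)
            for cidr in world:
                findings.append((group["GroupId"], cidr, exposed))
    return findings
```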
7. Outdated or Unused Resources
Forgotten VMs running outdated operating systems, unused database instances, test environments that have been running for months – every unmaintained resource is an attack surface. Cloud environments grow organically. Without regular inventory and lifecycle management, technical debt accumulates that attackers will find before you do.
8. Missing Network Segmentation
A flat network architecture in the cloud means that if an attacker compromises one component, they have access to everything. VPCs, subnets, private endpoints, and network policies exist for precisely this purpose – yet they are often not consistently implemented. The NSA/CISA recommendation is clear: network segmentation is among the most important protective measures.
9. No Backup Strategy for Cloud Data
“The cloud is redundant” is not a backup strategy. Ransomware encrypts cloud data just as readily as local data. Accidental deletion by a user with excessive permissions (see point 2) also removes redundant copies. Immutable backups, separate backup accounts, and regular restore tests are mandatory – especially under the shared responsibility model, where data protection clearly falls on the customer.
10. API Keys in Code or Public Repositories
Hardcoded API keys, access tokens, and credentials in source code that ends up on GitHub or GitLab – this problem is so widespread that GitHub has enabled automatic secret scanning for all public repositories since 2023. Yet thousands of secrets are still leaked daily. The solution: secrets managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault), environment variables, and automated pre-commit hooks that detect credentials in code.
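As an added example, not part of the original article, here is the core of the kind of pre-commit check the paragraph calls for: a Python scanner that flags AWS access key IDs by their fixed format, private-key headers, and assignments of long high-entropy literals to credential-like names, while leaving low-entropy placeholders alone. The two file snippets are constructed; the key ID is the well-known documentation placeholder, not a live credential.

```python
import math
import re

# Constructed file contents: a "before" with hardcoded credentials and an
# "after" that reads them from the environment. The key ID is the AWS
# documentation placeholder, not a real credential.
BEFORE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "q9Zr3vK8tLw2nX5cP0bYmH7dF1gJ4sUa"
client = boto3.client("s3")
"""
AFTER = """\
import os
import boto3
api_token = os.environ["API_TOKEN"]
client = boto3.client("s3")
"""

# Rules: a fixed-format key ID, a PEM private-key header, and an assignment
# of a long quoted literal to a credential-like name (confirmed by entropy).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CRED_ASSIGN = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")


def shannon_entropy(s):
    """Bits per character; a random 32-character token scores around 5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_secrets(text, entropy_threshold=3.5):
    """Return (line_no, rule) for lines that look like hardcoded credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((line_no, "aws-access-key-id"))
        elif PRIVATE_KEY.search(line):
            findings.append((line_no, "private-key"))
        else:
            m = CRED_ASSIGN.search(line)
            # Low-entropy literals such as "changeme" are not reported.
            if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((line_no, "high-entropy-credential"))
    return findings
```

Wired into a pre-commit hook, the scanner runs over each staged file and a non-empty result blocks the commit.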
Understanding the Shared Responsibility Model
The central misconception: “We are in the cloud, so the provider is responsible for security.” Wrong. AWS, Azure, and Google secure the infrastructure of the cloud – data centres, hypervisors, physical security. Everything you configure, operate, and store in the cloud is your responsibility. Each of the ten misconfigurations listed above falls within the customer’s area of responsibility.
Systematic Rather Than Reactive
Fixing individual misconfigurations is not enough. Cloud security requires a systematic approach: Infrastructure as Code with security reviews, automated compliance checks (AWS Config, Azure Policy, GCP Organization Policies), regular audits, and a team that understands the configuration – not just the functionality.
How Zerberos Supports You
We examine cloud environments for precisely these vulnerabilities. As part of our Penetration Testing, we simulate real-world attack scenarios against your cloud infrastructure. With our Vulnerability Scan, we systematically identify misconfigurations. And through our Consulting services, we help you build a secure cloud architecture that withstands audits. Contact us for a no-obligation assessment of your cloud security.
Sources
- NSA: Top 10 Cloud Security Mitigation Strategies (March 2024) – media.defense.gov
- CISA/NSA: Top Ten Cybersecurity Misconfigurations (October 2023) – cisa.gov
- Cloud Security Alliance: Top Threats to Cloud Computing 2024 – cloudsecurityalliance.org
- IBM: Cost of a Data Breach Report 2024 – ibm.com
- OWASP: Cloud Security – owasp.org