The most expensive security incident your cloud environment will ever have may already be sitting there, fully configured.
Not because someone broke in. Because a door is open: a storage bucket set to public, an IAM role with permissions far beyond its job, a database with no encryption sitting behind a security group that accepts connections from anywhere on the internet. These cloud security misconfiguration risks exist right now across a large share of organisations running on AWS, Azure, and GCP, and most of those teams have no idea.
The numbers back this up. The IBM Cost of a Data Breach Report 2024 puts the average cost of a cloud misconfiguration-related breach at $4.5 million, higher than the average for a phishing breach, a stolen-credential breach, or a social engineering attack (IBM). Gartner has long predicted that through 2025, 99% of cloud security failures will be the customer’s fault rather than the provider’s, with misconfiguration as the leading cause (Gartner).
The shared responsibility model is well understood in principle. Its practical implication is understood far less. When something in your AWS environment is misconfigured, Amazon didn’t make that mistake. You did. Your engineers did. The automated deployment pipeline nobody reviewed did.
This guide covers the misconfigurations that cause the most breaches, why engineering teams keep making them, and a systematic way to find and fix them before a threat actor does it for you.
The Threat Landscape: What’s Getting Exploited
The Highest-Risk Misconfiguration Categories in 2025
Cloud misconfigurations aren’t random. Threat actors, both sophisticated groups and opportunistic automated scanners, go after specific, well-known patterns. Knowing which ones are being actively exploited helps you decide what to fix first.
Overly permissive IAM policies. IAM (Identity and Access Management) is the access-control system for your cloud: it defines who, or what, can do what across your resources. Misconfigured IAM sits behind the majority of serious cloud incidents. The common patterns are roles with wildcard permissions (“Action”: “*”, meaning the role can do anything), service accounts with admin rights used for routine automation, and cross-account trust relationships set up for one project and never reviewed after it ended. This is exactly where a zero-trust, least-privilege approach to access earns its keep.
An ecommerce company we worked with had an IAM role first created for a batch data-processing job (one of our security case studies walks through similar cleanup work). Over 18 months, engineers added permissions bit by bit as the job’s scope grew, until the role effectively had admin access to the entire AWS environment. A single compromised EC2 instance running that job would have handed an attacker the same access.
Publicly accessible storage. A storage bucket or container (AWS S3, Azure Blob, Google Cloud Storage) left open to public read or write has caused some of the largest breaches of the past decade. The pattern is remarkably consistent: a developer creates a bucket for a real purpose, sets it public for easy testing or sharing, and never changes it back. The contents range from harmless to catastrophic: database backups, customer PII, API keys in config files, financial records, healthcare data. Automated scanners search for open storage constantly and index the contents within hours of exposure.
Open security groups and network ACLs. Security groups are your cloud firewalls, defining which traffic can reach your resources. The failure mode is predictable: a developer troubleshooting a connection opens a port to 0.0.0.0/0 (any IP on the internet) as a quick fix, solves the problem, and never locks it back down. The result is database ports, admin interfaces, and internal APIs exposed straight to the internet. SSH (port 22) and RDP (port 3389) left open to any address are consistently among the most exploited entry points in the cloud.
Unencrypted data at rest. Cloud providers offer encryption for most storage services, but it often needs to be switched on rather than being on by default. Unencrypted databases and volumes are both a security risk (data is readable in plaintext if access controls are bypassed) and a compliance risk (GDPR, HIPAA, and PCI DSS all require encryption for sensitive data at rest).
Disabled logging and monitoring. CloudTrail, Azure Monitor, and GCP Cloud Logging record what happens in your environment. When they’re off or incomplete and a breach happens, there’s no audit trail to investigate. Plenty of teams discover their logging was incomplete only when they reach for it during an incident.
Who Gets Targeted, and How Attackers Find You
The uncomfortable truth is that most misconfiguration exploitation isn’t targeted at all. Threat actors run automated tools that scan the entire public internet for exposed cloud resources (open buckets, reachable databases, exposed admin interfaces) around the clock.
You don’t need to be singled out for a misconfiguration to be exploited. You just need one that a scanner can find.
The time from creating a misconfiguration to a scanner spotting it is measured in hours for the highly visible cases (a public bucket shows up in search indexes fast) and days for the quieter ones (an exposed database port may take longer to surface in threat-intelligence feeds). The gap between discovery and an exploitation attempt is shorter still.
Key Takeaways: The Threat Landscape
- Cloud misconfiguration drives an average breach cost of $4.5M, more than phishing or credential theft (IBM, 2024).
- Gartner: through 2025, 99% of cloud security failures are the customer’s fault, mainly misconfiguration.
- Five highest-risk categories: over-permissive IAM, public storage, open network ports, unencrypted data, disabled logging.
- Most exploitation is automated and opportunistic. You don’t need to be targeted to be breached.
- Scanners find exposed resources within hours of a misconfiguration going live.
Why Engineering Teams Keep Making These Mistakes
Understanding why misconfigurations keep happening is the prerequisite for building controls that prevent them.
The Speed vs. Security Trade-off
Cloud misconfiguration is largely a speed problem dressed up as a security problem. Developers under deadline pressure take the path of least resistance. Opening a port to 0.0.0.0/0 fixes the connectivity issue in 30 seconds. Setting up the correct IP allowlist takes 20 minutes and requires understanding the network topology. Under sprint pressure, the 30-second fix wins.
The same logic applies to IAM. Granting broad permissions clears access errors right away. Scoping the exact permissions a function needs means understanding its API calls and testing iteratively, which takes hours and feels like overhead when the feature has to ship.
None of this is a moral failure. It’s a rational response to incentives that reward delivery speed over security hygiene. The fix isn’t to ask engineers to care more. It’s to make the secure option as easy as the insecure one, and to catch misconfigurations before they reach production.
The Infrastructure-as-Code Review Gap
Modern cloud environments are built through Infrastructure-as-Code (IaC) tools like Terraform, CloudFormation, and Azure Bicep. That’s a good thing: configurations become version-controlled and auditable. But it also means a single change can provision hundreds of misconfigured resources at once.
Most teams review application code through pull requests with security linting and automated checks. Most teams don’t apply the same automated scanning to their IaC. A Terraform file that opens a security group to 0.0.0.0/0 or creates a public S3 bucket can pass review, because the reviewer is checking whether the infrastructure does what was intended, not whether it’s securely configured.
The “Someone Else Will Fix It” Assumption
In many organisations, cloud security posture falls into a gap between teams. Engineering owns the infrastructure. Security owns the policies. Operations owns the monitoring. In practice, everyone assumes someone else is reviewing configurations for security implications. A misconfiguration created by engineering for a legitimate purpose, never sent through security review, monitored by operations for uptime but not for posture, can persist for months or years, precisely because no one team owns catching it.
The Defence Framework: Finding and Fixing Misconfigurations
Layer 1: Prevention (Catch Them Before They Deploy)
The cheapest time to catch a misconfiguration is before it reaches your environment, not three months after it’s been running in production.
Add IaC security scanning to your CI/CD pipeline. Open-source tools like Checkov, tfsec, and KICS scan Terraform, CloudFormation, and other IaC files for security issues before deployment. Wired into your pull-request pipeline, they flag public buckets, open security groups, and missing encryption automatically, at the same point your code-quality checks run. For any team managing infrastructure as code, this is the single highest-leverage prevention control. It catches problems at the cheapest possible moment and tightens the feedback loop enough that developers learn from it.
Apply guardrails with cloud-native policy tools. AWS Service Control Policies, Azure Policy, and Google Cloud Organization Policies let you define rules that stop certain configurations from being created at all, whatever an individual engineer does. For example: no S3 bucket may have public access, all EBS volumes must be encrypted, no security group may open port 22 to 0.0.0.0/0. These operate at the infrastructure level and act as your safety net when IaC scanning is bypassed, when someone makes a manual console change, or when a new engineer hasn’t learned the rules yet.
Layer 2: Detection (Find What’s Already Broken)
Prevention catches new misconfigurations. Detection finds the ones that already exist, including those created before you had prevention in place, made through manual console changes, or sitting in accounts your IaC pipeline never covered.
Deploy a Cloud Security Posture Management (CSPM) tool. CSPM tools (Wiz, Orca Security, Prisma Cloud, plus cloud-native options like AWS Security Hub and Microsoft Defender for Cloud) continuously scan your environment against a library of best practices and compliance frameworks (CIS Benchmarks, NIST, SOC 2, PCI DSS). You get a prioritised list of misconfigurations across your whole estate, ranked by severity, with remediation guidance for each. For teams that have been in the cloud without systematic scanning, the first CSPM deployment is usually a discovery exercise. Most find more than they expected.
When evaluating CSPM tools, check whether they:
- Cover all your cloud providers (AWS, Azure, GCP, or a mix).
- Integrate with your alerting and ticketing so findings reach engineering workflows.
- Prioritise with real risk context, not just “this is misconfigured” but “this is exposed to the internet and there’s known exploitation for this pattern.”
- Map findings to compliance frameworks so you can assess posture against SOC 2, PCI DSS, or HIPAA at the same time.
Scan continuously, not quarterly. Cloud environments change with every deployment, update, and manual tweak. A quarterly scan finds what was wrong on scan day. Continuous scanning catches new misconfigurations as they appear and alerts the responsible team right away.
Layer 3: Response (When a Misconfiguration Is Found)
Prioritise by real exploitability, not theoretical severity. CSPM tools generate more findings than any team can fix at once. The prioritisation that produces the best outcomes is: highest exposure (reachable from the internet) plus highest data sensitivity (PII, credentials, financial data) plus active exploitation evidence (patterns being exploited in the wild right now) equals fix first. A public S3 bucket holding production database backups is a fix-now finding. A bucket with loose access controls in a dev account with no sensitive data matters, but it isn’t urgent.
Set a misconfiguration SLA. Define and enforce a maximum time-to-remediation by severity:
- Critical (public exposure of sensitive data or credentials): fix within 24 hours.
- High (significant exposure or compliance violation): fix within 7 days.
- Medium (best-practice violation, no immediate exploitability): fix within 30 days.
- Low (minor hardening): handle in the next infrastructure review.
Track SLA adherence and report on it in engineering reviews. Without an explicit SLA, findings pile up in a backlog nobody works. Once you’re breached, the attacker’s next move is often ransomware deployment, which is exactly why the response clock matters.
Key Takeaways: The Defence Framework
- IaC security scanning (Checkov, tfsec) in CI/CD catches misconfigurations before deployment. Highest-leverage prevention control.
- Cloud-native guardrails (AWS SCPs, Azure Policy) block specific misconfigurations at the infrastructure level, whatever an engineer does.
- CSPM tools (Wiz, Orca, AWS Security Hub) continuously scan for existing misconfigurations across the estate.
- Prioritise remediation by real exploitability: internet exposure plus data sensitivity plus active exploitation evidence.
- Enforce remediation SLAs. Without them, findings accumulate and never get fixed.
Where to Start This Week
With limited engineering capacity, here’s the sequence that cuts the most risk in the least time.
This week: find what’s exposed. Run your provider’s native assessment tool (AWS Trusted Advisor security checks, Azure Advisor security recommendations, or GCP Security Command Center) and look specifically for publicly accessible storage buckets, security groups with 0.0.0.0/0 rules on sensitive ports, and IAM roles with admin permissions attached to compute resources. Those three categories cover the majority of actively exploited misconfigurations.
This month: build prevention into the pipeline. Add Checkov or tfsec to your CI/CD for IaC scanning. It’s typically a half-day task and it shuts down the whole “misconfiguration shipped through the pipeline” class of problem. Then turn on account- or org-level public access blocks (AWS S3 Block Public Access, Azure storage access restrictions), which prevent public-storage mistakes across the whole organisation regardless of individual bucket settings.
This quarter: deploy CSPM and set governance. Evaluate and roll out a CSPM tool suited to your environment and scale. Define your misconfiguration SLAs. Add a recurring misconfiguration review to your weekly engineering process, and assign clear ownership for reviewing findings and driving remediation.
The Bottom Line
Cloud misconfiguration isn’t a sophisticated attack. It needs no advanced threat actor, no zero-day, no social engineering. It needs only an open door, and automated tools are scanning for those doors continuously, at scale, without pause.
The teams that manage this risk well aren’t the ones with the biggest security budgets or the fanciest tools. They’re the ones that made secure configuration the path of least resistance, built automated scanning into the deployment workflow, and set up monitoring that surfaces new misconfigurations as they appear instead of during incident response.
These are solvable problems, and the week-by-week sequence above is a realistic place to start. Fix what’s exposed now. Build prevention into what deploys next. If you’d like a second set of eyes, our security and compliance team can run the first sweep with you.
Not sure what’s currently exposed in your cloud? Book a free cloud exposure review and we’ll show you your highest-risk misconfigurations first.
Frequently Asked Questions
It’s any setting in a cloud environment (a permission, a network rule, an encryption setting, a logging configuration) that departs from security best practice in a way that creates exploitable risk. They’re common for a simple reason: cloud environments are built and changed by engineers under time pressure, provider interfaces make it easy to grant broad permissions quickly, and the consequences are usually invisible until something is exploited. Under the shared responsibility model, the provider secures the underlying infrastructure, but securing what you build on top of it is entirely on you.
It’s any setting in a cloud environment (a permission, a network rule, an encryption setting, a logging configuration) that departs from security best practice in a way that creates exploitable risk. They’re common for a simple reason: cloud environments are built and changed by engineers under time pressure, provider interfaces make it easy to grant broad permissions quickly, and the consequences are usually invisible until something is exploited. Under the shared responsibility model, the provider secures the underlying infrastructure, but securing what you build on top of it is entirely on you.
A Cloud Security Posture Management tool continuously scans your environment for misconfigurations, compares your setup against frameworks like CIS Benchmarks, NIST, and PCI DSS, and gives you a prioritised list of findings with remediation guidance. Whether you need one depends on scale. Teams running a few resources in a single account can get by with cloud-native tools (AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center). Teams running multiple accounts, multiple providers, or complex architectures benefit from a dedicated tool like Wiz or Orca that gives unified visibility and sharper risk prioritisation.
The most effective approach combines three controls: IaC security scanning in CI/CD (Checkov or tfsec flagging issues in Terraform or CloudFormation before deployment), cloud-native guardrails that block specific configurations at the infrastructure level (AWS Service Control Policies, Azure Policy), and developer security training with concrete examples of the patterns to avoid. Of these, pipeline scanning and guardrails are more reliable than training alone, because they work regardless of individual knowledge or attention. The goal is to make the secure configuration the easiest path, not just the required one.
It defines how security responsibility is split between provider and customer. Providers (AWS, Azure, GCP) secure the underlying infrastructure: physical hardware, network fabric, hypervisors, and the platform itself. Customers secure everything they build on top: service configurations, access controls, data encryption, network rules, and application security. Misconfigurations fall entirely in the customer’s zone. When an S3 bucket is set to allow public access, that’s a customer error, not an AWS failure. The provider’s infrastructure is secure; the customer’s configuration of it is not.
