In every cloud security assessment we perform, we find misconfigurations. Not sometimes: every time. The cloud providers have built secure platforms, but under the shared responsibility model, configuration is the customer's job. And configuration at scale, across hundreds of services and thousands of resources, is where things go wrong.
Here are the ten misconfigurations we find most frequently across AWS, Azure, and GCP environments.
1. Over-Permissioned IAM Roles
The most common and most dangerous. We consistently find service accounts and IAM roles with administrator-level permissions that only need read access to a specific bucket. The blast radius of a compromised over-permissioned role is the entire cloud environment.
2. Publicly Accessible Storage Buckets
S3 buckets, Azure Blob containers, and GCP Cloud Storage buckets exposed to the internet. Often containing backups, logs, or application data that was never intended to be public.
3. Missing Encryption at Rest
Data stored without encryption, or with encryption keys managed insecurely. We test both the encryption configuration and the key management practices.
4. Overly Permissive Security Groups / Firewall Rules
Network security groups allowing inbound traffic from 0.0.0.0/0 on management ports (SSH, RDP, database ports). We map every inbound rule and test for unnecessary exposure.
5. Missing or Insufficient Logging
CloudTrail, Azure Activity Log, or Cloud Audit Logs disabled or not forwarded to a central monitoring system. Without logs, you can't detect or investigate a breach.
6. Unrotated Access Keys and Secrets
Long-lived access keys that haven't been rotated in months or years. We check rotation policies and test for keys embedded in code repositories.
7. Container and Kubernetes Misconfigurations
Privileged containers, exposed Kubernetes dashboards, overly permissive pod security policies, and secrets stored as environment variables instead of secret managers.
8. Missing Network Segmentation
Flat network architectures where a compromised workload can reach every other workload. We map lateral movement paths and test segmentation controls.
9. Default Credentials on Managed Services
Database instances, caching layers, and message queues deployed with default credentials. Automated scanners check for this, but we also test for weak credentials and credential reuse across services.
10. Insufficient Backup and Recovery Testing
Not a vulnerability in the traditional sense, but we assess whether backup configurations would survive a ransomware attack: are backups immutable? Are they in a separate account? Have recovery procedures been tested?
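The inbound-rule mapping described under item 4 can be automated. The following is an added example, not code from the original post or from our assessment tooling: it walks security group data in the shape of `aws ec2 describe-security-groups` output (the sample groups are constructed inline) and flags any rule that exposes a management or database port to the whole IPv4 or IPv6 internet. The set of ports treated as "management" is an assumption for this example; extend it to match your environment.

```python
import ipaddress
from typing import Dict, List

# Ports treated as management/database ports (assumption for this example).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                    1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}

def _is_world_open(cidr: str) -> bool:
    """True when the CIDR is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _port_range_hits(rule: dict) -> List[int]:
    """Management ports covered by a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return sorted(MANAGEMENT_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(MANAGEMENT_PORTS) if lo <= p <= hi]

def find_exposed_management_ports(security_groups: List[dict]) -> List[Dict]:
    """One finding per (group, port) reachable from an unrestricted source."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            open_sources = [s for s in sources if _is_world_open(s)]
            if not open_sources:
                continue
            for port in _port_range_hits(rule):
                findings.append({"group": sg["GroupId"], "port": port,
                                 "service": MANAGEMENT_PORTS[port], "source": open_sources})
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # "all traffic" rule open to every IPv6 address: the one people miss
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_exposed_management_ports(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {', '.join(f['source'])}")
```

Against the sample, the bastion's SSH rule and every management port behind the database group's IPv6 "all traffic" rule are reported, while the public HTTPS rule is not.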
Our Approach
We combine automated configuration scanning against CIS benchmarks with manual attack-path tracing. The automation finds the misconfigurations; the manual testing shows how an attacker would chain them to achieve a meaningful compromise. The combination is what gives enterprises a real understanding of their cloud risk.