Top 15 Cloud Misconfigurations That Lead to Data Breaches
Cloud misconfigurations are the leading cause of cloud data breaches — ahead of vulnerabilities, stolen credentials, and insider threats. Research shows that 80% of organizations have experienced at least one cloud security incident caused by misconfiguration. Here are the fifteen most dangerous misconfigurations and how to detect them.
Why Cloud Misconfigurations Are So Dangerous
Cloud infrastructure is defined by configuration — IAM policies, security group rules, encryption settings, logging settings, and network architecture. A single misconfigured setting can expose an entire database to the internet. Unlike software vulnerabilities that require exploitation, many misconfigurations create immediate, unauthenticated access to sensitive data.
The 15 Most Dangerous Cloud Misconfigurations
Publicly Accessible Storage Buckets
S3 buckets, GCS buckets, or Azure Blob containers with public read or write access. The most common source of large-scale data exposures.
Open Security Groups / Firewall Rules
Inbound rules allowing 0.0.0.0/0 on SSH (22), RDP (3389), database ports (3306 MySQL, 5432 PostgreSQL, 27017 MongoDB), or all ports.
Missing MFA on Root / Admin Accounts
Root or admin accounts without multi-factor authentication. A compromised password gives full account access.
Unencrypted Data at Rest
EBS volumes, RDS instances, S3 buckets, and database storage without encryption enabled. Violates PCI DSS, HIPAA, and SOC 2.
Overprivileged IAM Roles and Policies
IAM policies with Action: * or Resource: * wildcards. A compromised service with admin rights can access everything.
Publicly Accessible Databases
RDS, Cloud SQL, or Cosmos DB instances with public endpoints and no network restrictions.
Disabled Audit Logging
CloudTrail, Cloud Audit Logs, or Azure Activity Log disabled. Breaches go undetected without audit trails.
Default VPC and Subnets
Resources deployed in default VPCs with permissive routing and no network segmentation.
No Network Segmentation
Flat network architecture where all resources can communicate with each other. Enables lateral movement.
Exposed Management Ports
SSH, RDP, and management console ports open to the internet instead of behind VPN or bastion hosts.
Missing Encryption in Transit
Services communicating over HTTP instead of HTTPS, or missing TLS for database connections.
No Key Rotation
KMS keys, access keys, and service account keys without automatic rotation policies.
Stale Credentials and Unused Accounts
Access keys unused for 90+ days, service accounts for decommissioned services, or ex-employee accounts.
Missing Resource Tags
Resources without ownership, environment, or compliance tags — making it impossible to audit or attribute costs.
Disabled Security Monitoring
GuardDuty, Security Command Center, or Azure Defender disabled. No automated threat detection.
How to Detect and Prevent Misconfigurations
CSPM Scanning
Cloud Security Posture Management tools continuously scan your cloud accounts against CIS Benchmarks, detecting misconfigurations automatically and alerting on drift.
Policy as Code
Define security policies in code (OPA/Rego, Sentinel) and enforce them in CI/CD. Prevent misconfigurations from being deployed in the first place.
Drift Detection
Monitor for configuration changes that deviate from the defined IaC state. Detect manual console changes that bypass code review.
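The CSPM-style and policy-as-code checks described above can be written as plain code. The following is an added example, not code from the original article or from TigerGate: it flags two of the misconfigurations from the list, wildcard IAM policies (Action: * or Resource: *) and security groups open to the internet on management or database ports. The input shapes follow the AWS IAM policy document and EC2 DescribeSecurityGroups IpPermissions formats; the sample policy and security group are constructed for the example.

```python
import ipaddress

# Ports the article calls out: management ports and common database ports.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 27017: "MongoDB"}

def _as_list(v):          # IAM allows a string or a list in Action/Resource
    return v if isinstance(v, list) else [v]

def iam_wildcard_findings(policy):
    """(Sid, field) for every Allow statement whose Action or Resource is '*'."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "*" in _as_list(st.get("Action", [])):
            findings.append((sid, "Action"))
        if "*" in _as_list(st.get("Resource", [])):
            findings.append((sid, "Resource"))
    return findings

def open_sg_findings(sg):
    """(port, label) for ingress rules open to 0.0.0.0/0 or ::/0 on a sensitive port."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        if not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            continue                        # only internet-wide ranges count
        if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
            findings.append((None, "ALL"))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        findings += [(p, n) for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
    return findings

# Constructed sample data (not from a real account): an admin-style policy and
# a security group with SSH open to the world and PostgreSQL open over IPv6.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app:*"}]}
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,     # HTTPS: not flagged
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```

Running the two functions over the samples returns the AdminAll statement for both Action and Resource, and ports 22 and 5432 for the security group; the same checks can be run in CI against a Terraform plan or against live API output to catch drift.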
Detect Cloud Misconfigurations with TigerGate
TigerGate scans AWS, GCP, Azure, Oracle Cloud, and Kubernetes against 900+ security checks and 38+ compliance frameworks. Find and fix misconfigurations before they become breaches.