
5 Cloud Security Mistakes That Are Putting Your Data at Risk

January 22, 2024 · Blackhount · 7 min read

During a recent cloud security assessment for an Idaho-based e-commerce company, we found an S3 bucket containing 14,000 customer order records - names, addresses, and partial card data - set to public read. It had been misconfigured for eight months.

The provider's half of the shared responsibility model is generally solid. The customer's half - the configuration made by humans under deadline pressure - frequently is not. Here are the five mistakes we encounter most often, and how to fix them.

Mistake 1: Publicly Exposed Storage Buckets (OWASP A01 - Broken Access Control)

The most common finding by far. The e-commerce bucket was created during a rushed sprint and never locked down before going to production. An automated attacker would have found it within hours using public bucket enumeration tools.

# Check whether a bucket-level Public Access Block is in place.
# An error of NoSuchPublicAccessBlockConfiguration means none is configured,
# which is itself a finding: nothing stops a public ACL or policy.
aws s3api get-public-access-block --bucket your-bucket-name

# Fix: block all public access at the bucket level
aws s3api put-public-access-block \
  --bucket your-bucket-name \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
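The Public Access Block is a kill switch, but a bucket can still be public through two separate mechanisms underneath it: a bucket policy with a wildcard principal, or an ACL grant to the AllUsers/AuthenticatedUsers groups. The script below, an added example that is not code from the original post, decides whether a bucket is *effectively* public by combining the three API responses (`get-public-access-block`, `get-bucket-policy`, `get-bucket-acl`). The sample policy, ACL and block configuration at the bottom are constructed for illustration; bucket names and the VPC endpoint ID in the conditional example are made up.

```python
"""Decide whether an S3 bucket is effectively public.

Added example (not code from the original post). Inputs are the JSON shapes
returned by `aws s3api get-public-access-block`, `get-bucket-policy` (whose
"Policy" field is a JSON string; json.loads it first) and `get-bucket-acl`.
The sample inputs at the bottom are constructed for illustration.
"""
import json

PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _wildcard_principal(principal):
    # Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_grants_public(policy_doc):
    """True if an unconditional Allow statement names a wildcard principal."""
    for st in _as_list((policy_doc or {}).get("Statement")):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if "Condition" in st:
            # e.g. aws:SourceVpce or aws:SourceIp narrows the grant; review it by
            # hand rather than counting it as open to the whole internet.
            continue
        return True
    return False


def acl_grants_public(acl):
    """True if the bucket ACL grants anything to AllUsers or AuthenticatedUsers."""
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            return True
    return False


def effective_exposure(pab, policy_doc, acl):
    """Return the ways the bucket is reachable anonymously, after applying the
    bucket-level Public Access Block. Pass pab=None when the API answered
    NoSuchPublicAccessBlockConfiguration, i.e. nothing is blocked."""
    pab = pab or {}
    findings = []
    # RestrictPublicBuckets neutralises a public bucket policy for anonymous
    # callers; IgnorePublicAcls makes existing public ACL grants inert.
    if policy_grants_public(policy_doc) and not pab.get("RestrictPublicBuckets"):
        findings.append("public bucket policy")
    if acl_grants_public(acl) and not pab.get("IgnorePublicAcls"):
        findings.append("public ACL grant")
    return findings


# Constructed samples: a read-everything policy and an AllUsers ACL grant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::orders-export/*"}]
}""")
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]},
                          "Permission": "READ"}]}
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(effective_exposure(None, SAMPLE_POLICY, SAMPLE_ACL))  # ['public bucket policy', 'public ACL grant']
    print(effective_exposure(LOCKED_DOWN, SAMPLE_POLICY, SAMPLE_ACL))  # []
```

Two caveats when running this for real: the account-level block (`aws s3control get-public-access-block --account-id ...`) applies on top of the bucket-level one, so check both; and a statement with a Condition is deliberately skipped here rather than classified, because whether `aws:SourceIp` or `aws:SourceVpce` actually narrows it needs a human reading.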

Mistake 2: Overprivileged IAM Roles

Lambda functions and EC2 instances with AdministratorAccess attached - because it was "easier" during development. If that function is compromised, the attacker inherits everything the role can do, which with AdministratorAccess is the entire AWS account. A role should carry only the actions and resource ARNs the workload actually uses.

# Find IAM roles with the managed AdministratorAccess policy attached
for role in $(aws iam list-roles --query "Roles[].RoleName" --output text); do
  if aws iam list-attached-role-policies --role-name "$role" \
       --query "AttachedPolicies[?PolicyName=='AdministratorAccess'].PolicyName" \
       --output text | grep -q AdministratorAccess; then
    echo "$role"
  fi
done
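Searching for the policy *name* only catches the managed AdministratorAccess policy. An inline policy or a customer-managed policy with `"Action": "*", "Resource": "*"` is exactly as powerful, and a role that can call `iam:AttachRolePolicy` or `iam:PutRolePolicy` on `*` can make itself an administrator in one API call. The script below, an added example rather than the post's own code, classifies policy documents by what they grant instead of by name. Feed it the `Document` from `aws iam get-policy-version` or `aws iam get-role-policy`; the sample documents are constructed, and the escalation-action list is illustrative, not exhaustive.

```python
"""Flag IAM policy documents that are admin-equivalent, or that can be
escalated to admin, regardless of the policy's name.

Added example (not the post's code). The sample documents are constructed.
"""
import fnmatch

# Actions that let the holder grant itself more rights. Well-known escalation
# primitives; the list is illustrative, not exhaustive.
ESCALATION_ACTIONS = (
    "iam:*", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey",
)


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _covers(pattern, action):
    # IAM action matching is case-insensitive and '*' is the only wildcard
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def classify_statement(st):
    """Return a reason string if the statement is dangerous account-wide, else None."""
    if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
        return None  # Deny, or scoped to named resources: out of scope here
    if "NotAction" in st:
        return "allows everything except NotAction on all resources"
    actions = _as_list(st.get("Action"))
    if any(a in ("*", "*:*") for a in actions):
        return "full admin (Action * on Resource *)"
    escalations = sorted({e for e in ESCALATION_ACTIONS
                          for a in actions if _covers(a, e)})
    if escalations:
        return "can self-escalate via " + ", ".join(escalations)
    return None


def audit_policy(policy_doc):
    """Return [(Sid or index, reason)] for every dangerous statement."""
    findings = []
    for i, st in enumerate(_as_list(policy_doc.get("Statement"))):
        reason = classify_statement(st)
        if reason:
            findings.append((st.get("Sid", f"statement[{i}]"), reason))
    return findings


# Constructed samples
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SNEAKY_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Sid": "Deploy", "Effect": "Allow",
                                "Action": ["iam:Attach*", "s3:ListBucket"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Sid": "ReadOrders", "Effect": "Allow",
                                "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::orders/*"}]}

if __name__ == "__main__":
    for doc in (WILDCARD_POLICY, SNEAKY_POLICY, SCOPED_POLICY):
        print(audit_policy(doc))
```

Statements scoped to a specific resource ARN are deliberately left alone here; `iam:PutRolePolicy` on the role's own ARN is still an escalation path, but that needs the role's ARN as context and is better handled by IAM Access Analyzer than by a grep.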

Mistake 3: Secrets in Code or Environment Variables

API keys and database passwords committed to GitHub are found and used within minutes by automated scanners once the repository is public, and a private repo only delays the exposure until a fork, a cloned laptop, or a visibility change. Once a secret is in git history, rotate it; deleting the file does not remove it.

# Don't do this  -  plaintext in environment variables or .env files committed to git
DB_PASSWORD=SuperSecretPassword123

# Do this  -  fetch from AWS Secrets Manager at runtime. The execution role needs
# only secretsmanager:GetSecretValue on this one secret's ARN, not a wildcard
# (see Mistake 2), and the call belongs at cold start, not in every request.
import json
import boto3

secret = json.loads(
    boto3.client('secretsmanager')
    .get_secret_value(SecretId='prod/db/password')['SecretString']
)
db_password = secret['password']
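The scanners that find leaked credentials are not sophisticated; they match a handful of patterns against every line of every commit. Running the same kind of check in CI or a pre-commit hook catches the leak before it leaves the laptop. Below is a small scanner of that kind, an added example that is not the post's code. The patterns are an illustrative set: the `AKIA`/`ASIA` access key ID format is the one AWS documents, the others are generic "credential-looking assignment" heuristics. The embedded SAMPLE text is constructed and uses AWS's own documented example credentials, which are not live.

```python
"""Scan text for committed credentials the way automated scanners do.

Added example (not the post's code). PATTERNS is an illustrative set; SAMPLE
is constructed and uses AWS's documented example credentials (not live).
"""
import re
import sys

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    # keyword, optional quote, then a value with no spaces/quotes/parens that
    # runs to end of line (so `secret = json.loads(...)` is not reported)
    "generic_credential": re.compile(
        r"(?i)(password|passwd|pwd|secret|token)\s*[=:]\s*[\"']?([^\s\"'()]{8,})[\"';,]*\s*$"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are obviously placeholders rather than real secrets
PLACEHOLDERS = {"changeme", "example", "placeholder", "<password>", "xxxxxxxx"}


def scan_text(text, path="<stdin>"):
    """Return [(path, line_number, pattern_name)] for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # templated or placeholder value
            findings.append((path, lineno, name))
    return findings


def scan_files(paths):
    """Scan each file on disk; unreadable bytes are replaced rather than fatal."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), p))
    return findings


SAMPLE = """# constructed .env and code fragments
DB_PASSWORD=SuperSecretPassword123
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_TOKEN=${API_TOKEN}
secret = json.loads(client.get_secret_value(SecretId='prod/db/password')['SecretString'])
PASSWORD=changeme
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for hit in hits:
        print("%s:%d: %s" % hit)
```

Run it as `python scanner.py $(git ls-files)` in a hook, or with no arguments to see it flag lines 2, 3 and 4 of the sample while leaving the templated value, the placeholder and the Secrets Manager call alone. Real scanners add entropy scoring and provider-specific validators on top of this; the structure is the same.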

Mistake 4: No CloudTrail / Audit Logging

Multiple clients have asked us to reconstruct an incident timeline - and CloudTrail was either disabled or never enabled. You cannot investigate what you did not record. Enable a multi-region trail with log file validation turned on, ship the logs to a dedicated S3 bucket that the workload accounts cannot write to or delete from, and put a lifecycle rule on that bucket that keeps them for 90 days at minimum. The 90-day Event history in the console is not a substitute: it covers management events only and cannot be extended.
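The checklist above is mechanical enough to script. The following is an added example, not the post's code, that audits the output of `aws cloudtrail describe-trails` (the `trailList`), `aws cloudtrail get-trail-status` for each trail, and `aws s3api get-bucket-lifecycle-configuration` for the log bucket, and reports which items fail. The trail names, bucket names and lifecycle rule below are constructed.

```python
"""Audit CloudTrail configuration against the checklist above.

Added example (not the post's code). Inputs mirror `aws cloudtrail
describe-trails` ("trailList"), `aws cloudtrail get-trail-status` per trail,
and `aws s3api get-bucket-lifecycle-configuration` for the log bucket; the
samples at the bottom are constructed.
"""

MIN_RETENTION_DAYS = 90


def audit_trails(trails, statuses):
    """trails: list of trail dicts; statuses: {trail name: get-trail-status dict}.
    Returns a list of finding strings (empty means the checklist passes)."""
    findings = []
    if not trails:
        return ["no CloudTrail trail configured"]
    active_multi_region = False
    for t in trails:
        name = t["Name"]
        status = statuses.get(name, {})
        if not status.get("IsLogging"):
            findings.append(f"{name}: logging is stopped")
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"{name}: single-region trail")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation disabled")
        if not t.get("S3BucketName"):
            findings.append(f"{name}: no S3 bucket, events are not retained")
        if status.get("LatestDeliveryError"):
            findings.append(f"{name}: last S3 delivery failed: {status['LatestDeliveryError']}")
        if t.get("IsMultiRegionTrail") and status.get("IsLogging"):
            active_multi_region = True
    if not active_multi_region:
        findings.append("no active multi-region trail")
    return findings


def retention_days(lifecycle):
    """Soonest expiration in days among enabled lifecycle rules, or None if
    objects are never expired (pass None when the bucket has no lifecycle
    configuration at all, i.e. NoSuchLifecycleConfiguration)."""
    days = [r["Expiration"]["Days"]
            for r in (lifecycle or {}).get("Rules", [])
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def audit_retention(lifecycle, minimum=MIN_RETENTION_DAYS):
    """No expiration at all satisfies a minimum; only a short expiration fails."""
    d = retention_days(lifecycle)
    if d is not None and d < minimum:
        return [f"log bucket expires objects after {d} days (< {minimum})"]
    return []


# Constructed samples
GOOD_TRAIL = [{"Name": "org-trail", "S3BucketName": "ct-logs-central",
               "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]
GOOD_STATUS = {"org-trail": {"IsLogging": True}}
BAD_TRAIL = [{"Name": "dev", "S3BucketName": "dev-logs",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}]
BAD_STATUS = {"dev": {"IsLogging": False}}
SHORT_LIFECYCLE = {"Rules": [{"ID": "expire", "Status": "Enabled", "Expiration": {"Days": 30}}]}

if __name__ == "__main__":
    print(audit_trails(GOOD_TRAIL, GOOD_STATUS), audit_retention(None))
    print(audit_trails(BAD_TRAIL, BAD_STATUS), audit_retention(SHORT_LIFECYCLE))
```

`get-trail-status` is the part people forget: a trail can exist, look fine in `describe-trails`, and have had logging stopped months ago, or be failing delivery because someone tightened the bucket policy. Both show up only in the status call.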

Mistake 5: Security Groups Open to 0.0.0.0/0 on SSH/RDP

SSH and RDP listeners reachable from the whole internet are scanned and brute-forced continuously from the moment the instance gets a public IP. Administrative access belongs behind a VPN or a bastion, never on a rule that says "anywhere".

# Find security groups with SSH or RDP open to the entire internet.
# Caveat: this filter only matches rules whose from-port is exactly 22 or 3389
# and only IPv4. An "all traffic" rule, a 0-65535 range, or an IPv6 ::/0 rule
# is just as exposed and will not show up here.
aws ec2 describe-security-groups \
  --filters "Name=ip-permission.from-port,Values=22,3389" \
  --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]].[GroupId,GroupName]"
# Fix: restrict to specific IPs or use a VPN/bastion  -  never expose directly
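The CLI filter above is a quick first pass, but it reasons about the rule's `from-port` literally, so a rule for all traffic (`IpProtocol` `-1`), a TCP range that happens to span port 22, or an IPv6 `::/0` source all slip past it. The script below, an added example and not the post's code, evaluates the `SecurityGroups` list from `aws ec2 describe-security-groups` the way the packet filter does: by asking whether a given port falls inside each rule and whether any source CIDR means "anywhere", over IPv4 and IPv6. The four sample groups are constructed.

```python
"""Find security group rules that expose SSH or RDP to the whole internet,
including the cases a from-port filter misses: IPv6 ::/0, port ranges that
span 22 or 3389, and "all traffic" (IpProtocol -1) rules.

Added example (not the post's code). Input is the "SecurityGroups" list from
`aws ec2 describe-security-groups`; the sample groups are constructed.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True  # all protocols, all ports; FromPort/ToPort are absent
    if proto not in ("tcp", "6"):
        return False  # SSH and RDP are TCP; UDP/ICMP rules are irrelevant here
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _open_to_world(perm):
    """Source CIDRs in this rule that mean 'anywhere', IPv4 and IPv6 alike."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def exposed_admin_ports(security_groups):
    """Return [(GroupId, port, cidr)] for every rule that reaches SSH or RDP
    from an unrestricted source."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in _open_to_world(perm):
                for port in ADMIN_PORTS:
                    if _covers_port(perm, port):
                        findings.append((sg["GroupId"], port, cidr))
    return findings


# Constructed samples: only the first group is acceptable.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "bastion-ipv6-leak", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],   # restricted v4 ...
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},        # ... but wide-open v6
    {"GroupId": "sg-0c3", "GroupName": "dev-all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "full-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, port, cidr in exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {ADMIN_PORTS[port]} ({port}/tcp) open to {cidr}")
```

Of the four sample groups the CLI filter reports none: the web group is fine, and the other three are exactly the shapes it cannot see. Whether a flagged group actually matters still depends on what it is attached to, so pair this with `describe-network-interfaces --filters Name=group-id,...` to find the instances behind it.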

Have questions about your security posture?

Blackhount offers free security assessments for Idaho businesses. No commitment, no jargon - just honest answers about what we find.

Get a Free Assessment