27 February 2026

Cloud Misconfigurations: The 10 Most Dangerous Security Gaps in AWS and Azure


According to the Cloud Security Alliance, misconfigurations have ranked as the number one cloud threat for the second year in a row. IBM reports they cause 15 percent of all data breaches. Palo Alto Unit 42 documents that 76 percent of organizations do not enforce MFA for console users. Meanwhile, 63 percent of publicly accessible storage buckets contain sensitive data. This practical guide outlines the ten most dangerous misconfigurations in AWS and Azure – and how IT security teams can detect and fix them.

TL;DR

  • 🔒 Cloud misconfigurations account for 15 percent of all data breaches, with average costs of $4.88 million (IBM 2024).
  • ⚠️ 76 percent of organizations do not enforce MFA for console users (Palo Alto Unit 42).
  • 🛡️ Cloud intrusions rose by 26 percent in 2024. Valid account abuse is the top initial access vector (CrowdStrike 2025).
  • 📊 61 percent of root accounts lack MFA. 81 percent have neglected public-facing assets (Orca Security 2024).
  • 🔧 CIS benchmarks and CSPM tools make systematic configuration checks automatable.

Why Misconfigurations Rank as the #1 Threat

The Cloud Security Alliance (CSA) has ranked misconfiguration and inadequate change control as the greatest threat to cloud environments since 2024 – for the second year running. IAM vulnerabilities follow in second place. Gartner predicts that by 2025, 99 percent of all cloud security failures will be the customer’s fault, not the cloud provider’s.

IBM underscores the scale in its Cost of a Data Breach Report 2024: Cloud misconfiguration is responsible for 15 percent of all data breaches, on par with phishing. The global average cost per breach hit an all-time high of $4.88 million in 2024. The data is based on 604 organizations across 17 industries and 16 countries.

CrowdStrike’s Global Threat Report 2025 documents a 26 percent increase in cloud intrusions. The most common entry vector? Valid account abuse, accounting for 35 percent of all cloud incidents in the first half of 2024. Attackers don’t rely on zero days. They exploit what IT teams have left exposed.

15 % of all breaches caused by misconfigurations
$4.88 million cost per breach (IBM 2024)
+26 % cloud intrusions (CrowdStrike)

Sources: IBM Cost of a Data Breach 2024, CrowdStrike Global Threat Report 2025

The 10 Most Dangerous Misconfigurations

1. Overly permissive IAM permissions. Palo Alto Unit 42 analyzed 680,000 cloud identities and found that 99 percent of all identities – users, roles, and service accounts – hold more permissions than they need. The principle of least privilege is rarely enforced. Every unnecessary permission represents a potential attack vector, and a few of them (iam:PassRole, iam:AttachRolePolicy, sts:AssumeRole on any role) are full privilege escalation on their own. Right-sizing starts with evidence of what an identity actually uses: AWS IAM Access Analyzer reports unused permissions and can generate a policy from CloudTrail activity, and IAM's service last-accessed data shows which granted services have gone untouched for months.

2. Missing MFA for root and admin accounts. Orca Security reports that 61 percent of root accounts or account owners lack multi-factor authentication. Unit 42 confirms that 76 percent of organizations fail to enforce MFA for console users – and 58 percent don’t even require it for root or admin accounts. Without MFA, one phished or leaked password is the whole break-in. Enforcing MFA is necessary but not sufficient: push notifications and one-time codes are relayed by adversary-in-the-middle (AiTM) phishing kits, so root and admin accounts should use phishing-resistant factors (FIDO2/WebAuthn security keys), and the root user should sit unused behind a hardware key with an alarm on any activity.

3. Publicly accessible storage buckets. Unit 42 documents that 63 percent of publicly reachable S3 buckets contain sensitive data. The result? Customer records, internal documents, and credentials – all retrievable via a simple URL. A bucket becomes public in one of two ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Principal is "*". S3 Block Public Access at the account level switches off both paths and should be the baseline, with the rare genuinely public bucket handled as a documented exception. In 2019, Capital One lost data from 106 million customers: a server-side request forgery against a misconfigured WAF instance returned the instance role’s temporary credentials from the EC2 metadata service, and that role had list and read permissions on far more S3 buckets than it needed. Requiring IMDSv2 on every instance closes that credential-theft path.

4. Disabled or incomplete logging. Without CloudTrail (AWS), the Activity Log plus Entra ID sign-in and audit logs (Azure), or Cloud Audit Logs (GCP), incident response lacks its foundational layer. If a breach occurs and no logs exist, there’s no forensic trail. Incomplete counts as disabled: CloudTrail’s 90-day event history is not a trail, so the control plane needs an organization-wide, multi-region trail delivered to a locked-down S3 bucket with log file validation enabled, and S3 data events (object reads and writes) are not recorded at all unless they are switched on separately. According to Unit 42, security teams spend an average of 145 hours resolving a security alert, and that only grows when there are no logs to work from.

5. Open security groups and NSGs. Orca Security reports that 81 percent of organizations have neglected public-facing assets with open ports (80, 443, 8080, 22, 3389, 5900). Every open port is an entry point. RDP (3389) and SSH (22) on public IP addresses are scanned and attacked within minutes of going live. Neither should be reachable from 0.0.0.0/0 at all: use AWS Systems Manager Session Manager or Azure Bastion instead of an exposed port, or at least restrict the source range to known addresses and turn on just-in-time access so the rule exists only while someone is using it.

“By 2025, 99 percent of all cloud security failures will be the customer’s responsibility, not the cloud provider’s.”
Gartner (cited repeatedly in IBM, CSA, and Unit 42 reports)

6. Publicly exposed databases. Wiz’s Cloud Data Security Report 2025 finds that 72 percent of cloud environments host publicly exposed PaaS databases with no access controls. RDS instances, Cosmos DB, or Cloud SQL running without VPC isolation or IP allow-listing are reachable by anyone. On AWS the trap is the PubliclyAccessible flag on an RDS instance, which gives it a public DNS name; on Azure it is a server firewall rule spanning 0.0.0.0 to 255.255.255.255. The fix is private endpoints, or subnets with no route to the internet, rather than a long allow-list of addresses.

7. Missing encryption at rest. Data stored in S3, Azure Blob Storage, or GCS without encryption at rest is immediately readable in the event of a breach. Since January 2023 S3 has encrypted every new object with SSE-S3 by default, but that only protects against loss of physical media: anyone holding s3:GetObject still reads plaintext, because S3 decrypts transparently. A real boundary needs SSE-KMS with a customer-managed key whose key policy restricts kms:Decrypt to the workloads that need it. EBS volumes and RDS instances are still unencrypted unless the flag is set at creation or the per-region EBS encryption-by-default setting is enabled, and an unencrypted RDS snapshot shared to another account is readable there in full.

8. Unpatched container images. Unit 42 reports that 63 percent of production codebases contain unpatched vulnerabilities with a CVSS score of 7.0 or higher. Wiz adds that 12 percent of containers are simultaneously publicly exposed and vulnerable to known exploits. Outdated base images are the most common culprit: an image built once and never rebuilt inherits every CVE published since. Pin base images by digest, rebuild and rescan on a schedule rather than only when application code changes, and block images with known critical vulnerabilities at admission time.

9. Missing network segmentation. Flat networks without VPC peering controls or subnet isolation enable lateral movement. Once an attacker compromises a workload, they can reach every resource in the same network unless segmentation is in place. Network segmentation alone slows lateral movement but doesn’t stop it when attackers possess valid credentials: with a stolen role or service principal, the next hop is an API call through the control plane, not a network connection. A Zero Trust design therefore has to scope each identity (items 1 and 2) as tightly as it scopes each subnet.

10. Default credentials and API keys embedded in code. Hardcoded AWS access keys, Azure service principal secrets, or database passwords in Git repositories. Once pushed, they remain in the commit history even after the file is “cleaned up”, and automated scanners watch public GitHub for fresh AWS key IDs (the AKIA... pattern) and abuse them within minutes. Rewriting history does not recall the clones and forks that already have the key, so the only fix is to revoke it first and rotate afterwards. Pre-commit secret scanning and short-lived credentials (IAM roles, workload identity federation) remove the reason to embed a key at all.
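A worked example for items 1 and 3, added here and not code from Unit 42, AWS, or any vendor named above: a small Python linter that reads IAM identity policies and S3 bucket policies as JSON (the document format that `aws iam get-policy-version` and `aws s3api get-bucket-policy` return) and flags the patterns that make them over-permissive. The policy documents, Sids, and bucket names are constructed samples, and the list of escalation actions is an illustrative subset, not a complete catalogue.

```python
"""Offline linter for AWS IAM identity policies and S3 bucket policies.

Added example for this article, not a vendor tool. Input is policy JSON as
returned by `aws iam get-policy-version` or `aws s3api get-bucket-policy`;
the documents at the bottom are constructed so the script runs offline.
"""
import fnmatch

# Actions that let a principal widen its own rights. Illustrative subset, not a full catalogue.
ESCALATION_ACTIONS = {
    "iam:createpolicyversion", "iam:attachuserpolicy", "iam:attachrolepolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:createaccesskey",
    "iam:passrole", "sts:assumerole",
}


def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} in a resource policy means anyone, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy: dict, resource_policy: bool = False) -> list[tuple[str, str, str]]:
    """Return (sid, severity, message) for each risky Allow statement.

    Deny statements only narrow access and are skipped. Pass resource_policy=True
    for bucket policies so that Principal is inspected as well.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        # IAM matches actions case-insensitively; '*' behaves like a shell glob.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        star_resource = "*" in resources
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]

        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "NotAction allows every action not listed; use an explicit Action list"))
        if "*" in actions and star_resource:
            findings.append((sid, "CRITICAL", "Action '*' on Resource '*' is full administrator access"))
        elif wildcard_actions:
            findings.append((sid, "HIGH", f"wildcard action(s) {wildcard_actions}"))
        elif star_resource and not conditioned:
            findings.append((sid, "MEDIUM", "Resource '*' without a Condition; scope it to ARNs"))

        # iam:PassRole or sts:AssumeRole on Resource '*' undoes least privilege everywhere else.
        escalation = sorted(e for e in ESCALATION_ACTIONS
                            if any(fnmatch.fnmatchcase(e, a) for a in actions))
        if escalation and star_resource and "*" not in actions:
            findings.append((sid, "HIGH", f"privilege-escalation action(s) {escalation} on Resource '*'"))

        if resource_policy and _principal_is_public(stmt.get("Principal")):
            if conditioned:
                findings.append((sid, "MEDIUM", "Principal '*' narrowed by a Condition; verify the condition keys"))
            else:
                findings.append((sid, "CRITICAL", "Principal '*' without a Condition: anonymous access"))
    return findings


# Constructed sample policies; the bucket names and VPC endpoint ID are made up.
ADMIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "*", "Resource": "*"}]}
PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Launch", "Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-exports/*"}]}
VPCE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::internal-reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for name, policy, is_resource in [("ADMIN", ADMIN, False), ("SCOPED", SCOPED, False),
                                      ("PASSROLE", PASSROLE, False),
                                      ("PUBLIC_BUCKET", PUBLIC_BUCKET, True),
                                      ("VPCE_BUCKET", VPCE_BUCKET, True)]:
        for sid, sev, msg in lint_policy(policy, resource_policy=is_resource):
            print(f"{name:14} {sid:14} {sev:9} {msg}")
```

When feeding real output from `aws iam get-policy-version`, pass the object under `PolicyVersion.Document`. A `Principal "*"` that is narrowed by a Condition is reported at lower severity rather than dropped, because the condition keys (aws:SourceVpce, aws:PrincipalOrgID) are exactly where such policies tend to be wrong.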

99 % of all cloud identities have overly broad permissions
Source: Palo Alto Unit 42, 680,000 analyzed identities
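The detection side of items 2, 4 and 5, as an added example that is not code from CrowdStrike, Unit 42 or AWS: a set of rules modelled on the log-based controls of the CIS AWS Foundations Benchmark (console sign-in without MFA, root account use, CloudTrail configuration changes, S3 ACL and policy changes, security group changes) run over CloudTrail records. The records are constructed samples using the documented CloudTrail field names; the account ID, ARNs, bucket names and security group ID are made up, and the one-record-per-line layout is a simplification of the Records array CloudTrail actually delivers per log file.

```python
"""Detections over CloudTrail records, in the spirit of the CIS AWS Foundations
Benchmark metric-filter controls. Added example for this article; the sample
records are constructed and the identifiers in them are fictional.
"""
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PUBLIC_ACL_URIS = ("acs.amazonaws.com/groups/global/AllUsers",
                   "acs.amazonaws.com/groups/global/AuthenticatedUsers")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_public(policy: dict) -> bool:
    """True when any Allow statement names Principal '*' (or {"AWS": "*"})."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            return True
    return False


def detect(event: dict) -> list[str]:
    """Return zero or more alert strings for one CloudTrail record."""
    alerts = []
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    ident = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    who = ident.get("arn", "unknown")

    # Root should be dormant behind hardware MFA; any direct use is worth a page.
    if ident.get("type") == "Root" and "invokedBy" not in ident and event.get("eventType") != "AwsServiceEvent":
        alerts.append(f"root account used for {name}")

    # Successful console sign-in with the MFA flag set to "No".
    if (name == "ConsoleLogin"
            and (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (event.get("additionalEventData") or {}).get("MFAUsed") == "No"):
        alerts.append(f"console login without MFA by {who}")

    # Someone switching off or narrowing the audit trail.
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append(f"{name} on trail {params.get('name')} by {who}")

    # Bucket made world-readable through an ACL grant ...
    if name == "PutBucketAcl":
        acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
        grants = _as_list(acl.get("Grant") or [])
        if any(uri in (g.get("Grantee") or {}).get("URI", "") for g in grants for uri in PUBLIC_ACL_URIS):
            alerts.append(f"public ACL on bucket {params.get('bucketName')} by {who}")
    # ... or through a bucket policy with Principal "*".
    if name == "PutBucketPolicy" and _grants_public(params.get("bucketPolicy") or {}):
        alerts.append(f"public bucket policy on {params.get('bucketName')} by {who}")

    # Security group opened to the whole internet (EC2 wraps lists in "items").
    if name == "AuthorizeSecurityGroupIngress":
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
            if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
                alerts.append(f"{params.get('groupId')} opened {perm.get('fromPort')}-{perm.get('toPort')}"
                              f"/{perm.get('ipProtocol')} to the internet by {who}")
    return alerts


def scan(lines) -> list[tuple[str, str]]:
    """Parse one JSON record per line; return (eventID, alert) pairs. Bad lines are skipped, not fatal."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend((event.get("eventID", "?"), alert) for alert in detect(event))
    return out


# Constructed sample records (fictional account 111122223333); the last line is deliberately malformed.
SAMPLE_RECORDS = r"""
{"eventID":"e1","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventID":"e2","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventID":"e3","eventName":"PutBucketAcl","eventSource":"s3.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"requestParameters":{"bucketName":"customer-exports","AccessControlPolicy":{"AccessControlList":{"Grant":[{"Grantee":{"xsi:type":"Group","URI":"http://acs.amazonaws.com/groups/global/AllUsers"},"Permission":"READ"}]}}}}
{"eventID":"e4","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/deploy/ci"},"requestParameters":{"name":"org-trail"}}
{"eventID":"e5","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"groupId":"sg-0123456789abcdef0","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":3389,"toPort":3389,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]},"ipv6Ranges":{"items":[]}}]}}}
{"eventID":"e6","eventName":"PutBucketPolicy","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"bucketName":"static-site","bucketPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::static-site/*"}]}}}
{"eventID":"e7","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops/dave"}}
not json at all
"""

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_RECORDS.splitlines()):
        print(f"{event_id}: {alert}")
```

Run against real data, the same `detect()` can sit behind an EventBridge rule on CloudTrail events or be pointed at the decompressed log files in the trail bucket; the point of item 4 is that none of it works if the trail is missing, single-region, or has had `StopLogging` called on it, which is why that event is itself the first thing to alert on.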

How IT Security Teams Can Audit Systematically

CIS Benchmarks as a Baseline. The Center for Internet Security publishes free configuration benchmarks for AWS, Azure, and GCP. These define specific checks: Is CloudTrail enabled? Is MFA enforced for root accounts? Are S3 buckets public? AWS Security Hub directly integrates the CIS AWS Foundations Benchmark, while Azure offers the Microsoft Cloud Security Benchmark as its counterpart.

CSPM Tools for Continuous Monitoring. Cloud Security Posture Management (CSPM) automatically checks configurations against policies and compliance frameworks – not just once, but continuously. Every change is evaluated. Drift is detected. Native options include AWS Config Rules and Security Hub, Azure Policy and Microsoft Defender for Cloud, and GCP Security Command Center. Specialized multi-cloud providers include Wiz, Prisma Cloud, and Orca Security. Detection is the easy half: a finding only reduces risk once it has an owner, a deadline, and either an auto-remediation action or a ticket, otherwise the dashboard fills up and the exposure stays.

Infrastructure as Code Scanning. Prevent misconfigurations before they reach production. Tools like Checkov (from Bridgecrew, now part of Palo Alto Networks) and tfsec (since merged into Trivy) scan Terraform, CloudFormation, and ARM or Bicep templates for security issues. Scanning the rendered plan rather than the raw templates catches values that arrive through variables and modules and are invisible in the source file. Shift left: Security becomes part of the CI/CD pipeline, not a post-deployment audit.
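An added example of the kind of check such a pipeline stage runs, not Checkov or tfsec code: it reads the JSON that `terraform show -json plan.out` produces and flags, before apply, several of the gaps from the list above (admin ports open to the internet in an AWS security group or an Azure NSG rule, an S3 bucket without a full public access block, a publicly accessible or unencrypted RDS instance, an unencrypted EBS volume). The plan document is constructed; resource addresses, bucket names and module names are made up, while the resource types, attribute names and the `planned_values.root_module` layout are those of Terraform and the hashicorp/aws and hashicorp/azurerm providers.

```python
"""Pre-deployment scan of `terraform show -json plan.out` output.

Added example for this article, not code from Checkov or tfsec. The plan at
the bottom is constructed so the script runs offline; resource types and
attribute names follow the hashicorp/aws and hashicorp/azurerm providers.
"""
import json
import sys

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
# Source prefixes that mean "the whole internet" in AWS CIDR lists and Azure NSG rules.
WORLD = {"0.0.0.0/0", "::/0", "*", "Internet"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def walk(module: dict):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def exposed_admin_ports(lo, hi, protocol) -> list[int]:
    """Admin ports inside [lo, hi]; AWS protocol -1 means all traffic, every port."""
    if str(protocol) == "-1":
        return sorted(ADMIN_PORTS)
    try:
        lo, hi = int(lo), int(hi)
    except (TypeError, ValueError):      # null = known after apply; cannot judge here
        return []
    return [p for p in ADMIN_PORTS if lo <= p <= hi]


def azure_port_range(rng) -> tuple[str, str]:
    """NSG destination_port_range is '*', a single port, or 'lo-hi'."""
    rng = str(rng or "")
    if rng == "*":
        return "0", "65535"
    lo, _, hi = rng.partition("-")
    return lo, hi or lo


def scan_plan(plan: dict) -> list[tuple[str, str]]:
    """Return (resource address, finding) pairs for the planned state."""
    findings = []
    resources = list(walk(plan.get("planned_values", {}).get("root_module", {})))

    # First pass: which buckets get a public access block with all four flags on?
    blocked = set()
    for r in resources:
        v = r.get("values") or {}
        if r["type"] == "aws_s3_bucket_public_access_block":
            if all(v.get(f) is True for f in PAB_FLAGS):
                blocked.add(v.get("bucket"))
            else:
                findings.append((r["address"], "public access block leaves a flag off"))

    for r in resources:
        t, v, addr = r["type"], r.get("values") or {}, r["address"]
        if t == "aws_s3_bucket":
            # A bucket name only known after apply is null here and cannot be matched: report it.
            if v.get("bucket") is None or v["bucket"] not in blocked:
                findings.append((addr, "no aws_s3_bucket_public_access_block with all flags true"))
        elif t == "aws_security_group":
            for rule in v.get("ingress") or []:
                cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
                ports = exposed_admin_ports(rule.get("from_port"), rule.get("to_port"), rule.get("protocol"))
                if WORLD & set(cidrs) and ports:
                    findings.append((addr, "internet ingress to " + ", ".join(ADMIN_PORTS[p] for p in ports)))
        elif t == "aws_db_instance":
            if v.get("publicly_accessible") is True:
                findings.append((addr, "publicly_accessible = true"))
            if v.get("storage_encrypted") is not True:
                findings.append((addr, "storage_encrypted is not true"))
        elif t == "aws_ebs_volume" and v.get("encrypted") is not True:
            # Unset means the region's EBS default applies, which is off unless someone enabled it.
            findings.append((addr, "encrypted is not true"))
        elif t == "azurerm_network_security_rule":
            if (v.get("direction") == "Inbound" and v.get("access") == "Allow"
                    and v.get("source_address_prefix") in WORLD):
                lo, hi = azure_port_range(v.get("destination_port_range"))
                ports = exposed_admin_ports(lo, hi, "tcp")
                if ports:
                    findings.append((addr, "internet ingress to " + ", ".join(ADMIN_PORTS[p] for p in ports)))
    return findings


# Constructed plan excerpt; every address and name is fictional.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket", "values": {"bucket": "customer-exports"}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "app-logs"}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "app-logs", "block_public_acls": True, "block_public_policy": True,
                    "ignore_public_acls": True, "restrict_public_buckets": True}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "values": {"publicly_accessible": True, "storage_encrypted": False}},
        {"address": "azurerm_network_security_rule.rdp", "type": "azurerm_network_security_rule",
         "values": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                    "source_address_prefix": "*", "destination_port_range": "3389"}},
        {"address": "azurerm_network_security_rule.https", "type": "azurerm_network_security_rule",
         "values": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                    "source_address_prefix": "Internet", "destination_port_range": "443"}}],
    "child_modules": [{"address": "module.data", "resources": [
        {"address": "module.data.aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": None}}]}]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, finding in scan_plan(plan):
        print(f"{address}: {finding}")
    sys.exit(1 if scan_plan(plan) else 0)   # non-zero exit fails the pipeline stage
```

Two deliberate choices: a bucket whose name is only known after apply is reported rather than silently passed, because a check that cannot prove the public access block exists should not vouch for it; and the exit status is non-zero on any finding, which is what makes the stage a gate rather than a report.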

Conclusion: The Attack Surface Lies in Configuration

Cloud providers deliver secure infrastructure. But configuration is the customer’s responsibility. As long as 76 percent of organizations don’t enforce MFA, 63 percent leave sensitive data in public buckets, and 99 percent of identities have excessive permissions, configuration remains the easiest attack vector. The tools for detection exist. CIS benchmarks are free. CSPM is built into every major cloud platform. What’s missing isn’t technology – it’s discipline.

Frequently Asked Questions

What is a cloud misconfiguration?

A setting in AWS, Azure, or GCP that deviates from a secure default configuration or opens a security gap. Examples include publicly accessible S3 buckets, missing MFA, or overly permissive IAM policies. According to the CSA, it has been the top cloud threat since 2024.

How can I find misconfigurations in my environment?

Use CIS benchmarks as a checklist, CSPM tools (AWS Config, Azure Policy, Wiz, Prisma Cloud) for automated monitoring, and Infrastructure-as-Code scanners (Checkov, tfsec) to prevent issues in the CI/CD pipeline.

What does a breach caused by misconfiguration cost?

According to IBM’s Cost of a Data Breach 2024, the average cost is $4.88 million. Cloud misconfigurations cause 15 percent of all breaches. In 2020, Capital One paid an $80 million fine following a breach due to misconfigured AWS resources.

Which misconfiguration is the most dangerous?

Overly broad IAM permissions. According to Unit 42, 99 percent of all cloud identities have more permissions than necessary. Combined with stolen credentials (valid account abuse, which accounts for 35 percent of all cloud incidents per CrowdStrike), this is the most direct path to sensitive data.

Are native cloud security tools sufficient?

For starters, yes. AWS Security Hub, Microsoft Defender for Cloud, and GCP Security Command Center cover the basics. For multi-cloud environments, automated remediation, and compliance reporting, specialized CSPM solutions like Wiz, Prisma Cloud, or Orca Security are recommended.


Header Image Source: Pexels / Panumas Nikhomkhai

About the author: Benedikt Langer

A magazine by Evernine Media GmbH