Seven Cloud Security Mistakes I See Constantly

Cloud security has gotten complicated: there are many services, configurations, and attack surfaces to track. As someone who has audited dozens of cloud environments after breaches, I have a clear picture of what goes wrong, because the same things go wrong repeatedly. The following patterns cause the majority of the incidents I see.


Overly Permissive IAM

IAM issues are behind most of the breaches I investigate, which is why this section comes first. When something doesn’t work, adding permissions is easier than debugging, so permissions accumulate until service accounts have administrator access to everything. At that point, one compromised credential exposes the entire account.

Apply least privilege seriously. Start with no permissions and add only what’s needed. Review permissions regularly and remove what’s unused.

Public S3 Buckets

The defaults have improved, but misconfigured buckets still leak sensitive data regularly. Block public access at the account level unless you have a specific, documented need for public buckets.

Unencrypted Data

Enable encryption by default for everything: S3 buckets, EBS volumes, RDS databases, secrets managers. Default encryption policies eliminate an entire class of mistakes, which is why security teams like them so much. The performance overhead is negligible; the compliance benefit is significant.

Missing Network Segmentation

Flat networks let attackers move laterally after initial compromise. Segment by function and sensitivity. Your production database shouldn’t be reachable from your development VPC.

Neglected Security Groups

Security groups accumulate rules over time. That temporary SSH access you added for debugging? Still there six months later, open to the internet.

Audit security groups regularly. Remove rules you can’t explain. Restrict sources to the minimum necessary ranges.
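As an added example (not code from the original post), here is a small audit that flags ingress rules whose source is 0.0.0.0/0 or ::/0. It runs over a constructed sample shaped like an EC2 DescribeSecurityGroups response, so the same function can be pointed at the `SecurityGroups` list returned by boto3's `describe_security_groups()`.

```python
"""Flag security-group ingress rules open to the whole internet (added example,
not from the original post). Input mirrors EC2 DescribeSecurityGroups output."""
from typing import NamedTuple, Optional

ANYWHERE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "from anywhere"


class Finding(NamedTuple):
    group_id: str
    protocol: str          # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: Optional[int]
    to_port: Optional[int]
    source: str


def _sources(perm: dict) -> list:
    """Every CIDR source (IPv4 and IPv6) listed on one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def find_internet_exposed(groups: list) -> list:
    """One Finding per ingress rule whose source is 0.0.0.0/0 or ::/0.
    Protocol "-1" covers every port; FromPort/ToPort are absent then."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for src in _sources(perm):
                if src in ANYWHERE:
                    findings.append(Finding(group["GroupId"], perm["IpProtocol"],
                                            perm.get("FromPort"), perm.get("ToPort"), src))
    return findings


# Constructed sample: one group with the forgotten SSH rule plus an all-traffic
# IPv6 rule, and one group whose HTTPS rule is correctly scoped to a VPC range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0debug", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp debug"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    for f in find_internet_exposed(SAMPLE_GROUPS):
        ports = "all ports" if f.protocol == "-1" else f"{f.from_port}-{f.to_port}"
        print(f"{f.group_id}: {f.protocol} {ports} open to {f.source}")
```

Rules with a `Description` like "temp debug" and no owner are exactly the ones the audit above should surface for removal.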

Credential Management

Secrets in environment variables, committed to Git, hardcoded in configuration files – all common, all dangerous. Use secrets managers. Rotate credentials automatically.

Missing Logging

Without logs, you can’t detect breaches or investigate incidents. Enable CloudTrail, VPC Flow Logs, and S3 access logging. Store logs in a separate, restricted account.

Jason Michael
