Organizations benefit from the speed of the cloud, but with great power comes great responsibility. An inadvertent cloud misconfiguration can leave the door open to bad actors. While cloud configuration issues most often stem from human error or lack of awareness, they are unfortunately a leading cause of data breaches.
Let’s break down the most frequent cloud misconfigurations, explore their impact on security and compliance, and identify practical steps to fix and prevent these issues, including the use of cloud security posture management (CSPM) tools.
5 essential capabilities for a modern CSPM solution
Your go-to checklist for all things CSPM.
What are cloud misconfigurations?
First, what is a cloud misconfiguration?
Cloud misconfigurations occur when cloud resources are set up incorrectly from a security best practices point of view. This exposes systems, applications, and data to unauthorized access and activity. These errors can happen across any cloud model—IaaS, PaaS, or SaaS—and are a leading driver of cloud security incidents.
In fact, research from the Cloud Security Alliance shows that misconfigurations account for more than 90% of cloud security breaches. The stakes are high – therefore, addressing misconfigurations should be a critical priority for any cloud-forward organization.
Top cloud misconfigurations
Overly permissive IAM policies
Identity and access management (IAM) security misconfigurations are a major risk in cloud environments, often resulting from overly permissive roles, unused credentials, or a lack of enforcement of least-privilege access. These gaps allow attackers to escalate privileges, move laterally, and access sensitive resources. Without proper IAM management, organizations face increased exposure to breaches, compliance violations, and operational disruptions.
Addressing these issues requires continuous IAM policy reviews, role-based access controls (RBAC), and security posture management checks to minimize risk and prevent unauthorized access.
Exposed resources due to misconfigured access policies
Misconfigured cloud service access is a frequent source of data breaches. Accidentally exposing a storage bucket or web service publicly creates a significant security risk. Hackers are constantly on the hunt for publicly exposed cloud resources, potentially detecting and exploiting the resource in minutes. These misconfigurations can quickly lead to cloud breaches, allowing attackers to access, exfiltrate, or delete sensitive data.
Organizations should implement strict access controls by default, ensuring that storage buckets and network services are private unless explicitly required. Security groups, firewalls, and virtual private networks (VPNs) can all come into play in order to restrict access.
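The two misconfigurations above share a root cause: a policy statement that grants more than it should. The following added example (not from the original article or any vendor's product) is a small policy-review check in the style a CSPM rule would use; it flags wildcard actions, wildcard resources, and an unconditioned public principal in AWS-style policy JSON. The three policy documents and the finding names are constructed for illustration.

```python
import json

# Constructed samples (AWS-style policy JSON). The first is the overly permissive
# IAM policy a review should catch, the second its least-privilege replacement,
# the third a bucket policy that makes every object world-readable.
OVERLY_PERMISSIVE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"}]})
PUBLIC_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-uploads/*"}]})


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_policy_risks(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that grant
    too much: wildcard actions, wildcard resources, or an unconditioned public
    principal. Finding names are our own labels, not a provider's."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        # "*" or "service:*" grants every action (of that service)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "WILDCARD_ACTION"))
        if "*" in resources:
            findings.append((idx, "WILDCARD_RESOURCE"))
        # Principal "*" (or {"AWS": "*"}) with no Condition means anyone at all
        is_public = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if is_public and "Condition" not in stmt:
            findings.append((idx, "PUBLIC_PRINCIPAL"))
    return findings


if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE),
                      ("least privilege", LEAST_PRIVILEGE),
                      ("public bucket", PUBLIC_BUCKET)]:
        print(f"{name}: {find_policy_risks(doc)}")
```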
Failure to enforce Multi-Factor Authentication (MFA)
Using multiple means of identity verification to access online resources – such as a password combined with a code sent to a mobile phone – has become commonplace. This same type of protection, Multi-Factor Authentication (MFA), is critical for secure cloud access as well. Not using MFA increases the risk of unauthorized access to accounts.
Passwords are too often stolen or obtained by hackers through phishing schemes and even low-level credential compromises can lead to significant damage. An entire industry has exploded on the dark web, dedicated to selling stolen cloud credentials. MFA helps mitigate the risk of compromise due to unauthorized use of your username and password.
To enforce Multi-Factor Authentication (MFA) for cloud accounts, use your cloud provider’s security policy settings to enable the “Require multifactor authentication” option.
Not using encryption
Failing to encrypt data – whether it’s data at rest or in transit – can leave data exposed to unauthorized access. Data encryption is also a key requirement of most compliance frameworks. Should you encounter a breach, the failure to properly encrypt data not only puts your data in the hands of bad actors, it can also lead to regulatory fines and reputational damage.
To ensure proper encryption, configure your cloud provider’s settings to automatically encrypt data at rest and in transit, typically by using customer-managed encryption keys (CMEKs) through a Key Management Service (KMS). This lets you control and manage the encryption keys for your data, ensuring only authorized users can access it. Additionally, implement policies that automatically detect and encrypt any new data uploaded to the cloud without encryption already applied.
Lack of network segmentation
Network segmentation – the practice of dividing a computer network into smaller, distinct segments or subnetworks – isolates critical systems and sensitive data and reduces the attack surface. If a breach occurs, segmentation helps contain an attack, limits the spread of malware or ransomware, and prevents lateral movement across the network.
A flat cloud network without proper segmentation increases the risk of widespread compromise. In the cloud, network security groups help control inbound and outbound network traffic. Poor security group management can leave networks vulnerable, allowing attackers to move freely between hosts and services.
To enforce network segmentation, create separate logical network segments within your cloud environment using tools like subnets, security groups, and network access control lists (ACLs). You should define access rules between these segments based on your security policies to ensure only authorized traffic can flow between them. A best practice is to regularly monitor network activity and conduct audits to maintain segmentation integrity.
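As an added example (not code from the original article), here is the kind of security group audit a CSPM runs to check that access rules between segments match policy. The rule set, the allowed public ports, the admin ports and the trusted internal range are all constructed assumptions; the check flags anything open to the whole internet beyond web ports, and admin ports reachable from outside the trusted range.

```python
import ipaddress

# Constructed sample: inbound rules of one security group, normalised to
# (protocol, port range, source CIDR) as a CSPM might store them. Not real config.
SG_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
]

# Segmentation policy for this group (assumed): only web ports may be open to
# the internet, and admin ports only from the internal address space.
PUBLIC_OK_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def is_world_open(cidr):
    # A /0 prefix ("0.0.0.0/0" or "::/0") means the whole internet.
    return ipaddress.ip_network(cidr).prefixlen == 0


def is_trusted(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(t) for t in TRUSTED_RANGES if t.version == net.version)


def audit_ingress(rules):
    """Return (rule_index, finding) pairs for rules that break the policy."""
    findings = []
    for i, r in enumerate(rules):
        ports = set(range(r["from_port"], r["to_port"] + 1))
        all_protocols = r["protocol"] == "-1"   # "-1" = every protocol and port
        if is_world_open(r["cidr"]):
            if all_protocols or not ports <= PUBLIC_OK_PORTS:
                findings.append((i, "WORLD_OPEN"))
        elif not is_trusted(r["cidr"]):
            if all_protocols or ports & ADMIN_PORTS:
                findings.append((i, "ADMIN_PORT_FROM_UNTRUSTED"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_ingress(SG_RULES):
        print(f"rule {idx}: {finding} -> {SG_RULES[idx]}")
```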
Misconfigured logging and monitoring
Logs are essential for detecting and investigating security incidents, but misconfigured (or absent) logging can leave gaps in your visibility. Cloud logs help record activity across cloud resources, such as user actions, system changes, or access attempts. Without these insights, malicious or unexpected activity can be missed and incident response teams will have difficulty identifying the root cause, scope, and impact of an attack, which delays containment.
Ensure logging is enabled for all cloud regions and services, forward logs to centralized monitoring tools, and define retention policies to meet audit requirements. In addition, monitor for any attempts to disable cloud logging capabilities, as this is a common attacker technique for evading detection.
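One way to implement that last point, as an added example that is not part of the original article: a detection run over CloudTrail-style audit records that raises an alert whenever someone calls an API that stops, deletes or narrows a trail. The log lines below are constructed; the event names are real CloudTrail management actions, and failed (access-denied) attempts are reported too because they are just as relevant to responders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail-style records (one JSON object per line).
# Real records carry many more fields; these hold just what the detection needs.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app"},"sourceIPAddress":"10.0.1.5"}
{"eventTime":"2024-05-01T10:02:14Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2024-05-01T10:02:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::111122223333:user/auditor"},"sourceIPAddress":"10.0.1.9"}
{"eventTime":"2024-05-01T10:03:05Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"203.0.113.7","errorCode":"AccessDenied"}
"""

# CloudTrail management API calls that stop, remove or narrow log collection.
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect_logging_tamper(log_text):
    """Return one alert dict per record that tries to weaken logging.

    Records with an errorCode (denied attempts) are still reported: a denied
    StopLogging is as interesting to responders as a successful one."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec["eventName"] not in LOG_TAMPER_EVENTS:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "actor": rec["userIdentity"]["arn"],
            "source_ip": rec["sourceIPAddress"],
            "succeeded": "errorCode" not in rec,
        })
    return alerts


def actors_by_attempts(alerts):
    # Repeated attempts by one identity are a stronger signal than a single call.
    return Counter(a["actor"] for a in alerts)


if __name__ == "__main__":
    found = detect_logging_tamper(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['action']} by {a['actor']} from {a['source_ip']} "
              f"succeeded={a['succeeded']}")
    print(actors_by_attempts(found))
```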
Unpatched or outdated systems
Cloud workloads are not exempt from the need for patching. Unpatched systems are a top entry point for attackers exploiting known vulnerabilities. Outdated systems also may lack compatibility with modern security tools and protocols, limiting the ability to implement robust security measures. In addition, many regulatory frameworks (e.g., GDPR, HIPAA, PCI-DSS) require organizations to maintain up-to-date systems as part of their security controls. Failing to do so opens you up not only to security risk, but also penalties of non-compliance.
To keep on top of this issue in your cloud, you should monitor for outdated software using CSPM and use automated patch management tools to ensure systems are up to date.
Misconfigured, vulnerable, and outdated workloads
Misconfigured workloads and vulnerable images create security risks in the cloud. Organizations often unknowingly run workloads with default root permissions, increasing the risk of attackers gaining access to the host system to perform malicious actions. Vulnerabilities in container images and software are common and can be exploited to hijack workloads.
Scanning for vulnerabilities across the entire workload lifecycle – in development, in registries, and at runtime – on a timely and ongoing basis is key to staying ahead of software supply chain threats. Based on your requirements and standards, you should update vulnerable libraries or components in images and workloads before rolling into production. Unless root permissions are needed, when building your container image, create a non-privileged user with only the permissions required for the application to run.
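The non-root user step above is one a build pipeline can verify before an image reaches a registry. The following added example (not from the original article) is a small Dockerfile check that reports the user the final stage runs as; both Dockerfiles are constructed samples, and the check assumes the base image itself defaults to root, as most do.

```python
# Constructed sample Dockerfiles: one that runs as root by default and its
# hardened counterpart that creates and switches to an unprivileged user.
RUNS_AS_ROOT = """
FROM python:3.12-slim
WORKDIR /app
COPY . .
RUN pip install --no-cache-dir -r requirements.txt
CMD ["python", "app.py"]
"""

NON_ROOT = """
FROM python:3.12-slim AS build
WORKDIR /app
COPY . .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.12-slim
COPY --from=build /app /app
# Create a system user with no login shell and switch to it before CMD runs
RUN useradd --system --no-create-home --shell /usr/sbin/nologin app
USER app
CMD ["python", "/app/app.py"]
"""


def effective_user(dockerfile_text):
    """Return the USER the final stage runs as, or None if never set.

    Each FROM starts a new stage and resets USER to the base image default,
    so only the last stage's USER matters for the shipped image."""
    user = None
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            user = None
        elif instr.upper() == "USER":
            user = args.strip()
    return user


def runs_as_root(dockerfile_text):
    # Root by name, by uid 0 ("0" or "0:0"), or because USER was never set
    # (assumes the base image defaults to root, which most official images do).
    user = effective_user(dockerfile_text)
    if user is None:
        return True
    return user.split(":")[0] in ("root", "0")
```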
Unsecured APIs
APIs (Application Programming Interfaces) are used in the cloud to enable applications and services to communicate and share data. Weaknesses in authentication, authorization, and data protection mechanisms can lead to data breaches, unauthorized transactions, and operational disruptions for businesses relying on those APIs. Because they are an easy entry point, APIs need proper configuration and controls just like any other cloud service.
To secure cloud APIs, implement practices like centralizing authentication through an API gateway, encrypting data in transit, and validating input data. Performing regular security testing and following the principle of least privilege to manage access controls will help you maintain a comprehensive security posture across your APIs.
Cloud misconfiguration management with CSPM
For most organizations, manually reviewing and adjusting cloud infrastructure settings to ensure security compliance is simply not feasible. The process would be too time-consuming, prone to human error, and difficult to maintain. This is where Cloud security posture management (CSPM) tools come into play. They exist to help organizations continuously monitor cloud environments, detect misconfigurations, and offer remediation assistance.
CSPM isn’t just a nice-to-have. It is a critical component of modern cloud security. Cloud misconfigurations are inevitable in dynamic environments, but with proper visibility, monitoring, and management you can avoid costly fire drills. A proper CSPM solution will help you transform your security posture from reactive to proactive, empowering you to handle misconfigurations before they are exploited.
Common capabilities of CSPM solutions include:
- Asset inventory – Provides a centralized view of cloud assets and tracks security posture changes across multi-cloud environments.
- Misconfiguration detection – Uncovers security risks such as open storage buckets, exposed endpoints, and misconfigured network services.
- Compliance monitoring & reporting – Maps cloud configurations to compliance frameworks and generates audit-ready reports for standards like GDPR, HIPAA, DORA, PCI DSS, NIS, and NIST.
- Automated remediation & policy enforcement – Applies policies that enforce security best practices and provides guided remediation for common misconfigurations.
- Least-privilege access & IAM analysis – Detects excessive permissions, unused credentials, and risky roles; helps enforce least-privilege access controls.
- Network security & exposure analysis – Detects publicly exposed cloud resources and unsecured APIs, and maps network connections to highlight potential attack paths.
- Vulnerability assessments – Enables “shift-left” security by scanning workloads for known vulnerabilities, and Infrastructure-as-Code (IaC) manifests for security issues.
Cloud misconfigurations are a leading security and compliance challenge, but by adopting a proactive approach, leveraging automation, fostering a culture of security, and integrating tools like CSPM, you can safeguard your cloud environments and reduce risk at any scale.