Cloud Misconfiguration & Secret Exposure

Tags: Cloud Security, AWS Misconfiguration, Azure Security, GCP Security, S3 Bucket

Cloud Misconfiguration & Secret Exposure at a glance

What it is: Security misconfigurations in cloud infrastructure including publicly accessible storage buckets, overly permissive IAM policies, exposed secrets, and insecure network configurations.
Why it happens: Convenience wins over restriction: resources are created with overly broad access to get things working, credentials end up in code or config files, and encryption, logging or MFA are left disabled, so data and services end up exposed.
How to fix: Enforce least privilege for all IAM roles, prevent public access to storage or databases, use managed secret stores, and enable logging and monitoring for cloud resources.

Overview

Cloud platforms offer powerful services but require careful security configuration. Misconfigurations can expose sensitive data to the internet, grant excessive permissions, or leak credentials. Many high-profile data breaches have resulted from simple cloud security oversights.

Common cloud misconfigurations include publicly accessible S3 buckets or Blob storage, overly permissive IAM/RBAC policies granting admin access, hardcoded cloud credentials in source code, security groups allowing unrestricted inbound access (0.0.0.0/0), unencrypted data at rest, disabled logging and monitoring, publicly exposed databases and services, and missing MFA for privileged accounts.

sequenceDiagram
    participant Developer
    participant S3 as S3 Bucket
    participant Attacker
    Developer->>S3: Create bucket (public access)
    Developer->>S3: Upload customer_data.csv
    Attacker->>Attacker: Scan for public buckets
    Attacker->>S3: List bucket contents
    S3-->>Attacker: customer_data.csv
    Attacker->>S3: Download all files
    Attacker->>Attacker: Exfiltrate customer data
    Note over S3: Misconfiguration: Public access enabled<br/>Missing: Bucket encryption<br/>Missing: Access logging
A potential flow for a Cloud Misconfiguration & Secret Exposure exploit

Where it occurs

Cloud misconfigurations occur in storage, IAM, or network settings that allow public access, weak permissions, exposed credentials, missing encryption or logging, and admin accounts without MFA.

Impact

Cloud misconfigurations lead to massive data breaches with customer data exposure, complete account takeover through stolen credentials, cryptocurrency mining on compromised instances, data deletion or ransomware attacks, regulatory fines under GDPR/CCPA, intellectual property theft, and infrastructure abuse for DDoS attacks.

Prevention

Prevent cloud misconfigurations by enforcing least privilege IAM, blocking public access, using managed identities, encrypting data, segmenting networks, enabling logging and threat detection, scanning IaC, requiring MFA, and auditing permissions regularly.

Examples


S3 bucket configured with public read access

Terraform creates a publicly accessible S3 bucket.

Vulnerable
HCL • Terraform — Bad
resource "aws_s3_bucket" "data" {
  bucket = "company-customer-data"
  acl    = "public-read"  # BUG: Public access!
}
  • Line 3: Public ACL

Public ACLs expose sensitive data to the internet. Two caveats: the inline acl argument is deprecated in AWS provider v4 and later (the ACL moved to a separate aws_s3_bucket_acl resource), and since April 2023 new buckets are created with S3 Block Public Access enabled and ACLs disabled, so this configuration mostly survives in older buckets or where those defaults were explicitly switched off. Audit existing buckets rather than assuming the defaults protect them.

Secure
HCL • Terraform — Good
resource "aws_s3_bucket" "data" {
  bucket = "company-customer-data"
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
  • Line 5: Block all public access
  • Line 13: Encryption at rest

Block all public access and enable encryption by default. The public access block above is per bucket; add an aws_s3_account_public_access_block so buckets created outside this module are covered too. SSE-S3 (AES256) is applied to new buckets by default; choose aws:kms instead when you need a key policy and CloudTrail records of key use.

Engineer Checklist

  • Block public access for all storage buckets

  • Apply least privilege to IAM/RBAC policies

  • Never pair Action "*" with Resource "*" in production IAM policies; scope service wildcards such as s3:Get* to specific resource ARNs

  • Use managed identities/instance profiles instead of access keys

  • Never commit cloud credentials to version control

  • Use secret managers (AWS Secrets Manager, Azure Key Vault)

  • Restrict security group ingress to specific IPs

  • Enable encryption at rest for all resources

  • Enable cloud audit logging (CloudTrail, etc.)

  • Require MFA for privileged accounts

  • Use Infrastructure as Code with security scanning

  • Regularly audit and remove unused IAM users/keys

  • Enable cloud security monitoring (GuardDuty, etc.)

  • Implement network segmentation with VPCs

  • Use Service Control Policies for guardrails

  • Scan for exposed secrets in code repositories
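The last two checklist items, never committing credentials and scanning repositories for them, can be backed by a small scanner. The Python below is an added example, not code from the original page or from any vendor product: it finds AWS access key IDs by their fixed format and secret access keys by name plus Shannon entropy, so that low-entropy placeholders do not produce noise. The sample source file is constructed; the credential pair in it is AWS's documented example pair, not a live key. The regular expressions and the 4.0-bit entropy threshold are this example's choices.

```python
"""Scan source text for hardcoded AWS credentials (added example).
Access key IDs have a fixed format; secret keys are 40 base64-like characters
and are only reported when the line names them and the value has the entropy
of a real secret, so placeholders do not trigger."""
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) access key IDs: 20 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# "aws_secret_access_key = '...40 chars...'" in any casing, with optional quotes.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,3}[=:]\W{0,3}['\"]?([A-Za-z0-9/+=]{40})['\"]?")


def shannon_entropy(text):
    """Bits per character; a random 40-char base64 secret scores well above 4."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def scan_lines(lines, min_entropy=4.0):
    """Return findings as dicts; secret values are truncated so the scanner's
    own output does not become another copy of the secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "match": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "match": secret[:4] + "..." + secret[-4:]})
    return findings


# Constructed sample file. The key pair is AWS's documented example pair,
# not a live credential; the third assignment is a low-entropy placeholder.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['match']}")
```

Run it over the files a pre-commit hook hands you, or over `git log -p` output to catch keys that were committed and later removed. Treat every hit as live until proven otherwise: confirm with `aws sts get-caller-identity` from a controlled environment, then rotate the key and move the consumer to an instance profile or a secret manager.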

End-to-End Example

An S3 bucket is misconfigured with public read access, exposing sensitive customer data to the internet.

Vulnerable
HCL
# Vulnerable Terraform
resource "aws_s3_bucket" "data" {
  bucket = "company-customer-data"
  acl    = "public-read" # Dangerous!
}
Secure
HCL
# Secure Terraform
resource "aws_s3_bucket" "data" {
  bucket = "company-customer-data"
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

Discovery

Use tools like ScoutSuite, Prowler, or cloud provider scanners to identify public buckets and misconfigurations.

  1. Scan for public S3 buckets

    Action

    Use bucket enumeration tools to find publicly accessible storage

    Request

    GET https://s3.amazonaws.com/company-customer-data

    Response

    Status: 200
    Body:
    {
      "note": "Bucket contents listable without authentication: a ListBucketResult document is returned for an unsigned request"
    }

    Artifacts

    public_bucket bucket_listing exposed_files
  2. Check IAM policy misconfigurations

    Action

    Review IAM policies for overly permissive permissions. aws iam list-policies returns only policy metadata, not the policy documents, so dump the default version of every customer-managed policy and search it for "Action": "*" and "Resource": "*"; aws accessanalyzer validate-policy gives the same findings with less effort.

    Request

    CLI
    Body:
    "aws iam get-account-authorization-details --filter LocalManagedPolicy --query 'Policies[].PolicyVersionList[?IsDefaultVersion].Document' --output json | grep -n '\"\\*\"'"

    Response

    Status: 200
    Body:
    {
      "note": "Policies grant wildcard permissions to sensitive resources"
    }

    Artifacts

    overpermissive_policies wildcard_actions
  3. Test security group configurations

    Action

    Scan for security groups allowing 0.0.0.0/0 access (and ::/0 for IPv6; an IPv4-only check misses dual-stack hosts)

    Request

    CLI
    Body:
    "aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0"
    "aws ec2 describe-security-groups --filters Name=ip-permission.ipv6-cidr,Values=::/0"

    Response

    Status: 200
    Body:
    {
      "note": "Critical services exposed to internet on sensitive ports"
    }

    Artifacts

    open_security_groups exposed_services
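The three discovery checks above can be run offline against saved CLI output. The Python below is an added example and is not code from the original page or from any of the tools it names. Each function takes the JSON shape the matching call returns: aws s3api get-bucket-acl and get-public-access-block, the Document field of aws iam get-policy-version, and aws ec2 describe-security-groups. It flags ACL grants to the AllUsers and AuthenticatedUsers groups, Allow statements that pair a wildcard action with Resource "*" or grant a known privilege-escalation action, and ingress rules open to the whole internet. The sample documents, the bucket name and the group ID are constructed; the escalation-action set is a short well-known subset, not an exhaustive list.

```python
"""Offline checks for three common AWS misconfigurations (added example).
Each function takes the dict the matching `aws ... --output json` call returns;
all sample data below is constructed for this example."""
import fnmatch
import ipaddress

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Well-known subset of IAM actions that let a principal grant itself more access.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}


def public_acl_grants(acl, public_access_block=None):
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers.
    IgnorePublicAcls makes S3 disregard existing public grants, so it neutralises
    them; BlockPublicAcls only rejects new public ACLs and is not treated as
    protection for a bucket that is already public."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if cfg.get("IgnorePublicAcls"):
        return []
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def risky_statements(policy_document):
    """(index, reason) for Allow statements pairing a wildcard action with
    Resource "*" or granting an ESCALATION_ACTIONS entry. IAM matches actions
    case-insensitively and expands '*', so fnmatch is used on lowercased names."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in _as_list(stmt.get("Resource")):
            findings.append((i, f"wildcard action(s) {wild} on Resource *"))
        escalation = sorted(a for a in ESCALATION_ACTIONS
                            if any(fnmatch.fnmatchcase(a.lower(), p) for p in actions))
        if escalation:
            findings.append((i, f"privilege-escalation capable: {escalation}"))
    return findings


def world_open_rules(describe_output, sensitive_ports=(22, 3389, 1433, 3306, 5432, 6379, 27017)):
    """Ingress rules reachable from the whole internet (0.0.0.0/0 or ::/0);
    critical when the rule covers all traffic or a sensitive port."""
    hits = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue
                proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
                critical = proto == "-1" or (lo is not None and any(lo <= p <= hi for p in sensitive_ports))
                hits.append({"GroupId": sg["GroupId"], "Protocol": proto, "FromPort": lo,
                             "ToPort": hi, "Cidr": cidr, "Critical": critical})
    return hits


# Constructed sample data, shaped like the real CLI output.
SAMPLE_ACL = {"Owner": {"ID": "exampleowner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_BLOCK = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
    "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::company-customer-data/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
SAMPLE_SGS = {"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "prod-db",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL), "/ with block:",
          public_acl_grants(SAMPLE_ACL, SAMPLE_BLOCK))
    for idx, reason in risky_statements(SAMPLE_POLICY):
        print(f"statement {idx}: {reason}")
    for hit in world_open_rules(SAMPLE_SGS):
        print(hit)
```

The checks deliberately look at the effective state rather than the setting's name: a bucket whose public access block only sets BlockPublicAcls is still public through an ACL that was attached earlier, and an IAM statement granting iam:* on a scoped resource is not flagged as a wildcard but is still flagged as escalation-capable. Bucket policies, which can also make a bucket public, are not evaluated here.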

Exploit steps

Attacker scans for publicly accessible buckets using tools like bucket-stream, lists contents, and downloads sensitive data.

  1. Enumerate and download public bucket data

    Mass data exfiltration

    Action

    Download all files from the publicly accessible S3 bucket; --no-sign-request means no AWS credentials are needed at all

    Request

    CLI
    Body:
    "aws s3 sync s3://company-customer-data ./stolen_data --no-sign-request"

    Response

    Status: 200
    Body:
    {
      "note": "Gigabytes of sensitive customer data downloaded"
    }

    Artifacts

    customer_data pii credentials database_backups
  2. Abuse overpermissive IAM roles

    Privilege escalation via IAM

    Action

    Use the compromised principal's own iam:AttachUserPolicy permission, granted by a wildcard statement, to attach AdministratorAccess to a user it controls

    Request

    CLI
    Body:
    "aws iam attach-user-policy --user-name attacker --policy-arn arn:aws:iam::aws:policy/AdministratorAccess"

    Response

    Status: 200
    Body:
    {
      "note": "Admin access granted through wildcard IAM permissions"
    }

    Artifacts

    admin_access full_account_control
  3. Access services through open security groups

    Direct database access

    Action

    Connect to the production database through the open security group; with the network control gone, database authentication is the only remaining barrier

    Request

    TCP postgres://prod-db.region.rds.amazonaws.com:5432

    Response

    Status: connection accepted
    Body:
    {
      "note": "Direct access to production database from internet"
    }

    Artifacts

    database_access customer_records financial_data

Specific Impact

Exposure of millions of customer records including personal information, financial data, and credentials, leading to identity theft, fraud, and regulatory fines.

Fix

Block all public access to S3 buckets by default, at the account level as well as per bucket. Enable encryption at rest. Use bucket policies with least privilege. Enable server access logging or CloudTrail S3 data events so that object reads, not only configuration changes, leave an audit trail.

Detect This Vulnerability in Your Code

Sourcery automatically identifies cloud misconfiguration & secret exposure vulnerabilities and many other security issues in your codebase.
