Guide · 8 min

Cloud misconfiguration: controls that usually matter first

A practical guide to prioritising cloud security controls that reduce common exposure and investigation gaps.

Cloud breaches are configuration breaches

Cloud breaches rarely happen via zero-day exploits. They happen via misconfigurations — public storage buckets, overly permissive IAM roles, hardcoded API keys in source code, and missing logging. These are not sophisticated attacks; they are the exploitation of preventable mistakes.

The challenge is that cloud environments change constantly. A configuration that was correct last month may have drifted. A developer who needed temporary access may still have it. A storage bucket created for testing may now contain production data.

Identity and access management

IAM is the most critical cloud security control. Enforce the principle of least privilege: avoid wildcards (*) in the Action and Resource of identity policies, and treat any statement that allows Action "*" on Resource "*" as a full administrative grant, whatever the role is called. Wildcards over read-only verbs (for example ec2:Describe*) are usually tolerable; wildcards over a whole service (iam:*, s3:*) are not. Review who has administrative access and whether that access is justified. Implement just-in-time (JIT) elevation for administrative tasks rather than standing admin privileges.

  • Audit all IAM roles with administrative or wildcard permissions
  • Remove or restrict service accounts with standing elevated access
  • Enable MFA on all human accounts — no exceptions for administrators
  • Review cross-account access and trust relationships
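The first bullet above, auditing roles for administrative or wildcard permissions, is easy to do by hand for ten roles and impractical for a thousand. The following is an added example, not code from the guide or from Tenodex: a small audit over IAM identity-policy documents that flags full administrative grants, wildcard write actions, unconditional privilege-escalation actions and NotAction statements. The policy documents at the bottom are constructed samples; in practice each document would come from iam:GetPolicyVersion or iam:GetRolePolicy, and the escalation-action list is illustrative rather than exhaustive.

```python
"""Audit IAM identity-policy documents for administrative and wildcard grants.

Added example, not code from the guide. SAMPLE_POLICIES are constructed
documents; real ones would come from iam:GetPolicyVersion / iam:GetRolePolicy.
"""
import fnmatch
from typing import Any

# Actions that give administrative reach on their own, even when the statement
# contains no "*". Illustrative list, not exhaustive.
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)
# Wildcards over these verbs (ec2:Describe*, s3:List*) are read-only and
# usually acceptable; any other wildcard is treated as a write grant.
READ_ONLY_VERBS = ("describe", "get", "list")


def _as_list(value: Any) -> list:
    """Statement, Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(name: str, policy: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one policy document."""
    findings: list[tuple[str, str]] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        where = f"{name} statement {i}"
        if "NotAction" in st:
            # NotAction allows everything except the listed actions; it needs
            # a human review rather than a pattern check.
            findings.append(("HIGH", f"{where}: uses NotAction (allows everything not listed)"))
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        star_resource = "*" in resources
        if "*" in actions and star_resource:
            findings.append(("HIGH", f"{where}: full administrative grant (Action '*' on Resource '*')"))
            continue
        wild = [a for a in actions if "*" in a and not _is_read_only(a)]
        if wild:
            scope = " on Resource '*'" if star_resource else ""
            findings.append(("HIGH" if star_resource else "MEDIUM",
                             f"{where}: wildcard write actions {wild}{scope}"))
        escalations = sorted({e for e in ESCALATION_ACTIONS
                              for a in actions if _action_matches(a, e)})
        if escalations and not st.get("Condition"):
            findings.append(("HIGH", f"{where}: unconditional privilege-escalation actions {escalations}"))
    return findings


def audit_all(policies: dict[str, dict]) -> dict[str, list[tuple[str, str]]]:
    return {name: audit_policy(name, doc) for name, doc in policies.items()}


# Constructed sample policies; the role names and bucket are made up.
SAMPLE_POLICIES = {
    "AdminRole": {"Version": "2012-10-17",
                  "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "UploadService": {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow",
                                     "Action": ["s3:GetObject", "s3:PutObject"],
                                     "Resource": "arn:aws:s3:::app-uploads/*"}]},
    "DeployRole": {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
                                 {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
                                 {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"}]},
}

if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_POLICIES).items():
        print(role, "clean" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Treat the output as a triage list, not a verdict: the check reads identity policies only, so permission boundaries, service control policies, resource policies and Condition blocks that narrow a grant are outside its view, and a MEDIUM finding on a scoped resource still deserves a look when the resource is a sensitive bucket or a KMS key.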

Public exposure and secrets

Ensure S3 buckets, Azure blob containers and GCP storage buckets are not publicly accessible unless explicitly required, and turn on the account-wide guard as well (S3 Block Public Access, disallowing anonymous blob access on the storage account in Azure, public access prevention in GCP) so that a single bucket ACL or policy cannot reopen exposure. Scan source code repositories for hardcoded API keys, database credentials and secret tokens, and rotate any credential that has ever been committed: deleting it from the current revision does not remove it from history. Move all secrets to a secure vault service (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault).

Run a public exposure scan at least monthly, and trigger it from configuration changes where you can rather than waiting for the scheduled run. Attackers actively scan for newly exposed storage and services; the window between misconfiguration and exploitation can be hours.
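The repository scan described above, as an added example that is not part of the guide or Tenodex's tooling: a small scanner over source text that matches AWS access key IDs, GitHub classic tokens and generic name = "literal" secret assignments, then drops obvious placeholders and low-entropy values to keep the findings reviewable. SAMPLE_SOURCE is a constructed file; every value in it is made up except "AKIAIOSFODNN7EXAMPLE", which is the placeholder access key ID used in AWS documentation. The patterns and the entropy threshold are assumptions chosen for this example.

```python
"""Scan source text for hardcoded credentials.

Added example, not code from the guide. PATTERNS is a deliberately small set;
a production scanner carries many more. SAMPLE_SOURCE is constructed.
"""
import math
import re

# Most specific patterns first: a line is reported once, under the first
# pattern that hits, so a GitHub token is not also reported as a generic secret.
PATTERNS = {
    # AWS access key id: AKIA (long-term) or ASIA (temporary) plus 16 characters.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub personal access token, classic format.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # A secret-looking name assigned a quoted literal of 8+ characters.
    "generic_secret": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "<", "${", "{{")
MIN_ENTROPY_BITS = 3.5  # per character; random secrets sit well above, words below


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character string."""
    if not value:
        return 0.0
    n = len(value)
    counts = (value.count(ch) for ch in set(value))
    return -sum(c / n * math.log2(c / n) for c in counts)


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, matched_value) for each likely hardcoded secret."""
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            hits = []
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if looks_like_placeholder(value):
                    continue
                if kind == "generic_secret" and shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue  # dictionary-like values such as "secretpassword" are noise
                hits.append((lineno, kind, value))
            if hits:
                findings.extend(hits)
                break
    return findings


# Constructed sample source file. The AKIA id on line 3 is the AWS docs placeholder;
# the other credentials are made up for this example.
SAMPLE_SOURCE = """\
# constructed sample: config.py
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # docs placeholder, should be ignored
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
DB_PASSWORD = "changeme"
API_KEY = "q7Zx9vLp2TnR8kWe4YhB1sDf"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
aws_key = "AKIA4QZ8NXTK2R7VL9PW"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value[:6]}...")
```

Run it over every revision, not just the working tree: a key that was committed and later removed is still in history and still needs rotating. Entropy is a filter for reviewer time, not a proof of anything; a short dictionary password is still a real secret if it works.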

Logging and monitoring

Enable CloudTrail (AWS), Activity Log export (Azure) or Cloud Audit Logs (GCP) for all accounts and all regions; on AWS an organisation trail with multi-region logging covers new accounts and regions automatically. Ship the logs to a separate account into storage that production credentials cannot modify or delete (object lock or an equivalent retention lock), because an attacker holding production credentials commonly tries to stop or delete the trail before doing anything else; alert on those attempts, including the ones that fail. Without logging you cannot detect, investigate or evidence what happened during an incident.
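What the logs are for, as an added example that is not part of the guide or Tenodex's tooling: a detection pass over CloudTrail-style records that flags attempts to stop or delete the trail (successful or denied), a root console login without MFA, and an ACL that opens a bucket to everyone. SAMPLE_RECORDS are constructed events carrying only the fields this code reads (eventName, userIdentity, errorCode, additionalEventData, requestParameters); the trail name, bucket name, user names, account ID 123456789012 and the 203.0.113.0/24 addresses are documentation-style values, not real infrastructure.

```python
"""Flag audit-log tampering and public exposure in CloudTrail-style records.

Added example, not code from the guide. SAMPLE_RECORDS are constructed and
carry only the fields the detection reads.
"""

# API calls that stop, weaken or destroy the audit trail. A denied attempt
# (errorCode present) is still reported: it shows intent and a live foothold.
LOG_TAMPERING = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteLogGroup",
}
PUBLIC_GRANTEES = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def actor(record: dict) -> str:
    """Best-effort human name for the identity behind an event."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def _grant_uris(request_parameters: dict) -> list[str]:
    """Collect grantee URIs from a PutBucketAcl / PutObjectAcl request body."""
    acl = request_parameters.get("AccessControlPolicy", {}).get("AccessControlList", {})
    grants = acl.get("Grant", [])
    if isinstance(grants, dict):  # a single grant is not wrapped in a list
        grants = [grants]
    return [g.get("Grantee", {}).get("URI", "") for g in grants]


def detect(records: list[dict]) -> list[dict]:
    """Return one alert dict per suspicious record, in input order."""
    alerts = []
    for rec in records:
        name = rec.get("eventName", "")
        who = actor(rec)
        is_root = rec.get("userIdentity", {}).get("type") == "Root"
        outcome = "attempted" if rec.get("errorCode") else "succeeded"
        if name in LOG_TAMPERING:
            alerts.append({"severity": "HIGH", "event": name, "actor": who,
                           "reason": f"audit-log tampering {outcome}"})
        if name == "ConsoleLogin" and is_root:
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append({"severity": "HIGH", "event": name, "actor": who,
                               "reason": "root console login without MFA"})
        if name in ("PutBucketAcl", "PutObjectAcl"):
            params = rec.get("requestParameters", {})
            if any(uri in PUBLIC_GRANTEES for uri in _grant_uris(params)):
                target = params.get("bucketName", "?")
                alerts.append({"severity": "HIGH", "event": name, "actor": who,
                               "reason": f"public ACL granted on {target} ({outcome})"})
    return alerts


# Constructed sample events (not real records).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T02:14:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-01T02:15:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T02:16:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}},
    {"eventTime": "2024-03-01T02:18:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"bucketName": "customer-exports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Permission": "READ", "Grantee": {
             "xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}}},
    {"eventTime": "2024-03-01T02:20:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "errorCode": "AccessDeniedException",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] {alert['event']} by {alert['actor']}: {alert['reason']}")
```

Note the last record: the DeleteTrail call was denied, and it is reported anyway. The denial is the control working; the attempt is the signal that someone with the ci-deploy credentials is trying to blind you, and that signal only exists if the StopLogging event before it did not succeed in stopping the records from reaching the separate account.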

Backup isolation

Ensure cloud backups are immutable and stored in a logically separate account whose roles cannot be assumed with production credentials. If compromised production credentials can delete or overwrite your backups, they are not backups: they are a copy that fails when you need it most. Test recovery from backups at least quarterly, from the isolated account, so that the restore path is known to work before an incident forces the question.

Need help applying this?

Turn the guide into an action plan.

Tenodex can assess your current state, prioritise the practical work and help implement the operating model.

Book a Briefing