Cloud Misconfiguration

Insecure cloud resource settings—such as public buckets or permissive IAM policies—that expose data or infrastructure.

What it is

Cloud misconfiguration refers to insecure setup or management of cloud resources—storage buckets, virtual machines, databases, APIs, IAM policies, or network controls—that leaves data or infrastructure exposed. Cloud platforms provide tremendous flexibility, but under the shared responsibility model the customer must configure services securely. Misconfigurations arise when permissions are too broad, encryption is disabled, logging is turned off, or default credentials and firewall rules remain in place.

Common examples include publicly accessible Amazon S3, Azure Blob, or Google Cloud Storage buckets; overly permissive IAM roles or service accounts; exposed management ports; and unmonitored cloud logs. Infrastructure-as-code templates or automation scripts can propagate insecure defaults across regions and accounts rapidly.

Why it matters

Cloud misconfigurations are among the leading causes of data breaches. Attackers actively scan for open storage, weak IAM policies, and exposed APIs—often finding valuable data without exploiting any software vulnerability. Risks include privilege escalation, lateral movement across environments, denial of service, compliance violations, and significant reputational damage. Because cloud resources are dynamic and API-driven, configuration drift can reintroduce issues even after remediation.

How to reduce risk

  • Deploy Cloud Security Posture Management (CSPM) tools to detect and remediate misconfigurations continuously.
  • Enforce least privilege IAM with granular roles, short-lived credentials, and regular access reviews.
  • Require encryption by default, enforce HTTPS/TLS, and block public access on storage services.
  • Use configuration baselines and policies (AWS Config, Azure Policy, GCP Organization Policies) to automate compliance.
  • Monitor for public exposure, weak firewall rules, and risky IAM changes via centralized logging.
  • Apply version control, peer review, and automated testing to Infrastructure-as-Code pipelines.
  • Conduct regular penetration tests, red-team exercises, and security training focused on shared responsibility.