PUBLIC RELEASE | DOC-ID: ANL-2026-0035
Analysis

Top 10 Cloud Misconfigurations We Find in Indian Organizations

After 200+ cloud security assessments, these are the misconfigurations that appear in over 80% of engagements — and how to fix them.

Secureline Research
2026-03-28
8 min read

Cloud misconfigurations remain the leading cause of data breaches in cloud environments. After conducting over 200 cloud security assessments across AWS, Azure, and GCP for Indian organizations, we've identified a consistent pattern of misconfigurations that appear with alarming regularity. These aren't exotic attack vectors — they're fundamental hygiene issues that create significant risk.

Number 1: Overly permissive IAM policies. In 94% of assessments, we find IAM roles with wildcard permissions (Action: '*', Resource: '*'). The most common justification: 'We'll tighten it later.' Later never comes. The fix is simple in concept but requires discipline: implement least-privilege from day one, use AWS IAM Access Analyzer or Azure AD PIM, and review permissions quarterly.

Number 2: Public S3 buckets and Azure Blob containers. Despite years of high-profile breaches, 67% of organizations we assess have at least one publicly accessible storage resource containing sensitive data. Often these are 'temporary' buckets created for data migration or sharing that were never locked down. Enable S3 Block Public Access at the account level. No exceptions.

Number 3: Unencrypted data at rest. 78% of organizations have at least some databases or storage volumes without encryption enabled. In 2026, there's no performance excuse — encryption overhead is negligible. Enable default encryption for all storage services. This is a one-time configuration change with permanent security benefit.

Number 4: Security groups allowing 0.0.0.0/0 on management ports. SSH (22) and RDP (3389) open to the internet appear in 82% of assessments. The fix: use VPN or bastion hosts for administrative access. No management port should ever be exposed to the public internet.

Number 5: Missing CloudTrail or equivalent logging. 45% of organizations either don't have comprehensive audit logging enabled or don't retain logs long enough for forensic investigation. Enable CloudTrail in all regions, ship logs to a separate account, and retain them for at least one year.

Numbers 6 through 10 include: disabled MFA on root/admin accounts (71%), unused access keys older than 90 days (89%), missing VPC flow logs (56%), default VPC usage in production (43%), and cross-account trust relationships without condition keys (38%). Each represents a systemic gap that automated tools can detect and continuous monitoring can prevent.
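As an added example (not Secureline's code), the two checks below flag Number 1 and Number 4 on AWS-shaped inputs: an Allow statement granting '*' on '*' in an IAM policy document, and a security-group rule that opens SSH or RDP to 0.0.0.0/0 or ::/0. Field names follow the AWS IAM policy and EC2 IpPermissions JSON; the sample policy and rules are constructed for this example.

```python
# Offline checks for Number 1 (wildcard IAM statements) and Number 4 (SSH/RDP
# open to the world). Inputs follow the JSON shapes of AWS IAM policy documents
# and EC2 security-group IpPermissions; the sample inputs are constructed.
MANAGEMENT_PORTS = (22, 3389)
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy):
    """Return Sids (or positions) of Allow statements granting '*' on '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings

def exposed_management_rules(permissions):
    """Return (port, cidr) pairs where 22 or 3389 is reachable from any address."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule: every port is in scope
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in MANAGEMENT_PORTS:
            if low <= port <= high:
                findings.extend((port, c) for c in cidrs if c in ANYWHERE)
    return findings

SAMPLE_POLICY = {  # constructed: one scoped statement, one "tighten later" wildcard
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TightenLater", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_SG_RULES = [  # constructed: HTTPS public, SSH public, RDP internal-only, all-traffic IPv6
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]
```

Feeding real `get-policy-version` documents and `describe-security-groups` output to these functions turns the two findings into a repeatable check; the 443 rule is deliberately left unflagged because only management ports are in scope.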

Tags: Cloud Security, AWS, Azure, CSPM, Misconfiguration