Understand the shared responsibility model
Whichever provider you use (AWS, Azure, Google Cloud), the provider secures the underlying infrastructure — but you remain responsible for how you configure and use it: access control, data classification, network settings, and application security. Most breaches in the cloud trace back to the customer side of that line.
The most common cloud mistakes we find
- Public storage buckets. S3 buckets, blob storage, or file shares left open to the internet — often by accident during setup.
- Overly broad permissions. Service accounts and users with far more access than their job requires.
- No MFA on cloud console access. The console that controls everything is protected by a password alone.
- Default security groups / firewall rules. Ports left open (databases, remote access) that should only be reachable internally.
- No logging or alerting. Activity logs exist but nobody reviews them or gets notified of risky changes.
- Secrets in code. API keys and passwords committed to repositories or left in configuration files.
A practical starting checklist
- Enable MFA on every account with console or admin access.
- Review storage buckets and shares for public access — restrict to what's actually needed.
- Apply least privilege: scope permissions to specific resources and actions, not broad admin roles.
- Turn on your provider's security/audit logging (e.g. CloudTrail, Azure Monitor, Cloud Audit Logs) and review it periodically.
- Use secrets management (a vault or environment-based secrets) instead of hardcoding credentials.
- Patch and update managed services, containers, and VM images regularly.
- Tag and track what's actually running — unused resources are unmanaged risk.
Free check: use our Security Headers Checker and SSL Certificate Checker to spot-check any public-facing site or app you host in the cloud.
Get an independent look
A cloud configuration review as part of a vulnerability assessment finds exposed storage, excessive permissions, and missing logging before an attacker finds them for you.