Understand the shared responsibility model

Whichever provider you use (AWS, Azure, Google Cloud), the provider secures the underlying infrastructure — but you remain responsible for how you configure and use it: access control, data classification, network settings, and application security. Most breaches in the cloud trace back to the customer side of that line.

The most common cloud mistakes we find

  • Public storage buckets. S3 buckets, blob storage, or file shares left open to the internet — often by accident during setup.
  • Overly broad permissions. Service accounts and users with far more access than their job requires.
  • No MFA on cloud console access. The console that controls everything is protected by a password alone.
  • Default security groups / firewall rules. Ports left open (databases, remote access) that should only be reachable internally.
  • No logging or alerting. Activity logs exist but nobody reviews them or gets notified of risky changes.
  • Secrets in code. API keys and passwords committed to repositories or left in configuration files.

A practical starting checklist

  • Enable MFA on every account with console or admin access.
  • Review storage buckets and shares for public access — restrict to what's actually needed.
  • Apply least privilege: scope permissions to specific resources and actions, not broad admin roles.
  • Turn on your provider's security/audit logging (e.g. CloudTrail, Azure Monitor, Cloud Audit Logs) and review it periodically.
  • Use secrets management (a vault or environment-based secrets) instead of hardcoding credentials.
  • Patch and update managed services, containers, and VM images regularly.
  • Tag and track what's actually running — unused resources are unmanaged risk.

Free check: use our Security Headers Checker and SSL Certificate Checker to spot-check any public-facing site or app you host in the cloud.

Get an independent look

A cloud configuration review as part of a vulnerability assessment finds exposed storage, excessive permissions, and missing logging before an attacker finds them for you.

See Vulnerability Assessment