Preview Image

The snowflake data breach of 2024 was far from a zero-day exploit or a sophisticated attack. However, nearly 160 companies were compromised, including Ticketmaster (records of 560 million individuals), AT&T

The snowflake data breach of 2024 was far from a zero-day exploit or a sophisticated attack. However, nearly 160 companies were compromised, including Ticketmaster (records of 560 million individuals), AT&T (call metadata for 110 million customers), and several major banks.

Attackers logged into customer Snowflake tenants using stolen credentials against accounts that had no multi-factor authentication enforced. Some of those credentials had been sitting in infostealer logs since 2020.

This specific case strikes close to home, as even well-resourced companies with large engineering teams fail to enforce multi-factor authentication (MFA), making a bad configuration decision. This article walks you through the specifics of how even a single missing configuration can become catastrophic at scale.

Why CTOs at cloud-first companies carry most of this risk

If you are a CTO or VP of Engineering at a company that runs on AWS, Azure, or GCP without a dedicated security team, cloud misconfiguration becomes your problem. You own the architecture decisions and approve the access policies. So, you are the one whose team spins up new resources under sprint pressure and decides to tighten the permissions later.

The challenge is not unique at all. According to IBM's X-Force Threat Intelligence Index, 25% of all cloud security incidents involve misconfigured cloud services. It is widely known that an average enterprise, at any given point, is running over 3,000 misconfigured cloud assets. An average data breach, which involves multiple environments, costs nearly $5.05 million.

The problem compounds with size and speed.

Every new service, every third-party integration, every contractor who gets temporary access and whose account never gets deprovisioned keeps accumulating until these instances snowball into a critical risk. Gartner projected that 99% of cloud security failures through 2025 would be the customer's fault, and that projection has aged badly because it has come true.

Three factors that create the exposure

1. The shared responsibility model has a gap that most teams fall into

Cloud providers secure the physical infrastructure, the hypervisor, and the underlying network. Everything above that, from your configurations and access policies to storage settings, identity controls, API keys, and monitoring, is yours to secure. Most teams understand this in principle, but only a few implement it systematically.

What a good cloud security configuration looks like at the architecture level is not the same as having the operational discipline to maintain it under delivery pressure. The defaults that AWS or Azure ship with are convenient defaults.

2. Identity and access management is a configuration problem

Cloud misconfiguration caused by excessive identity and access management permissions in a cloud environment.

    Most discussions of cloud misconfiguration focus on storage buckets, and the larger risk is identity. Seventy percent of cloud breaches originate from compromised identities, according to Google Cloud's CISO Perspectives. Palo Alto's Unit 42 analyzed 680,000 cloud identities and found that 99% of users, roles, and service accounts hold excessive permissions.

    For instance, consider that a developer is given broad access to complete a migration. The migration finishes. The access is not revoked. Six months later, that account is compromised via a phishing email, and the attacker finds themselves with production database access.

    MFA reduces account compromise risk by more than 99%, according to Microsoft's research. Yet the 2026 Verizon DBIR found that 37% of organizations still had at least one admin cloud account with MFA disabled, and only 23% of third-party organizations had fully remediated MFA gaps. This matters because 48% of all breaches in 2026 involved third parties, up 60% from the prior year.

    Which means, every vendor and integration partner with access to your cloud environment is an extension of your attack surface.

    3. Detection lags far behind exposure

    The breach does not happen the day the misconfiguration is created. It happens weeks or months later, after an automated scanner that runs constantly across the internet finds the open bucket, the exposed management interface, or the unrotated API key.

    By then, the data has likely already been accessed.

    EduConnect, an online learning platform used by schools across the country, exposed a massive database through a misconfigured Amazon S3 bucket.

    Student names, home addresses, grades, disciplinary records, teacher personal informationโ€ฆ all readable by anyone who found the URL. The exposure ran for three weeks before detection. By then, automated scanners had almost certainly already copied and indexed everything.

    A publicly accessible S3 bucket held hundreds of thousands of PDF files related to bank transfer mandates. Customer names, home addresses, phone numbers, email addresses, bank account numbers, and routing codes. A separate misconfigured bucket left more than 8TB of meeting recordings and transcripts exposed to the public internet.

    If your team is not actively monitoring for configuration drift, you will likely find out about a breach from a third-party researcher, a news report, or a regulatory inquiry. This is why cloud workload protection and continuous monitoring have become the baseline requirements for any cloud-hosted business.

    A configuration security checklist for engineering teams

    Cloud misconfiguration security checklist for engineering teams to prevent cloud security risks and data breaches.

    Understanding what a good cloud security configuration looks like at the architecture level is not the same as having the operational discipline to maintain it under delivery pressure.

    The NSA and CISA published a joint advisory identifying the top 10 most common misconfigurations they found through Red and Blue team assessments of large organizations. The list includes default software configurations left unchanged, improper separation of user and administrator privileges, unused services with no access controls, and unpatched credentials. Most of these appear to be process failures.

    The checklist below is organized by what typically causes the most damage, addressed first.

    Identity and access

    • Audit every cloud identity this week, from users and roles to service accounts and OAuth apps. Revoke access for anything inactive or broader than what the role requires.

    • Enforce MFA on every admin account without exception. Apply it to all accounts with write or delete access to production resources.

    • Rotate all API keys and long-lived credentials on a defined schedule. Treat any exposed secret as compromised immediately.

    • Remove or offboard vendor and contractor accounts the day access is no longer needed.

    Storage and data exposure

    • Create an inventory of all S3 buckets, Azure Blob Storage containers, and GCP storage buckets in your environment. Flag any publicly accessible bucket and check what it contains.

    • Review database exposure. Cloud environments often have publicly exposed PaaS databases with insufficient access controls.

    • Separate dev, staging, and production environments with enforced access controls. A compromised staging environment should not be a path to production data.

    Monitoring and drift

    • Enable audit logs across all cloud accounts, all regions, and all services. Work with your cloud development and infrastructure team to set retention policies and configure alerting for anomalous access patterns.

    • Scan CI/CD pipelines, build logs, and environment variables for hardcoded secrets. This is where credentials leak most often in fast-shipping teams.

    • Schedule recurring configuration reviews. Cloud environments drift after deployments. A fix applied in January may not survive a March release cycle.

    Third-party and vendor risk

    • Audit what access each vendor and integration has. Apply least-privilege to every external integration. Review this on a quarterly basis.

    The cost of inaction is no longer abstract

    The pattern across every significant cloud breach in 2025 and 2026 is consistent. It is configurations that were not reviewed, permissions that were not revoked, and logs that were not monitored.

    It means this is entirely a solvable problem. But also means the only thing standing between your environment and a breach is operational discipline. Whether your team is checking what is open, who has access, and whether the fixes applied last quarter are still in place.

    For engineering teams running on cloud infrastructure without a dedicated security function, the right time to start is before the breach. The cybersecurity resources on our blog offer specific guidance across GRC, compliance frameworks, and cloud security that is relevant to teams at this stage.

    Respond to this article with emojis
    You haven't rated this post yet.