Express, the US fashion retailer, exposed customer personal data — names, addresses, email addresses, and order details — in an S3 bucket that had been left publicly accessible. The data was not stolen by a sophisticated attacker exploiting a zero-day vulnerability. It was sitting in an S3 bucket that anyone with the URL could read, with no authentication required. This is what makes cloud misconfiguration breaches particularly frustrating from an engineering perspective: there was no technical sophistication required on the attacker's side. Security researchers and malicious actors alike regularly scan the internet for misconfigured cloud storage buckets, and they find them because organisations are deploying cloud resources faster than they are implementing the governance processes to ensure those resources are configured correctly.
What We'll Cover
What Happened and Why It Matters
The Express breach was discovered by a security researcher using automated scanning tools that regularly probe publicly accessible cloud storage for misconfigured buckets. The researcher found an S3 bucket with a bucket policy that allowed s3:GetObject for Principal "*" — meaning any user on the internet, authenticated or not, could download any file in the bucket. The bucket contained hundreds of thousands of customer order records in structured JSON format, making the data immediately usable for fraud, phishing, and identity theft.
The "it was always there" breach is a specific category of cloud misconfiguration incident: the data was never breached in the traditional sense — no attacker penetrated a defended perimeter. The data was simply left in a publicly readable location, discoverable by anyone who knew to look. Gartner estimated that through 2025, 99% of cloud security failures would be the customer's fault — the result of misconfiguration, not cloud platform vulnerabilities. The question is not whether your cloud infrastructure has misconfigurations; it is whether you have the automated processes to detect and remediate them before a researcher or attacker finds them first.
Why Cloud Misconfiguration Is the #1 Cause of Data Exposure
Cloud platforms offer enormous flexibility — and that flexibility creates an enormous configuration surface that must be secured. The most common misconfiguration patterns are consistent across organisations and cloud providers:
- Public S3 buckets and equivalent object storage — AWS, GCP, and Azure all allow object storage to be configured as publicly readable. This is appropriate for static website assets but catastrophic for any bucket containing customer data, backups, logs, or configuration files. AWS changed the default to block public access in 2023, but pre-existing buckets and explicit overrides remain a persistent risk.
- Overpermissioned IAM roles and service accounts — Engineers under time pressure create IAM roles with wildcard permissions ("Action: *", "Resource: *") to make things work quickly and never refactor them. A Lambda function that needs to read one S3 bucket ends up with permissions to read all S3 buckets in the account.
- Unauthenticated API endpoints — REST and GraphQL APIs intended to be internal-only end up accessible from the internet because security group or VPC configuration was not set correctly. Without authentication, anyone who discovers the endpoint URL can query the underlying data.
- Exposed environment variables and configuration files — Database connection strings, API keys, and service credentials committed to source code, stored in publicly readable S3 buckets, or exposed via misconfigured CI/CD pipeline artefacts. GitHub's secret scanning has found millions of exposed credentials in public repositories.
The Cloud Security Configuration Checklist
The following checklist should be applied to every cloud environment as a minimum standard. Automated tools can enforce most of these controls as policy rather than manual review:
- Enable S3 Block Public Access at the account level — AWS provides an account-level setting that blocks public access to all S3 buckets regardless of individual bucket policies. Enable this in every AWS account. Override only for specific buckets that require public access, and document every override. Use AWS Config rule s3-bucket-public-read-prohibited to alert on deviations.
- Audit and enforce IAM least-privilege with AWS Access Analyzer — AWS IAM Access Analyzer identifies resource policies that grant external access and generates least-privilege policies based on actual CloudTrail access logs. Run Access Analyzer continuously and review every "external access" finding within 24 hours.
- Require authentication on every API endpoint — Use API Gateway with a Cognito authoriser, Lambda authoriser, or IAM authorization for every API endpoint. Remove security group rules that allow 0.0.0.0/0 access to application ports from the internet. Internal APIs should be accessible only from within the VPC.
- Deploy a Cloud Security Posture Management (CSPM) tool — Tools like Wiz, Orca Security, Prisma Cloud, or the open-source Prowler continuously scan your environment against CIS Benchmarks and alert on misconfiguration findings. Integrate CSPM findings into your security ticket workflow with SLA-based remediation targets.
- Scan for secrets in code and configuration — Use GitHub Advanced Security, truffleHog, or Gitleaks in your CI/CD pipeline to block commits containing credentials, API keys, or connection strings. Rotate any credentials that have been committed to version control — treat any committed credential as compromised.
What Engineering Teams Should Do
Cloud misconfiguration is an engineering governance problem, not a security team problem. The decisions that create misconfiguration exposure — how IAM roles are designed, how S3 bucket policies are set, how API endpoints are exposed — are made by engineers in the course of building features. Fixing this requires building security configuration validation into the development process: Infrastructure as Code (IaC) linting with tools like Checkov or tfsec, CSPM scanning in CI/CD pipelines, and security reviews as a standard part of architecture design.
Pillai Infotech's cloud and DevOps engineers implement cloud security foundations — IAM architecture, S3 bucket policy enforcement, CSPM integration, and IaC security scanning — as part of every infrastructure engagement. Our DevOps engineers have audited and remediated cloud misconfiguration for retail, fintech, and healthcare companies, reducing their cloud security risk posture from critical to manageable within weeks.
Frequently Asked Questions
What is a cloud misconfiguration breach?
A cloud misconfiguration breach occurs when cloud resources are configured in a way that unintentionally exposes data or allows unauthorised access. Unlike traditional breaches requiring vulnerability exploitation, misconfiguration breaches often require no technical sophistication — the data is simply accessible to anyone who knows to look. Gartner estimated that 99% of cloud security failures through 2025 would be the customer's fault — the result of misconfiguration, not cloud platform vulnerabilities.
What is a CSPM tool and do we need one?
A Cloud Security Posture Management (CSPM) tool continuously scans your cloud environment against security benchmarks and alerts on misconfiguration findings. Popular tools include Wiz, Orca Security, Prisma Cloud, and the open-source Prowler. If you have more than one AWS account or a multi-cloud environment, a CSPM tool is essentially mandatory — the configuration surface is too large for reliable manual review.
How do attackers find misconfigured S3 buckets?
Attackers use automated scanning tools that enumerate possible S3 bucket names based on company names, domain names, and common patterns, then probe each for public access. Tools like GrayhatWarfare index publicly accessible S3 buckets and make them searchable. The attack requires no credentials and no technical vulnerability.
What is Infrastructure as Code (IaC) security scanning?
IaC security scanning analyses Terraform, CloudFormation, and Kubernetes manifests for security misconfigurations before they are deployed. Tools like Checkov, tfsec, and Snyk IaC can run in CI/CD pipelines to block deployments that would create publicly accessible storage buckets or overpermissioned IAM roles. Catching misconfigurations in code review is faster and cheaper than finding them in production.
What to do if we discover a misconfigured public S3 bucket?
Immediately enable S3 Block Public Access on the bucket. Review S3 server access logs and CloudTrail to determine if the bucket was accessed by unauthorised parties and what data was accessed. Assess notification obligations under applicable privacy laws (GDPR, India DPDP Act). Then implement preventive controls to stop it happening again.