Your Data Isn’t Safe in the Cloud — Here’s What Actually Protects It

-
What is Cloud Security? Threats, Best Practices & How to Protect Cloud Data (Complete 2026 Guide)

What is Cloud Security? Top Threats, Shared Responsibility & How to Protect Cloud Data (Complete 2026 Guide)

By Amardeep Maroli  |  April 18, 2026  |  Cloud Security, AWS, Cybersecurity  |  16 min read
Your Data Isn’t Safe in the Cloud — Here’s What Actually Protects It

In 2019, Capital One suffered a breach that exposed the personal data of 106 million people — credit applications, social security numbers, bank account numbers. The attacker did not exploit a zero-day vulnerability. They did not break any encryption. They found a misconfigured Web Application Firewall running on AWS that had overly permissive IAM (Identity and Access Management) permissions. Through a server-side request forgery (SSRF) attack against that misconfigured WAF, they obtained temporary AWS credentials from the EC2 metadata endpoint — credentials the WAF should never have had access to — and used them to download 700 files from an S3 bucket.

The Capital One breach is the definitive cloud security case study because it illustrates the most important truth about cloud security: the cloud provider's infrastructure was not compromised. The customer's configuration was. AWS's servers were secure. Capital One's configuration of those servers created the vulnerability.

This is why cloud security is simultaneously the most important and most misunderstood area of cybersecurity in 2026. 94% of enterprises run some workload on cloud. 81% have "neglected assets" — public-facing cloud systems running outdated software. 21% had at least one storage bucket publicly accessible in 2024. The threats are largely self-inflicted, which means they are largely preventable.

Quick Navigation:
  1. What cloud security is — and why it is different from on-premises security
  2. The shared responsibility model — what the cloud provider secures and what you must secure
  3. Cloud service models — IaaS, PaaS, SaaS and what each means for security
  4. The top cloud security threats in 2026
  5. Cloud misconfiguration — the most common and most preventable threat
  6. Identity and access management (IAM) — the new cloud perimeter
  7. Cloud API security — the attack surface most teams underestimate
  8. Cloud security best practices and the hardening checklist

What Cloud Security Is — And Why It Is Different

Cloud security encompasses the policies, technologies, controls, and practices that protect cloud-based infrastructure, applications, and data from unauthorised access, data breaches, and service disruption. It covers the same fundamental goals as traditional security — confidentiality, integrity, availability — but in an environment with fundamentally different characteristics.

What makes cloud security different from traditional on-premises security:

  • Dynamic, ephemeral infrastructure. Cloud resources spin up and down automatically. A container running a web service might exist for minutes. Traditional security tools designed to scan fixed IP addresses cannot keep up with infrastructure that changes every hour.
  • Configuration as the primary attack surface. In on-premises environments, physical access controls and network perimeters provide baseline protection. In the cloud, everything is configured through APIs and management consoles. Every misconfiguration is instantly exploitable from anywhere on the internet.
  • Shared infrastructure. Cloud providers run multiple customers' workloads on the same physical hardware. Hypervisor isolation is the protection — and while hypervisor vulnerabilities are rare, they represent a fundamentally different threat model than dedicated hardware.
  • Identity as the primary control plane. In on-premises environments, network controls determine access. In the cloud, IAM (Identity and Access Management) roles, policies, and credentials determine what everything can do. Compromising an IAM role or credential can grant access to all resources that role touches — across any network segment.
  • The shared responsibility model. This is the most important concept in cloud security and is discussed in detail next.

The Shared Responsibility Model — What AWS/Azure/GCP Secures vs What You Must Secure

Every major cloud provider publishes a shared responsibility model that defines which security obligations belong to the provider and which belong to the customer. The core principle: the cloud provider secures the cloud infrastructure; you secure what you put in it and how you configure it.

Cloud Provider Secures

The physical and infrastructure layer

  • Physical data centre security
  • Hardware (servers, networking equipment)
  • Hypervisor and virtualisation layer
  • Core network infrastructure
  • Global backbone availability
  • Managed service security (RDS encryption at rest, etc.)
Shared

Depends on service type

  • Operating system patching (IaaS: you; PaaS: provider)
  • Network controls (partially both)
  • Application security (you)
  • Data classification (you)
  • Identity management (you)
Customer Secures

Your data and configuration

  • IAM roles and permissions
  • Data encryption configuration
  • Storage bucket access policies
  • Security group and firewall rules
  • Application-level security
  • Logging and monitoring setup
  • Compliance configuration
The most dangerous cloud security misconception: "My data is secure because it is on AWS/Azure/GCP." The cloud provider's infrastructure is secure. Your configuration of that infrastructure may not be. Capital One was on AWS. Every major cloud breach in the last five years occurred because of customer configuration errors, not provider infrastructure failures.

Cloud Service Models — IaaS, PaaS, SaaS and Security Implications

🏗️ IaaS — Infrastructure as a Service You manage: OS, middleware, apps, data, security. Provider manages: physical hardware, networking, virtualisation. Examples: AWS EC2, Azure VMs, Google Compute Engine. Highest security responsibility falls on you.
⚙️ PaaS — Platform as a Service You manage: apps, data, security configuration. Provider manages: OS, runtime, middleware. Examples: AWS RDS, Azure App Service, Google App Engine. Shared responsibility — OS patching is the provider's problem.
☁️ SaaS — Software as a Service You manage: data, access control, user accounts. Provider manages: everything else. Examples: Gmail, Salesforce, Microsoft 365, Slack. Least infrastructure responsibility, but IAM and data classification remain yours.

Top Cloud Security Threats in 2026

#1 Threat — Most Common

Misconfiguration — The Self-Inflicted Vulnerability

Cloud misconfiguration is responsible for the majority of cloud data breaches. It includes: publicly accessible storage buckets (S3, Azure Blob, GCS) containing sensitive data, overly permissive IAM roles that give services more access than they need, exposed management interfaces (admin consoles, SSH, RDP) directly accessible from the internet, default security group rules that allow all inbound traffic, and debug settings left enabled in production. These are not sophisticated attacks — they are attacker tools scanning the internet 24/7 for known misconfiguration signatures.

Capital One (2019): Misconfigured WAF with overly permissive IAM role. 106 million records exposed. $80 million regulatory fine.
Microsoft Power Apps (2021): Default configuration of Power Apps portals left data publicly accessible. 38 million records from multiple organisations exposed — including COVID vaccination status, employee data, and contact tracing information. No hacking required — the data was simply publicly accessible by default.
Fix: Enable AWS Config, Azure Policy, or GCP Security Command Center to continuously audit configurations against security baselines. Treat misconfiguration detection as a continuous process, not a one-time audit. Use infrastructure-as-code (Terraform, CloudFormation) with security policy checks in the pipeline to catch misconfigurations before deployment.
#2 Threat — Identity Crisis

IAM Misconfiguration and Credential Theft

Identity is the new perimeter in the cloud. An overly permissive IAM role does not need a network attack to be exploited — any service running with that role can be leveraged to access everything the role permits. Principle of least privilege (every service, user, and role gets only the permissions they absolutely need) is the foundational IAM control. The most common IAM failures: wildcard permissions (giving a service account admin access when it only needs read access to one bucket), hard-coded credentials in source code (committed to GitHub and scraped by automated bots within minutes), long-lived access keys that never rotate, and orphaned accounts with high privileges from former employees or decommissioned services.

Credential exposure on GitHub: IBM X-Force found over 300,000 ChatGPT credentials on the dark web in 2025 — many originated from developer machines where browser sessions were stolen by infostealers. Similarly, AWS access keys exposed in public GitHub repositories are scraped within minutes by automated bots. Uber (2022) had a contractor's credentials compromised through MFA fatigue — those credentials provided access to the company's entire cloud infrastructure.
Fix: Apply least-privilege for every IAM role. Use IAM Access Analyzer (AWS) to identify overly permissive policies. Rotate access keys regularly and use temporary credentials (IAM roles for EC2, IRSA for Kubernetes) instead of long-lived keys. Never commit credentials to code — use secrets managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault). Enable MFA for all human IAM users, as covered in the MFA guide.
Critical for Developers

Insecure APIs and Cloud Service Endpoints

Every cloud service exposes APIs — for management, data access, and service integration. Insecure APIs are the attack surface that drives cloud data theft. Common cloud API vulnerabilities include: excessive permissions on API gateway integrations, missing authentication on internal APIs (assuming internal = safe, which is wrong in a zero-trust world), SSRF vulnerabilities that allow access to the EC2 metadata endpoint (which provides temporary IAM credentials), and verbose error messages that leak cloud account IDs, role names, and resource identifiers useful for reconnaissance. The Capital One breach exploited an SSRF vulnerability in the WAF application, which was then used to query the EC2 metadata service and obtain IAM credentials.

Fix: Block access to the EC2 instance metadata service (IMDSv1) from application code — require IMDSv2, which requires session-oriented requests that prevent SSRF exploitation. Apply OWASP API Security Top 10 controls (see the API security guide). Use WAF rules to detect and block SSRF patterns. Implement authentication and authorisation on every internal API endpoint — never assume internal traffic is trusted.
Supply Chain

Third-Party and Supply Chain Attacks

IBM X-Force reports that major supply chain and third-party breaches quadrupled over the past five years. Cloud environments are deeply interconnected — SaaS applications, third-party integrations, OAuth tokens, and API keys create a web of trust where compromising one supplier can cascade to all their customers. The Bybit $1.5 billion cryptocurrency theft began with compromise of a third-party wallet management software provider. The Drift/Salesloft/Salesforce attack chain in 2025 demonstrated how OAuth token theft from one SaaS platform enables access to connected cloud environments.

Fix: Audit third-party OAuth tokens and API integrations regularly — revoke any that are no longer needed. Apply least-privilege to third-party integrations. Implement supply chain security reviews before onboarding new SaaS vendors. Monitor for anomalous OAuth token usage. The zero-trust principle — verify every access request regardless of source — applies as strongly to third-party integrations as to users.
Visibility Problem

Lack of Visibility and Insufficient Logging

The average breach dwell time is 241 days (IBM 2025). In cloud environments, this persistence is often possible because organisations have insufficient logging and monitoring to detect attacker activity in their cloud accounts. Cloud accounts generate enormous volumes of events — API calls, resource creation, permission changes, data access — and most organisations are not capturing, storing, or alerting on them effectively. An attacker who has obtained IAM credentials can quietly enumerate resources, exfiltrate data, and establish persistence for months if CloudTrail (AWS), Azure Monitor, or GCP Cloud Logging is not enabled and monitored.

Fix: Enable CloudTrail in all AWS regions — including management events and data events for sensitive buckets. Set up alerting for high-risk events: creation of new IAM users, IAM policy changes, public access enabled on storage buckets, console logins from unusual locations. Use AWS GuardDuty, Azure Defender, or GCP Security Command Center for automated threat detection. Apply the same principles described in the firewall guide's logging guidance to cloud environments.

Cloud Security Best Practices — The Hardening Checklist

Cloud Security Checklist 2026

  1. Apply least-privilege IAM across everything. Every user, role, and service account should have only the permissions it needs — no more. Start by auditing existing permissions with IAM Access Analyzer (AWS) or Azure IAM review tools. Treat overly permissive roles as critical security findings. "AdministratorAccess" for non-administrative roles is a red flag in every cloud environment.
  2. Enable MFA on all human IAM accounts — especially root/admin accounts. The AWS root account should have a hardware security key MFA enabled and its access keys should be deleted entirely. Use IAM roles for programmatic access, never root. Review the MFA guide for implementation priorities.
  3. Audit all storage bucket permissions weekly. S3 buckets, Azure Blob containers, and GCS buckets should never be publicly accessible unless that is explicitly required and deliberately configured. Use AWS Config rules to alert on any bucket that becomes public. Block public access at the account level in AWS using the "Block Public Access" setting — this prevents any accidental public bucket creation.
  4. Enable comprehensive logging (CloudTrail, Azure Monitor, GCP Audit Logs). Log API calls, console activity, data access on sensitive resources, and IAM changes. Store logs in a separate account or immutable storage — so that an attacker who compromises the primary account cannot delete evidence of their activity.
  5. Never store credentials in code, environment variables in plaintext, or container images. Use AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault for credentials. Use IAM roles for EC2 instances and Kubernetes service account roles (IRSA) instead of long-lived access keys. Run automated secret scanning on all code commits — GitHub has built-in secret scanning; tools like truffleHog and GitLeaks work for other environments.
  6. Encrypt data at rest and in transit. Enable server-side encryption on all storage services. Enforce HTTPS/TLS on all endpoints — reject HTTP. Manage encryption keys through KMS (Key Management Service) rather than using default provider-managed keys for sensitive data. The encryption guide explains the cryptographic principles behind this.
  7. Implement network segmentation — VPCs, security groups, and private subnets. Databases should run in private subnets with no direct internet access. Security groups should follow default-deny principles — allow only the specific ports and sources that are required. Management interfaces (RDS, ElastiCache, internal APIs) should never be internet-accessible.
  8. Apply DevSecOps — embed security into the CI/CD pipeline. Infrastructure-as-code (Terraform, CloudFormation) templates should be scanned for misconfigurations before deployment using tools like Checkov, tfsec, or Snyk IaC. Container images should be scanned for vulnerabilities before pushing to production. Shift security left — find and fix problems in development, not after deployment to production.
  9. Enable cloud-native threat detection. AWS GuardDuty, Azure Defender for Cloud, and GCP Security Command Center provide continuous threat detection using machine learning, analysing CloudTrail logs, VPC Flow Logs, and DNS logs to identify suspicious activity (unusual API call patterns, cryptocurrency mining, credential exfiltration). These services are remarkably inexpensive relative to the value of early threat detection.
  10. Conduct regular cloud security assessments. Use cloud security posture management (CSPM) tools — Wiz, Prisma Cloud, Orca Security — for continuous visibility into misconfiguration and risk across multi-cloud environments. Run penetration tests against cloud workloads annually, as covered in the penetration testing guide.
Related Posts on This Blog

About the Author

Amardeep Maroli

MCA student and cybersecurity enthusiast from Kerala, India. I focus on API security, cloud security, and ethical hacking — sharing practical guides built from hands-on lab work and real-world vulnerability research.

Read More Posts GitHub Telegram Contact

Cloud Security FAQs

Is the cloud less secure than on-premises infrastructure?
Not inherently — and for most organisations, a well-configured cloud environment is more secure than on-premises because cloud providers invest in physical security, hardware reliability, and security tooling at a scale most organisations cannot match internally. However, the cloud introduces different risks, primarily around misconfiguration and identity. The major cloud providers (AWS, Azure, GCP) have strong security infrastructure. The security failures that make the news are almost always customer configuration failures — not cloud provider failures. An organisation that migrates to the cloud and applies security controls carefully can achieve better security than their previous on-premises environment. An organisation that migrates to the cloud and applies the same casual configuration habits as their on-premises environment often ends up with worse security because the cloud's default-open APIs have a much larger attack surface than a firewall-protected data centre.
What is a public S3 bucket and why is it a security risk?
An Amazon S3 bucket is a cloud storage container. By default, S3 buckets are private — only accessible to the AWS account that owns them and resources with explicit IAM permissions. A "public" S3 bucket has its access control configured to allow access from anyone on the internet — no authentication required. Attackers use automated tools to scan for public S3 buckets and download their contents, which frequently include database backups, application logs with credentials, customer data exports, and sensitive documents. The bucket name is often guessable (company-name-backup, company-name-logs). AWS now provides a "Block Public Access" setting at the account level that prevents any S3 bucket from being made public — enable this on every AWS account and treat any exception as requiring explicit justification and review.
What is a cloud security posture management (CSPM) tool?
A CSPM tool continuously monitors your cloud environments (AWS, Azure, GCP) for misconfigurations, compliance violations, and security risks — automatically comparing your configurations against security benchmarks (CIS Benchmarks, NIST, ISO 27001, PCI DSS) and alerting on deviations. Where a penetration test gives you a point-in-time snapshot, a CSPM provides continuous visibility. Leading CSPM tools in 2026 include Wiz, Orca Security, Prisma Cloud, and AWS Security Hub / Azure Security Center (native tools). CSPMs are increasingly essential as cloud environments grow in complexity — an organisation running 50 AWS accounts across multiple regions cannot manually audit configurations; a CSPM automates this at scale.
What is the EC2 metadata endpoint and why is it a security risk?
The EC2 Instance Metadata Service (IMDS) is a special HTTP endpoint accessible only from within an EC2 instance at http://169.254.169.254. It provides the instance with information about itself — including, critically, temporary IAM credentials for any IAM role attached to the instance. This is how EC2 instances access AWS services without hard-coded keys. The security risk: if an application running on an EC2 instance has a Server-Side Request Forgery (SSRF) vulnerability, an attacker can use that vulnerability to make the server send a request to the metadata endpoint and return the IAM credentials. With those credentials, the attacker has all the permissions that role has — potentially access to S3 buckets, databases, and other AWS resources. The Capital One breach followed exactly this pattern. Mitigation: require IMDSv2, which uses session-oriented requests that cannot be exploited by simple SSRF attacks.
How do compliance requirements like GDPR and India's DPDP Act affect cloud security?
Compliance frameworks impose specific requirements on how you handle data in the cloud — and violations carry significant financial penalties. GDPR (European Union) requires that personal data of EU residents be protected with appropriate technical and organisational measures, that data breaches be reported within 72 hours, and that data not be transferred to countries without adequate privacy protections. Penalties can reach 4% of annual global turnover. India's Digital Personal Data Protection (DPDP) Act 2023 imposes similar requirements for Indian residents' data, with penalties up to Rs. 250 crore per incident. For cloud environments, this means: knowing where your data is stored (which cloud regions), implementing appropriate encryption and access controls, having breach detection and notification processes in place, and ensuring your cloud provider's data processing agreements cover your compliance obligations. Most major cloud providers offer compliance-ready configurations and certifications (ISO 27001, SOC 2, PCI DSS) for their infrastructure — but the customer remains responsible for how they configure and use that infrastructure.
Tags: what is cloud security, cloud security threats 2026, shared responsibility model, S3 bucket security, IAM misconfiguration, cloud data breach, AWS security, Azure security, DevSecOps, cloud security best practices

Found this useful? Share the shared responsibility model diagram with any developer who thinks "we're on AWS so we're secure." That misunderstanding is behind most cloud breaches.

What cloud platform does your organisation or project use? What's the trickiest cloud security challenge you have encountered? Share in the comments.

Privacy Policy | Terms of Service | About | Contact | Back to Home

Comments

Post a Comment

Popular posts from this blog

SQL Injection Explained: 5 Types, Real Examples & How to Prevent It (2026 Guide)

-
Image
What Is SQL Injection? Complete 2026 Guide — How It Works, Real Attack Examples, Types & Prevention With Code What Is SQL Injection? Complete 2026 Guide — How It Works, Real Attack Examples, Every Type & Prevention Code By Amardeep Maroli | April 8, 2026 | SQL Injection, Web Security, Developer Guide | 16 min read Home About Contact SQL injection has been the most exploited web vulnerability for over two decades — and it is still responsible for some of the largest data breaches every year. The 2021 LinkedIn leak of 700 million records, the 2020 Marriott breach, and thousands of smaller incidents every month all trace back to the same root cause: user input being trusted and executed as part of a database query. It sits at position A03 in the OWASP Top 10 — the globally recognised list of the most critical web application security risks. Yet despite being well-documented for 25 years, it kee...
Read more

Penetration Testing Guide: Real-World Methodology (Recon to Exploitation) [2026]

-
Image
What is Penetration Testing? Complete Beginner Guide 2026 — How It Works, Types, Tools & Career What is Penetration Testing? Complete Beginner Guide 2026 — How It Works, All Types, Real Tools & Career Roadmap By Amardeep Maroli  |  April 10, 2026  |  Penetration Testing, Ethical Hacking, Cybersecurity  |  16 min read Home About Contact At 2:17 AM on a Tuesday, a penetration tester was three days into an engagement with a mid-sized fintech company that processed billions in annual transactions. The company had firewalls, endpoint detection, multi-factor authentication, and quarterly vulnerability scans. Their security team believed they had things locked down. The tester had just chained three seemingly minor findings together: an API endpoint returning verbose error messages, an internal Jenkins server with default credentials accessible via a misconfigured VPN split-tu...
Read more

Phishing Scams in 2026: How They Work & How to Avoid Them

-
Image
What is Phishing? Types, Real Examples & How to Spot Every Attack (2026 Guide) What is Phishing? Every Type Explained with Real Examples & How to Spot Every Attack (Complete 2026 Guide) By Amardeep Maroli  |  April 9, 2026  |  Phishing, Social Engineering, Cybersecurity  |  15 min read Home About Contact In February 2024, a finance employee at a multinational company in Hong Kong received a video call from his CFO. The CFO asked him to authorise a series of urgent transfers totalling $25 million. The employee was nervous about the large amount but recognised the CFO's face, voice, and mannerisms on the call. Several other colleagues were also on the call — the employee could see their faces and hear their voices too. Every person on that call except the employee was a deepfake generated by AI. The $25 million was transferred and never recovered. That incident ill...
Read more