Public secrets and toxic cloud trilogies

Published on the 08/07/2025 | Written by Heather Wright



The threat of cloud security gaps…

Nearly one in 10 publicly accessible cloud storage buckets contains sensitive data – the majority of it restricted or confidential – and cloud workloads supporting AI are more likely to contain critical vulnerabilities than non-AI workloads.

Tenable’s 2025 Cloud Security Risk Report highlights the risks facing cloud storage users. Over half (54 percent) of all organisations store at least one ‘secret’ – a privileged credential such as an API, access or encryption key, or a traditional user name and password, used by human and machine identities to access sensitive systems – directly in AWS Elastic Container Service task definitions, and 52 percent in Google Cloud Run environment variables. In what Tenable dubs an ‘alarming’ finding, 3.5 percent of AWS EC2 instances had a secret in their user data, presenting what Tenable calls an ‘outsize risk’ given the widespread use of EC2.
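The two exposure paths the report singles out, plaintext secrets in ECS task definition environment variables and in EC2 user data, can be caught before deployment with a simple scan. The following is an added example, not code from Tenable or the report: it walks a constructed task definition and a constructed base64-encoded user-data script (both embedded inline), flags variables whose name or value looks like a credential, and reports which containers already use the `secrets`/`valueFrom` reference pattern instead of inline values. The name hints and the AWS access key ID format are heuristics chosen for this example; the ARN and key values are the documented AWS placeholders.

```python
import base64
import re

# Constructed sample: one container pastes credentials into plain environment
# variables, the other references Secrets Manager via "secrets"/"valueFrom".
SAMPLE_TASK_DEFINITION = {
    "family": "payments-api",
    "containerDefinitions": [
        {
            "name": "api",
            "environment": [
                {"name": "DB_HOST", "value": "db.internal.example"},
                {"name": "DB_PASSWORD", "value": "Sup3rS3cretP@ss!"},
                # AWS documentation's example key ID, not a real credential
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
            ],
        },
        {
            "name": "worker",
            "environment": [{"name": "QUEUE_NAME", "value": "jobs"}],
            "secrets": [
                {
                    "name": "DB_PASSWORD",
                    # placeholder account id and secret name
                    "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-pass-EXAMPLE",
                }
            ],
        },
    ],
}

# Constructed sample: EC2 user data as the API returns it (base64-encoded).
SAMPLE_USER_DATA_B64 = base64.b64encode(
    b"#!/bin/bash\n"
    b"export API_TOKEN=EXAMPLE-TOKEN-VALUE-0000\n"
    b"echo starting\n"
).decode()

# Heuristic: variable names that commonly carry credentials (assumption).
SECRET_NAME_HINT = re.compile(
    r"(pass(word)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)", re.I
)
# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Shell-style assignment, optionally prefixed with "export".
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(\S+)", re.M)


def classify(name, value):
    """Return a reason string if (name, value) looks like a secret, else None."""
    if AWS_ACCESS_KEY_ID.search(value):
        return "aws-access-key-id"
    if value and SECRET_NAME_HINT.search(name):
        return "sensitive-variable-name"
    return None


def find_secrets_in_task_definition(task_def):
    """List (container, variable, reason) for inline environment values that look secret."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            reason = classify(env.get("name", ""), env.get("value", ""))
            if reason:
                findings.append((container["name"], env["name"], reason))
    return findings


def containers_using_secret_references(task_def):
    """Names of containers that pull at least one value from a secrets store."""
    return [
        c["name"]
        for c in task_def.get("containerDefinitions", [])
        if any(s.get("valueFrom") for s in c.get("secrets", []))
    ]


def find_secrets_in_user_data(user_data_b64):
    """List (variable, reason) for secret-looking assignments in decoded user data."""
    script = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    findings = []
    for name, value in ASSIGNMENT.findall(script):
        reason = classify(name, value)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for f in find_secrets_in_task_definition(SAMPLE_TASK_DEFINITION):
        print("task definition:", f)
    print("using secret references:", containers_using_secret_references(SAMPLE_TASK_DEFINITION))
    for f in find_secrets_in_user_data(SAMPLE_USER_DATA_B64):
        print("user data:", f)
```

In a real pipeline the same functions would be fed the output of `describe-task-definition` and `describe-instance-attribute --attribute userData`; the `worker` container shows the shape to aim for, where the task definition holds only a reference and the value is resolved by the runtime from the secrets store.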

Twenty-nine percent of organisations have at least one toxic cloud trilogy.

AWS has ‘by far’ the highest percentage of identified sensitive storage resources, at 17 percent of S3 buckets, versus seven percent for Google Cloud Storage buckets and three percent for Azure Blob Storage containers. The report notes that this could be due to users’ faith in AWS’ security measures, or simply the fact that, as the oldest major public cloud, AWS has accumulated more sensitive data over time.

Ari Eitan, Tenable director of cloud security research, says while the cloud offers agility, without strong controls and continuous monitoring, it creates significant exposures.

“Understanding sensitive data, credentials and access must be a board-level priority,” Eitan says.

The report points to misconfigured access settings and overly permissive policies as the two major causes of inadvertent exposure that leaves sensitive data publicly accessible. Privilege elevation intended for short-term use and then forgotten, flawed permission structures, inadequate monitoring, and even the belief that obscure storage bucket URLs provide significant protection are also contributing factors.

Whatever the cause, the situation can have serious consequences, including customer data leakage, theft and potential financial loss.

For Australian companies that loss could also include regulatory repercussions and fines under the Privacy Act and Notifiable Data Breaches scheme.

The Security of Critical Infrastructure (SOCI) Act requires essential service providers to implement rigorous risk management programs and report serious cyber incidents. The Australian Signals Directorate’s Essential Eight maturity model, meanwhile, urges businesses to adopt stronger baseline security controls, and the Office of the Australian Information Commissioner is continuing to enforce the Privacy Act and NDB scheme.

“Compromising secrets is a common attack vector of bad actors, allowing them to move laterally, escalate their privileges and gain access to valuable assets.”

Verizon’s 2025 Data Breach Investigations Report found cloud infrastructure secrets accounted for 15 percent of all exposed secrets in public cloud repositories, behind web app infrastructure (39 percent) and development and continuous integration/deployment (32 percent).

The report also found 70 percent of AI workloads across AWS, Microsoft Azure and Google Cloud contain at least one unremediated critical vulnerability, compared to 50 percent of non-AI workloads.

“Organisations using AI developer tools and services would do well to understand and mitigate cloud-based AI risks as early as possible in their development lifecycle.

“Security must be implemented in lockstep with an organisation’s AI initiatives,” the report says, noting that best practices for securing cloud environments also apply to securing AI environments.

Those mitigation strategies include monitoring public exposure (including that of third parties, which can often be a weak link in the cloud security chain), automating detection of misconfigured storage services, enforcing least privilege and assessing posture on an ongoing basis.

Using the native secrets management tools provided by major cloud service providers, and which integrate with their identity and access management frameworks, can help enforce least privilege, reduce sprawl and improve auditability, the report says.

The report also looks at ‘toxic cloud trilogies’ – a cloud workload that is publicly exposed, critically vulnerable and highly privileged. The research found the number of organisations with a toxic cloud trilogy was down nine percentage points from the half year to June 2024. On the flip side, that’s still 29 percent of organisations – or nearly one-third – that have at least one toxic cloud trilogy.
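The trilogy is useful as a prioritisation rule because it is a conjunction: removing any one leg (exposure, critical vulnerability or privilege) defuses the finding. The following is an added example, not code from Tenable or the report, that applies the three-part definition to a constructed workload inventory and also lists the ‘near misses’ that sit one drift away from becoming toxic. The inventory fields, the CVE placeholders and the rule used for ‘highly privileged’ (a full wildcard action, or a service-wide wildcard on IAM, STS or Organizations) are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Legs of the trilogy, as the report defines it.
LEGS = ("public", "critical_vuln", "high_privilege")

# Assumption for this example: which IAM grants count as "highly privileged".
ADMIN_WILDCARDS = {"*", "*:*", "iam:*", "sts:*", "organizations:*"}


@dataclass
class Workload:
    name: str
    public: bool                      # reachable from the internet (public IP / 0.0.0.0/0 ingress)
    vulnerabilities: list = field(default_factory=list)  # (cve_id, severity)
    iam_actions: list = field(default_factory=list)      # actions allowed to the attached role


def is_critically_vulnerable(w):
    return any(sev.upper() == "CRITICAL" for _, sev in w.vulnerabilities)


def is_highly_privileged(w):
    return any(a in ADMIN_WILDCARDS for a in w.iam_actions)


def trilogy_legs(w):
    """Return the set of trilogy conditions a workload currently satisfies."""
    legs = set()
    if w.public:
        legs.add("public")
    if is_critically_vulnerable(w):
        legs.add("critical_vuln")
    if is_highly_privileged(w):
        legs.add("high_privilege")
    return legs


def toxic_trilogies(workloads):
    """Names of workloads that satisfy all three conditions."""
    return [w.name for w in workloads if trilogy_legs(w) == set(LEGS)]


def near_misses(workloads):
    """Workloads two legs in: map name -> the single missing leg to watch for."""
    out = {}
    for w in workloads:
        legs = trilogy_legs(w)
        if len(legs) == 2:
            (missing,) = set(LEGS) - legs
            out[w.name] = missing
    return out


# Constructed sample inventory; CVE ids are placeholders, not real identifiers.
SAMPLE_WORKLOADS = [
    Workload("web-frontend", public=True,
             vulnerabilities=[("CVE-YYYY-EXAMPLE1", "CRITICAL")],
             iam_actions=["*"]),
    Workload("batch-worker", public=False,
             vulnerabilities=[("CVE-YYYY-EXAMPLE2", "CRITICAL")],
             iam_actions=["*:*"]),
    Workload("static-site", public=True,
             vulnerabilities=[("CVE-YYYY-EXAMPLE3", "MEDIUM")],
             iam_actions=["s3:GetObject"]),
    Workload("admin-console", public=True,
             vulnerabilities=[],
             iam_actions=["iam:*"]),
]


if __name__ == "__main__":
    print("toxic trilogies:", toxic_trilogies(SAMPLE_WORKLOADS))
    for name, missing in near_misses(SAMPLE_WORKLOADS).items():
        print(f"near miss: {name} (would become toxic if it gained: {missing})")
```

The near-miss list is the part worth wiring into a posture review: a private workload with a critical CVE and an admin role only needs one security-group change to join the toxic set, so it belongs on the remediation queue alongside the confirmed trilogies.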
