Cloud misconfigurations and exposed secrets put sensitive data at risk.
Key Takeaways:
Tenable’s 2025 Cloud Security Risk Report reveals that 9% of publicly accessible cloud storage contains sensitive data, with 97% of it classified as restricted or confidential. This highlights an urgent need for IT leaders to address cloud misconfigurations, exposed secrets, and identity gaps before they escalate into security breaches.
The Tenable Cloud Security Risk Report 2025 is based on real-world telemetry collected from actual cloud environments. The researchers found that over 54% of organizations store at least one secret (e.g., passwords, API keys) in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions. Moreover, 3.5% of AWS Elastic Compute Cloud (EC2) instances contain secrets in user data, which poses a major risk.
In GCP Cloud Run, 52% of organizations were found to store secrets within service configurations or environment variables, where they can be inadvertently exposed if access controls are misconfigured. Similarly, 31% of organizations using Azure Logic Apps embed secrets directly in workflows or connectors. These secrets can be accessed by unauthorized users if proper role-based access controls and encryption are not enforced.
While 83% of AWS users implement Identity Providers (IdPs), many still suffer from overly permissive defaults, excessive entitlements, and standing permissions. These security gaps leave organizations vulnerable to identity-based attacks.
The study also found that the percentage of organizations with a “toxic cloud trilogy” dropped from 38% to 29%. Even so, it remains a significant and common risk. The toxic cloud trilogy refers to cloud workloads that are publicly exposed, contain critical vulnerabilities, and have high privileges; the combination significantly increases the risk of exploitation, because it lets attackers easily discover, exploit, and escalate access within a cloud environment.
“Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations,” said Ari Eitan, Director of Cloud Security Research at Tenable. “The path for attackers is often simple: exploit public access, steal embedded secrets, or abuse overprivileged identities.”
This report highlights emerging risks in securing AI and ML workloads, especially when they process sensitive or regulated data. IT leaders must ensure data governance and access control are in place for AI pipelines.
Secrets are often exposed in cloud environments due to insecure development practices and misconfigured infrastructure. Developers may hardcode credentials into environment variables or configuration files. These credentials can then be accessed if permissions are too broad or if the service is publicly exposed.
Many organizations also lack proper secret management tools, which leads to sensitive data being stored in plain text or in locations not designed for secure storage. Moreover, gaps in access control, insufficient developer training, and leaks through CI/CD pipelines or logs further increase the risk of unintentional exposure.
The Tenable Cloud Security Risk Report 2025 outlines several mitigation strategies to help organizations reduce cloud security risks and close critical gaps.
Many cloud users unintentionally expose sensitive data due to unfamiliarity with secure storage practices. To reduce this risk, organizations should continuously scan for public access and use automation to detect misconfigurations, enforce least privilege, and map exposure across hybrid environments.
Secrets like credentials and API keys must be centrally managed and monitored to prevent accidental exposure. Cloud providers offer built-in secret management tools that integrate with IAM systems, which help enforce least privilege, reduce sprawl, and improve audit trails.
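To make the two preceding points concrete (how secrets end up in ECS task definitions and EC2 user data, and what the centrally managed alternative looks like), here is an added example that is not part of the report or the article. It is a small Python check a security team could run over task definitions pulled from the ECS API: plaintext values under `environment` are flagged, while `secrets` entries that reference Secrets Manager or Parameter Store through `valueFrom` are accepted. The task definitions, the user-data script, the account ID and ARN, and the detection regexes are all constructed for this example; the access key pair is AWS's published documentation example, not a live credential.

```python
import base64
import json
import re

# Heuristics for secret-like material. These patterns are assumptions made
# for this example, not Tenable's detection logic.
SENSITIVE_NAME = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|access[_-]?key)", re.I
)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"(?i)\b(password|secret|token|api_key|aws_secret_access_key)\s*=\s*\S+"
)


def scan_task_definition(task_def: dict) -> list[dict]:
    """Flag plaintext secrets in the containerDefinitions of an ECS task.

    Values under `environment` are stored in plaintext and returned by
    DescribeTaskDefinition to any principal allowed to call it. Entries under
    `secrets` hold only an ARN in `valueFrom`, so they are not flagged.
    """
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for kv in container.get("environment", []):
            name, value = kv.get("name", ""), str(kv.get("value", ""))
            if SENSITIVE_NAME.search(name) or AWS_ACCESS_KEY_ID.search(value):
                findings.append({
                    "container": container.get("name"),
                    "variable": name,
                    "issue": "plaintext secret in environment; "
                             "move it to `secrets` with valueFrom",
                })
    return findings


def scan_user_data(user_data_b64: str) -> list[str]:
    """Return secret-like assignments and access key IDs found in user data.

    User data is base64 in the EC2 API and is readable from the instance
    metadata service on the host, so it is not a place for credentials.
    """
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    hits = [m.group(0) for m in ASSIGNMENT.finditer(text)]
    hits += AWS_ACCESS_KEY_ID.findall(text)
    return hits


# Constructed task definition with a hardcoded database password (bad form).
BAD_TASK_DEF = {
    "family": "example-api",
    "containerDefinitions": [{
        "name": "api",
        "image": "example/api:1.0",
        "environment": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "hunter2-constructed"},
        ],
    }],
}

# The same definition with the credential referenced from Secrets Manager.
# The account ID and secret name in the ARN are placeholders.
GOOD_TASK_DEF = {
    "family": "example-api",
    "containerDefinitions": [{
        "name": "api",
        "image": "example/api:1.0",
        "environment": [{"name": "DB_HOST", "value": "db.internal"}],
        "secrets": [{
            "name": "DB_PASSWORD",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:"
                         "secret:example/db-password",
        }],
    }],
}

# Constructed user-data script that exports an access key pair
# (AWS documentation example values, not a real credential).
BAD_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
).decode()


if __name__ == "__main__":
    print(json.dumps(scan_task_definition(BAD_TASK_DEF), indent=2))   # one finding
    print(json.dumps(scan_task_definition(GOOD_TASK_DEF), indent=2))  # []
    print(scan_user_data(BAD_USER_DATA))  # secret assignment and key ID
```

The `secrets` form also lets the task role be the only identity with `secretsmanager:GetSecretValue` on that ARN, which is what gives the audit trail and least-privilege benefits described above; the environment form gives every reader of the task definition the password itself.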
Organizations must address vulnerabilities connected to exposed, privileged, or sensitive assets. Security teams can correlate identity, network, and vulnerability data to identify and prioritize combinations that could lead to serious breaches.
Managing cloud identities requires controlling excessive permissions and eliminating always-on access. Organizations are advised to implement Just-in-Time (JIT) access and educate teams on entitlement management to reduce the attack surface significantly.
As AI tools work with increasingly sensitive information, it’s important to know exactly where that data is stored, how sensitive it is, and who can access it. This helps organizations put the right protections in place and focus on the biggest risks of data leaks or misuse.