Cloud misconfigurations cause 70% of breaches. IAM over-permissioning, exposed storage, and secrets in code let attackers in faster than you can patch a server. This article walks through five critical misconfigurations, shows the bad policy and the good policy in JSON/HCL, and maps native cloud tools (AWS Config, Azure Defender, GCP SCC) to continuously detect them. If you're running workloads in AWS, Azure, or GCP without scanning these daily, you're a soft target.

Introduction

Small businesses are now the primary targets for ransomware groups — up 25% year-over-year[1]. Australian SMBs are adopting cloud at record speed, but only 14% are completely confident their providers can keep data safe[2]. The real danger: misconfigured identity, storage, and serverless settings that turn a $50/month cloud bill into a $1.5 million incident. Below, we dissect five common cloud misconfigurations, show you exactly what to fix, and what to monitor.

1. IAM Over-Permissioning: The Wildcard Policy Problem

What goes wrong: Teams grant "Action": "*" and "Resource": "*" on roles because it's faster than scoping least privilege. Long-lived access keys get committed to repos or embedded in config files. Attackers pivot from a compromised dev machine to full account takeover in minutes.

BAD policy (AWS IAM):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}

GOOD policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::app-docs-bucket/*"
  }]
}

Azure equivalent (RBAC bad → good):

  • Bad: Contributor role on subscription
  • Good: Custom role with only Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read and write scoped to a specific resource group.

Remediation: Enable IAM Access Analyzer to detect overly permissive policies. Delete all long-lived access keys; switch to IAM roles everywhere. In Azure, assign the built-in policy "[Preview]: Audit VMs with managed identities" and disable shared access signatures (SAS) where possible.

2. Public S3 Buckets and Misconfigured Blob Containers

The problem: A single misclick on "Block Public Access" settings and your customer data, backups, or Terraform state files are accessible to anyone. Attackers scan for open buckets 24/7 using automated tools.

BAD S3 bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::customer-data-bucket/*"
  }]
}

GOOD (default deny + explicit private):

{
  "Version": "2012-10-17",
  "Statement": []
}

(Block Public Access enabled at account level, no explicit public grant. In practice the "good" state is simply no bucket policy at all: delete any existing policy rather than attaching one with an empty Statement array, which S3 rejects as malformed.)

For Azure Blob Storage:

  • Bad: "Public access level: Container"
  • Good: "Public access level: Private" and use SAS tokens with short expiry for temporary external sharing.

Monitoring: AWS Config rule s3-bucket-public-read-prohibited; the Azure Defender for Cloud recommendation "Storage account public access should be disallowed"; the GCP storage-buckets check in Security Command Center.
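
To make the bad-versus-good comparisons in sections 1 and 2 mechanical across many policies, here is an added Python checker (not code from this article or from any vendor tool) that reads an IAM or S3 bucket policy document and ranks its statements in the order the FAQ below recommends: wildcard Action on wildcard Resource first, then a public Principal, then iam:PassRole, then S3 write access. It handles the string-or-list forms IAM allows and skips Deny statements.

```python
import json

# Severity order follows this article's triage advice: wildcard admin first,
# then public principals, then iam:PassRole, then S3 write access.
S3_WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def triage_policy(policy):
    """Return (priority, reason) findings, priority 1 being the most urgent."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((1, "Action * on Resource *: full account admin"))
        if _principal_is_public(stmt.get("Principal")):
            findings.append((2, "Principal *: grant is reachable by anyone"))
        if any(a in ("iam:PassRole", "iam:*") for a in actions):
            findings.append((3, "iam:PassRole: privilege escalation via role passing"))
        if any(a.startswith(S3_WRITE_PREFIXES) for a in actions):
            findings.append((4, "S3 write access: review scope of Put/Delete"))
    return sorted(findings)


def triage_json(policy_text):
    """Convenience wrapper for a policy document held as a JSON string."""
    return triage_policy(json.loads(policy_text))
```

Run against the policies above, the wildcard policy comes back as priority 1, the public bucket policy as priority 2, and the scoped GOOD policy only as a low-priority S3-write item to review, which is the ordering the FAQ describes.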

3. Lambda Secrets in Environment Variables

The problem: Developers hardcode API keys and database passwords in Lambda environment variables. Those vars are visible in plaintext in the console and logged by CloudWatch if the function crashes. A compromised developer laptop leaks everything.

BAD:

DB_PASSWORD=SuperSecret123!

GOOD: Use AWS Secrets Manager or Parameter Store with encryption:

# Terraform example (the Lambda execution role is assumed to be defined elsewhere)
resource "aws_secretsmanager_secret" "db" {
  name = "prod/db"
}
resource "aws_lambda_function" "app" {
  function_name = "app"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  filename      = "app.zip"
  environment {
    variables = {
      DB_SECRET_ARN = aws_secretsmanager_secret.db.arn # only the ARN; the value never touches Lambda config
    }
  }
}

The function retrieves the secret at runtime using AWS SDK with IAM role permissions scoped to that secret only.

Azure Functions: Use Key Vault references (@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DBPassword/)).

Remediation: Enable Lambda code scanning with Amazon Inspector. For Azure, use the Defender for Cloud recommendation "Function apps should have Client Certificates (Incoming client certificates) enabled", and pull secrets from Key Vault only. GCP Cloud Functions should use Secret Manager.

4. Unmonitored CloudTrail / Activity Log Gaps

What goes wrong: Organisations turn on CloudTrail but don't enable log file validation, don't ship logs to a central SIEM, or fail to create metric filters for critical API calls like ConsoleLogin without MFA. Attackers delete trails and cover tracks. In Azure, subscription-level Activity Logs are exported only to a storage account that gets forgotten.

Remediation:

  • AWS: Enable CloudTrail in all regions, turn on log file validation, and create a metric filter + alarm for ConsoleLogin without MFA. Use AWS Config rule cloud-trail-enabled.
  • Azure: Send Activity Logs to a Log Analytics workspace and create alert rules for privileged role assignments. Enable the Azure Policy "[Preview]: Deploy - Configure diagnostic settings for Azure Activity Log to stream to Log Analytics workspace".
  • GCP: Enable Admin Activity audit logs across all services and export to Cloud Logging with retention.
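
The AWS remediation above asks for a metric filter on ConsoleLogin without MFA and for catching trail deletion. As an added example (not from the article), here is the filter pattern in the CloudWatch Logs syntax, assumed to be the commonly used CIS-benchmark style pattern, next to equivalent Python detection logic run over constructed CloudTrail records so the two can be compared and tested offline.

```python
import json

# CloudWatch Logs metric-filter pattern for console logins without MFA
# (assumed: the widely used CIS-benchmark style pattern, not quoted from the article).
CONSOLE_LOGIN_NO_MFA_FILTER = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'

# CloudTrail API calls used to blind or narrow a trail; alert on all of them.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify_event(event):
    """Return an alert name for one CloudTrail record, or None if it is benign."""
    name = event.get("eventName")
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        return None if mfa == "Yes" else "console-login-without-mfa"
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        return "cloudtrail-tampering"
    return None


def scan_records(records):
    """Apply classify_event to every record; returns [(alert, eventTime, user ARN)]."""
    alerts = []
    for rec in records:
        alert = classify_event(rec)
        if alert:
            user = rec.get("userIdentity", {}).get("arn", "unknown")
            alerts.append((alert, rec.get("eventTime"), user))
    return alerts


def scan_log(text):
    """Parse a CloudTrail log file (a JSON object with a Records array) and scan it."""
    return scan_records(json.loads(text)["Records"])


# Constructed sample records, trimmed to the fields the detection needs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-05-01T01:02:03Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-05-01T01:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2026-05-01T01:07:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-05-01T01:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]})

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```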

5. Serverless Cold-Start Secret Loading Anti-Patterns

The problem: Functions fetch secrets from a vault on every cold start. If the vault is throttled or the API call times out, the function fails silently. An attacker mounting a DDoS can amplify this by forcing many cold starts at once, creating a denial-of-secrets scenario.

Better pattern: Use Lambda extensions or a sidecar to cache secrets in memory for the lifetime of the execution environment, refreshing them on a schedule. In AWS, the Parameters and Secrets Lambda Extension handles caching automatically. In Azure, use the Key Vault references that are resolved at platform level, not inside the function code.

BAD (snippet in Node.js cold start):

import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
const secret = (await new SecretsManagerClient({}).send(new GetSecretValueCommand({ SecretId: 'prod/db' }))).SecretString; // module scope: runs on every cold start and fails the invocation if throttled

GOOD:

// Use the AWS Parameters and Secrets Lambda Extension: keep the secret ARN in an environment variable and read the value through the extension's local endpoint; the extension fetches and caches it across invocations, so the handler needs no caching logic of its own.
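
As an added illustration (not code from the article or from AWS), here is the same cache-in-the-execution-environment pattern implemented inside a Python handler for cases where the extension is not available. It also completes the runtime-retrieval step from section 3: the secret ARN comes from DB_SECRET_ARN, the value is fetched once per cold start, reused on warm invocations, refreshed after a TTL, and a failed refresh keeps serving the last good value, while a failure with no cached value raises instead of failing silently. The fetcher is a constructed stand-in for a GetSecretValue call.

```python
import os
import time


class SecretFetchError(Exception):
    """Raised by the fetcher when the vault is throttled, times out or denies access."""


class SecretCache:
    """Caches one secret for the life of the execution environment.

    A refresh is attempted once the TTL has passed. If the refresh fails the
    stale value is kept (a little rotation lag beats an outage); if there is
    no value at all the error propagates so the invocation fails visibly.
    """

    def __init__(self, fetcher, ttl_seconds=300, clock=time.monotonic):
        self._fetcher = fetcher      # callable(secret_id) -> str, e.g. GetSecretValue
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing
        self._value = None
        self._fetched_at = None
        self.fetch_calls = 0

    def get(self, secret_id):
        now = self._clock()
        stale = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if stale:
            try:
                self.fetch_calls += 1
                self._value = self._fetcher(secret_id)
                self._fetched_at = now
            except SecretFetchError:
                if self._value is None:
                    raise  # nothing cached: fail loudly rather than run without a secret
                # otherwise keep serving the stale copy and retry on the next call
        return self._value


# Module scope runs once per cold start, so the cache lives as long as the environment.
# Constructed stand-in fetcher; a real function would call Secrets Manager here.
_cache = SecretCache(fetcher=lambda secret_id: f"pw-for-{secret_id}")


def handler(event, context):
    secret = _cache.get(os.environ.get("DB_SECRET_ARN", "prod/db"))
    return {"statusCode": 200, "fetches": _cache.fetch_calls, "secret_len": len(secret)}
```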

Native Cloud Monitoring Tools for Continuous Compliance

  • AWS Config: Managed rules for IAM (iam-policy-no-statements-with-admin-access), S3 (s3-bucket-public-read-prohibited), CloudTrail (cloud-trail-enabled), Lambda (lambda-function-settings-check for timeout/memory).
  • Azure Defender for Cloud / Azure Policy: Initiatives like "Azure Security Benchmark" cover storage accounts, Function Apps, Key Vault, and Activity Log alerts.
  • GCP Security Command Center (SCC): Built-in detectors for public buckets, overly permissive IAM roles, and disabled audit logs.
  • Third-party CSPM for SMBs: Wazuh (open source) with cloud integrations, or commercial tools like Orca, Wiz, and Sophos Cloud Optix (Sophos offers MDR for cloud, relevant from research[1]).

FAQ

Q: We're a small team — is CSPM overkill for a 20-person business? A: No. Automated CSPM is actually more important for small teams because you don't have a dedicated cloud security person. Tools like AWS Config rules or Azure Policy cost near zero to run and alert you to misconfigurations before an attacker finds them.

Q: IAM Access Analyzer flagged dozens of findings. How do we prioritise? A: Focus on policies that grant * on * resources. Then address any policy with "Principal": "*" or "AWS": "*". After that, tackle findings involving iam:PassRole or write access to S3.

Q: We use Lambda for almost everything. Do environment variables really need to be in Secrets Manager? A: Yes, especially if you've ever debugged a function by printing process.env to CloudWatch. Any developer with read access to the Lambda console can see those values.

Q: How often should we run a cloud configuration audit? A: Continuously. Native tools like AWS Config evaluate changes in near-real-time. For manual reviews, at least monthly, but automated scanning should be always-on.

Conclusion

Cloud misconfigurations are not a "some day" problem — they are the number one entry vector for ransomware attacks hitting Australian SMBs right now. Start by killing wildcard IAM policies, locking down storage blobs, moving secrets to a vault, and turning on real-time monitoring. Then let AWS Config, Azure Defender, or GCP SCC do the continuous checking so you don't have to.

Need help assessing your cloud security posture? Visit consult.lil.business for a free cybersecurity assessment. Our AI-driven process can audit your cloud configs and give you a concrete remediation plan in under 48 hours.

References

  1. Aaron Bugal, "Ransomware In 2026: Newer Groups, Severe Impact", SMBtech, 4 May 2026, https://smbtech.au/thought-leadership/ransomware-in-2026-newer-groups-severe-impact/
  2. Wolfgang Solutions, "3,000 SMB Leaders Told Us Their Cybersecurity Secrets", April 2026, https://wolfgangsol.com/blog/smb-cybersecurity-report-2026-findings
  3. ACSC, "Cloud Security Guidance", Australian Cyber Security Centre, https://www.cyber.gov.au/acsc/view-all-content/advice/cloud-security-guidance
  4. AWS, "AWS Config Managed Rules", https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
  5. Microsoft, "Azure Security Benchmark v3", https://learn.microsoft.com/en-us/security/benchmark/azure/overview

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation