Misconfigurations are still the top cause of cloud incidents. The good news is that most of them are easy to fix once you know where to look. This guide lists the top 10 misconfigurations we see and the secure defaults that prevent them.
1. Public object storage
Public buckets are still a common data leak source.
Fix:
- Block public access at the account level.
- Require bucket policies for any exception.
2. Overly permissive security groups
Security groups with 0.0.0.0/0 on admin ports are a direct risk.
Fix:
- Allow only required ports.
- Restrict admin access to known IPs or VPN.
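Added example, not code from the original article: a small Python check that reads output in the shape of `aws ec2 describe-security-groups --output json` and flags ingress rules that open an admin port to the whole internet. It also backs the "list security groups with 0.0.0.0/0 on admin ports" step later in this guide. The sample groups are constructed, and ADMIN_PORTS is an assumed list to tune for your estate.

```python
"""Flag security-group ingress rules that expose admin ports to the internet.

Added example, not code from the original article. The input mirrors the
shape of `aws ec2 describe-security-groups --output json`; the sample groups
below are constructed, and ADMIN_PORTS is an assumed list to tune per estate.
"""

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM HTTP/HTTPS (assumption)
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_is_open_to_world(perm):
    """True if an IpPermissions entry allows any IPv4 or any IPv6 source."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def rule_covers_admin_port(perm):
    """True if the rule reaches an admin port: TCP range overlap, or all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # UDP/ICMP rules are out of scope here
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def find_exposed_admin_rules(describe_output):
    """Return (GroupId, GroupName, protocol, FromPort, ToPort) per risky rule."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if rule_is_open_to_world(perm) and rule_covers_admin_port(perm):
                findings.append((sg["GroupId"], sg["GroupName"],
                                 perm.get("IpProtocol"),
                                 perm.get("FromPort"), perm.get("ToPort")))
    return findings


# Constructed sample in describe-security-groups shape (not real groups).
SAMPLE_SGS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "rdp-from-corp",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "legacy-open",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}

if __name__ == "__main__":
    for finding in find_exposed_admin_rules(SAMPLE_SGS):
        print("EXPOSED:", finding)
```

The web group stays clean because 443 is not an admin port, and the RDP group stays clean because its source is a private range; the "-1" rule is caught even though it carries no port fields, which is the case a port-only grep misses.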
3. Long-lived access keys
Long-lived keys are hard to track and easy to leak.
Fix:
- Use IAM roles and short-lived credentials.
- Rotate keys on a schedule.
4. Missing MFA for privileged accounts
MFA is one of the highest-leverage controls you can apply.
Fix:
- Require MFA for admin roles and root.
- Remove SMS-based MFA where possible.
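Added example, not code from the original article, covering both the long-lived key item above and this MFA item: a Python check over an IAM credential report that lists console-capable identities without MFA and active access keys older than a rotation policy. It parses the CSV returned by `aws iam get-credential-report` (the API returns the body base64-encoded; decode it first). The sample report is constructed and uses a subset of the real report's columns; MAX_KEY_AGE_DAYS and the fixed NOW clock are assumptions.

```python
"""Check an IAM credential report for console users without MFA and for
active access keys older than a rotation policy.

Added example, not code from the original article. Parses the CSV from
`aws iam get-credential-report` (base64-encoded in the API response). The
sample report is constructed and uses a subset of the real columns;
MAX_KEY_AGE_DAYS and NOW are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumption: this example's rotation policy
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)   # fixed clock for a deterministic run
ROOT = "<root_account>"

# Constructed sample. Real reports carry more columns; DictReader keys by header.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-01-10T08:00:00+00:00,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,false,false,true,2023-02-01T12:30:00+00:00,true,2024-03-05T09:00:00+00:00
"""


def _rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def _parse_ts(value):
    """Report timestamps are ISO 8601; the sentinels below mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def users_missing_mfa(report_csv):
    """Console-capable identities with no MFA device.

    The root row reports password_enabled as not_supported rather than true,
    so root is treated as always console-capable.
    """
    return [r["user"] for r in _rows(report_csv)
            if (r["user"] == ROOT or r["password_enabled"] == "true")
            and r["mfa_active"] != "true"]


def stale_access_keys(report_csv, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """(user, key_slot, age_days) for every active key past the rotation policy."""
    findings = []
    for r in _rows(report_csv):
        for slot in ("1", "2"):
            if r[f"access_key_{slot}_active"] != "true":
                continue                      # inactive or absent key
            rotated = _parse_ts(r[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((r["user"], slot, age))
    return findings


if __name__ == "__main__":
    print("no MFA:", users_missing_mfa(SAMPLE_REPORT))
    print("stale keys:", stale_access_keys(SAMPLE_REPORT))
```

Two details matter in practice: the root row does not say `true` in `password_enabled`, so a naive filter silently skips root, and a user with two active keys needs both slots checked, since rotation often leaves the old key active.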
5. No centralized logging
Without logs, you cannot investigate or respond.
Fix:
- Enable CloudTrail in all regions.
- Centralize logs in a dedicated account.
6. Unencrypted data at rest
Data should not be stored without encryption.
Fix:
- Enable default encryption for S3, EBS, and RDS.
- Use KMS-managed keys where possible.
7. Public databases
Public RDS or open database ports are a common mistake.
Fix:
- Keep databases in private subnets.
- Block public IP access to DB ports.
8. No backup retention or testing
Backups that are never tested give a false sense of safety.
Fix:
- Enable automated backups and retention.
- Test restores quarterly.
9. Unrestricted egress
Outbound traffic is often left wide open.
Fix:
- Restrict egress by workload.
- Use VPC endpoints for AWS services.
10. No guardrails for config drift
Good defaults drift without checks.
Fix:
- Use AWS Config managed rules.
- Alert on high-risk changes.
How to validate quickly
You can check most of these defaults in a short pass.
Practical steps:
- Review S3 public access settings at the account level.
- List security groups with 0.0.0.0/0 on admin ports.
- Check for IAM users with active access keys.
- Confirm CloudTrail and GuardDuty are enabled.
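Added example, not code from the original article: a Python pass over the account-level settings in the steps above (S3 public access block, an active multi-region CloudTrail trail, GuardDuty in every region). The inputs mirror the JSON shapes returned by `aws s3control get-public-access-block`, `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws guardduty list-detectors`; every sample response below is constructed, and the account ID and ARNs are placeholders.

```python
"""Quick account-baseline pass: S3 account public access block, an active
multi-region CloudTrail trail, and GuardDuty in every region.

Added example, not code from the original article. Inputs mirror the JSON
shapes of `aws s3control get-public-access-block`, `aws cloudtrail
describe-trails`, `aws cloudtrail get-trail-status` and `aws guardduty
list-detectors`; all sample responses are constructed.
"""

REQUIRED_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_fully_blocked(pab_response):
    """All four account-level flags must be true; a missing key counts as off."""
    cfg = pab_response.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in REQUIRED_PAB_FLAGS)


def active_multi_region_trail(trails_response, status_by_arn):
    """Name of a multi-region trail that is currently logging, else None.

    status_by_arn maps TrailARN -> get-trail-status response, because a trail
    can exist and still be stopped.
    """
    for trail in trails_response.get("trailList", []):
        status = status_by_arn.get(trail.get("TrailARN"), {})
        if trail.get("IsMultiRegionTrail") and status.get("IsLogging"):
            return trail["Name"]
    return None


def regions_without_guardduty(detectors_by_region):
    """Regions whose list-detectors response carries no detector IDs."""
    return sorted(region for region, resp in detectors_by_region.items()
                  if not resp.get("DetectorIds"))


def baseline_report(pab, trails, status_by_arn, detectors_by_region):
    """One dict a reviewer can read at a glance or feed into a ticket."""
    return {
        "s3_public_access_blocked": public_access_fully_blocked(pab),
        "multi_region_trail": active_multi_region_trail(trails, status_by_arn),
        "guardduty_missing_regions": regions_without_guardduty(detectors_by_region),
    }


# Constructed samples (account ID and ARNs are placeholders).
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
    {"Name": "old-regional", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/old-regional"}]}
SAMPLE_STATUS = {
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail": {"IsLogging": True},
    "arn:aws:cloudtrail:eu-west-1:123456789012:trail/old-regional": {"IsLogging": False}}
SAMPLE_DETECTORS = {"us-east-1": {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]},
                    "eu-west-1": {"DetectorIds": []}}

if __name__ == "__main__":
    print(baseline_report(SAMPLE_PAB, SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_DETECTORS))
```

The sample deliberately has three of four public-access flags set, which is a common half-finished state; the check treats anything short of all four as not blocked.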
Automate the checks
Automation keeps defaults from drifting back.
Practical steps:
- Use AWS Config rules for S3 public access and open SGs.
- Add IAM access key age checks.
- Alert on changes to logging and guardrails.
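Added example, not code from the original article, serving both the "alert on high-risk changes" fix under item 10 and the alerting step above: Python detection logic that reads a CloudTrail log file body and raises an alert for management events that weaken logging or guardrails. Records follow the CloudTrail log-record format (eventSource, eventName, userIdentity, errorCode); the sample records and the HIGH_RISK table are constructed for this example and should be extended for your environment.

```python
"""Classify CloudTrail management events that undermine logging or guardrails.

Added example, not code from the original article. Records follow the
CloudTrail log-record format; the sample records and the HIGH_RISK table are
constructed and should be tuned to your environment.
"""
import json

# (eventSource, eventName) pairs that reduce visibility or remove a guardrail.
HIGH_RISK = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "logging disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "trail deleted",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "trail modified",
    ("guardduty.amazonaws.com", "DeleteDetector"): "threat detection disabled",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "config recording stopped",
    ("config.amazonaws.com", "DeleteConfigRule"): "guardrail rule removed",
    ("s3.amazonaws.com", "DeletePublicAccessBlock"): "public access block removed",
}


def classify_event(record):
    """Return a reason string if the record is high risk, else None."""
    reason = HIGH_RISK.get((record.get("eventSource"), record.get("eventName")))
    if reason is None:
        return None
    # A denied call still carries the event; mark it so a failed attempt is
    # visible without being treated like a successful change.
    if record.get("errorCode"):
        return f"{reason} (attempt failed: {record['errorCode']})"
    return reason


def alerts_from_log(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into alert tuples."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        reason = classify_event(rec)
        if reason:
            who = rec.get("userIdentity", {}).get("arn", "unknown")
            alerts.append((rec.get("eventTime"), who, rec["eventName"], reason))
    return alerts


# Constructed sample log body (placeholder account ID and ARNs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-04-01T10:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-04-01T10:16:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/auditor"}},
    {"eventTime": "2024-04-01T10:20:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev/ci"},
     "errorCode": "AccessDeniedException"},
]})

if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

Read-only calls such as DescribeTrails are ignored; the denied DeleteDetector is still reported, since a denied attempt to turn off detection is itself worth a look.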
Prioritize the fixes
If you cannot fix everything at once, start with the highest impact.
Suggested order:
- Public storage and open admin ports
- Logging and MFA for privileged access
- Encryption defaults and backup retention
- Egress controls and drift detection
Example remediation week
One focused week is enough to reduce risk.
Example plan:
- Day 1: Block public S3 and review security groups
- Day 2: Enable CloudTrail, GuardDuty, and Config
- Day 3: Enforce MFA and remove old access keys
- Day 4: Turn on encryption defaults and backups
- Day 5: Document changes and add monitoring
Why these misconfigs happen
Most issues are the result of default settings and rushed setup.
Common causes:
- New environments created without guardrails
- Legacy configs copied forward without review
- Limited ownership of account-level settings
Default settings for new accounts
If you create new accounts often, bake in these defaults.
Defaults:
- CloudTrail and GuardDuty enabled at account creation
- S3 public access blocked
- IAM access key creation restricted
- Config rules enabled for high-risk resources
Quick self-check questions
Use these before a release or account launch:
- Are any admin ports open to the internet?
- Can a developer create long-lived access keys?
- Is logging enabled in all regions?
Quick checklist
- Public storage blocked at the account level
- MFA required for privileged access
- Central logging enabled in all regions
- Encryption defaults enforced for data stores
- Egress and admin ports restricted
Closing thought
Secure defaults are about removing easy mistakes. If you block public storage, enforce MFA, enable logging, and control egress, you will prevent most common cloud incidents.
If you want help auditing your current defaults or fixing gaps quickly, we can help. We focus on practical changes that reduce risk fast. Reach out through our consulting page to start a quick conversation.