Misconfigurations remain one of the leading causes of cloud incidents, and most of them are cheap to fix once you know where to look. This guide lists the ten misconfigurations we see most often in AWS accounts and the secure defaults that prevent them.

1. Public object storage

Public buckets are still a common source of data leaks, usually through a permissive ACL or a bucket policy that grants access to everyone.

Fix:

  • Turn on all four S3 Block Public Access settings at the account level, not just per bucket.
  • Handle any genuine need for public content as a documented, reviewed exception (ideally in a separate account) rather than loosening the account-level block for everyone.
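
A way to check both points programmatically, as an added example that is not code from the original page: it evaluates the dict that aws s3control get-public-access-block returns and scans a bucket policy (as returned by aws s3api get-bucket-policy, a JSON string) for statements granted to anyone. The account configuration and the bucket policy below are constructed samples.

```python
"""Check account-level Block Public Access and find public bucket policy statements.

Added example, not from the original page. The account configuration and the
bucket policy are constructed; no AWS API is called, so this runs offline.
"""
import json
from typing import Dict, List

REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_public_access_blocks(config: Dict) -> List[str]:
    """Names of the four account-level settings that are not enabled."""
    return [f for f in REQUIRED_FLAGS if not config.get(f, False)]


def _is_anonymous(principal) -> bool:
    """Principal '*' or {'AWS': '*'} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json: str) -> List[str]:
    """Sids of Allow statements granted to anyone.

    A Condition does not make such a statement safe by itself (a wildcard
    aws:Referer is still public), so conditioned statements are reported
    for review rather than silently accepted.
    """
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _is_anonymous(s.get("Principal")):
            continue
        sid = s.get("Sid", "<no sid>")
        findings.append(sid if not s.get("Condition") else f"{sid} (conditioned, review)")
    return findings


# Constructed sample: three of the four account-level settings are on.
SAMPLE_ACCOUNT_CONFIG = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False,
}

# Constructed sample bucket policy with one public, one conditioned, one
# role-scoped and one Deny statement.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print("missing account settings:", missing_public_access_blocks(SAMPLE_ACCOUNT_CONFIG))
    print("public statements:", public_statements(SAMPLE_BUCKET_POLICY))
```

Deny statements with Principal "*" are expected (that is how you force TLS), which is why only Allow statements are reported.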

2. Overly permissive security groups

A security group that allows 0.0.0.0/0 or ::/0 on an admin port such as 22 (SSH) or 3389 (RDP) exposes the host to internet-wide scanning and brute forcing.

Fix:

  • Allow only the ports each workload actually needs, and watch for "all traffic" (-1) rules that hide admin ports.
  • Restrict admin ports to known IP ranges or a VPN, or remove them entirely in favour of a broker such as AWS Systems Manager Session Manager.
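
A way to find such rules, as an added example that is not code from the original page: it takes the JSON shape that aws ec2 describe-security-groups returns and flags admin ports reachable from 0.0.0.0/0 or ::/0, including "all traffic" rules. The sample groups are constructed and the admin-port list is an assumption to tune for your estate.

```python
"""Flag security group rules that expose admin ports to the whole internet.

Added example, not from the original page. SAMPLE_GROUPS is a constructed
subset of `aws ec2 describe-security-groups` output; ADMIN_PORTS is assumed.
"""
from typing import Dict, List

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers(rule: Dict, port: int) -> bool:
    """True if an ingress permission covers `port` (protocol -1 covers everything)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _open_to_world(rule: Dict) -> List[str]:
    """Any-address CIDRs (v4 or v6) attached to this permission."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def find_exposed_admin_ports(groups: List[Dict]) -> List[Dict]:
    """One finding per (group, port, cidr) where an admin port is open to the world."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in _open_to_world(rule):
                for port, name in ADMIN_PORTS.items():
                    if _covers(rule, port):
                        findings.append({"group_id": sg["GroupId"], "port": port,
                                         "service": name, "cidr": cidr})
    return findings


# Constructed sample: two bad groups and one acceptable one.
SAMPLE_GROUPS = [
    {   # bad: ssh open to the internet on IPv4 and IPv6
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # bad: an "all traffic" rule hides the fact that RDP and WinRM are reachable
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # fine: ssh only from a corporate range, https to the world
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{f['group_id']}: {f['service']}/{f['port']} open to {f['cidr']}")
```

Note that the IPv6 side is checked separately: a group that is locked down for IPv4 but carries ::/0 is still exposed on dual-stack subnets.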

3. Long-lived access keys

Long-lived IAM user access keys are hard to track, rarely rotated, and easy to leak through repositories, CI logs and laptops.

Fix:

  • Use IAM roles and identity federation so workloads and humans get short-lived credentials instead of static keys.
  • Inventory the keys that remain, rotate them on a schedule (90 days or less), and disable any that are not being used.

4. Missing MFA for privileged accounts

MFA is one of the highest-leverage controls you can turn on: a stolen password alone should never be enough to reach an admin role.

Fix:

  • Require MFA for the root user and for every human identity that can assume an admin role; enforce it with an aws:MultiFactorAuthPresent condition in the role's trust policy.
  • Prefer hardware security keys or authenticator apps over SMS, which is vulnerable to SIM swapping.

5. No centralized logging

Without logs you cannot investigate or respond, or even know whether any of the other nine items has been abused.

Fix:

  • Enable a multi-region CloudTrail trail with log file validation, and keep GuardDuty on in every region.
  • Centralize logs in a dedicated logging account with tightly restricted write and delete access.

6. Unencrypted data at rest

Data written without encryption at rest stays unencrypted in every snapshot, backup and copy that follows.

Fix:

  • Enable default encryption for S3, EBS, and RDS so new resources are encrypted without anyone having to remember.
  • Use KMS customer managed keys where you need key policies and per-key audit trails; AWS managed keys are the minimum.

7. Public databases

Publicly accessible RDS instances and database ports open to the internet are a common and serious mistake.

Fix:

  • Keep databases in private subnets with no route to an internet gateway.
  • Leave PubliclyAccessible off for RDS, and allow DB ports only from the application tier's security group.

8. No backup retention or testing

Backups that have never been restored give a false sense of safety.

Fix:

  • Enable automated backups with a retention period that matches your recovery objectives.
  • Test a full restore at least quarterly, and time it.

9. Unrestricted egress

Outbound traffic is often left wide open, which makes data exfiltration and command-and-control callbacks trivial for an attacker who lands on a host.

Fix:

  • Restrict egress per workload to the destinations it actually needs.
  • Use VPC endpoints for AWS services so that traffic to S3, KMS and the like never needs the internet.

10. No guardrails for config drift

Good defaults drift unless something continuously checks them.

Fix:

  • Use AWS Config managed rules to evaluate resources against the defaults above.
  • Alert on high-risk changes, especially anything that disables logging, MFA or the rules themselves.
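
The "alert on high-risk changes" point, for items 5 and 10 together, as an added example that is not code from the original page: a scanner over CloudTrail records (the objects in a log file's Records array) that flags calls which weaken logging, MFA, or guardrails, root console logins, and security group changes that open a port to the world. The records and the watch-list of event names are constructed assumptions to extend for your own account.

```python
"""Flag CloudTrail events that weaken logging, MFA, or guardrails.

Added example, not from the original page. HIGH_RISK is an assumed watch-list
and SAMPLE_RECORDS are constructed in the shape of CloudTrail log records.
"""
import json
from typing import Dict, List

# eventSource -> event names that change a security control (assumed list).
HIGH_RISK = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"DeleteConfigRule", "StopConfigurationRecorder",
                             "DeleteConfigurationRecorder"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "iam.amazonaws.com": {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateAccessKey"},
    "s3.amazonaws.com": {"DeletePublicAccessBlock", "PutBucketPolicy", "PutBucketAcl"},
}
WORLD = {"0.0.0.0/0", "::/0"}


def _opens_to_world(record: Dict) -> bool:
    """AuthorizeSecurityGroupIngress whose request carries an any-address CIDR."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    # The parameter nesting varies by SDK; searching the serialised form is robust.
    blob = json.dumps(record.get("requestParameters") or {})
    return any(c in blob for c in WORLD)


def classify(record: Dict) -> str:
    """Return an alert label, or '' when the event is not interesting."""
    source, name = record.get("eventSource", ""), record.get("eventName", "")
    label = ""
    if name in HIGH_RISK.get(source, ()):
        label = f"control_change:{name}"
    elif _opens_to_world(record):
        label = "sg_open_to_world"
    elif name == "ConsoleLogin" and record.get("userIdentity", {}).get("type") == "Root":
        label = "root_console_login"
    if label and record.get("errorCode"):
        label = "attempted_" + label   # the call was denied, but someone tried
    return label


def scan(records: List[Dict]) -> List[Dict]:
    """Alerts for every high-risk record, in log order."""
    alerts = []
    for r in records:
        label = classify(r)
        if label:
            alerts.append({"time": r.get("eventTime"), "label": label,
                           "actor": r.get("userIdentity", {}).get("arn", "?"),
                           "source_ip": r.get("sourceIPAddress")})
    return alerts


# Constructed sample records.
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-06-15T09:01:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-06-15T09:02:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
     "requestParameters": {"userName": "backdoor-svc"}},
    {"eventTime": "2024-06-15T09:03:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _ALICE,
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60001", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-15T09:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": None},
    {"eventTime": "2024-06-15T09:11:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"},
     "requestParameters": {}},
    {"eventTime": "2024-06-15T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _ALICE, "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"{a['time']} {a['label']:45} {a['actor']} from {a['source_ip']}")
```

Denied attempts are kept and prefixed rather than dropped: a burst of AccessDenied on StopLogging or DeleteTrail is one of the clearest signs that a credential has been stolen and someone is probing what it can do.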

How to validate quickly

You can check most of these defaults in a short pass.

Practical steps:

  • Review S3 public access settings at the account level.
  • List security groups with 0.0.0.0/0 on admin ports.
  • Check for IAM users with active access keys.
  • Confirm CloudTrail and GuardDuty are enabled in every region.

Automate the checks

Automation keeps defaults from drifting back.

Practical steps:

  • Use AWS Config managed rules such as s3-account-level-public-access-blocks, restricted-ssh and rds-instance-public-access-check for public storage and open ports.
  • Add access-keys-rotated and iam-user-unused-credentials-check for IAM access key age and unused credentials.
  • Alert on changes to logging and guardrails (CloudTrail, GuardDuty, Config) straight from the CloudTrail event stream.

Prioritize the fixes

If you cannot fix everything at once, start with the highest impact.

Suggested order:

  • Public storage and open admin ports
  • Logging and MFA for privileged access
  • Encryption defaults and backup retention
  • Egress controls and drift detection

Example remediation week

One focused week is enough to remove the worst of the risk.

Example plan:

  • Day 1: Block public S3 and review security groups
  • Day 2: Enable CloudTrail, GuardDuty, and Config
  • Day 3: Enforce MFA and remove old access keys
  • Day 4: Turn on encryption defaults and backups
  • Day 5: Document changes and add monitoring

Why these misconfigs happen

Most issues are the result of default settings and rushed setup.

Common causes:

  • New environments created without guardrails
  • Legacy configs copied forward without review
  • Limited ownership of account-level settings

Default settings for new accounts

If you create new accounts often, bake in these defaults.

Defaults:

  • CloudTrail and GuardDuty enabled at account creation
  • S3 public access blocked
  • IAM access key creation restricted (for example, denied by a service control policy except for an approved break-glass path)
  • Config rules enabled for high-risk resources

Quick self-check questions

Use these before a release or account launch:

  • Are any admin ports open to the internet?
  • Can a developer create long-lived access keys?
  • Is logging enabled in all regions?

Quick checklist

  • Public storage blocked at the account level
  • MFA required for privileged access
  • Central logging enabled in all regions
  • Encryption defaults enforced for data stores
  • Egress and admin ports restricted

Closing thought

Secure defaults are about removing easy mistakes. If you block public storage, enforce MFA, enable logging, and control egress, you will prevent most common cloud incidents.

If you want help auditing your current defaults or fixing gaps quickly, we can help. We focus on practical changes that reduce risk fast. Reach out through our consulting page to start a quick conversation.