Misconfigured S3 buckets and overprivileged insiders account for the majority of cloud data breaches. This article examines both vectors — the technical anatomy of storage misconfiguration and the behavioural and technical controls for insider threat detection.
Sign in to mark this article as read and track your progress.
Cloud security research consistently finds that the most common cause of cloud data breaches is not sophisticated external attack — it is misconfiguration and insider access. A 2023 Gartner study attributed 95% of cloud security failures to customer error (not provider failure). Understanding these two threat vectors is not optional for any cloud security professional.
Amazon S3 has a multi-layer access control system. Before 2022, it was possible for a bucket to be publicly accessible with no deliberate action by the account administrator — simply because the bucket's Access Control List (ACL) was set to public-read by a developer who needed temporary access and forgot to revert it.
High-profile breaches from public S3 buckets:
| Year | Organisation | Records Exposed | Configuration Error |
|---|---|---|---|
| 2017 | Deep Root Analytics | 198M US voter records | Bucket ACL set to public-read |
| 2018 | GoDaddy | 31,000 customer records | Bucket ACL misconfigured |
| 2021 | Twitch | 128 GB source code | Internal bucket made public |
| 2022 | Toyota | Customer data | Misconfigured access token embedded in public repo |
| Layer | What It Controls | Secure Default |
|---|---|---|
| Block Public Access (account-level) | Overrides all bucket and object ACLs to prevent public access | Enable for all accounts |
| Block Public Access (bucket-level) | Per-bucket override | Enable; disable only if explicitly needed |
| Bucket Policy | JSON policy granting access | "Principal": "*" is the danger; always scope to specific principals |
| Object ACL | Per-object permissions | Disable ACLs (ObjectOwnership: BucketOwnerEnforced) |
| Bucket ACL | Legacy bucket-level permissions | Disable; use bucket policies |
Rule of thumb: If Block Public Access is enabled at the account level, no bucket or object in that account can be made public, regardless of bucket policy or ACL settings. Enable it.
| Provider | Service | Misconfiguration Risk | Control |
|---|---|---|---|
| Azure | Blob Storage | Anonymous read access on container | Disable anonymous access at storage account level |
| GCP | Cloud Storage | allUsers ACL on bucket | Uniform bucket-level access (disable ACLs) |
| AWS | S3 | Public ACL / open bucket policy | S3 Block Public Access + no wildcard Principal |
An insider threat is a risk that originates from people within the organisation — employees, contractors, former employees, or business partners. In cloud environments, insider threats are particularly dangerous because cloud access is designed to be broad (any device, any location) and insiders have legitimate credentials.
Insider threats fall into three categories:
| Type | Definition | Example |
|---|---|---|
| Malicious | Intentional harm for personal gain | Employee downloads customer database before resignation |
| Negligent | Unintentional harm through carelessness | Developer commits AWS access keys to a public GitHub repository |
| Compromised | Legitimate credentials used by an external attacker | Phishing attack captures an admin's password; attacker acts as insider |
1. Privileged Access Management (PAM) Privileged accounts (those with admin or elevated IAM permissions) should use just-in-time (JIT) access. The employee does not have standing admin access — they request elevation, the request is approved, a time-limited role is assumed, and all actions are logged.
2. CloudTrail Anomaly Detection AWS CloudTrail logs every API call. GuardDuty analyses CloudTrail events using machine learning to detect:
cloudtrail:StopLogging)3. S3 Access Logging + Macie Enable S3 Server Access Logging on all buckets containing sensitive data. AWS Macie uses machine learning to discover personally identifiable information (PII) in S3 and generate findings when PII is moved or accessed anomalously.
4. Separation of Duties No single IAM user should have the ability to both deploy infrastructure and modify audit logs. Use AWS Organizations SCPs to ensure that CloudTrail log delivery buckets cannot be deleted by anyone in the production account — only a dedicated audit account can manage them.
5. Employee Offboarding Automation Integrate HR systems with the identity provider (IdP). When an employee's HR record is marked as terminated, their IdP account is automatically deprovisioned, and all associated IAM session tokens are invalidated. Manual offboarding processes fail at scale.
Twitch suffered a 128 GB data breach in 2022. Investigation suggested that a misconfigured internal Git server exposed source code, revenue data, and credentials. Whether this was an insider leak or an external attacker exploiting misconfiguration remains unclear — which illustrates how the two threat vectors often appear identical in the evidence. Both require the same technical controls: least privilege, comprehensive logging, and anomaly detection.