Research from Tenable revealed that 9% of publicly accessible Cloud storage contains sensitive data, and 97% of such data is restricted and confidential, making it an easy and prime target for threat actors. The findings come from the company's recently released 2025 Cloud Security Risk Report.
Cloud environments face dramatically increased risk due to exposed sensitive data, misconfigurations, underlying vulnerabilities and poorly stored secrets – such as passwords, API keys and credentials.
Key findings:
- Using Identity Providers (IdPs) alone doesn’t eliminate risk: while 83% of AWS organisations are exercising best practices in using IdP services to manage their Cloud identities, overly-permissive defaults, excessive entitlements, and standing permissions still expose them to identity-based threats
- ‘Toxic Cloud Trilogy’ workloads remain a persistent, high-impact risk: nearly a third (29%) of organisations still grapple with at least one ‘toxic Cloud trilogy’ workload. This critical combination—a workload that is publicly exposed, critically vulnerable, and highly privileged—represents an immediate, high-impact risk pattern
- Secrets found in diverse Cloud resources, putting organisations at risk: over half of organisations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions — creating a direct attack path. Similar issues were found among organisations using Google Cloud Platform (GCP) Cloud Run (52%) and Microsoft Azure Logic Apps workflows (31%). Alarmingly, 3.5% of all AWS Elastic Compute Cloud (EC2) instances contain secrets in user data — a major risk given how widely EC2 is used
“Despite the security incidents we have witnessed over the past few years, organisations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations,” said Ari Eitan, Director of Cloud Security Research, Tenable. “The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritise and automate remediation before threats escalate. The Cloud demands continuous, proactive risk management, and not reactive patchwork.”