Cloud & Container Security · beginner · ~10 min
Recognise the classic public-exposure misconfigurations.
The top cloud findings are accidental public exposure: storage buckets made public (data/secrets leak) and security groups opening SSH/RDP/databases to 0.0.0.0/0, plus public snapshots, databases, and dashboards. Fix: default-deny, block public access, restrict source ranges, no secrets in buckets.
Public buckets and 0.0.0.0/0 rules are among the most common and damaging cloud breaches — direct data exposure or internet-facing admin access with no exploit. They're quick to find and high impact.
Public buckets: private by default, often misconfigured public; name enumeration.
Security groups: avoid 0.0.0.0/0 on 22/3389/DB ports.
Other: public snapshots/AMIs/dashboards/DBs.
Fix: block public access, least-privilege policies, restricted source ranges, bastions/VPN.
The most common cloud findings are resources accidentally exposed to the internet.
Object storage (S3, Azure Blob, GCS) is private by default but frequently made public by mistake — a checkbox, a broad bucket policy, or ACLs granting AllUsers. Result: customer data, backups, and secrets readable by anyone who knows (or guesses) the bucket name. Bucket-name enumeration is routine recon. The fix: block public access at the account level, least-privilege bucket policies, and don't store secrets in buckets.
Cloud security groups are virtual firewalls on instances. The classic mistake is opening sensitive ports to 0.0.0.0/0 (the whole internet) — SSH (22), RDP (3389), databases (3306/5432), or admin panels exposed globally. The fix: restrict source ranges, use bastions/VPN, and default-deny inbound.
Other exposures: public snapshots/AMIs, public databases, unauthenticated dashboards (Kibana, etc.), and management APIs left open to the internet.
Enumerate the account's resources and ask, for each: is this reachable from the internet, and should it be? Public exposure + weak/no auth is a direct breach, no exploit required.
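The two checks above (world-open sensitive ports in security groups, and bucket policies or Block Public Access settings that leave storage public) are what the "is this reachable, and should it be?" question boils down to in practice. The script below is an added example written for this lesson, not code from the original page or from any cloud provider. It assumes input in the shape of AWS `describe-security-groups` IpPermissions and S3 bucket-policy JSON; every group id, CIDR, bucket name, role ARN and account id in the samples is constructed, and the weak configuration is shown beside its corrected form.

```python
"""Added example: flag classic public-exposure misconfigurations in cloud config.

Input shapes follow AWS describe-security-groups IpPermissions and S3
bucket-policy JSON. All sample documents below are constructed for this
example; none come from a real account.
"""
import ipaddress

# Ports whose exposure to the whole internet is almost always a finding.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    1433: "MSSQL", 27017: "MongoDB", 6379: "Redis",
    9200: "Elasticsearch", 5601: "Kibana",
}

# The four S3 Block Public Access settings; a partial set still leaks.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0, or any other /0 range."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(sg: dict) -> list:
    """Return (group id, port/service, source) for sensitive ports open to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world_cidr(r["CidrIp"])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world_cidr(r["CidrIpv6"])]
        if not sources:
            continue  # restricted source range: not a public-exposure finding
        for src in sources:
            # IpProtocol "-1" means all traffic; AWS omits FromPort/ToPort in that case.
            if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
                findings.append((sg["GroupId"], "all ports", src))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], f"{port}/{name}", src))
    return findings


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} grants to anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_bucket_policy(policy: dict) -> str:
    """'public' if an Allow statement grants to everyone with no Condition,
    'conditional' if every such grant carries a Condition (review it), else 'private'."""
    status = "private"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not stmt.get("Condition"):
            return "public"
        status = "conditional"
    return status


def block_public_access_complete(cfg: dict) -> bool:
    """All four Block Public Access flags must be on for the account-level block to hold."""
    return all(cfg.get(flag) is True for flag in BPA_FLAGS)


# Constructed samples: weak setting beside its corrected form.
OPEN_SG = {"GroupId": "sg-example-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}
FIXED_SG = {"GroupId": "sg-example-fixed", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.0/24"}], "Ipv6Ranges": []},  # bastion subnet only
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},  # public HTTPS is intended
]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
FULL_BPA = {flag: True for flag in BPA_FLAGS}
PARTIAL_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True}

if __name__ == "__main__":
    for sg in (OPEN_SG, FIXED_SG):
        print(sg["GroupId"], audit_security_group(sg))
    print("public policy:", classify_bucket_policy(PUBLIC_POLICY))
    print("fixed policy:", classify_bucket_policy(FIXED_POLICY))
    print("BPA complete:", block_public_access_complete(FULL_BPA),
          block_public_access_complete(PARTIAL_BPA))
```

Note that 443 open to 0.0.0.0/0 is deliberately not flagged: a public HTTPS listener is usually intended, and the point of the audit is the "should it be?" question for admin and database ports. A `Principal: "*"` statement with a `Condition` (for example one that restricts to a VPC endpoint) is reported as "conditional" rather than silently passed, because whether it is actually public depends on the condition keys.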
Cloud's classic breaches are public storage buckets and over-open security groups exposing sensitive ports to the whole internet. Default-deny, account-level public-access blocks, restricted source ranges, and keeping secrets out of buckets are the fixes.