
Cloud Misconfigurations: Still the Biggest Threat in 2025?


Posted on by Michael Chukwube

As more and more organizations' critical systems move to the cloud, simple mistakes can be catastrophic. Industry research has been warning for years that cloud misconfigurations are behind a huge percentage of breaches. For example, in 2024 SentinelOne found that almost 23% of cloud security incidents stem from misconfigurations. As threats have evolved, the ease of making mistakes in cloud setup has remained the biggest cloud risk. This blog looks at why misconfigurations are still dominating cloud security incidents and what you need to do about it.

Why Misconfigurations Persist

Clouds are big, dynamic, and easy to deploy into, which makes them prone to human error. A lack of visibility or expertise means settings get overlooked. As the Cloud Security Alliance (CSA) puts it, “Misconfigurations are among the most significant security threats in cloud environments today. They occur due to human error, lack of knowledge, or not following best practices when setting up cloud resources.” According to SentinelOne’s 2024 report, 82% of cloud misconfigurations are due to human mistakes, not software errors. With millions of instances, Application Programming Interfaces (APIs) and services in play, even experienced teams can slip up. IBM’s X-Force found that in fully cloud-native deployments, security checks failed “due to misconfiguring assets,” meaning basic settings were wrong or missing.

The complexity is compounded by fast-paced development and multi-cloud deployments. Teams spin up new resources to meet business demands without involving security. Insiders with little IT background can create open buckets or over-permissive roles when they deploy tools. In practice, many misconfigurations leave only hidden traces. This is why misconfigurations persist: they sit silently until attackers find them. Security teams must proactively look for anomalies, because unchecked cloud drift and neglected assets give attackers an open door long before any attack is noticed. Still, many organizations find exposed cloud assets only after a breach.

In short, humans and velocity mean misconfigurations keep happening. While automation can help, many organizations still struggle. It’s impossible to have teams manually keep track of what’s deployed and configured correctly in the cloud. Without automation or continuous monitoring, simple mistakes like leaving an S3 bucket public or forgetting to disable default credentials can slip through the cracks.

Other Threats in the Cloud Landscape

Of course, misconfiguration is just one type of cloud risk. At RSAC 2025 Conference, identity and access management (IAM) was front of mind. In his session on Cloud Security, Rich Mogull told the audience, “All cloud security failures are identity failures and all identity failures are governance failures.” In practice, credential theft and role misuse get attackers in. In an RSAC podcast, Neil Carpenter found that leaked credentials were the initial access point in 65% of the cloud breaches he analyzed. In many cases, those credentials simply unlocked an already open door: a misconfigured instance or database. In fact, RSA’s Sean Metcalf pointed out that misconfigurations in cloud identity systems (like Entra ID) are themselves attack vectors.

Other trends, like ransomware-as-a-service, API exploitation and AI-driven threats, are vying for attention, and these modern threats matter: phishing and malware still lead to many breaches. But even many of those attacks rely on misconfigurations or policy gaps to succeed in the cloud. For example, an exposed API key or disabled logging can amplify the impact of a phishing breach. One trend that bubbled up in the RSAC 2025 Conference Call for Submissions Trends Report was the recognition that, “Insider threat comes not only from a disgruntled employee but also from common misconfigurations.” In other words, an unintentional misconfiguration is itself an insider risk. Likewise, CSA’s latest Top Threats report (2024) listed “Misconfiguration and inadequate change control” as the #1 cloud threat, above even zero-day attacks. That means the community still sees misconfiguration as at least co-equal with the other top threats.

So what’s the single biggest threat? Well, that depends on your perspective. But the data and the experts all say misconfigurations are among the top risks. Ransomware may take down workloads and supply-chain attacks get the headlines but underneath it’s often a configuration gap. In short, even as new threats emerge, misconfigurations are still embedded in how attacks work.

Mitigating the Misconfiguration Problem

The good news is that misconfigurations are also, in principle, more manageable than some threats. They are preventable with the right processes and tooling. Experts advise shifting left and baking security into the development and ops pipeline. For example, integrating Infrastructure-as-Code (IaC) with embedded security policies means deployments follow secure templates rather than manual setup. At RSAC, security leaders pushed for rigor in identity governance and zero-trust: eliminate long-lived credentials, enforce MFA everywhere, and revoke unused permissions. These changes reduce the blast radius if something goes wrong.

Continuous visibility is another key. As Esteban Gutierrez of New Relic says, “observability tools let defenders see the exact data being interacted with” and spot misconfigurations early. His advice is for security teams to adopt cloud-native monitoring: observability’s real-time monitoring and automation capabilities can help proactively detect and mitigate risks in cloud configurations. In practice, this means real-time logging, configuration scanning and anomaly alerts. In many cases, cloud providers’ native tools (AWS Config, Azure Policy, etc.) can enforce baselines. Third-party Cloud Security Posture Management (CSPM) and CNAPP platforms can continuously audit and auto-remediate issues.

Automation helps at scale. Finding misconfigurations manually is impossible, so security teams are automating scanning of resources and remediation playbooks. Automation is critical in the cloud. AI-driven rule-checkers, compliance bots and even GitOps enforcement can close the gap between “misconfiguration risk” and actual secure configuration.
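The automated scanning described above, as an added illustration that is not part of the original post: a small policy-as-code checker, written for this article rather than taken from any vendor's CSPM, that runs the article's own checks (public S3 bucket policies, over-permissive roles, disabled access logging, missing MFA, long-lived access keys) over a constructed inventory. The inventory format is a simplified assumption for the example, not real AWS API output; the policy documents follow the standard IAM JSON shape.

```python
"""Toy policy-as-code scanner for common cloud misconfigurations.

Added example for this article. The inventory shape (buckets/roles/users with
inline policy documents) is an assumption; only the policy JSON is the
standard IAM format. Standard library only, so it runs offline.
"""
from datetime import datetime, timezone


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(x == "*" for v in principal.values() for x in _as_list(v))
    return False


def check_bucket_policy(policy):
    """Flag Allow statements open to any principal with no Condition block."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append("public access: " + ", ".join(_as_list(stmt.get("Action", []))))
    return findings


def check_role_policy(policy):
    """Flag statements granting every action on every resource, or a whole service."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append("over-permissive: Action * on Resource *")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append("service-wide wildcard: " + ", ".join(wide))
    return findings


def check_access_key(key, now, max_age_days=90):
    """Flag active keys older than the rotation window (90 days assumed)."""
    age = (now - datetime.fromisoformat(key["created"])).days
    if key["status"] == "Active" and age > max_age_days:
        return [f"long-lived credential: {key['id']} is {age} days old"]
    return []


def scan(inventory, now=None):
    """Return {resource_name: [findings]} for every resource with at least one issue."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for bucket in inventory.get("buckets", []):
        f = check_bucket_policy(bucket["policy"])
        if not bucket.get("logging_enabled", False):
            f.append("access logging disabled")
        if f:
            report[bucket["name"]] = f
    for role in inventory.get("roles", []):
        f = check_role_policy(role["policy"])
        if f:
            report[role["name"]] = f
    for user in inventory.get("users", []):
        f = [] if user.get("mfa_enabled") else ["MFA not enabled"]
        for key in user.get("access_keys", []):
            f += check_access_key(key, now)
        if f:
            report[user["name"]] = f
    return report


SAMPLE_INVENTORY = {  # constructed sample data; account id and key id are placeholders
    "buckets": [
        {"name": "public-assets", "logging_enabled": False,
         "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                   "Action": ["s3:GetObject", "s3:ListBucket"],
                                   "Resource": "arn:aws:s3:::public-assets/*"}]}},
        {"name": "app-data", "logging_enabled": True,
         "policy": {"Statement": [{"Effect": "Allow",
                                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                                   "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::app-data/*"}]}},
    ],
    "roles": [
        {"name": "deploy-role",
         "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "reader-role",
         "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::app-data/*"}]}},
    ],
    "users": [
        {"name": "ci-bot", "mfa_enabled": False,
         "access_keys": [{"id": "AKIA-EXAMPLE", "status": "Active",
                          "created": "2024-01-15T00:00:00+00:00"}]},
    ],
}

if __name__ == "__main__":
    for name, issues in scan(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(issues))
```

Run against the sample inventory, the scanner reports the public, unlogged bucket, the administrator-equivalent role and the CI user with no MFA and a stale key, while the scoped bucket and role produce no findings. In a real pipeline the same checks would run in CI against IaC output or a nightly export of the account, which is the "continuous auditing" the article calls for.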

And finally, the team’s mindset matters. Security pros must think like hunters, not just responders. Destcert reminds us that “often the real danger lies in the hidden traces” and that proactive curiosity is the key to finding them. In concrete terms, this means drilling into logs, threat-hunting cloud accounts for irregular activity and challenging assumptions (“what if an S3 bucket is public?” “what if an API key leaked?”). It also means tying security to business strategy: treating cloud governance as a board-level issue, not an afterthought.

Misconfigurations are still top of mind for 2025. While the threat landscape has grown with AI-driven attacks, deepfake phishing and geopolitical crises, the evidence is clear that misconfigurations are still at or near the top of the risk register. Analysts and standards bodies alike rank them as the number one cause of breaches. The difference now is that we have better tools and techniques to fix them. Organizations that adopt continuous auditing, least privilege and developer-driven security will reduce this risk. In the end, misconfigurations are a solvable problem: by investing in visibility, automation and culture, security teams can make these old vulnerabilities go away. The cloud will always change, but with vigilance and strategy, we can make misconfigurations yesterday’s biggest problem.

Contributors
Michael Chukwube

Co-Founder, StartUp Growth Guide

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
