Dive Brief:
- Nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data, with virtually all of that data considered confidential or restricted, according to a new report from Tenable based on scans conducted between October 2024 and March 2025.
- On the other hand, more than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report, published last week.
- The number of organizations with triple-threat cloud instances — “publicly exposed, critically vulnerable and highly privileged” — declined from 38% between January and June 2024 to 29% between October 2024 and March 2025.
Dive Insight:
Tenable’s report highlights serious risks facing cloud storage users, as well as some promising security trends.
Amazon Web Services hosted more sensitive data (16.7% of its buckets) than Google Cloud Platform (6.5%) and Microsoft Azure (3.2%), the report showed. According to Tenable, that could be because “users are confident in the AWS security measures they have put in place” or because of AWS’s longevity as a cloud provider.
Cloud buckets’ configuration settings may be leaking secret data, Tenable said. Researchers found sensitive information in 54% of AWS users’ Elastic Container Service task definitions and 52% of Google CloudRun environment variables. In addition, Tenable found that more than a quarter of AWS users were storing sensitive information in their user data.
Overall, 3.5% of AWS EC2 instances contained secrets in user data. Tenable called this “particularly concerning,” noting that attackers who access these secrets “can use them to trigger a cascade of exploitative activity.”
Tenable’s report also dove into “toxic cloud trilogies” — instances that are publicly exposed to the internet, contain critical vulnerabilities and contain highly privileged data. Researchers saw promising declines in multiple metrics, including the number of organizations with at least one such bucket on AWS or GCP (down from 38% to 29%), the number of organizations with five of them (down from 27% to 13%) and the number of organizations with 10 of them (down from 15% to 7%). Even so, Tenable said, “these findings show that toxic cloud trilogies continue to pose an urgent problem for organizations.”
