Research highlights growing cloud security risks

02 July 2025

The Tenable Research 2025 Cloud Security Risk Report reveals critical gaps in safeguarding sensitive data, managing identities, and securing cloud workloads — especially with the increasing use of AI resources.

The report highlights concerning levels of data exposure, noting that 9% of publicly accessible cloud storage contains sensitive information, with 97% of this data classified as restricted or confidential. Such exposure significantly raises the risk of exploitation by malicious actors, particularly when misconfigurations or embedded secrets like passwords and API keys are present. Security inconsistencies across major public cloud providers — Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure — compound these vulnerabilities, leaving organisations exposed to potential breaches.

In terms of secrets and workload security, the report reveals that more than half of organisations (54%) store at least one secret directly within AWS Elastic Container Service (ECS) task definitions, creating a direct attack vector. Similar patterns are evident on GCP Cloud Run, where 52% of organisations store secrets within resources, and 31% of Microsoft Azure Logic Apps workflows contain embedded secrets. Additionally, 3.5% of all AWS EC2 instances were found to hold secrets within user data, representing a substantial security concern given AWS’s widespread adoption.
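As an added illustration of the ECS finding above (example code written for this page, not Tenable's tooling), the check below flags plaintext credentials in a task definition's `environment` block while accepting the `secrets`/`valueFrom` pattern, which pulls values from Secrets Manager or SSM Parameter Store at launch instead of embedding them. The task definition, container names and ARN are constructed.

```python
import re

# Constructed sample task definition (not taken from the report): one container
# with two plaintext credentials in `environment` and one secret injected the
# recommended way, via `secrets` / `valueFrom`.
SAMPLE_TASK_DEFINITION = {
    "family": "billing-api",
    "containerDefinitions": [{
        "name": "api",
        "image": "example/billing-api:1.4",
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "PAYMENTS_ENDPOINT", "value": "https://payments.example.internal"},
            {"name": "DB_PASSWORD", "value": "correct-horse-battery-staple"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
        ],
        "secrets": [{
            "name": "PAYMENTS_API_KEY",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments-key-AbCdEf",
        }],
    }],
}

# Variable names that conventionally hold credentials, matched as whole
# underscore-separated tokens so BYPASS_CACHE or TOKENIZER_MODEL are not hit.
SECRET_NAME_RE = re.compile(
    r"(^|_)(PASSWORD|PASSWD|PASS|SECRET|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|CREDENTIALS?)(_|$)",
    re.IGNORECASE,
)
# Values that are credentials whatever the variable is called: AWS access key
# IDs and PEM-encoded private keys.
SECRET_VALUE_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b|-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_embedded_secrets(task_def: dict) -> list[dict]:
    """One finding per plaintext `environment` entry that looks like a secret;
    `secrets` entries are resolved at launch and never stored here, so they pass."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if SECRET_VALUE_RE.search(value):
                reason = "value matches a known credential format"
            elif value and SECRET_NAME_RE.search(name):
                reason = "variable name suggests a credential"
            else:
                continue
            findings.append({"container": container.get("name"), "variable": name, "reason": reason})
    return findings
```

Run it over the output of `aws ecs describe-task-definition` for each active task definition; a non-empty result is a candidate for moving the value into Secrets Manager and referencing it under `secrets`.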

While there has been some progress, with the ‘toxic cloud trilogy’ scenario (workloads that are simultaneously publicly exposed, vulnerable, and highly privileged) falling from 38% to 29% of organisations, the risk remains significant. This persistent threat underscores the importance of tightening security controls around cloud workloads.

The report also emphasises ongoing challenges in identity and access management. Although 83% of AWS organisations use Identity Provider (IdP) services to manage cloud identities — a recognised best practice — risks persist due to overly permissive default settings, excessive permissions, and lingering standing privileges. These misconfigurations open pathways for attackers to exploit over-privileged accounts, access sensitive assets, or extract embedded secrets with relative ease.

“Despite the numerous security incidents we’ve observed, many organisations continue to leave critical cloud assets exposed through avoidable misconfigurations. Attackers can exploit public access, embedded secrets, or overprivileged identities to gain entry,” said Ari Eitan, Director of Cloud Security Research at Tenable.

To combat these vulnerabilities, Eitan advocates for continuous, proactive risk management. He emphasises that security teams require comprehensive visibility across their cloud environments and the ability to automate remediation to prevent threats from escalating. The report advocates for a unified approach to cloud exposure management, increased asset visibility, and systematic automation of security processes — especially as reliance on AI-driven cloud resources continues to grow.