Tenable report shows that organizations are failing to configure storage effectively – and may have a false sense of security
Nearly one-in-ten publicly accessible cloud-storage buckets contain sensitive data, almost all of it highly private


Tenable's 2025 Cloud Security Risk Report has found that there's sensitive data being held in 9% of publicly accessible cloud storage, and that 97% of this data is classified as restricted or confidential.
The data includes API keys, access keys, encryption keys, and tokens, as well as traditional usernames and passwords.
More than half of organizations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions, for example, making for an easy line of attack. And alarmingly, said Tenable, 3.5% of all AWS Elastic Compute Cloud (EC2) instances contain secrets in user data.
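One defender-side check for the ECS finding above, as an added example that is not from the Tenable report or this article: it walks an ECS task definition and flags plaintext credentials left in container `environment` entries, while `secrets` entries that reference Secrets Manager or SSM via `valueFrom` are the field intended for them. The task definition, variable names and detection heuristics are constructed assumptions, not the report's methodology.

```python
import json
import re

# Heuristics (assumptions, not a definitive list): credential-like variable names
# and the AWS access key ID prefix pattern.
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def find_plaintext_secrets(task_def):
    """One finding per container 'environment' entry that looks like a secret.

    ECS task definitions carry plaintext name/value pairs in 'environment' and
    name/valueFrom references in 'secrets' (resolved at launch from Secrets
    Manager or SSM). Only 'environment' is checked: 'secrets' is the right place.
    """
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if SECRET_NAME_RE.search(name):
                reason = "secret-like variable name"
            elif AWS_ACCESS_KEY_RE.search(value):
                reason = "AWS access key ID in value"
            else:
                continue
            findings.append({"container": container.get("name"), "variable": name, "reason": reason})
    return findings


# Constructed sample task definition: the 'api' container leaks two secrets in
# plaintext; the 'worker' container uses the 'secrets' field as intended.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "example-api",
  "containerDefinitions": [
    {"name": "api", "environment": [
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "DB_PASSWORD", "value": "hunter2"},
      {"name": "AWS_KEY", "value": "AKIAEXAMPLEEXAMPLE01"}]},
    {"name": "worker",
     "environment": [{"name": "QUEUE_URL", "value": "https://sqs.example/queue"}],
     "secrets": [{"name": "DB_PASSWORD",
                  "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:db-pass"}]}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_TASK_DEF):
        print(finding)
```

Run against real definitions with `aws ecs describe-task-definition --task-definition <family>` output; the same pattern applies to EC2 user data, which the report also flags.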
And using Identity Providers (IdPs) alone doesn't fix this: while 83% of AWS organizations are using IdPs effectively to manage their cloud identities, they are still being exposed to identity-based threats, thanks to overly permissive defaults, excessive entitlements, and standing permissions.
Things weren't much better among organizations using Google Cloud Platform (GCP) Cloud Run, with 52% of users exposed, or for Microsoft Azure Logic Apps workflows, where the figure was 31%.
Researchers described what they called a 'toxic cloud trilogy' – a workload that is publicly exposed, critically vulnerable, and highly privileged. And while the share of organizations in this situation has fallen from 38% to 29% over the last year, it remains a significant and common risk.
"Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations," said Ari Eitan, director of cloud security research at Tenable.
"The path for attackers is often simple: exploit public access, steal embedded secrets, or abuse overprivileged identities."
There are a variety of reasons for the secrets being exposed, said Tenable. Two big causes are misconfigured access settings and overly permissive policies. Another is privilege elevation by developers, which may be intended for short-term use but then forgotten, eventually becoming permanent.
Other contributing factors include flawed permission structures caused by inconsistent access policies or overlapping roles, inadequate – often manual – monitoring, and even the mistaken belief that obscure storage bucket URLs provide sufficient protection. And one major reason that secrets are being exposed may simply be that organizations aren't aware of the sensitivity level of the data.
"To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate," said Eitan. "The cloud demands continuous, proactive risk management, and not reactive patchwork."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.