Cloud storage misconfig research

- Aviatrix published research showing cloud storage misconfigurations can enable full attack chains from IAM escalation to lateral movement.
- Their analysis traced end-to-end paths that abused misconfigured buckets and weak runtime segmentation.
- The study stresses runtime segmentation and least-privilege controls to break chained attacks in cloud environments. (x.com/aviatrixtrc)

Cloud storage is the cloud's filing cabinet, and a bad lock on one bucket can open a path to much more than stolen files. Aviatrix's latest research maps how exposed storage, overbroad identity permissions, and weak runtime controls can combine into a full cloud attack chain. (aviatrix.ai)

A storage bucket is a container for files in services such as Amazon S3, and its permissions decide who can read, write, or list what is inside. Amazon says S3 Block Public Access can be set at the account, bucket, or access-point level, with the most restrictive setting taking effect. (docs.aws.amazon.com) Identity and Access Management, or IAM, is the cloud's permission system: it decides which users, apps, and machines can call which cloud APIs. Amazon's own guidance says least privilege means granting only the permissions required for a task and no more. (docs.aws.amazon.com)

Aviatrix's Threat Research Center says recent breach analysis is focused on how attacks unfold across identities, workloads, and cloud-native services, and on where runtime controls could have broken the chain. In one February 3, 2026 case study, Aviatrix said an attacker used credentials exposed in public S3 buckets to compromise an Amazon Web Services environment in eight minutes. (aviatrix.ai 1) (aviatrix.ai 2) That February case study said the attacker moved from exposed bucket data to administrative privileges and then laterally across 19 AWS principals before establishing command-and-control access and exfiltrating data. A separate Aviatrix analysis published January 10, 2026 described attackers abusing overly permissive AWS IAM settings, unsecured artificial-intelligence model storage, and excessive Kubernetes permissions in the same campaign pattern. (aviatrix.ai 1) (aviatrix.ai 2)

The point of the new research is that the bucket mistake is often only the first move. Once an attacker gets a credential, token, or secret from storage, the next question is whether that identity can assume stronger roles, reach more workloads, or talk freely across connected cloud networks. (aviatrix.ai 1) (aviatrix.ai 2)

Runtime segmentation is the cloud version of putting locked doors inside a building instead of only at the front entrance. Aviatrix says segmentation has to work as a runtime control, with explicit least-privilege rules and default-deny communication between network domains, because static designs can collapse once environments are connected. (aviatrix.ai) Amazon describes security groups as virtual firewalls that control inbound and outbound traffic for resources such as Elastic Compute Cloud instances, and its security maturity guidance says segmentation reduces blast radius after initial access. In plain terms, even if a bucket or credential is exposed, tighter east-west controls can stop one compromised workload from freely reaching databases, management planes, or neighboring apps. (docs.aws.amazon.com) (maturitymodel.security.aws.dev)

This attack-chain framing also matches outside research on Aviatrix-related cloud risk. Wiz said on January 11, 2025 that about 3% of cloud enterprise environments in its data had Aviatrix Controller deployed, and 65% of those had a lateral-movement path from the controller's virtual machine to administrative cloud control-plane permissions. (wiz.io) Aviatrix's own AWS IAM documentation says its controller can create roles and policies that let it launch gateway instances, create route entries, and build networks, while customers can restrict API calls through custom IAM policies. That is why least-privilege tuning matters: broad permissions make automation work faster, but they also give attackers more room if a secret or control point is exposed. (legacy.docs.aviatrix.com)

The practical fixes in the research are familiar but stricter in combination: block public access where it is not needed, keep secrets out of buckets, narrow IAM roles, and enforce segmentation after an attacker gets in. The thread running through Aviatrix's recent cases is simple: in cloud breaches, one misconfigured bucket is rarely the whole story. (docs.aws.amazon.com) (docs.aws.amazon.com) (aviatrix.ai)
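Two of the fixes above can be checked statically before a deploy. The added example below (not code from Aviatrix, AWS, or the briefing) combines S3 Block Public Access settings from several levels under the "most restrictive setting takes effect" rule and flags IAM statements that grant wildcard actions on wildcard resources; the policy document and settings are constructed samples.

```python
"""Static checks for S3 Block Public Access layering and least-privilege IAM."""
import json

# The four Block Public Access flags AWS exposes (assumption: names as in the S3 API).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_public_access_block(*layers):
    """Combine account-, bucket- and access-point-level configurations.

    A flag is in effect if ANY layer turns it on: that is what "the most
    restrictive setting takes effect" means. A layer that omits a flag
    contributes nothing for it."""
    return {flag: any(layer.get(flag, False) for layer in layers)
            for flag in PAB_FLAGS}


def is_fully_blocked(effective):
    """True only when every flag is on, i.e. no public path remains."""
    return all(effective[flag] for flag in PAB_FLAGS)


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy_doc):
    """Return the Sids of Allow statements that pair a wildcard action
    ("*" or "service:*") with a wildcard resource ("*")."""
    findings = []
    for stmt in _as_list(json.loads(policy_doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action and wild_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


SAMPLE_POLICY = json.dumps({  # constructed sample, not a real policy
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    account = {"BlockPublicAcls": True, "IgnorePublicAcls": True}
    bucket = {"BlockPublicPolicy": True}  # RestrictPublicBuckets still off
    eff = effective_public_access_block(account, bucket)
    print("effective:", eff, "fully blocked:", is_fully_blocked(eff))
    print("overbroad statements:", overbroad_statements(SAMPLE_POLICY))
```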


Shared from Scout - Be the smartest in the room.