CLOUD SECURITY | MISCONFIGURATION
13 min read

Cross-Cloud Public Asset Exposure Audit: Find Your Misconfigurations Before Attackers Do

Sources:Tenable Cloud Security Risk Report 2025|Orca Security State of Public Cloud Security 2025|AWS Security Hub Foundational Best Practices
74%
of organizations running multi-cloud have at least one cloud asset with a critical misconfiguration that is publicly accessible — Tenable 2025
7 minutes
average time for automated scanners to probe a newly-created public cloud resource — Palo Alto Unit 42 cloud research
38%
of cloud breaches in 2025 originated from publicly exposed cloud storage containing sensitive data — Orca Security

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Running workloads across AWS, Azure, and GCP multiplies the misconfiguration surface area. Each cloud provider has its own storage service (S3, Azure Blob Storage, Google Cloud Storage), its own network security model (security groups, NSGs, VPC firewall rules), its own IAM, and its own defaults that have shifted over multiple product generations — meaning resources created two years ago may have had different default configurations than resources created today.

This guide covers a structured cross-cloud audit to identify publicly exposed assets: storage buckets and containers, network endpoints, database instances, and API gateways. The goal is to find what automated scanners will find, before they find it. The sequence is provider-by-provider for the most critical exposure class, followed by a cross-cloud consolidation using open source CSPM tooling.

AWS audit: Public exposure checks

AWS has the largest installed base and the most documented exposure patterns. S3 bucket misconfiguration and security group over-permissiveness are the top two vectors.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Azure audit: Public exposure checks

Azure Blob Storage and open NSG rules are the primary vectors. Azure Defender for Cloud provides consolidated findings but requires the plan to be enabled per-subscription.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

GCP audit: Public exposure checks

GCP's primary exposure patterns are public Cloud Storage buckets, firewall rules with 0.0.0.0/0, and Cloud SQL instances with public IP addresses.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Cross-cloud consolidation with open source CSPM

Running individual provider queries covers the surface area, but does not produce a consolidated risk view across all three environments. Prowler is an open source CSPM tool that audits AWS, Azure, and GCP using the same framework and produces unified findings.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

A cross-cloud public asset audit is a 2 to 4 hour exercise using native CLI tooling and Prowler — the time investment is low relative to the risk it closes. Run it quarterly at minimum, or after any significant infrastructure change. The majority of cloud breaches that make public news involve resources that would have appeared in this exact audit: publicly accessible storage buckets, open security group rules on database ports, or RDS instances with public endpoints. Finding them before an attacker does is achievable with tooling that already exists in your environment.

Frequently asked questions

What is the difference between CSPM and this manual audit approach?

Cloud Security Posture Management (CSPM) tools like Orca Security, Wiz, or Prisma Cloud run continuous automated scans across your cloud environments and alert on new misconfigurations as they appear. The manual CLI audit approach in this guide runs once on demand and covers the same checks. CSPM is the right long-term investment for organizations with significant cloud footprints — it converts a quarterly manual audit into continuous real-time detection. The manual approach is the right starting point for organizations evaluating their exposure before investing in a CSPM platform.

How do I check if my S3 bucket was accessed by unauthorized parties?

Enable S3 server access logging or S3 event notifications to CloudTrail for the bucket. Review S3 access logs in CloudWatch or Athena for GET requests from IP addresses outside your application's expected source ranges. If the bucket was public for a period and access logging was not enabled, you do not have direct visibility into who accessed it. AWS Macie can identify buckets containing sensitive data that has been exposed — enabling Macie retroactively scans existing bucket contents.

What does it mean when an Azure NSG rule has source: Internet versus 0.0.0.0/0?

In Azure NSG rules, Internet is a service tag that represents all public IP addresses not in the VirtualNetwork address space. 0.0.0.0/0 in CIDR notation covers all IPv4 addresses including private ones. Both effectively mean 'any source' for practical purposes when applied to inbound rules on resources with public IPs. Both require the same scrutiny during a security audit.

Sources & references

  1. Tenable Cloud Security Risk Report 2025
  2. Orca Security State of Public Cloud Security 2025
  3. AWS Security Hub Foundational Best Practices

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.