Part 2: Cloud Misconfigurations and Attack Surface

Research and list 5 common cloud misconfigurations (e.g., overly permissive S3 buckets, default security group rules).

On July 25, 2025, our company, Digitalwitch, experienced a security incident where a misconfigured cloud storage S3 bucket exposed sensitive customer data, resulting in a significant data breach. This incident highlighted the critical importance of identifying and addressing cloud misconfigurations promptly to prevent security risks, data breaches, and compliance issues.

As part of our incident response and remediation efforts, we need to identify and address common cloud misconfigurations that could lead to similar incidents in the future.

Our security team has identified the following 5 common cloud misconfigurations that need to be addressed:

  1. Insecure Use of Elastic Compute Cloud (EC2) Instance Metadata: Sensitive information can be exposed through the instance metadata service if it is not properly secured. We will ensure that instance metadata access is properly configured and secured on every instance.
  2. Publicly Accessible S3 Buckets: Leaving S3 buckets open to the public can expose sensitive data. We will ensure that all buckets are configured to block public access and use access controls to restrict unauthorized users.
  3. Unrestricted Outbound Access: Allowing unrestricted outbound traffic can lead to data exfiltration. We will restrict outbound access to specific IP addresses and services to prevent unauthorized data transfer.
  4. Disabled Logging and Monitoring: Failing to enable logging and monitoring can make it difficult to detect security incidents. We will enable CloudTrail and S3 server access logging to track API activity and detect unauthorized access.
  5. Misconfigured Security Groups and Network ACLs: Misconfigured security groups can grant unintended access to resources. We will ensure that security groups and network ACLs restrict access as intended.
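As an added illustration (not part of this incident write-up or of any Digitalwitch tooling), the following Python script checks constructed configuration documents for each of the five misconfigurations above. The dictionaries mimic the JSON shape of the AWS CLI / boto3 calls `describe-instances` (MetadataOptions), `get-public-access-block`, `get-bucket-logging`, `describe-security-groups` and `describe-trails` / `get-trail-status`, but every instance ID, bucket name, security group and trail here is made up, and the `audit` function and its `check_*` helpers are assumptions of this example. In practice the same functions would be fed the real responses from boto3 or the CLI.

```python
"""Check constructed AWS configuration documents for the five misconfigurations above.
Dictionaries mimic AWS CLI / boto3 output shapes, but every value is made up for this example."""

ANYWHERE = {"0.0.0.0/0", "::/0"}          # CIDRs meaning "the whole internet"
ADMIN_PORTS = {22, 3389}                   # SSH / RDP: should never be world-reachable
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _open_to_world(rule: dict) -> bool:
    # True if a security-group rule matches any IPv4/IPv6 source or destination.
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def check_imds(instances: list) -> list:
    """1. EC2 instance metadata: require IMDSv2 tokens and a hop limit of 1."""
    out = []
    for i in instances:
        opts = i.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") != "enabled":
            continue  # metadata service switched off: nothing to expose
        if opts.get("HttpTokens") != "required":
            out.append(f"{i['InstanceId']}: IMDSv1 still allowed (HttpTokens={opts.get('HttpTokens')})")
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            out.append(f"{i['InstanceId']}: hop limit {opts['HttpPutResponseHopLimit']} lets containers reach IMDS")
    return out

def check_s3_public(buckets: list) -> list:
    """2. Public S3 buckets: all four Block Public Access flags must be on."""
    out = []
    for b in buckets:
        pab = b.get("PublicAccessBlockConfiguration", {})
        missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
        if missing:
            out.append(f"{b['Name']}: public access not blocked ({', '.join(missing)} off)")
    return out

def check_egress(groups: list) -> list:
    """3. Unrestricted outbound: flag egress rules allowing every protocol to anywhere."""
    out = []
    for g in groups:
        for rule in g.get("IpPermissionsEgress", []):
            if rule.get("IpProtocol") == "-1" and _open_to_world(rule):
                out.append(f"{g['GroupId']}: all-protocol egress to the internet")
    return out

def check_logging(trails: list, buckets: list) -> list:
    """4. Logging: need an active multi-region CloudTrail and S3 access logging per bucket."""
    out = []
    if not any(t.get("IsLogging") and t.get("IsMultiRegionTrail") for t in trails):
        out.append("no active multi-region CloudTrail")
    for b in buckets:
        if "LoggingEnabled" not in b.get("BucketLogging", {}):
            out.append(f"{b['Name']}: server access logging disabled")
    return out

def check_ingress(groups: list) -> list:
    """5. Security groups: admin ports or every port open to the world on ingress."""
    out = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if not _open_to_world(rule):
                continue
            if rule.get("IpProtocol") == "-1":
                out.append(f"{g['GroupId']}: all ports open to the internet")
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                out.append(f"{g['GroupId']}: ports {exposed} open to the internet")
    return out

def audit(account: dict) -> dict:
    """Run all five checks; keys follow the numbering of the list above."""
    return {
        "1-imds": check_imds(account["instances"]),
        "2-s3-public": check_s3_public(account["buckets"]),
        "3-egress": check_egress(account["security_groups"]),
        "4-logging": check_logging(account["trails"], account["buckets"]),
        "5-ingress": check_ingress(account["security_groups"]),
    }

# Constructed sample account: one compliant and one misconfigured object per category.
SAMPLE_ACCOUNT = {
    "instances": [
        {"InstanceId": "i-good", "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-bad", "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}],
    "buckets": [
        {"Name": "customer-data-locked", "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
         "BucketLogging": {"LoggingEnabled": {"TargetBucket": "audit-logs"}}},
        {"Name": "customer-data-open", "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}, "BucketLogging": {}}],
    "security_groups": [
        {"GroupId": "sg-tight", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        {"GroupId": "sg-default", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": False}],
}

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_ACCOUNT).items():
        print(check, findings or ["ok"])
```

Run against the sample, the script reports the IMDSv1-enabled instance, the bucket missing three of the four Block Public Access flags, the all-protocol egress rule on `sg-default`, the CloudTrail trail that exists but is not logging plus the bucket without access logging, and SSH open to the world; the compliant objects produce no findings. The `sg-default` egress rule is the important one for item 3: a newly created security group allows all outbound traffic by default, so "restricting outbound access" means replacing that rule, not just leaving it untouched.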

By addressing these common cloud misconfigurations, we expect to significantly reduce the risk of future security incidents and protect our customers' sensitive information. Our proactive measures will include:

Part 3: Threat Actor Profile

AWS Config Rule Assignments