Data breaches persist in cloud storage systems, despite continued efforts to bolster security measures.
In a comprehensive study, cybersecurity firm Tenable has highlighted significant vulnerabilities in cloud storage environments, particularly in Amazon Web Services (AWS), Google Cloud Platform (GCP), and other major cloud providers. The report, released in 2025, emphasizes critical gaps such as limited cloud visibility and outdated security practices, leaving organizations exposed to potential attacks.
One of the report's key findings is how often sensitive data turns up in user data. More than a quarter of AWS users were found to be storing sensitive information in their user data, a situation that Tenable deemed particularly concerning. Additionally, over 3.5% of AWS EC2 instances contained secrets in user data. Tenable also found sensitive information in 54% of AWS users' Elastic Container Service task definitions and 52% of Google Cloud Run environment variables.
The report also underscores the problem of toxic cloud trilogies: instances that are publicly exposed, critically vulnerable, and highly privileged. The number of organizations with toxic cloud trilogies on AWS and GCP has decreased from 38% to 29%, but Tenable warns that these instances continue to pose an urgent problem for organizations. In fact, nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data between October 2024 and March 2025.
The report also highlights significant challenges in vulnerability management: many organizations struggle to patch critical vulnerabilities promptly, which increases their exposure. It emphasizes enhanced detection capabilities and monitoring, aimed at preventing data theft and unauthorized access in cloud storage, as a core strategy to reduce threats.
The evolving role of Chief Information Security Officers (CISOs) involves corporate stakeholders wanting to better understand the risk calculus of their technology stacks, including the question: Are we a target? This is highlighted in the Trendline section of the report.
Despite the declines, Tenable's report indicates that Amazon Web Services hosts the majority of sensitive data among the three major cloud providers. More than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report.
The report also notes the importance of proactive cyber vulnerability management as a core strategy to reduce threats in cloud storage and infrastructure. The findings of Tenable's report underscore the need for organizations to prioritize cloud security and implement robust measures to protect their sensitive data.
- The Tenable report, which focused on the security of cloud storage for 2024-2025, reveals that Amazon Web Services (AWS) hosts the majority of sensitive data among the major cloud providers.
- Organizations are urged to prioritize cloud security and implement robust measures, as the Tenable report underscores the need for proactive cyber vulnerability management as a core strategy to reduce threats in cloud storage and infrastructure.