Introduction
Cloud platforms have become indispensable in an era where artificial intelligence (AI) is rapidly transforming business operations and digital ecosystems. However, this shift has also introduced significant vulnerabilities. A recent study from Varonis, a data security and analytics firm, reveals a major concern for enterprises relying on cloud services: overly permissive access policies in Amazon Web Services (AWS). The 2025 State of Data Security Report, released on May 20, 2025, paints a troubling picture of the security posture across leading cloud platforms, with AWS standing out due to the sheer scale and sprawl of its permissions structure.
This blog dives deep into the findings of the Varonis report, analyzing the implications of excessive cloud permissions, the rise of shadow AI, and the urgent need for better identity and access management (IAM) hygiene. We will explore why AWS environments are particularly vulnerable, how AI amplifies risks, and what steps organizations must take to secure their data in a rapidly evolving threat landscape.
The Alarming Scope of AWS Access Risks
One of the most startling revelations in the Varonis report is that the average AWS environment contains over 3,000 risky access policies per account. These policies often grant overly broad permissions, far exceeding what users or applications require. This kind of access bloat creates a massive and largely invisible attack surface for malicious actors.
AWS provides over 18,000 possible identity and access management (IAM) permissions, giving administrators fine-grained control over access to cloud resources. However, the vast number of options can be overwhelming, leading to configuration errors and security oversights. The result is that many organizations unintentionally assign overly generous permissions, failing to follow the principle of least privilege.
Cloud Complexity Meets Governance Challenges
With cloud adoption accelerating across industries, organizations are racing to modernize their infrastructure and support agile, data-driven operations. However, this rapid growth often comes at the expense of security best practices. According to Varonis, the average enterprise manages tens of thousands of permissions across AWS accounts, many of which are outdated, unnecessary, or misconfigured.
AWS IAM sprawl, the unchecked growth of access roles, groups, and policies, is a critical governance issue. Poor policy hygiene can result in former employees retaining access, third-party vendors being granted permanent permissions, and applications with access to sensitive data well beyond their scope.
AI
AI is revolutionizing everything from customer service to cybersecurity. But as the Varonis report highlights, it’s also introducing new risks. One of the most eye-opening statistics from the report is that 99% of organizations had sensitive data exposed to AI tools. This includes large language models (LLMs), generative AI assistants, and other emerging technologies that integrate directly with business data.
AI tools often require access to vast datasets to function effectively. Without careful governance, they may query, process, or store sensitive information in unsecured ways. Worse, unsanctioned or unverified AI tools, often referred to as “shadow AI”, may be deployed by employees without IT oversight, increasing the risk of data leakage or misuse.
Cross-Platform Vulnerabilities
While AWS was a major focus, the Varonis report assessed security risks across popular cloud platforms, including Microsoft 365 and Salesforce. The findings were equally concerning:
- 98% of organizations used unsanctioned AI or third-party applications
- 88% had stale but active user accounts
- MFA (multifactor authentication) enforcement was inconsistently applied
These trends reflect a broader issue in cloud governance, namely, the lack of visibility and control over who has access to what data and how that access is monitored or revoked.
The Impact of Over-Permissioned Policies
Why are excessive permissions so dangerous? Simply put, they increase the likelihood of a breach. Attackers exploit misconfigurations and unused access routes to gain a foothold in cloud environments. Once inside, lateral movement is much easier when users or systems have access to a wide range of services or data.
Moreover, over-permissioned accounts are a favorite target for phishing campaigns. If a compromised account holds administrator or cross-account permissions, the entire cloud environment could be at risk. In this context, enforcing least privilege access is not just a best practice; it is a critical defense mechanism.
Recommendations for AWS Security Teams
The Varonis report doesn’t just highlight problems; it also points the way toward solutions. Here are some key recommendations for organizations looking to tighten their AWS security posture:
- Conduct a Permissions Audit: Review all AWS IAM policies and roles regularly to identify and eliminate overly permissive configurations.
- Enforce Least Privilege Access: Ensure that users and applications have only the permissions necessary to perform their tasks.
- Implement MFA Everywhere: Require multifactor authentication for all accounts, especially those with elevated privileges.
- Monitor for Shadow AI: Establish policies to detect and control the use of unsanctioned AI tools.
- Retire Stale Accounts: Immediately disable accounts that are no longer in use or have been inactive for extended periods.
- Automate Policy Hygiene: Use automation tools to detect and remediate risky IAM configurations in real time.
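As an added example (not code from this post, from Varonis, or from AWS), the checker below shows what the permissions audit, least-privilege and MFA recommendations above look like when turned into a test over IAM policy documents: it flags wildcard actions, service-wide wildcards such as `iam:*`, mutating actions on `Resource: "*"`, and IAM actions granted without an MFA condition. The three sample policies are constructed for illustration, and the list of read-only action prefixes is a heuristic assumption.

```python
# Constructed sample IAM policy documents (illustrative, not taken from the report).
SAMPLE_POLICIES = {
    "AdminEverything": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnlyBucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
    "BroadIamWithoutMfa": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"], "Resource": "*"}]},
}
READ_ONLY_PREFIXES = ("describe", "list", "get")  # heuristic assumption: these do not change state
MFA_CONDITION_KEYS = {"aws:MultiFactorAuthPresent", "aws:MultiFactorAuthAge"}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_read_only(action):
    return action.split(":", 1)[-1].lower().startswith(READ_ONLY_PREFIXES)

def find_risky_statements(policy):
    """Return findings for Allow statements that are broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Condition is {operator: {key: value}}; collect every condition key in use
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if "*" in actions:
            findings.append(f"stmt {idx}: Action '*' grants every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"stmt {idx}: service-wide wildcard {action}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"stmt {idx}: mutating actions allowed on Resource '*'")
        if any(a.lower().startswith("iam:") for a in actions) \
                and not cond_keys & MFA_CONDITION_KEYS:
            findings.append(f"stmt {idx}: IAM actions allowed without an MFA condition")
    return findings

def audit_policies(policies):
    """Map policy name -> findings, keeping only policies that need attention."""
    report = {}
    for name, document in policies.items():
        findings = find_risky_statements(document)
        if findings:
            report[name] = findings
    return report
```

Feed `audit_policies` the documents returned by `iam:GetPolicyVersion` (or an Access Analyzer export) to run it against a real account; `NotAction` and `NotResource` statements are not evaluated by this checker and need a manual review.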
Conclusion
By embracing automation, enforcing best practices, and staying ahead of emerging threats, security teams can turn the tide and protect their cloud assets in 2025 and beyond.
FAQs
1. What are over-permissive AWS access policies?
ANS: Over-permissive access policies are AWS IAM policies that grant more permissions than necessary for a user or application. This can lead to security vulnerabilities, increasing the potential for unauthorized access.
2. Why is AWS more vulnerable compared to other cloud platforms?
ANS: AWS offers over 18,000 possible permissions, which, while powerful, can overwhelm administrators. This complexity increases the chances of misconfigurations and excessive access privileges if not managed properly.
WRITTEN BY Shubham Namdev Save