By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SentinelOnePublished July 17, 2025

TL;DR: Cloud misconfigurations and compromised credentials remain the dominant cloud attack paths, with SentinelOne citing examples ranging from public S3 buckets exposing data to leaked API keys enabling lateral movement and exfiltration across cloud and supply chain environments. Basic hygiene still matters because attackers increasingly chain minor issues into broader compromise.


At a glance

What this is: This analysis argues that cloud security failures still start with misconfigurations and credential exposure, then expand through chained weaknesses and lateral movement.

Why it matters: For IAM and PAM teams, the article shows that access scope, secret handling, and privilege containment are still decisive controls even as cloud and AI environments become more complex.

By the numbers:

👉 Read SentinelOne's analysis of cloud misconfigurations and credential theft


Context

Cloud security failures often begin with two familiar conditions: exposed access and weak configuration. The article frames both as persistent issues because attackers do not need novel techniques when public storage, leaked secrets, and overly permissive roles still create a direct path into cloud environments. That is why cloud misconfiguration and cloud credential theft remain central governance problems, not just technical hygiene issues.

The identity angle is clear. Compromised cloud credentials are effectively non-human identities in motion, especially when keys, tokens, or service accounts can move across systems without tight scope control. Once those secrets are exposed, the operational question is no longer whether IAM exists, but whether privilege boundaries, secret scanning, and offboarding discipline are strong enough to contain abuse.


Key questions

Q: What breaks when cloud credentials are exposed in developer environments?

A: Exposed cloud credentials break the assumption that development systems are low-risk staging areas. Once API keys, SSH keys, or environment files are stolen, the attacker can reuse those identities across repositories, cloud control planes, and CI/CD systems. The practical consequence is that a single leak can become a multi-system trust failure, not just a one-host incident.

Q: Why do cloud misconfigurations remain dangerous even with CSPM in place?

A: CSPM can identify many configuration issues, but it does not automatically determine which combination creates a viable attack path. Cloud environments are interconnected, so a low-severity issue can become critical when paired with permissive access or exposed data. The control problem is prioritisation, not visibility alone.

Q: How should teams reduce the risk from exposed NHI secrets?

A: Teams should combine secret discovery, immediate revocation, enforced rotation, and tighter access controls around repositories, logs, and collaboration tools. The core challenge is that detection alone does not close the window of abuse, so remediation workflows need to move faster than attacker reuse patterns.

Q: Who should own cloud secret and role governance?

A: Cloud secret and role governance should be shared across IAM, PAM, cloud security, and platform teams because the risk crosses boundaries. IAM owns identity lifecycle, PAM governs elevated access, and cloud teams control the configurations that expose or overextend those identities. Shared ownership is the only way to close the loop on exposure, privilege, and revocation.


Technical breakdown

Cloud misconfigurations become breach paths when they chain together

A cloud misconfiguration is not only a single exposed bucket or permissive security group. Attackers increasingly combine small weaknesses, such as a public storage object, a weak IAM role, and a reachable function or service endpoint, to create a path that was not obvious when each issue was viewed in isolation. This changes the defender problem from finding the loudest alert to understanding how separate posture issues interact across the environment. In practice, the danger is contextual, because one weak control can become the bridge to the next stage of access.

Practical implication: triage cloud findings as chains of exposure, not isolated defects, and correlate posture data with identity and access scope.

Compromised credentials turn cloud access into multi-system reach

Cloud credentials are valuable because they often authenticate to more than one service, account, or workload. A leaked API key, token, or service credential can allow an attacker to authenticate legitimately, bypassing perimeter controls and gaining access that looks normal to logging systems. The article’s examples show how one exposed credential can support lateral movement, data extraction, or supply-chain impact when the credential is tied to connected services. In identity terms, this is a control failure around secret lifecycle, scope, and visibility.

Practical implication: treat every cloud secret as a governed identity with lifecycle, scope, and revocation requirements.

Secret scanning matters because leaked credentials are often the first durable foothold

Secret scanning is a detection control, but its value is upstream of incident response because it finds credentials before attackers use them. The article notes that organisations still underrate it relative to other cloud controls, even though exposed secrets often provide the fastest route from public code or endpoints into cloud workloads. In a modern cloud stack, leaked keys and tokens are not merely configuration issues. They are access grants that can survive beyond the system where they were created if no one is watching for them.

Practical implication: embed secret discovery into development and cloud operations so leaked NHI credentials are revoked before reuse.


Threat narrative

Attacker objective: The attacker wants durable cloud access that can be expanded into lateral movement, data theft, or wider operational disruption.

  1. Entry occurs when attackers find public cloud storage, exposed credentials, or insecure code and use that exposure to authenticate into the environment.
  2. Escalation follows when the initial foothold is combined with permissive roles or chained misconfigurations that widen access and enable movement across services.
  3. Impact is reached when attackers exfiltrate data, disable protections, or use the compromise to extend into connected systems and supply chains.

NHI Mgmt Group analysis

Cloud misconfiguration is now a governance problem, not just a posture problem. The article shows that organisations can own CSPM tooling and still fail to stop real-world exposure because alert volume, validation friction, and poor prioritisation leave the highest-risk issues unresolved. The named concept here is misconfiguration chain risk, meaning several low-severity issues combine into a practical breach path. Practitioners should manage cloud posture as a connected control system, not a queue of individual findings.

Compromised cloud secrets should be treated as non-human identity failure, not simple leakage. A leaked API key, token, or service credential is an identity object with scope, lifetime, and revocation requirements. The article’s examples reinforce that once those secrets are exposed, defenders are no longer dealing with a theoretical access problem but with active authentication abuse. IAM and PAM teams should align cloud secret governance with NHI lifecycle controls.

Detection without prioritisation will not close the cloud access gap. The article’s survey data points to a perception mismatch, where teams rate tools highly but still struggle to turn telemetry into action. That is a control maturity issue because cloud attack paths now depend on speed, chaining, and abuse of over-permissioned identities. Security leaders should expect cloud governance to move closer to identity-centric risk management, with misconfigurations and secrets managed as linked exposure classes.

AI workloads amplify the same access failures rather than replacing them. The article briefly notes that AI services introduce new misconfiguration surfaces, but the core failure mode remains familiar: weak identity boundaries make downstream compromise easier. That matters for agentic AI as well, because cloud credentials and workload permissions become the trust layer for automated systems. Practitioners should assume AI does not remove cloud identity risk; it compounds it.

Foundational cloud hygiene is still the decisive control layer. Even as defenders invest in newer detection and response tools, the attackers’ most reliable paths still begin with public exposure or credential misuse. This is why the field should resist treating basic controls as solved. Security teams should keep cloud identity governance, secret discovery, and least privilege at the centre of their operating model.

What this signals

Misconfiguration chain risk: cloud teams should stop treating posture findings as independent tickets and start modelling how weak storage, roles, and service settings combine into a breach path. That means joining CSPM output to identity context and remediation ownership so the highest-risk combinations are fixed first.

The operational signal for practitioners is that secret discovery must move closer to the point of creation and deployment. When keys, tokens, and certificates can live in code, pipelines, and runtime files, the only reliable defence is continuous discovery plus rapid revocation, not periodic review.

As cloud and AI services converge, identity governance will increasingly decide whether an environment stays containable or becomes self-amplifying. The strongest programmes will treat workload credentials, service accounts, and automated access paths as one control surface rather than separate admin problems.


For practitioners

  • Map misconfiguration chains, not isolated findings Correlate public exposure, insecure roles, storage settings, and function permissions into one review workflow so weak links are assessed as a path to compromise, not as separate tickets.
  • Expand secret discovery into development and runtime Scan source control, build artefacts, environment files, and cloud workloads for exposed API keys, tokens, and certificates, then revoke the credential before it is reused.
  • Apply lifecycle controls to cloud credentials Assign owners, expiry rules, rotation cadence, and revocation triggers to every service account and API key so cloud secrets are managed as identities with defined boundaries.
  • Prioritise privilege reduction before more telemetry Use access scope reduction and role cleanup to lower blast radius, especially for identities that can reach storage, CI/CD, and AI services across multiple accounts.
  • Align cloud posture reviews with identity governance Bring IAM, PAM, and cloud security teams into the same remediation queue so exposed resources and over-permissioned identities are fixed together.

Key takeaways

  • Cloud breaches still often begin with the oldest failure modes, namely exposed configuration and leaked credentials.
  • The scale of the problem is operational as much as technical, with survey data showing alert validation and prioritisation remain hard at 86.9%.
  • Teams should govern cloud secrets and roles as identities with lifecycle controls, because blast radius is what determines whether one mistake becomes a breach.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0006 , Credential Access; TA0008 , Lateral MovementThe article centers on exposure, credential abuse, and movement across cloud systems.
NIST CSF 2.0PR.AC-4Least privilege and access restrictions are central to the cloud identity failure described here.
NIST SP 800-53 Rev 5IA-5Credential lifecycle management directly applies to leaked keys, tokens, and certificates.
CIS Controls v8CIS-5 , Account ManagementAccount and credential governance is the practical control theme across the article.

Map cloud exposure paths to ATT&CK tactics and prioritise controls that break initial access and credential reuse.


Key terms

  • Cloud misconfiguration: A security failure caused by incorrect permissions, exposure settings, or integration design in cloud services. It is often less about the cloud platform itself and more about access paths that were created quickly, left broad, and never fully revalidated against actual business need.
  • Secrets Scanning: Automated tooling that scans source code repositories, CI/CD pipelines, and cloud environments to detect exposed secrets such as API keys, tokens, and passwords before they are exploited.
  • Lateral Movement: Lateral movement is the stage where an attacker uses one foothold to access additional systems, services, or accounts. In cloud environments, this often happens when a compromised credential has enough scope to reach multiple resources, making a single leak operationally far more dangerous.
  • Standing Privilege: Standing privilege is persistent access that remains available until someone removes it. In cloud and identity programmes, persistent roles, tokens, and service accounts increase blast radius because they give attackers a ready-made path to reuse access without waiting for approval.

What's in the full article

SentinelOne's full cloud risk report covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of cloud credential theft, lateral movement, and exfiltration patterns across real attack themes
  • The survey breakdown behind CSPM, secret scanning, and misconfiguration prioritisation findings
  • Use cases showing how attacker-driven misconfigurations are created in cloud environments
  • The report's fuller treatment of AI services as a new cloud attack surface

👉 SentinelOne's full cloud risk post covers the attack examples, survey data, and control gaps in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It helps practitioners build the governance discipline needed to manage cloud credentials, access scope, and identity lifecycle risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org