TL;DR: Identity failures across AWS and Azure often start with credential misuse, and the article argues that periodic reviews, static secrets, and fragmented tooling leave multi-cloud environments exposed, according to Unosecur and the 2023 Verizon Data Breach Investigations Report. Continuous detection, posture management, and short-lived access are now the decisive controls.
NHIMG editorial — based on content published by Unosecur: How to stop identity threats across AWS and Azure accounts
By the numbers:
Questions worth separating out
Q: What breaks when cloud identities are reviewed only on a schedule?
A: Scheduled reviews miss the time window in which attackers actually use exposed or reused credentials.
Q: Why do service accounts and tokens increase multi-cloud attack risk?
A: Service accounts and tokens increase risk when they are long-lived, overprivileged, or poorly inventoried.
Q: How do security teams know whether identity posture management is working?
A: It is working when unused permissions disappear, stale credentials are removed, and high-risk roles are reduced before they are abused.
Practitioner guidance
- Replace static cross-cloud credentials Move AWS and Azure integrations away from hard-coded API keys and shared secrets, and use OIDC, managed identities, or IAM roles for service accounts where the platform supports them.
- Centralise identity telemetry Ingest cloud authentication, role-assumption, and token-use signals into a single detection path so lateral movement and credential misuse can be correlated across AWS and Azure.
- Track stale and orphaned identities continuously Build a recurring control to find unused permissions, abandoned service accounts, and privileged roles that still exist after the workload or user no longer needs them.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for wiring AWS and Azure identity signals into ITDR and SIEM workflows
- Platform-specific examples of Access Analyzer, Entra Access Reviews, GuardDuty, and Defender for Identity in use
- Concrete remediation patterns for orphaned service accounts, stale roles, and token sprawl
- The vendor's own mapping of ISPM, Zero Standing Privilege, and automated compliance to cloud identity controls
👉 Read Unosecur's practical guide to stopping identity threats across AWS and Azure →
AWS and Azure identity threats: what IAM teams need to fix?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Periodic access reviews are now a lagging control for cloud identity risk. The article is right to frame multi-cloud identity defense as continuous rather than episodic, because review cycles do not match attacker speed. In AWS and Azure, the exploitable state is often a live token, a stale role, or an orphaned service account that remains active between certifications. The practitioner conclusion is straightforward: if identity abuse can occur in minutes, the governance model cannot wait for quarters.
A few things that frame the scale:
- From our research: 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Our research also shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which keeps cloud identity exposure high.
A question worth separating out:
Q: Which frameworks support continuous cloud identity governance?
A: NIST Cybersecurity Framework 2.0 and Zero Trust guidance both support continuous verification of identity behaviour. They align with moving from one-time approvals to ongoing monitoring, especially where AWS and Azure identities span human users, service accounts, and machine workloads.
👉 Read our full editorial: Identity threats across AWS and Azure still hinge on credential misuse