TL;DR: The 2025 telemetry highlights the top 10 recurring AWS data security risks, showing how sensitive data is stored, accessed, and exposed at scale in cloud environments, according to Cyera. The pattern is clear: cloud security teams need tighter identity, access, and data governance, not just better discovery.
NHIMG editorial — based on content published by Cyera: Top 10 Notable Data Security Risks in AWS Environments
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should security teams reduce AWS data exposure without slowing cloud operations?
A: Start by reducing broad access paths to sensitive data, then recertify the remaining permissions against real workload and business use.
Q: Why do AWS environments create so much data security risk?
A: AWS environments combine scale, speed, and many identity types, which makes it easy for permissions to expand faster than governance can track them.
Q: What do security teams get wrong about data discovery in cloud environments?
A: They often assume that finding sensitive data is the same as securing it.
Practitioner guidance
- Map data to every reachable identity path Build an access graph for sensitive AWS stores that includes humans, roles, service accounts, automation, and third-party integrations.
- Tighten broad roles before expanding discovery scope If AWS roles still have wide permissions, reduce entitlement scope first.
- Recertify cloud entitlements against actual data use Review whether AWS permissions still match current workload behaviour, vendor access, and business need.
What's in the full report
Cyera's full report covers the operational detail this post intentionally leaves for the source:
- The exact list of the top 10 AWS risk patterns identified in Cyera's telemetry.
- The underlying exposure mechanisms behind each risk, including where identity and data controls diverge.
- Implementation detail on how Cyera frames remediation across AWS data environments.
- The research context behind the telemetry and how the findings were derived.
👉 Read Cyera's report on the top 10 AWS data security risks →
AWS data security risks in 2025: what governance teams should fix?
Explore further
AWS data security is an identity problem disguised as a storage problem. The article’s core message is that sensitive data exposure in AWS is driven by who can reach it, not just where it sits. That means IAM design, NHI sprawl, and access lifecycle discipline shape the actual risk surface. Practitioners should treat data security and identity governance as a single control plane.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How do IAM and NHI controls improve AWS data security together?
A: IAM controls define who and what can reach data, while NHI governance keeps machine access from becoming permanent, over-scoped, or unreviewed. Together they reduce the number of identity paths that can expose cloud data and make revocation meaningful when access is no longer needed.
👉 Read our full editorial: Top 10 AWS data security risks expose cloud governance gaps