Every day, 2,500 cyberattacks target cloud infrastructures worldwide. Most don't exploit sophisticated vulnerabilities—they simply find forgotten settings, default passwords, and open doors. This guide shows you the 7 critical settings you need to check today—regardless of whether you use AWS, Azure, or Google Cloud.
Important: 82% of data breaches in 2025 came from cloud misconfiguration. These settings are not optional—they are essential.
🔍 Multi-Factor Authentication (MFA) Everywhere
It sounds obvious, but you'd be surprised how many organizations leave their root/admin accounts without MFA. A stolen password without a second factor = full access to everything.
- AWS: IAM → Users → Security credentials → Assign MFA device
- Azure: Entra ID → Security → MFA → Additional cloud-based MFA settings
- Google Cloud: Admin Console → Security → 2-Step Verification → Enforcement
ℹ️ Lock Down Public Buckets/Blobs
S3 buckets, Azure Blobs, and GCS buckets with public access are the #1 cause of data leaks. Companies accidentally expose millions of files because someone once set “public” for a test.
🔍 How to check (AWS S3):
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | xargs -I {} aws s3api get-public-access-block --bucket {}
💡 Pro tip: Enable “Block Public Access” at the account level, not just the bucket level. That way nobody can accidentally create a public bucket.
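The check above prints each bucket's settings without saying which bucket they belong to, and a bucket with no Block Public Access configuration returns an error instead of a result. The script below is an added example, not part of the original guide: it labels every bucket and names any of the four settings that are switched off. The function names `pab_verdict` and `audit_buckets` are illustrative, the sample values are constructed, and any CLI error (including access denied) is reported as NO_CONFIG for manual review.

```shell
#!/bin/sh
# Added example: per-bucket S3 Block Public Access audit (function names are illustrative).

# The four settings, in the order they are queried below.
PAB_FLAGS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"

# pab_verdict "<four True/False values>"
# Prints OK, NO_CONFIG, or WEAK:<comma-separated settings that are off>.
pab_verdict() {
  set -- $1                       # split the CLI text output into $1..$4
  if [ "$#" -ne 4 ]; then
    echo "NO_CONFIG"              # nothing configured (or the call failed)
    return 0
  fi
  off=""
  for flag in $PAB_FLAGS; do
    [ "$1" = "True" ] || off="${off:+$off,}$flag"
    shift
  done
  if [ -z "$off" ]; then echo "OK"; else echo "WEAK:$off"; fi
}

# audit_buckets: prints "<bucket> <verdict>" per bucket; returns 1 if any is not OK.
# Assumption: any CLI error (missing configuration, access denied) maps to NO_CONFIG.
audit_buckets() {
  rc=0
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    vals=$(aws s3api get-public-access-block --bucket "$b" \
      --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
      --output text 2>/dev/null) || vals=""
    v=$(pab_verdict "$vals")
    echo "$b $v"
    [ "$v" = "OK" ] || rc=1
  done
  return "$rc"
}

# Offline demonstration on constructed values (no AWS call is made here).
for sample in "True True True True" "True True False False" ""; do
  echo "[$sample] -> $(pab_verdict "$sample")"
done
```

With credentials configured, call `audit_buckets` and treat a non-zero exit status as a finding to investigate.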
🔒 Encryption at Rest & in Transit
Data encryption is no longer “nice to have”. With GDPR and NIS2, it's a legal obligation. Make sure your data is encrypted both in storage (at rest) and during transfer (in transit).
🔐 At Rest
- Server-Side Encryption (SSE)
- Customer-Managed Keys (CMK)
- Key rotation every 90 days
- Encrypted EBS volumes
🔄 In Transit
- TLS 1.3 mandatory
- HTTPS-only endpoints
- VPN for internal traffic
- mTLS for service-to-service
📝 Logging & Monitoring: Your Eyes on the Cloud
You can't protect what you can't see. Logs are the first line of defense for detecting attacks—but only if someone is monitoring them. Enable centralized logging and set up alerts for suspicious behavior.
📋 Checklist Logging
📌 Least Privilege: Only What's Needed, Nothing More
The principle of least privilege means that every user, application, or service has only the permissions needed to do its job. Nothing more. A developer doesn't need admin access to production databases.
🎯 Implementation Strategy
- Audit all existing IAM roles and permissions
- Remove unused permissions and dormant accounts
- Create role-based access control (RBAC) with clearly defined roles
- Just-In-Time (JIT) access for elevated privileges
📡 Network Segmentation & Firewalls
A flat network is a hacker's dream: if they breach one point, they have access everywhere. The solution? Segmentation. Divide your network into zones, restrict communication between them, and use Security Groups/NACLs to control every packet.
🔎 Backup & Disaster Recovery Testing
You have backups. Great. But have you ever tried to restore them? 60% of companies that think they have backups discover they don't work when they actually need them. Run regular DR drills—your peace of mind depends on it.
- Backup Rule: 3 copies, 2 media, 1 offsite
- RPO Target: Max data loss
- RTO Target: Recovery time
- DR Drill: At least quarterly
🛡️ Final Thoughts
Cloud security is not a checkbox you tick once. It's an ongoing process. The 7 settings we presented form the foundation—but real security comes from organizational culture, user training, and constant vigilance.
Start today. A security misconfiguration won't wait.
OnOff Security Team
The OnOff.gr security team shares practical guides for protecting your digital infrastructure.