Over half of organisations store secrets directly in cloud services.
Around nine percent of publicly accessible cloud storage contains sensitive data, with the vast majority of it – 97 percent – classified as restricted or confidential.
According to the 2025 Cloud Security Risk Report from Tenable, such exposures, when combined with misconfigurations or embedded secrets like passwords and API keys, significantly increase the risk of exploitation.
Among the key findings, Tenable highlighted that over half of organisations store secrets directly in cloud services such as AWS Elastic Container Service (54 percent), Google Cloud Run (52 percent), and Microsoft Azure Logic Apps (31 percent). Also, 3.5 percent of AWS EC2 instances were found to contain secrets in user data.
Cloud workload security has improved slightly, with “toxic cloud trilogies” decreasing from 38 percent to 29 percent, but this combination of public exposure, critical vulnerabilities, and high privilege remains a common and dangerous threat.
Tenable’s director of cloud security research, Ari Eitan, said many incidents stem from avoidable misconfigurations and stressed the need for continuous and proactive risk management. “Attackers often exploit public access, steal embedded secrets or abuse overprivileged identities,” he said. “Security teams need full visibility and automation to close these gaps before threats escalate.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.