Overprivileged Accounts: The Key Factor in Identity-Based Attacks, Cloud Security Report States
Overprivileged identities are to blame for the majority of identity-based attacks in the cloud, a recent cloud security report states. Frighteningly, those insecure identities are what’s standing between attackers and cloud workloads, 80% of which are reported to have a critical (and unpatched) CVE.
The Tenable Cloud Risk Reports in 2024, 2025, and 2026 highlighted an ongoing key challenge:
How to keep sprawling identities safe while taking full advantage of growth opportunities in the cloud?
And has the problem already gotten away from us, or is there a way to rein in rampant identities?
Nearly One-Third Have Critical Or High-Severity Excessive Permissions
“Identities and permissions are among...the greatest sources of frustration for cloud security professionals,” the report notes. This highlights how most organizations have yet to get a handle on cloud IAM.
Public cloud access gaps
Across cloud environments (AWS, Azure, GCP), 32% were discovered to have critical or high-severity permissions. This includes both human and non-human (machine) entities. Excessive permissions for either can lead to dire consequences:
- Overprivileged human identities are the “key impact factor in identity-based attacks.”
- Overprivileged machine identities are mainly responsible for the fallout in application vulnerability-based breaches, according to the report.
Critical Risk Defined
What factors determine which permissions rank as “critical” or “high severity”? Things like infrastructure modification, data access, and privilege escalation played a part, all core levers attackers look to pull during an attack.
84% Have Severe Vulnerabilities on Old Access Keys
Most organizations (a whopping 84%) had unused or longstanding access keys with the same issues: high-severity or critical excessive permissions.
Visibility Gap: Unrotated Keys
“The persistence of these keys, especially with high privileges, is a known, reported, major factor in numerous identity-based attacks and compromises,” Tenable notes. The problem is that these keys are lying dormant, either unused or unrotated, and therefore at even greater risk of being discovered and abused by an attacker.
As Entro Labs explains in The NHI & Secrets Risk Report, “long-lived keys are left unrotated, secrets are pasted into spreadsheets or shared on messaging apps, and IAM roles with excessive permissions continue to fly under the radar.”
Illicit Access: A Primary Vector in Cloud Attacks
Access keys fall under the category of credentials, and the report asserts that “credential compromise is one of the most known attack vectors in cloud environments.” Breaches involving stolen credentials can be some of the hardest to find and remediate, taking 292 days on average in some sectors.
The problem comes when businesses lose track of these passwords, keys, or secrets, and leave them exposed without even knowing. Until all cloud credentials are present and accounted for, they will continue to be the secret weapon in a number of high-profile attacks.
Real-World Cloud IAM Risks
Weak cloud access security has been a favorite target of far-reaching cyberattacks and cybercriminal groups in recent years.
- MGM was targeted with an Okta social engineering scam, in which the ransomware group BlackCat/ALPHV used that access to move laterally into Microsoft Azure.
- Ransomware gang Scattered Spider specializes in attack tools made to crack hybrid cloud and identity environments.
- The FBot hacking tool includes several dedicated functions designed to compromise cloud, SaaS, and web services. It targets services like AWS and O365, and a primary function is to hijack initial access for use in broader campaigns.
Interestingly, the things that can stop these attacks are the basics. Good cyber hygiene goes a long way, even against “high-level” offensives. In the case of FBot, the tool is nothing more than a compilation of simple scripts, looking for simple errors.
That is why threat response expert Balazs Greksza says, “As long as [security teams] follow AWS identity and access management (IAM) best practices” and double down on a few basics like MFA and misconfigurations, “the AWS operators should be fine.”
But that’s easier said than done across complex cloud environments.
The Struggle With Cloud Access Security
Securing cloud access still presents a challenge for most organizations. Identity is widely known as the cloud’s perimeter, but protecting it is nothing like old-fashioned perimeter-based security.
Cloud-native and hybrid architectures are complex, housing policies and permissions by the thousand. This is a huge jump in what most companies are used to keeping track of. Siloed tools compound the problem, creating visibility gaps where more identities and data fall between the cracks.
Even if teams were to identify every vulnerable key, password, and overprivileged account, remediating them is a matter of prioritization and orchestration. Among so many thousands of exposed weaknesses, that can be a daunting task.
What Cloud Security Will Mean in 2026
Manual processes are out; automated tools are in. Cloud IAM best practices for 2026 will all revolve around keeping humans in the loop while offloading the majority of busywork to cloud security solutions.
The industry is already trending towards advanced cloud security platforms that:
- Identify all cloud exposures: IAM and otherwise.
- Automatically prioritize remediation: By aligning with the needs of the business.
- Unify cloud security: Identities, data, misconfigurations, vulnerabilities, all in one place.
Cloud growth is reflective of business growth and can’t be stopped. But no company’s growth is secure when it’s dragging high percentages of critically exposed access points behind it.
This research is a wake-up call to forward-looking companies: protecting the cloud without prioritizing cloud identities is not protecting it for long.
This article is sponsored content, produced in partnership with a third-party brand and clearly labeled as such. The views and claims expressed here are the sponsor's — not necessarily TechNadu's. We were compensated for publishing it, and may earn a commission on any purchases made through the links.
What this means for readers
- The content reflects the sponsor's perspective on their own product or service.
- We haven't independently tested or verified every claim made in the article.
- Any specifications, pricing, or feature details come from the sponsor and may change — check with them directly before making a decision.
- Treat it the way you'd treat any promotional content — with a healthy dose of your own judgment.
Where we draw the line
Sponsored posts like this one are walled off from the rest of what we do. Our news coverage, product reviews, and recommendations are written independently, and advertisers don't get a say in them. That separation is non-negotiable for us.
For the full picture on how we handle sponsorships and affiliate links, see our Affiliate Disclosure.