The hidden threat of neglected cloud infrastructure

analysis
Feb 7, 2025 · 5 mins
Cloud Computing, Cloud Management, Cloud Security

Alarming new research shows that if your enterprise is careless about managing cloud resources, it's just a matter of time before you're compromised.


In 2012, the Cybersecurity and Infrastructure Security Agency (CISA) issued a public advisory regarding software to monitor and control building systems. Fast-forward to 2023, and cybersecurity researchers at watchTowr discovered that an abandoned Amazon S3 bucket referenced in that advisory was still active and vulnerable.

Because the bucket had been left unattended for over a decade, malicious actors could have reregistered it to deliver malware or launch devastating supply chain attacks. Fortunately, researchers notified CISA, which promptly secured the vulnerable resource. The incident illustrates how even organizations dedicated to cybersecurity can fall prey to the dangers of neglected digital infrastructure.

This story is not an anomaly. It indicates a systemic issue that spans industries, governments, and corporations. A recent investigation by watchTowr underscores the pressing risks posed by abandoned or poorly configured cloud infrastructure, revealing a widespread blind spot that urgently needs the industry's attention.

An unguarded access point

During the four-month investigation, watchTowr researchers managed to assume control of roughly 150 neglected AWS S3 buckets belonging to a range of users, including Fortune 500 corporations, government agencies, academic institutions, and cybersecurity firms. These abandoned cloud assets were still being queried via millions of HTTP requests. Legitimate organizations and systems sought critical resources such as software updates, unsigned virtual machines, JavaScript files, and server configurations. Over two months, more than 8 million such calls were recorded.

The implications are staggering: These requests could have easily been manipulated by bad actors to deliver malware, collect sensitive information, or even orchestrate large-scale supply chain attacks. WatchTowr warned that breaches of this magnitude could surpass the infamous 2020 SolarWinds attack in scale and impact. Among the incidents uncovered by watchTowr are several alarming examples:

  • Abandoned S3 buckets tied to SSL VPN appliance vendors were discovered to be still serving deployment templates and configurations.
  • An older GitHub commit from 2015 exposed an S3 bucket linked to a popular open source WebAssembly compiler.
  • Researchers uncovered systems pulling virtual machine images from abandoned resources.

A minor oversight with major consequences

Entities attempting to communicate with these abandoned assets include government organizations (such as NASA and state agencies in the United States), military networks, Fortune 100 companies, major banks, and universities. The fact that these large organizations were still relying on mismanaged or forgotten resources is a testament to the pervasive nature of this oversight.

The researchers emphasized that this issue isn't specific to AWS, the organizations responsible for these resources, or even a single industry. It reflects a broader systemic failure to manage digital assets effectively in the cloud computing age. The researchers noted the ease of acquiring internet infrastructure (an S3 bucket, a domain name, or an IP address) and a corresponding failure to institute strong governance and life-cycle management for these resources.

Neglected digital infrastructure is a massive, often ignored security vulnerability. Enterprises need to adopt a stronger and more proactive approach to cloud governance and infrastructure management to avoid falling victim. Below are actionable recommendations for enterprises to address the challenges uncovered by watchTowr:

  • Establish a clear and comprehensive inventory of all digital assets, whether on premises or in the cloud.
  • Perform frequent security reviews of your cloud environment and address misconfigurations or outdated resources.
  • Ensure that every cloud resource is assigned to a specific owner within the organization who is held accountable for its maintenance or decommissioning.
  • Employ automated scripts to identify and remove unused resources, including S3 buckets, old DNS entries, and unneeded IPs.
  • Embed security best practices into your development life cycle. Require all configurations for cloud resources to meet specific security benchmarks before deployment and ensure proper oversight for infrastructure as code.
  • If your organization relies on third-party cloud resources or open source tools, establish monitoring to detect when those resources are abandoned or compromised.

I agree with all of these.
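One concrete way to act on the inventory and automated-audit items above is to reconcile every S3 bucket referenced in your own code, installers, and templates against the buckets your organization actually owns, so that a reference to a bucket nobody owns is flagged before the name can be picked up by someone else. The following is an added example, not code from the article or from watchTowr; it uses constructed sample config lines and a constructed ownership inventory, which in practice would come from your cloud accounts.

```python
import re

# The three common ways an S3 bucket appears in code and config:
# virtual-hosted URL, path-style URL, and an s3:// URI.
BUCKET_PATTERNS = [
    re.compile(r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)"),
    re.compile(r"s3://([a-z0-9.-]+)"),
]

# Constructed sample: lines from an update script and a VM deployment template.
SAMPLE_CONFIG = """
UPDATE_URL=https://updates-example-corp.s3.amazonaws.com/agent/latest.tar.gz
TEMPLATE_URL=https://s3.us-east-1.amazonaws.com/example-vpn-templates-2015/deploy.json
LIBS=s3://example-corp-assets/js/vendor.js
"""

# Constructed inventory of buckets the organization currently owns (in real use,
# build this from a bucket listing across all of your AWS accounts).
OWNED_BUCKETS = {"updates-example-corp", "example-corp-assets"}


def extract_bucket_refs(text):
    """Return the set of bucket names referenced anywhere in text."""
    found = set()
    for pattern in BUCKET_PATTERNS:
        found.update(pattern.findall(text))
    return found


def audit_references(text, owned_buckets):
    """Split referenced buckets into those in the inventory and dangling ones.

    A 'dangling' reference points at a bucket name the organization does not
    own: either it was decommissioned without updating the consumers, or it
    never belonged to the organization at all. Either way it needs an owner.
    """
    refs = extract_bucket_refs(text)
    return {
        "owned": sorted(refs & owned_buckets),
        "dangling": sorted(refs - owned_buckets),
    }


if __name__ == "__main__":
    report = audit_references(SAMPLE_CONFIG, OWNED_BUCKETS)
    for bucket in report["dangling"]:
        print(f"DANGLING: {bucket} is referenced but not in the inventory")
```

Run the audit over every repository, installer, and infrastructure-as-code tree, and treat each dangling name as a ticket: either reclaim and own the bucket or remove the reference.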

An opportunity for change

The discovery of vulnerable cloud infrastructure is both a warning and an opportunity. Enterprises can substantially reduce risk exposure by adopting a culture of accountability, investing in robust asset management, and integrating automated security practices.

Organizations must move beyond the "fire-and-forget" mindset. It requires vigilance, a long-term strategy, and consistent investments in security to truly support an enterprise's goals. By addressing these vulnerabilities now, enterprises can ensure that cloud computing promises don't come with unintended, and potentially catastrophic, costs. You've been warned.

David Linthicum

David S. Linthicum is an internationally recognized industry expert and thought leader. Dave has authored 13 books on computing, the latest of which is An Insider's Guide to Cloud Computing. Dave's industry experience includes tenures as CTO and CEO of several successful software companies, and upper-level management positions in Fortune 100 companies. He keynotes leading technology conferences on cloud computing, SOA, enterprise application integration, and enterprise architecture. Dave writes the Cloud Insider blog for InfoWorld. His views are his own.
