As cloud adoption skyrockets, proper AWS configuration remains critical for security, cost efficiency, and business continuity. At 56Bit, our technical team works on cloud environments every day and, as part of that routine, identifies recurring misconfigurations that threaten organisations’ security and operational resilience. Here is a rundown of the most frequent issues we uncovered in 2025, with insights on why they matter and how to fix them.
Public S3 Buckets Exposing Sensitive Data
Despite years of guidance, public S3 buckets remain a common misconfiguration. Organisations inadvertently expose sensitive or proprietary data publicly through misconfigured access policies or missing bucket ACL restrictions. The result? Potential data leaks, compliance violations, and reputational damage.
Best practice: Use private S3 buckets with strict IAM policies. Employ AWS Config rules and automated tools to detect and remediate public access. When public distribution is required, front S3 through CloudFront with signed URLs or Origin Access Identity to safeguard content delivery.
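The kind of check an automated detection tool performs, as an added example that is not part of the original post or of 56Bit's tooling: it parses a bucket policy document, flags Allow statements granted to an anonymous principal, and combines the result with the bucket's PublicAccessBlock settings (RestrictPublicBuckets makes S3 ignore a public policy). The two policies are constructed samples; the account id and distribution id in them are placeholders.

```python
import json

# Constructed sample policies (not from the original post); the account and
# distribution identifiers are placeholders.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]})

CLOUDFRONT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
                   "Principal": {"Service": "cloudfront.amazonaws.com"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
                   "Condition": {"StringEquals": {"AWS:SourceArn":
                       "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}}}]})


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    """Return (Sid, kind) for every Allow statement granted to everyone.
    kind is 'conditional' when the statement carries a Condition block: some
    conditions (aws:SourceVpce, aws:SourceIp) limit exposure, others do not,
    so those statements deserve a manual review rather than an auto-pass."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or not _is_anonymous_principal(s.get("Principal")):
            continue
        kind = "conditional" if s.get("Condition") else "public"
        findings.append((s.get("Sid", f"statement-{i}"), kind))
    return findings


def bucket_is_public(policy_json, public_access_block):
    """Policy findings combined with the bucket's PublicAccessBlock: with
    RestrictPublicBuckets enabled, S3 limits a public policy to the account's
    principals and AWS service principals, so the bucket is not exposed."""
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return any(kind == "public" for _, kind in public_statements(policy_json))
```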
Serving Static Content Directly from EC2
We frequently see static website content hosted directly on EC2 instances, exposed without proper security controls. This setup lacks scalability and flexibility, increases attack surfaces, and often leads to excessive costs due to inefficient resource usage.
Best practice: Store static content securely in private S3 buckets and deliver via CloudFront CDN. This approach improves performance, reduces EC2 reliance, and ensures a tighter security posture.
Use of Public Endpoints for Internal Communication
A common cost and security pitfall is routing internal service communication over public Internet endpoints. This exposes critical data flows, inflates outbound bandwidth charges, and increases risk of interception.
Best practice: Leverage AWS PrivateLink, VPC endpoints, or AWS Transit Gateway for all internal traffic. This keeps communication within the AWS network, enhances security, and lowers data transfer costs.
Databases Running in Public Subnets With Direct Internet Access
One of the most alarming misconfigurations is running production databases in public subnets accessible directly via the Internet. This creates a massive attack surface where unauthorised users might exploit vulnerabilities or brute-force access.
Best practice: Place databases in private subnets behind security groups restricting access. Use VPNs or bastion hosts for administrative access, eliminating direct inbound internet permissions.
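An added example (not code from the original post) of the security-group audit that finds the "direct Internet access" half of this misconfiguration: it walks inbound rules shaped like an EC2 DescribeSecurityGroups response and reports any database port reachable from 0.0.0.0/0 or ::/0. The group data and group ids are constructed samples; the port list is an assumption covering common engines.

```python
# Constructed sample in the shape of an EC2 DescribeSecurityGroups response;
# group ids and names are made up for this example.
SECURITY_GROUPS = [
    {"GroupId": "sg-0db-public", "GroupName": "rds-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0db-private", "GroupName": "rds-prod-fixed",
     "IpPermissions": [
         # Corrected form: the database accepts connections only from the
         # application tier's security group, never from a CIDR range.
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0app-tier"}]}]},
]

# Assumed list of database listener ports worth flagging.
DB_PORTS = {3306: "MySQL/Aurora", 5432: "PostgreSQL", 1433: "SQL Server",
            1521: "Oracle", 27017: "MongoDB", 6379: "Redis"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_covers(perm, port):
    """True if the permission admits TCP traffic to the given port.
    Protocol '-1' means all traffic and carries no port range."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_db_ports(groups):
    """Return (group id, port, engine) for every inbound rule that opens a
    database port to the whole Internet over IPv4 or IPv6."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue  # scoped to specific ranges or to other groups
            for port, engine in DB_PORTS.items():
                if _rule_covers(perm, port):
                    findings.append((g["GroupId"], port, engine))
    return findings
```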
Missing VPNs or Bastion Hosts for Secure Access
Without VPN or bastion hosts, teams often expose critical systems to the public Internet, increasing risk of breach. This gap reduces auditability and control over who accesses sensitive environments.
Best practice: Implement VPNs or AWS Systems Manager Session Manager as secure gateways. Bastion hosts should be locked down with multi-factor authentication and detailed logging enabled.
Absence of Caching Leading to Cost Inefficiencies
Many cloud deployments neglect caching strategies, causing redundant database queries and increased compute usage, which results in unnecessary cost and slower application responsiveness.
Best practice: Utilise caching layers such as Amazon ElastiCache (Redis/Memcached) or CloudFront caching for static and dynamic content. This reduces backend load and accelerates user experience.
Poorly Configured Database Queries
Improper query design, especially indiscriminate use of “SELECT *”, leads to inefficient data retrieval and increased load on databases and applications. This can degrade performance and raise operational costs.
Best practice: Optimise queries to return only needed columns and rows. Employ prepared statements and query profiling tools to improve execution plans and reduce resource consumption.
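An added example (not from the original post) showing why column selection matters beyond transfer size: against a constructed SQLite table, the query plan for the targeted query is served entirely from a covering index, while the "SELECT *" form must touch the table rows as well. Both queries use bound parameters rather than string concatenation. The schema and data are constructed; the covering-index behaviour is SQLite's, but the same principle applies to the engines behind RDS.

```python
import sqlite3


def build_db():
    """Constructed in-memory orders table with an index that covers the
    columns the application actually needs for its customer lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,"
                 " status TEXT, total REAL, notes TEXT)")
    conn.executemany(
        "INSERT INTO orders (customer_id, status, total, notes) VALUES (?, ?, ?, ?)",
        [(i % 50, "open" if i % 3 else "closed", i * 1.5, "x" * 200) for i in range(1000)])
    conn.execute("CREATE INDEX idx_orders_customer ON orders (customer_id, status, total)")
    return conn


# Both forms bind the customer id as a parameter (a prepared statement), so
# user input never becomes part of the SQL text.
WASTEFUL = "SELECT * FROM orders WHERE customer_id = ?"
TARGETED = "SELECT status, total FROM orders WHERE customer_id = ?"


def query_plan(conn, sql, params=(7,)):
    """Join the 'detail' column of EXPLAIN QUERY PLAN into one string."""
    return " | ".join(row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params))


def uses_covering_index(conn, sql):
    """A covering index satisfies the query without reading table rows, which
    is only possible when the select list is restricted to indexed columns."""
    return "COVERING INDEX" in query_plan(conn, sql)


def orders_for_customer(conn, customer_id):
    """Application query: fetch just the two columns the caller needs."""
    return conn.execute(TARGETED, (customer_id,)).fetchall()
```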
Application Code Not Following Best Practices
Security holes and cost overruns stem from poorly written application code: missing input validation, insecure secrets management, excessive resource usage, and a lack of autoscaling triggers.
Best practice: Adhere to secure coding guidelines, enforce environment-specific configurations, automate infrastructure provisioning with IaC, and implement cost-aware development patterns.
No Maintenance, Patching, or Update Tracking
Failure to apply security patches, conduct regular maintenance, and document update histories leaves systems vulnerable to exploits and causes unpredictable downtime.
Best practice: Automate patch management with services like AWS Systems Manager Patch Manager. Maintain audit logs of updates and perform routine vulnerability scanning.
Lack of Business Function Integration, HA, DR, and Continuity
Many deployments overlook defining business functions, high availability (HA), disaster recovery (DR), and business continuity plans. This exposes organisations to significant disruptions since recovery strategies are either absent or insufficient.
Best practice: Align cloud architecture with critical business processes. Implement multi-AZ deployments, backup strategies, failover mechanisms, and regularly test DR plans.
“By addressing these common misconfigurations rigorously, businesses can enhance security, optimise cloud spend, and improve operational resilience.” – Stefan Caruana, Head of Service Delivery at 56Bit.
56Bit’s ongoing commitment to leading cloud practices ensures that clients avoid these pitfalls and realise the full value of their AWS investments in 2025 and beyond.
