Blog

What’s the Real Cost of an AWS Misconfiguration?

Written by ShardSecure | March 1 2023

Cloud providers offer unparalleled tools to companies of all sizes, providing the flexibility and scalability to grow and adapt in today’s digital environment. 

But the popularity of the cloud has also led to security risks, including misconfigured cloud buckets. Research shows that nearly 70% of exposed records — 5.4 billion in total — were caused by unintentional internet exposure due to misconfigurations. Not surprising, then, that the NSA considers them a leading vulnerability in the cloud.

With misconfigurations causing everything from data breaches and downtime to reputational damage and other costly consequences, it’s important to understand the risks. And with AWS currently responsible for 34% of the worldwide cloud market share, it’s more important than ever to understand how to prevent misconfigurations in an AWS environment.

Below, we’ll examine the true cost of an AWS misconfiguration, and we’ll explain how to mitigate them to protect your organization from harm.

Where do the costs of AWS misconfigurations come from?

Data breaches

The most highly publicized cases of AWS misconfigurations usually involve data breaches. This happens when misconfigured AWS buckets leave sensitive data — including personally identifiable information (PII), intellectual property, financial or healthcare information, and more — exposed and accessible to unauthorized parties. 

Some recent examples of high-profile data breaches due to AWS misconfigurations include:

  • A 2019 Capital One breach that exposed the PII of 100 million people.
  • A 2020 database breach that exposed sensitive records of millions of European shoppers.
  • A 2021 FlexBooker breach that compromised user information for 3 million people.
  • A 2021 SeniorAdvisor breach that exposed personal data for over 3 million people.
  • A 2022 Pegasus Airlines breach that exposed 23 million files.
  • And much more.

The cost of this kind of data breach can be staggering, with the average price tag reaching $9.44 million in the US and $4.35 million globally, according to a recent IBM report. That’s not to mention the cost of remediation, which can require third-party services and be time-consuming and expensive.

Downtime

Misconfigured AWS buckets can also cause critical applications and services to function incorrectly, resulting in downtime. Although it’s often less dramatic than a data breach, downtime can still be expensive, leading to lost productivity, revenue, violation of SLAs, and customer dissatisfaction.

Some high-profile examples of losses from downtime include:

  • $25 million lost by Apple after 12 hours of Apple Store downtime in 2015.
  • $150 million lost by Delta Airlines after 5 hours of downtime (and a resulting 2,000 canceled flights) in 2016.
  • $90 million lost by Facebook after 14 hours of downtime in 2019.

The average cost of downtime can vary depending on the size and scope of the business, making it difficult to calculate. However, studies suggest that it comes out to approximately $9,000 per minute (a whopping $540,000 per hour) for a large enterprise and up to $427 per minute ($25,620 per hour) for a small business.

Regulatory fines

If an AWS misconfiguration results in a data breach, companies may face significant fines for failing to comply with regulations. Below are examples of possible or actual fines for noncompliance with cross-border data regulations:

  • $9 million or more under Brazil’s General Data Protection Law (LGPD).
  • $25 million or more under Canada’s Consumer Privacy Protection Act (CPPA).
  • $21 million or more under the European Union’s General Data Protection Regulation (GDPR).
  • $50 million or more under South Korea’s Personal Information Protection Act (PIPA).

You can explore compliance and the importance of cross-border data protection more extensively in our white paper on the subject.

Reputational damage

The impact of a data breach from an AWS misconfiguration goes far beyond the financial cost. Companies that suffer data breaches can experience significant reputational damage that can have long-lasting effects on their business. And in today’s digital landscape, where consumers are more privacy-conscious than ever before, a data breach can erode trust and result in a loss of customers.

Additionally, negative media coverage and social media backlash can damage a company’s reputation. While it’s difficult to quantify the amount of lost revenue from this kind of publicity, one Forbes Insights report estimated that 46% of organizations had suffered damage to their brand value as a result of a data breach.

Top tips to avoid AWS misconfigurations

Preventing misconfigurations in AWS — and in the cloud more broadly — is not a simple task. It requires a multifaceted approach that includes:

  • Providing comprehensive training to all employees and administrators with AWS access.
  • Carrying out regular security audits.
  • Using automation to detect and prevent common misconfigurations.
  • Acknowledging the ever-present risk of human error and taking steps to mitigate the risk.
  • Employing third-party data protection solutions.

Organizations should also consider a data security solution that neutralizes the risk of AWS misconfigurations and keeps your company safe, even when sensitive information is left exposed.

Mitigating misconfigurations and embracing lower costs in AWS

The ShardSecure platform allows companies to keep their data secure from threats while using multiple AWS buckets, a multi-cloud architecture with AWS and other storage providers, or even hybrid configurations of AWS and on-prem data centers. Our technology separates data access from infrastructure providers, including cloud storage admins and cyberattackers. Even if an AWS bucket is accidentally left exposed, the data inside it will remain unintelligible to unauthorized users.

Our platform also helps companies leverage the flexibility of the cloud and optimize their storage without rewriting legacy applications. With ShardSecure’s transparent plug-and-play technology, companies can leverage affordable object storage like AWS S3 with no need to redesign data flows. Our performance speeds are very similar to AWS EFS, so data access remains fast and easy.

Conclusion

The true cost of an AWS misconfiguration can be significant and far-reaching. Data breaches, downtime, regulatory fines, and reputational damage can all have a long-lasting impact on a company’s bottom line. The ShardSecure platform offers a way for organizations to mitigate these risks and leverage lower costs in AWS and beyond.

To learn more about achieving greater security and cost savings in AWS, visit our white paper on cloud resource optimization.

Sources

4 Common Cloud Misconfigurations & What To Do About Them | Cloud Security Alliance

Mitigating Cloud Vulnerabilities | National Security Agency

Chart: Amazon, Microsoft & Google Dominate Cloud Market | Statista

Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2022 | Firewall Times

Cost of a Data Breach 2022 | IBM

Cost of Downtime: Truth and Facts of IT Downtime | OpsWorks Co

2015 Cost of Data Center Outages | Vertiv

Calculating the Cost of Downtime | Atlassian

The Reputational Impact of IT Risk | Forbes