AWS Data Security Risk Analysis

The most significant data risks in AWS are not the public buckets everyone watches for. The real challenge is the structural gaps that sit below the surface.
Under the AWS shared responsibility model, AWS offers native controls such as KMS encryption, IAM, S3 Block Public Access, CloudTrail, region restrictions, and tagging. Enterprises must configure and manage these controls across their environments. Cyera Research analyzed 14,992 high and critical-severity data security issues affecting 21.8 trillion records to assess enterprise consistency. The findings show these are not AWS vulnerabilities, but rather governance programs that have not kept pace with the scale and speed of cloud data. With S3 representing 9 of the top 10 violation categories, the exposure is significantly greater than in collaboration platforms, as AWS stores the core business data for most enterprises.
What's inside
The report ranks the top 10 violations by record count and highlights two distinct mitigation patterns:
- Visible, well-publicized risks are consistently addressed. Publicly exposed sensitive data in S3 has a 99.9% mitigation rate.
- Structural risks lag badly. US Social Security Numbers in plain text show just a 19% mitigation rate, leaving 191 billion records at active risk.
- Scale changes the math. Mismatched classification tags affect 11.7 trillion records. Even with a 96% mitigation rate, 452 billion records remain misclassified.
- Encryption is the largest category of active, unmitigated technical risk, at more than 730 billion records combined across S3 and RDS.
The report concludes with four key governance themes: classification drift, encryption gaps, PII discovery, and logging gaps. It also provides a prioritized action plan with recommendations for both immediate (0 to 30 days) and longer-term (30 to 180 days) initiatives.
See where enterprise AWS governance is holding and where it is quietly falling behind. Read the full report.
.png)

