12 Days of Cloud Security Christmas

The Cloud is the gift that keeps on giving, with new features and services deployed daily. Securing your Cloud environment is the add-on that makes the gift extra special. Much like the Cloud, users keep up their gift-giving traditions well after the holiday is over. From wide-open S3 buckets to FedRAMP violations, security misconfiguration stays on the list of gifts security teams receive throughout the year. This holiday season, let the 12 days of Cloud Security Christmas bring a smile to your face as you recount some of the joys you have experienced this year with your cybersecurity team.


On the first day of Christmas a User gave to me
A malformed IAM policy.

On the second day of Christmas a User gave to me
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the third day of Christmas a User gave to me
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the fourth day of Christmas a User gave to me
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the fifth day of Christmas a User gave to me
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the sixth day of Christmas a User gave to me
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the seventh day of Christmas a User gave to me
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the eighth day of Christmas a User gave to me
Eight lift and shift projects,
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the ninth day of Christmas a User gave to me
Nine broken CI/CD pipelines,
Eight lift and shift projects,
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the tenth day of Christmas a User gave to me
Ten systems without tags,
Nine broken CI/CD pipelines,
Eight lift and shift projects,
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the eleventh day of Christmas a User gave to me
Eleven FedRAMP violations,
Ten systems without tags,
Nine broken CI/CD pipelines,
Eight lift and shift projects,
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

On the twelfth day of Christmas a User gave to me
Twelve security breaches,
Eleven FedRAMP violations,
Ten systems without tags,
Nine broken CI/CD pipelines,
Eight lift and shift projects,
Seven secret keys in GitHub,
Six reasons why we don’t need a password policy,
Five network rules with 0.0.0.0 access for everybody,
Four S3 buckets with wide open bucket policies,
Three root accounts with access keys,
Two reasons why MFA should not be a security thing,
And a malformed IAM policy.

Happy Holidays, Merry Christmas, and a Secure New Year from ScaleSec!


The information presented in this article is accurate as of December 17, 2020. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.
