cmdev
Cloud Security

Why African Enterprises Are Failing at Cloud Security

cmdev9 min read
Why African Enterprises Are Failing at Cloud Security
Share
~14 min

The migration without the security

African enterprises are moving to the cloud at pace. Cloud infrastructure spending across the continent grew over 25% in 2025, driven by financial services modernization, digital government initiatives, and a wave of Series A-funded startups scaling beyond on-premises capacity. AWS opened a direct connect location in Lagos. Azure expanded its South Africa regions. GCP deepened partnerships with Pan-African telcos.

The problem is not the migration itself. The problem is who was in the room when migration decisions were made — and who was not. In most organizations we assess, cloud adoption was driven by engineering and product teams under business pressure to ship. Security teams were either excluded from planning, consulted after workloads were already in production, or did not exist in a meaningful capacity.

The result is predictable: production environments running with default VPC configurations, IAM roles that grant full administrative access, storage buckets open to the internet, and no logging to tell you what happened when something goes wrong. These are not edge cases. They are the norm.

IAM: the root of most compromises

Identity and Access Management is the single most common failure point in cloud security incidents affecting African enterprises. The pattern repeats with minor variation across every engagement.

The typical sequence:

  1. A developer needs programmatic access to AWS for a deployment pipeline
  2. The developer — or an IT administrator with no IAM training — creates an IAM user with AdministratorAccess attached directly to the user
  3. The developer generates an access key pair and stores it in a .env file
  4. The .env file is committed to a private Git repository (or worse, a public one)
  5. The access keys are never rotated. The IAM user has no MFA. The keys are long-lived — months, sometimes years
  6. An attacker gains access to the repository through a compromised developer account, leaked credentials, or a misconfigured repository visibility setting
  7. The attacker uses the access keys to enumerate the AWS account, escalate privileges, and begin exfiltration or resource abuse

This is not theoretical. Secret scanning services detect thousands of exposed AWS credentials in public repositories every month. Private repositories are not immune — a single compromised developer laptop or stolen session token exposes every secret stored in code.

What makes this worse in the African enterprise context:

  • Security teams rarely have visibility into which IAM entities exist, what permissions they hold, or when credentials were last used
  • Root account credentials are frequently shared among multiple administrators, sometimes over WhatsApp
  • MFA adoption on root and privileged accounts remains low — many organizations have never enabled it
  • Service accounts accumulate permissions over time and are never audited
  • There is no separation between development, staging, and production IAM boundaries

The fix is not complicated. It is just not prioritized until after an incident.

S3 and storage misconfigurations

Every major cloud provider has made it progressively harder to accidentally create public storage. AWS blocked public access on new S3 buckets by default starting in April 2023. Azure Storage accounts default to private. Yet misconfigured storage remains one of the most common findings in African enterprise cloud environments.

How this happens:

  • Legacy buckets created before the default-deny change were never retroactively secured
  • Developers disable Block Public Access to serve static assets or share files with external partners, then never re-enable it
  • Bucket policies are written permissively ("Principal": "*") without understanding the implication
  • Server-side encryption is not enabled, leaving data at rest unprotected
  • Access logging is not configured, so there is no record of who accessed what

The data exposed in these buckets is not trivial. In assessments of Nigerian fintech companies and banking infrastructure, we have encountered: customer KYC documents (national IDs, utility bills, photographs), transaction records, internal financial reports, database backups containing PII, and API keys granting access to downstream services.

A single misconfigured bucket can constitute a violation of the Nigeria Data Protection Act (NDPA) and expose the organization to regulatory action by the Nigeria Data Protection Commission (NDPC). The reputational damage compounds: customers whose KYC documents are exposed in a breach do not return.

The baseline that most organizations have not implemented:

  • Enable S3 Block Public Access at the account level, not just the bucket level
  • Enforce server-side encryption (SSE-S3 at minimum, SSE-KMS for regulated data)
  • Enable access logging on all buckets containing sensitive data
  • Use S3 Bucket Policy conditions to restrict access by VPC endpoint, source IP, or IAM role
  • Run regular scans with AWS Config rules or third-party CSPM tools to detect drift

Network architecture gaps

Cloud networking is where on-premises habits cause the most damage. Organizations accustomed to flat internal networks replicate that architecture in the cloud — except now the flat network is accessible from the internet.

Common findings:

Finding Frequency Risk
Default VPC in use for production workloads Very common No network segmentation, default routing
Security groups allowing 0.0.0.0/0 on port 22 (SSH) Very common Direct SSH access from any IP on the internet
Security groups allowing 0.0.0.0/0 on port 3306/5432 Common Database accessible from the internet
No WAF in front of public-facing APIs Common No protection against OWASP Top 10
No network segmentation between application tiers Very common Lateral movement trivial after initial access
VPC Flow Logs not enabled Very common No visibility into network traffic patterns

The default VPC problem deserves emphasis. Every AWS account comes with a default VPC in each region. This VPC has an internet gateway attached, public subnets with auto-assign public IP enabled, and permissive default security group rules. Organizations that deploy workloads into the default VPC without modification are running production systems on infrastructure designed for getting-started tutorials.

Proper cloud network architecture requires purpose-built VPCs with private subnets for application and database tiers, public subnets only for load balancers and bastion hosts, security groups following the principle of least privilege, and NACLs as a secondary defense layer. This is documented in every cloud provider's well-architected framework. It is rarely implemented.

Logging and visibility

If you cannot answer these questions about your cloud environment, you do not have adequate visibility:

  • Who created an IAM user or role in the last 30 days?
  • Which S3 buckets were accessed from outside the organization's IP range last week?
  • What API calls were made using the root account in the last 90 days?
  • Which EC2 instances are communicating with IP addresses in known threat intelligence feeds?
  • When was the last time a specific access key was used, and from where?

Most African enterprises we assess cannot answer any of them.

The root cause: AWS CloudTrail is not enabled — or is enabled only in the primary region, leaving activity in other regions invisible. CloudWatch alarms are not configured for security-relevant events. There is no centralized log management platform. No SIEM. No alerting. No one is watching.

This means that when a breach occurs — and it will — the organization cannot determine scope, timeline, or root cause. Incident response becomes guesswork. Regulatory reporting is delayed because there is no evidence to report on. Legal exposure increases because the organization cannot demonstrate that it took reasonable steps to detect and respond to unauthorized access.

What "minimum viable visibility" looks like:

  • CloudTrail enabled in all regions with logs delivered to a centralized, immutable S3 bucket
  • CloudTrail log file validation enabled (tamper detection)
  • CloudWatch alarms on: root account usage, IAM policy changes, security group modifications, S3 bucket policy changes, console sign-in without MFA
  • VPC Flow Logs enabled on all production VPCs, delivered to CloudWatch Logs or S3
  • GuardDuty enabled in all regions (anomaly detection with minimal configuration overhead)
  • A log retention policy that meets regulatory requirements (NDPA, CBN guidelines)

The managed service illusion

The most dangerous misconception in African enterprise cloud adoption is the belief that migrating to AWS, Azure, or GCP means security is handled. It is not.

Every major cloud provider operates under a shared responsibility model:

  • The provider secures: The physical infrastructure, hypervisor, managed service internals, global network, and the availability of the platform itself
  • The customer secures: Everything deployed on top of the platform — operating systems, applications, data, identity, access control, network configuration, encryption settings, and compliance

AWS does not configure your security groups. Azure does not audit your IAM roles. GCP does not encrypt your Cloud Storage buckets unless you tell it to.

This distinction is well-documented but poorly understood. In boardroom conversations, "we moved to AWS" is treated as a security investment. It is not. It is an infrastructure investment. Security on that infrastructure remains the organization's responsibility, and the attack surface has often expanded — from a data center with physical perimeter controls to an internet-facing environment where every misconfiguration is one API call from exposure.

The shared responsibility model also means that when a breach occurs due to customer misconfiguration, the cloud provider bears no liability. The organization owns the incident, the regulatory reporting obligation, and the remediation cost. "But we're on AWS" is not a defense that regulators or courts will accept.

A practical security baseline

The gap between current state and a defensible security posture is not as wide as it appears. The following baseline addresses the most common and most exploitable failures. None of these require advanced tooling or large security teams. They require decision and execution.

Identity and access management:

  • Enable MFA on every human identity — root accounts, IAM users, SSO accounts. No exceptions
  • Delete or deactivate IAM access keys that have not been used in 90 days
  • Replace long-lived access keys with IAM roles and temporary credentials (STS) wherever possible
  • Implement least-privilege IAM policies — start with ReadOnlyAccess and add permissions as needed, not the reverse
  • Audit IAM policies quarterly using AWS IAM Access Analyzer or equivalent

Storage security:

  • Enable S3 Block Public Access at the account level
  • Enforce server-side encryption on all storage (SSE-S3 minimum, SSE-KMS for regulated data)
  • Enable access logging on buckets containing customer data or PII
  • Audit bucket policies and ACLs monthly

Network security:

  • Deploy production workloads in purpose-built VPCs, not the default VPC
  • Restrict security groups to specific source IPs and ports — no 0.0.0.0/0 on SSH, RDP, or database ports
  • Place databases and application servers in private subnets with no direct internet access
  • Deploy a WAF in front of all public-facing APIs and web applications
  • Enable VPC Flow Logs on all production VPCs

Logging and detection:

  • Enable CloudTrail in all regions with centralized log delivery
  • Enable GuardDuty in all regions
  • Configure CloudWatch alarms for high-severity events (root login, IAM changes, security group changes)
  • Establish log retention periods that meet NDPA and sector-specific regulatory requirements

Continuous compliance:

  • Enable AWS Config (or Azure Policy, GCP Organization Policy) with managed rules for the controls above
  • Deploy AWS Security Hub (or Azure Defender for Cloud, GCP Security Command Center) for a consolidated security posture view
  • Schedule quarterly reviews of findings — not annual. The environment changes weekly; annual audits find problems nine months too late

The starting point is not perfection. It is closing the gaps that attackers exploit first: overprivileged access, public storage, open network ports, and no logging. Get these right, and you have eliminated the majority of the attack surface that commodity threat actors target. Everything else — threat modeling, red teaming, zero trust architecture — builds on this foundation.

Organizations that cannot execute this baseline internally should engage a qualified cloud security partner to implement it. The cost of a cloud security assessment and remediation engagement is a fraction of the cost of a breach — in regulatory fines, customer attrition, and recovery effort. The math is straightforward.

cloud-securityawsafricaiammisconfigurationenterprise

Ready to strengthen your security posture?

We help organizations across Africa build resilient infrastructure, deploy AI at scale, and navigate complex regulatory environments.

Start a conversation
← PreviousFrom Discovery to Production: Building a Bedrock Document Pipeline for a London Insurance BrokerNext →Building Production AI Pipelines on AWS: Bedrock, Lambda, and the Glue Between Models