The Five Most Common Cloud Architecture Mistakes

Publication date:
Author: Szabolcs BECZE

Five cloud mistakes. Same five. Nearly every mid-market health check. The frameworks to fix them are free. The discipline to apply them is the gap.

The Five Most Common Cloud Architecture Mistakes

There’s a pattern we see when we run a cloud health check, especially for mid-market clients.

Five mistakes. Same five. Nearly every time.

Not because these teams are bad at their jobs, it’s because they’re busy. They shipped the thing, it worked, and nobody thought twice about it again.

The initial setup solidified into the permanent setup. And now, somewhere between the sprint backlog and the budget review, these quiet failures are compounding into something expensive.

Every one of these is fixable. And fixing them changes the trajectory of your cloud spend, your security posture, and your team’s ability to actually ship.

1. Over-provisioned instances nobody monitors

Datadog’s State of Cloud Costs 2024 — drawn from real AWS billing data, not a survey — found that 83% of container costs are tied to idle resources. The same dataset shows 83% of organizations are still running previous-generation EC2 instance types, paying a 17% premium for hardware that’s slower and more expensive than what’s already available.

That’s money leaving your pocket.

And the developer side of the equation tells the same story from a different angle. Harness’s FinOps in Focus 2025 report found that enterprises take an average of 31 days to identify and eliminate cloud waste.

Thirty-one days. That means an entire billing cycle before anyone notices.

The fix isn’t magic. It’s monitoring, rightsizing, and a recurring review cadence. The reason it doesn’t happen in mid-market environments is simpler than people admit: nobody’s job description includes doing it.

2. No cost alerts or budget monitoring set up

This one is almost too simple to believe, which is probably why it persists. Most companies spending on cloud have no automated budget guardrails in place.

A Forrester Consulting study of 420 IT decision-makers tells the whole story in three numbers: 72% exceeded their cloud budgets in the most recent fiscal year, only 6% described their cost strategy as proactive, and leaders could only accurately track 40% of their total cloud expenditure. Sixty percent of spend, flying blind.

CloudZero’s 2024 State of Cloud Cost Intelligence Report found that only 30% of organizations knew exactly where their cloud budget was going.

Setting up budget alerts takes hours, not weeks. The barrier isn’t complexity. It’s priority. The cloud bill arrives after the quarter closes — by which time it’s already too late.

3. Single availability zone with no failover

This is the one that should keep infrastructure engineers up at night.

Deploying production workloads in a single availability zone is explicitly flagged by the AWS Well-Architected Reliability Pillar as a common anti-pattern with a risk level of High. The guidance is unambiguous: run production across at least two AZs.

The financial exposure when you don’t is severe. The ITIC 2024 Hourly Cost of Downtime Survey found that the average cost of a single hour of downtime now exceeds $300,000 for over 90% of mid-size and large enterprises — and that’s before you factor in litigation, civil, or criminal penalties.

And here’s the number worth sitting with. The Uptime Institute’s 2024 Annual Outage Analysis found that 80% of serious outages could have been prevented with better management, processes, and configuration.

Eighty percent preventable through better architecture decisions and the discipline to revisit them.

Multi-AZ isn’t a luxury feature. It’s table stakes for any production workload you can’t afford to lose. 

Our managed cloud practice starts with a health check that surfaces these patterns and builds a concrete remediation roadmap. 
Find out how we can help you → here

4. IAM policies that haven’t been reviewed since initial setup

This is the scariest one on the list, and almost nobody talks about it until something breaks.

Palo Alto Networks’ Unit 42 analysis of more than 680,000 cloud identities found that 99% of cloud users, roles, services, and resources had been granted excessive permissions — with unused permissions persisting for more than 60 days. Not 99% of poorly managed accounts. Ninety-nine percent of all of them. That’s the default state of nearly every cloud environment in production today.

CrowdStrike’s 2026 Global Threat Report shows why this matters more with each passing year. Eighty-two percent of intrusions are now malware-free. Attackers aren’t deploying payloads — they’re logging in with stolen credentials.

The perimeter moved years ago. Identity is the perimeter now. Most mid-market companies are defending it with policies nobody’s touched since deployment day.

IAM reviews aren’t hard. They’re tedious. That’s exactly why they don’t happen. Someone has to pull the credential reports, cross-reference actual usage, and make the calls about what gets revoked. It’s the single highest-impact security improvement most mid-market companies can make today — and the one most likely to be sitting in a backlog labelled “when we get to it.”

5. No Infrastructure-as-Code, so changes are manual and undocumented

The DORA 2024 Accelerate State of DevOps Report draws the line between elite and low performers in stark terms: elite teams deploy multiple times per day and recover from failures in under an hour. Low performers take one to six months to deploy changes and up to a month to recover.

The mechanism behind that gap shows up in outage data. The Uptime Institute’s Annual Outage Analysis found that nearly 40% of organizations suffered a major outage caused by human error over a three-year period — and 85% of those stemmed from staff failing to follow procedures.

That’s the exact failure mode IaC eliminates. When your infrastructure is code, the procedure is the deployment. There’s nothing to forget, nothing to skip, nothing that depends on someone remembering the right sequence on a Friday afternoon.

IaC isn’t just about automation. It’s about making your infrastructure knowable. When everything is in code, you can see what changed, when it changed, who changed it, and why. You can roll back. You can reproduce. You can hand it to a new engineer and they can understand the system without three weeks of tribal knowledge transfer.

That’s the real prize. Not fewer clicks. Fewer unknowns.

 

Your cloud is already running. The question is whether anyone’s watching it evolve — or whether it’s drifting quietly in a direction nobody chose. If you want a team that treats your infrastructure with the same care as the engineers who built it → here's how we work.

The common root cause

If you’ve read this far, you’ve probably noticed: these five mistakes share a single origin story. Infrastructure decisions made under time pressure during initial setup that never got revisited.

For mid-market companies, the compounding effect is particularly brutal. You lack the dedicated platform teams of large enterprises, but you run workloads complex enough to require them. You’re in the gap — and the gap is where these five mistakes do the most damage.

The frameworks to fix all of this — AWS Well-Architected, CIS Benchmarks, NIST SP 800-53, DORA metrics — are freely available and well-documented. The gap isn’t knowledge. It’s the operational discipline to implement, monitor, and continuously review what’s already been built.

That’s the part that changes everything. Not a new tool. Not a bigger budget. A practice. A rhythm. Someone who wakes up on Tuesday and checks the IAM credential report because that’s what Tuesday is for.

The architecture gets simpler. The confidence comes back. Usually faster than anyone expected.

 

Ready to find out what’s hiding in your cloud?
We run health checks that surface exactly these patterns — and build the remediation roadmap to fix them. No 90-page report that gathers dust.
A prioritised plan your team can actually execute.
Let’s talk → contact us!

Cookie settings

We use cookies to personalise content and ads, to provide social media features and to analyse website traffic. You can read more by clicking on the "Settings" button.
We use cookies to personalise content and ads.

Cookies are small text files that can be used by websites to make a user's experience more efficient.
The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.
This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Your consent applies to the following domains sonrisa.hu

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

Statistical cookies allow anonymous data collection to allow website owners to analyze website usage.

The purpose of marketing cookies is to track users through multiple websites. The goal is to be able to display ads to our users that are relevant and of interest to them, making them more valuable to publishers and third-party advertising providers.

Cookie declaration last updated on 2020.09.04.