🔐 CISA Contractor Leaked AWS GovCloud Keys on GitHub: What This Means for Your Security
By AY Tanoli · 19 May 2026 · 3 min read
In a startling 2026 incident, a CISA contractor inadvertently leaked AWS GovCloud credentials directly on GitHub, exposing highly sensitive government cloud infrastructure. The keys were embedded in a public repository for hours before discovery, more than enough time for malicious actors to scrape and exploit them. This underscores the critical importance of secrets management at every level of government contracting.
For any organisation handling sensitive infrastructure, NordPass provides enterprise-grade password and secrets management with role-based access controls and detailed audit logs. On the endpoint protection side, Kaspersky Premium can help detect and block malware payloads that might be used to extract credentials from developer workstations before they ever reach a public repository.
What Happened: A GovCloud Key in a Public Repository
A contractor working with the Cybersecurity and Infrastructure Security Agency (CISA) accidentally committed a set of AWS GovCloud access keys to a public GitHub repository. GovCloud is the isolated AWS region designed for U.S. government workloads that must meet strict compliance standards such as FedRAMP High and ITAR. When credentials to that environment leak, the stakes are dramatically higher than a routine cloud misconfiguration, because the data and systems behind those keys are often tied to national security operations.
The exposure followed a depressingly familiar pattern. A developer hardcoded long-lived credentials into a script, pushed the code to a repository, and made it public — likely without realizing the keys were buried in the commit history. Automated scanners that crawl GitHub for secrets can locate exposed AWS keys within seconds of a push, which means attackers frequently find leaked credentials before the developer who leaked them does.
Why GovCloud Keys Are a High-Value Target
AWS GovCloud credentials are prized by attackers for several reasons. The environment hosts sensitive government and defense-contractor data, the access controls are assumed to be strong (so a valid key bypasses a lot of suspicion), and lateral movement inside a government tenant can yield intelligence value that ordinary commercial breaches do not. A single leaked key pair can grant programmatic access to S3 buckets, EC2 instances, IAM configurations, and potentially the ability to escalate privileges across an entire account.
Data exfiltration: Direct read access to storage buckets containing controlled unclassified information (CUI).
Persistence: Creation of new IAM users or roles to maintain access even after the original key is revoked.
Resource abuse: Spinning up compute for cryptomining or to stage further attacks under a trusted government IP range.
Reconnaissance: Mapping the architecture of a sensitive environment for a future, more targeted intrusion.
The Root Cause: Secrets That Should Never Be Static
The core failure here is the use of long-lived, static credentials in the first place. Access keys that never expire are a liability the moment they are created. They get copied into config files, shared over chat, embedded in scripts, and eventually committed to version control. Once a static key exists, it is only a matter of time and human error before it ends up somewhere it should not be.
Git makes the problem worse because deleting a secret in a later commit does not remove it from history. Unless the repository history is rewritten and force-pushed — and the key is rotated — the credential remains retrievable by anyone who clones the repo.
How to Prevent a Credential Leak Like This
Organizations handling cloud infrastructure, especially in regulated environments, should treat secret management as a first-class security control rather than an afterthought. The following practices would have prevented this incident:
Eliminate static keys. Use temporary credentials through AWS IAM roles, IAM Identity Center, or STS-issued short-lived tokens that expire automatically.
Enforce pre-commit secret scanning. Tools like git-secrets, Gitleaks, or TruffleHog can block commits that contain credential patterns before they ever leave a developer's machine.
Enable platform-side detection. GitHub Secret Scanning and push protection can reject pushes that contain recognizable AWS keys.
Apply least privilege. Scope every credential to the minimum permissions required, so a leak limits the blast radius.
Monitor with CloudTrail. Alert on anomalous API calls, logins from unexpected regions, and IAM modifications.
Rotate and audit regularly. Automate key rotation and periodically audit which credentials exist and where they live.
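As an added example (not code from the article or from git-secrets, Gitleaks or TruffleHog), the Python below implements the check a pre-commit hook performs: it parses a staged diff and aborts the commit when an added line contains an AWS access key ID or secret access key pattern. The diff text and both key values are constructed placeholders.

```python
import re
import subprocess
import sys

# Long-term AWS key IDs start with AKIA, temporary STS ones with ASIA; both are
# flagged because neither belongs in a commit, even though ASIA keys expire.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key assignment: 40 base64-style characters after the key name.
SECRET_KEY = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed diff of a deployment script (placeholder values, not real keys).
SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -3,0 +4,3 @@
+export AWS_DEFAULT_REGION=us-gov-west-1
+export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001
+export AWS_SECRET_ACCESS_KEY=ExampleSecretKey000000000000000000000000
"""

def find_secrets(diff_text):
    """Return (new_file_line, kind, value) for each credential pattern on an added line."""
    findings, lineno = [], 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):          # hunk header: reset new-side line counter
            m = re.search(r"\+(\d+)", raw)
            lineno = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith(("+++", "---", "-")):
            continue                      # file headers and removed lines never enter the commit
        lineno += 1                       # context or added line on the new side
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(line):
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
    return findings

if __name__ == "__main__":
    # As a pre-commit hook: scan only what is staged; a non-zero exit aborts the commit.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)
    for lineno, kind, value in hits:
        print(f"blocked: {kind} at line {lineno}: {value[:4]}...{value[-4:]}")
    sys.exit(1 if hits else 0)
```

Install it as `.git/hooks/pre-commit`; on the constructed diff it reports the key ID on new line 5 and the secret on new line 6.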
What to Do If Your Keys Are Exposed
Speed is everything once a leak is discovered. The exposed credentials must be revoked immediately — not disabled later — and replaced. Then investigate the scope of the exposure using access logs.
Deactivate and delete the compromised access keys in the IAM console without delay.
Review CloudTrail logs for any API activity tied to the leaked key.
Rotate any other secrets that may have been stored alongside it.
Purge the credential from Git history and force-push the cleaned repository.
Report the incident through the appropriate compliance and disclosure channels.
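As an added example (not the article's code or any AWS tooling), the Python below performs the log review in step 2 over constructed CloudTrail-style records: it collects every call attributed to a placeholder leaked key ID, denied attempts included, and flags persistence or log-tampering calls and activity outside the region the workload is assumed to live in.

```python
# Constructed CloudTrail-style records (sample data, not a real trail).
LEAKED_KEY = "AKIAEXAMPLE000000001"   # placeholder key ID, not a real credential
EXPECTED_REGIONS = {"us-gov-west-1"}  # assumption: the workload lives in one GovCloud region
# API calls that signal persistence or log tampering rather than routine work
HIGH_RISK = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
             "CreateRole", "StopLogging", "DeleteTrail", "PutEventSelectors"}

def _event(time, source, name, region, ip, key, error=None):
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "awsRegion": region, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _event("2026-05-18T02:11:04Z", "s3.amazonaws.com", "ListBuckets",
           "us-gov-west-1", "203.0.113.7", LEAKED_KEY),
    _event("2026-05-18T02:13:40Z", "iam.amazonaws.com", "CreateAccessKey",
           "us-gov-west-1", "203.0.113.7", LEAKED_KEY, error="AccessDenied"),
    _event("2026-05-18T02:20:12Z", "cloudtrail.amazonaws.com", "StopLogging",
           "us-gov-east-1", "198.51.100.23", LEAKED_KEY),
    _event("2026-05-18T02:21:00Z", "ec2.amazonaws.com", "DescribeInstances",
           "us-gov-west-1", "192.0.2.10", "AKIAEXAMPLE000000002"),
]

def triage(events, leaked_key, expected_regions=EXPECTED_REGIONS):
    """Summarise everything CloudTrail attributes to the leaked key: every call
    (denied ones too, since AccessDenied still shows the key being probed), the
    high-risk calls, regions outside the expected set, and the source IPs."""
    hits = sorted((e for e in events
                   if e.get("userIdentity", {}).get("accessKeyId") == leaked_key),
                  key=lambda e: e["eventTime"])
    return {
        "calls": [(e["eventTime"], e["eventName"], e.get("errorCode", "ok")) for e in hits],
        "high_risk": [e["eventName"] for e in hits if e["eventName"] in HIGH_RISK],
        "unexpected_regions": sorted({e["awsRegion"] for e in hits} - expected_regions),
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, LEAKED_KEY), indent=2))
```

On real data, pass the `Records` list from a CloudTrail JSON delivery file; the fields used here (eventTime, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId, errorCode) are standard CloudTrail record fields, and delivery lag means the last few minutes of activity may not be in the log yet.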
The Bigger Lesson
This incident is a reminder that the weakest link in cloud security is rarely the cloud provider — it is the human workflow around credentials. The strongest passwords and the most secure infrastructure mean little if a static key ends up in a public repo. Building security into the development pipeline, removing long-lived secrets entirely, and assuming that any committed secret is already compromised are the habits that keep sensitive environments like GovCloud out of attackers' hands.
How the GovCloud Keys Ended Up Public
The exposure began with a routine commit. A contractor pushed an internal deployment script to a public GitHub repository, and embedded inside that script were long-lived AWS access keys scoped to a GovCloud environment. Because GovCloud is designed to host workloads subject to federal compliance regimes, the keys carried elevated trust. Automated credential scanners that continuously crawl public commits flagged the secret within minutes, but attackers run identical scanners.
What Attackers Could Have Done
Static, long-lived keys are dangerous because they do not expire on their own. Once harvested, an adversary could authenticate directly against the GovCloud account and attempt a range of actions:
Enumerate S3 buckets and exfiltrate sensitive or regulated data
Spin up compute instances for cryptomining at the agency's expense
Pivot laterally using over-permissioned IAM roles attached to the credentials
Establish persistence by creating new IAM users or access keys
Tamper with CloudTrail logging to obscure their activity
Lessons for Federal Contractors
This incident is a textbook reminder that secrets never belong in source control. Contractors handling government workloads should adopt short-lived credentials issued through AWS IAM Identity Center or STS, and enforce least-privilege policies so a single leaked key cannot unlock an entire environment.
Enable pre-commit secret scanning with tools like git-secrets or Gitleaks
Rotate and revoke any credential the moment exposure is suspected
Require IMDSv2 and role assumption instead of static keys
Audit public repositories tied to agency contracts on a regular cadence
Detection only worked because monitoring existed. Prevention, however, would have stopped the leak before a single attacker ever saw it.