CISA Contractor Publishes AWS GovCloud Keys on Public GitHub, Exposing Federal Systems
What Happened — A CISA‑contractor with administrative rights created a public GitHub repository (“Private‑CISA”) that contained plaintext AWS GovCloud credentials and dozens of other internal secrets. The contractor deliberately disabled GitHub’s secret‑scanning protection, allowing the data to be publicly accessible. CISA is working to invalidate the leaked keys and assess the exposure.
Why It Matters for TPRM —
- Credential leaks in a federal agency highlight the risk of third‑party contractors mishandling privileged access.
- Exposure of cloud‑infrastructure keys can enable adversaries to pivot into critical government networks.
- The incident underscores the need for continuous monitoring of contractor activities and strict secret‑management policies.
Who Is Affected — Federal government (critical infrastructure), cloud service providers (AWS GovCloud), any downstream vendors or partners relying on CISA‑managed services.
Recommended Actions —
- Review all third‑party contracts for privileged‑access controls and audit logs.
- Verify that any shared cloud credentials have been rotated and that secret‑scanning tools are enforced.
- Incorporate contractor‑access monitoring into your TPRM program and demand evidence of secure development practices.
Technical Notes — The leak stemmed from intentional disabling of GitHub’s built‑in secret‑detection feature, exposing plaintext AWS access keys, API tokens, and internal system passwords. No public exploit of the keys has been reported yet, but the potential for misuse is high. Source: Krebs on Security