The recent revelation that a contractor for the U.S. Cybersecurity & Infrastructure Security Agency (CISA) intentionally published AWS GovCloud keys and sensitive agency data on a public GitHub repository is a stark warning for the industry. It is not merely a compliance failure; it is a catastrophic operational security breach that highlights the fragility of the software supply chain and the human element in cloud security.
For defenders, the scenario is a nightmare: valid, high-privilege credentials—specifically for the isolated, high-security GovCloud environment—exposed to the public internet. While CISA scrambles to invalidate credentials and contain the breach, security teams worldwide must ask: could this happen to us?
This post provides the technical indicators and defensive playbooks required to detect if your organization is leaking secrets to public repositories and how to respond if the worst occurs.
Technical Analysis
Threat Type: Credential Exposure / Data Leak (Human-OPSEC Failure)
Affected Platforms: AWS GovCloud (US), GitHub, General-purpose Git repositories
Severity: Critical
The Attack Chain
- Initial Compromise (Internal): A trusted insider or negligent contractor interacts with sensitive credentials (AWS Access Keys/Secret Keys) in a development environment.
- Exfiltration/Publication: The secrets are committed to a local Git repository and pushed to a public remote origin (e.g., github.com).
- Discovery by Automated Scrapers: Within minutes of publication, automated bots scanning public repositories for specific regex patterns (e.g., AKIA[0-9A-Z]{16}) identify the keys.
- Cloud Exploitation: Attackers use the leaked credentials to authenticate against the AWS API (sts:GetCallerIdentity) to enumerate permissions and potentially exfiltrate data or alter infrastructure.
Exploitation Status
Confirmed Active Leakage. While the news focuses on CISA, the techniques are generic. There are no CVEs associated with this specific incident; the vulnerability lies in process failure. However, the exposure of GovCloud keys implies a bypass of standard federal compliance controls, suggesting that standard DLP (Data Loss Prevention) and secret scanning solutions either failed to alert or were absent.
Detection & Response
When credentials hit GitHub, speed is everything. You must detect the push behavior before the keys are scraped, or detect the usage of those keys in your cloud logs immediately after.
SIGMA Rules
These rules focus on detecting the process behavior associated with pushing code to public repositories, which is the primary vector in this incident.
---
title: Potential Code Exfiltration via Public Git Push
id: 8c4d9b12-3a5e-4f1d-9e8c-2b4f5a6c7d8e
status: experimental
description: Detects attempts to push local git repositories to public remote origins like GitHub, GitLab, or Bitbucket. This rule targets the vector used in the CISA leak.
references:
  - https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.exfiltration
  - attack.t1567.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\git.exe'
      - '\git.cmd'
    CommandLine|contains:
      - 'push'
  filter_corporate:
    CommandLine|contains:
      - 'internal.corp.com'
      - 'github.enterprise.corp'
  condition: selection and not filter_corporate
falsepositives:
  - Developers pushing to personal open-source projects (vet these)
level: high
---
title: AWS Credentials Enumeration via CLI
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects usage of AWS CLI commands often used by attackers immediately after discovering leaked credentials to validate permissions (e.g., sts get-caller-identity, iam list-roles).
references:
  - https://attack.mitre.org/techniques/T1059/006/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_aws:
    Image|endswith: '\aws.exe'
  selection_command:
    CommandLine|contains:
      - 'sts get-caller-identity'
      - 'iam list-users'
      - 'iam list-roles'
      - 's3 ls'
  condition: selection_aws and selection_command
falsepositives:
  - Legitimate administrative DevOps automation
level: medium
KQL (Microsoft Sentinel / Defender)
This hunt query correlates endpoint process creation with network connections to identify active Git sessions to known public hosts. It assumes you are ingesting DeviceNetworkEvents and DeviceProcessEvents via Microsoft Defender for Endpoint.
// Hunt for Git processes pushing to public Git hosts
let PublicGitHosts = dynamic(["github.com", "gitlab.com", "bitbucket.org"]);
DeviceNetworkEvents
| where RemoteUrl has_any (PublicGitHosts)
// The outbound connection is usually made by the transport helper spawned by git, not by git.exe itself
| where InitiatingProcessFileName in~ ("git.exe", "git-remote-https.exe", "git-remote-http.exe", "ssh.exe")
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("git.exe", "git")
    | where ProcessCommandLine has "push"
    | project DeviceId, ProcessTimestamp = Timestamp, AccountName, ProcessCommandLine, FolderPath
) on DeviceId
// Joining on DeviceId alone pairs every push with every connection; keep only pushes started shortly before the connection
| where ProcessTimestamp between ((Timestamp - 2m) .. Timestamp)
| project Timestamp, DeviceName, AccountName, RemoteUrl, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| summarize count() by DeviceName, AccountName, RemoteUrl, bin(Timestamp, 5m)
| order by count_ desc
Velociraptor VQL
This artifact hunts the filesystem for potential AWS Access Key IDs (matching the AKIA prefix pattern) within common configuration or source code files. This helps locate the "smoking gun" on an endpoint if a leak is suspected.
-- Hunt for AWS Access Key IDs on disk
-- Named group so the matched key can be reported alongside the file
LET AWSKeyRegex = "(?P<key>AKIA[0-9A-Z]{16})"

-- Candidate files: source and config files where credentials tend to be pasted.
-- Size cap keeps the hunt from reading large binaries; FullPath is OSPath on newer Velociraptor releases.
LET Candidates = SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath, length=5000000) AS Content
  FROM glob(globs=["/**/*.js", "/**/*.json", "/**/*.yml", "/**/*.yaml",
                   "/**/*.env", "/**/*.tf", "/**/credentials"], root="/")
  WHERE Size < 5000000 AND Content =~ AWSKeyRegex

SELECT FullPath, Mtime, Size,
       parse_string_with_regex(string=Content, regex=[AWSKeyRegex]).key AS AWSKeyMatch
FROM Candidates
LIMIT 100
Remediation Script
If you suspect a leak, immediate containment is required. This Bash script scans the current directory tree for common secret patterns (AWS, Azure, Google) and lists the files that must be sanitized or purged from Git history before the repository goes anywhere else; its exit code lets it double as a CI or pre-push gate.
#!/bin/bash
# Defensive Script: Scan for Leaked Secrets in Local Repo
# Usage: ./scan_secrets.sh   (exit code 1 when a pattern is found)
set -u
echo "[+] Starting secret scan on $(pwd)..."

# Define regex patterns for common cloud secrets (POSIX ERE: grep -E has no \s, use [[:space:]])
AWS_ACCESS_KEY_REGEX='AKIA[0-9A-Z]{16}'
AWS_SECRET_KEY_REGEX='[0-9a-zA-Z/+]{40}'
AZURE_CLIENT_SECRET_REGEX='[a-zA-Z0-9_.-]{35}'
GCP_SA_KEY_REGEX='"private_key":[[:space:]]*"[^"]+"'
FOUND=0

# Scan the working tree (excluding .git to avoid rescanning packed history for speed).
# NUL-delimited find + read keeps paths with spaces intact; -I skips binary files.
while IFS= read -r -d '' file; do
    # Check for AWS Access Keys (distinctive prefix, low false-positive rate)
    if grep -qIE "$AWS_ACCESS_KEY_REGEX" "$file" 2>/dev/null; then
        echo "[!] FOUND AWS ACCESS KEY PATTERN IN: $file"
        FOUND=1
    fi
    # Check for 40-character secret-key-shaped strings (noisy: also matches hashes and base64; review manually)
    if grep -qIE "$AWS_SECRET_KEY_REGEX" "$file" 2>/dev/null; then
        echo "[!] FOUND POTENTIAL SECRET KEY IN: $file"
        FOUND=1
    fi
    # Check for Azure client secrets (also noisy) and GCP service-account JSON keys
    if grep -qIE "$AZURE_CLIENT_SECRET_REGEX" "$file" 2>/dev/null; then
        echo "[!] FOUND POTENTIAL AZURE CLIENT SECRET IN: $file"
        FOUND=1
    fi
    if grep -qIE "$GCP_SA_KEY_REGEX" "$file" 2>/dev/null; then
        echo "[!] FOUND GCP SERVICE ACCOUNT KEY IN: $file"
        FOUND=1
    fi
done < <(find . -type f -not -path "./.git/*" -print0)

if [ "$FOUND" -eq 0 ]; then
    echo "[+] No obvious secret patterns found in working directory."
else
    echo "[!] CRITICAL: Secrets detected. Review files above and rotate keys immediately."
    echo "[!] Recommendation: Use 'git-secrets' to prevent future commits."
fi
exit "$FOUND"
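The 40-character secret pattern above is noisy because any hash or base64 run matches it. As an added example, not the post's own tooling, this Python scanner keeps the distinctive AKIA check and filters secret-key candidates by Shannon entropy, and scans only the lines a commit would add, which is what a pre-commit hook should look at. The sample key pair is AWS's documented example, not a live credential.

```python
import math
import re
import subprocess
from collections import Counter

# The AKIA prefix is distinctive; the 40-char secret-key shape is not, so
# candidates of that shape are kept only when their Shannon entropy is high.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
SECRET_ENTROPY_THRESHOLD = 4.0  # bits/char; random 40-char secrets land around 4.5-5.2

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str) -> list[dict]:
    """Return findings per line: access key IDs and high-entropy secret candidates."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= SECRET_ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "aws_secret_key_candidate", "value": m.group(1)})
    return findings

def scan_staged_changes() -> list[dict]:
    """Scan only the lines a commit would add, which is what a pre-commit hook sees."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)

# Constructed sample: AWS's documented example key pair (not a live credential)
# plus a low-entropy 40-char string that the bare regex alone would flag.
SAMPLE = """aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
padding = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for f in hits:
        print(f"[!] line {f['line']}: {f['kind']} {f['value']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit when used as a hook
```

Install it as `.git/hooks/pre-commit` calling `scan_staged_changes()` and the commit is refused before anything reaches a remote.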
Remediation
- Immediate Credential Rotation: If AWS keys are exposed, they must be treated as compromised. Delete the access key in the IAM console immediately. Do not simply disable it; delete it to ensure it cannot be reactivated.
- Audit CloudTrail: Enable detailed AWS CloudTrail logging. Search the UserIdentityArn associated with the leaked key for any events with an EventTime between the leak commit time and now. Look for s3:GetObject, ec2:RunInstances, or iam:CreateUser events.
- Sanitize Git History: Simply deleting the file in the latest commit is insufficient. Use tools like BFG Repo-Cleaner or git filter-repo to remove the sensitive file from all commits in the repository history.
- Implement Pre-Commit Hooks: Mandate the use of git-secrets or truffleHog across all developer workstations and CI/CD pipelines. These tools scan commits for regex patterns matching API keys before they are pushed to remote repositories.
- Network Segmentation for Git: Consider requiring VPN access or specific internal IP ranges to push to corporate Git repositories. Block direct outbound SSH/HTTPS to github.com from production servers if not explicitly required.
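The CloudTrail audit step above, worked as an added example that is not part of the original post: given exported CloudTrail records, it returns every call made with the leaked access key ID from the leak commit time onward and tags the watch-list actions. The records, key, account ID and timestamps are constructed placeholders (the key is AWS's documentation example). Two caveats that the code comments repeat: s3:GetObject is a data event and only appears if data-event logging was enabled, and CloudTrail delivery lags by several minutes, so re-run the audit later.

```python
import json
from datetime import datetime, timezone

# Actions the post flags as the ones to look for after an AWS key leaks.
# Note: GetObject is an S3 data event; it is absent unless data-event logging is on.
HIGH_RISK_EVENTS = {"GetObject", "RunInstances", "CreateUser"}

def parse_ts(s: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2026-05-12T14:41:10Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_leaked_key(records: list[dict], access_key_id: str, leak_time: str) -> list[dict]:
    """Events made with access_key_id at or after leak_time, oldest first, tagged high_risk
    when the action is on the watch list. CloudTrail delivery lags, so re-run later."""
    since = parse_ts(leak_time)
    hits = []
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("accessKeyId") != access_key_id or parse_ts(r["eventTime"]) < since:
            continue
        hits.append({
            "eventTime": r["eventTime"],
            "eventName": r["eventName"],
            "eventSource": r.get("eventSource"),
            "sourceIPAddress": r.get("sourceIPAddress"),
            "arn": ident.get("arn"),
            "high_risk": r["eventName"] in HIGH_RISK_EVENTS,
        })
    return sorted(hits, key=lambda h: h["eventTime"])

def load_cloudtrail(path: str) -> list[dict]:
    """Load one CloudTrail log file, whose top-level shape is {"Records": [...]}."""
    with open(path) as fh:
        return json.load(fh)["Records"]

def rec(t, name, src, key, ip):
    """Build a minimal constructed record with only the fields the audit uses."""
    return {"eventTime": t, "eventName": name, "eventSource": src, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": "arn:aws-us-gov:iam::123456789012:user/contractor"}}  # placeholder account

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key, used as a placeholder
LEAK_TIME = "2026-05-12T14:30:00Z"   # constructed: timestamp of the offending commit
SAMPLE_RECORDS = [  # constructed: one legitimate pre-leak call, then activity from an unfamiliar IP
    rec("2026-05-10T08:00:00Z", "GetCallerIdentity", "sts.amazonaws.com", LEAKED_KEY, "198.51.100.5"),
    rec("2026-05-12T14:41:10Z", "GetCallerIdentity", "sts.amazonaws.com", LEAKED_KEY, "203.0.113.7"),
    rec("2026-05-12T14:42:00Z", "ListBuckets", "s3.amazonaws.com", LEAKED_KEY, "203.0.113.7"),
    rec("2026-05-12T14:50:00Z", "GetObject", "s3.amazonaws.com", LEAKED_KEY, "203.0.113.7"),
    rec("2026-05-12T15:05:00Z", "RunInstances", "ec2.amazonaws.com", LEAKED_KEY, "203.0.113.7"),
    rec("2026-05-12T15:06:00Z", "ListUsers", "iam.amazonaws.com", "AKIAI44QH8DHBEXAMPLE", "198.51.100.5"),
]
```

For a real investigation, replace SAMPLE_RECORDS with `load_cloudtrail(path)` over each exported log file, or run the same filter as an Athena query against the CloudTrail table.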