CISA GitHub Leak: A Postmortem on Cloud Key Hygiene
It’s humbling (and terrifying) to see CISA release a postmortem on how one of their contractors left AWS GovCloud keys sitting in a public GitHub repo for six months. It wasn’t their automated defenses catching it; it was Brian Krebs. If it can happen to the agency tasked with securing US critical infrastructure, it is absolutely happening in your supply chain too.
The core failure here isn't just the leak; it's the lack of basic monitoring. We can ban pushing keys all day, but we need to assume failure. If you aren't actively scanning your organization's code history, you should start today. You can use git-secrets or just a simple ripgrep command to hunt for patterns:
# Scan git history for AWS Access Key patterns (AKIA...)
git log -p --all -S 'AKIA' | grep -E "AKIA[0-9A-Z]{16}"
However, prevention is only half the battle. Detection is where CISA dropped the ball. You need runtime validation. If you aren't using AWS GuardDuty or IAM Access Analyzer to spot anomalies in credential usage (like keys suddenly being used from a new ISP or geography), you are flying blind.
The elephant in the room is third-party risk. How many of you actively scan your vendors' or contractors' public repos for your company name, domains, or internal project names?
This is exactly why we mandate a pre-commit hook framework for all our devs and contractors. We use a customized trufflehog setup that blocks the commit if it detects entropy high enough to be a key.
# Example conceptual check for high entropy strings
import math, re
def shannon_entropy(string):
prob = [float(string.count(c)) / len(string) for c in dict.fromkeys(list(string))]
entropy = -sum([p * math.log(p) / math.log(2.0) for p in prob])
return entropy
But I agree with the runtime point. We had a dev expose a key, but our CloudTrail alerts fired within 10 minutes because we had an alarm on ConsoleLogin without MFA. You need layers.
From a pentester's perspective, finding keys in public repos is still the easiest way to gain initial access. I use shhgit constantly to monitor targets during engagements.
Regarding contractors: We actually include a clause in our MSA that allows us to audit their public GitHub footprint. It sounds aggressive, but after this CISA news, I'm glad we have it. You can't outsource accountability.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access