All incidents

CISA contractor leaks AWS GovCloud keys on GitHub for six months

campaignopenJul 10, 2026 — Jul 13, 2026
CISA contractor leaks AWS GovCloud keys on GitHub for six months

THE CISA confirmed that a contractor published AWS GovCloud access keys on a public GitHub repository, where they remained exposed for six months. The leak was uncovered by GitGuardian on 15 May 2026, after the keys had been accessible since late 2025. CISA said the exposure did not lead to any confirmed compromise of sensitive data.

The repository held roughly 844 megabytes of material, including the secret keys, internal scripts and configuration files. GitGuardian’s alert prompted CISA to begin revocation, but the agency noted that invalidating the keys took more than 48 hours due to the complexity of its GovCloud environment and the need to coordinate with AWS support teams. No CVEs have been assigned to the incident, as the flaw stems from credential handling rather than a software vulnerability. CISA added that the keys could have provided privileged access to storage buckets and compute instances if misused.

Threat researchers have not identified any malicious actors exploiting the keys, and CISA’s preliminary assessment found no evidence of data theft. Nevertheless, the episode highlights the danger of leaving long‑lived credentials in publicly accessible places and highlights gaps in the agency’s secret‑management practises. Experts argue that adopting zero‑trust principles and enforcing stricter access controls for public repositories could have prevented the exposure. They also note that reliance on manual key rotation lengthens the window of risk.

CISA’s postmortem report called for continuous scanning of code repositories for exposed secrets and the establishment of clearer reporting channels for security researchers. It also recommended shortening the window between detection and credential revocation by automating key rotation wherever feasible. The agency acknowledged that its incident‑response playbook needed updates to reflect the realities of cloud‑native environments. Additionally, the report stressed the importance of improved oversight of third‑party contractors who handle sensitive credentials.

Organisations should deploy automated secret‑scanning tools that run on every commit and pull request, ensuring that any leaked key is flagged before it reaches a public forum. Enforcing least‑privilege access for cloud accounts and rotating keys on a regular schedule reduces the value of any credential that might be exposed. Security teams should also maintain an open line with vulnerability‑disclosure programmes, allowing external finders to report issues quickly and safely. Implementing multifactor authentication for privileged cloud roles adds another barrier against credential misuse.

CISA said it is reviewing its contractor oversight policies, adding mandatory secret‑checks before any code is pushed to external repositories and expanding training on cloud‑security hygiene. The agency plans to test improved communication pathways with security researchers later this year, aiming to shorten the time between discovery and mitigation. These steps are intended to strengthen its defence posture and restore confidence in its handling of sensitive information.

The incident serves as a reminder for federal agencies and their suppliers that supply‑chain security extends beyond software updates to include the protection of operational credentials. By tightening vendor contracts to require regular secret audits and immediate breach notification, organisations can reduce the likelihood of similar leaks. Continuous monitoring and rapid response remain essential components of a resilient cyber‑security strategy.

Intelligence briefing updated Jul 13, 2026

Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline