Particle.news
Download on the App Store

CISA Discloses Response to Public Leak of AWS GovCloud Keys

Successful containment with no evidence of external misuse prompted CISA to overhaul its secrets management, researcher reporting, logging, development playbooks

Overview

  • A contractor’s personal GitHub repository exposed privileged CISA AWS GovCloud keys and build code, and CISA began an internal incident response on May 15 after a reporter raised the issue.
  • Responders immediately took the repo and development environment offline, revoked the contractor’s access, rotated all affected credentials, and preserved forensic artifacts for analysis.
  • Forensic review found no signs the leaked credentials were used outside CISA environments and no customer or mission data was exposed.
  • CISA identified specific gaps that slowed or complicated response: unclear researcher reporting channels, insufficient public‑repo controls, limited secret monitoring, and missing GitHub/cloud playbooks.
  • The agency is implementing fixes that include stricter controls on public uploads, enhanced automated secret scanning, broader Zero Trust protections for development systems, improved logging, and clearer instructions for external researchers.