CISA Tightens GitHub Controls After May AWS Key Leak
CISA said privileged AWS GovCloud keys from a contractor appeared in a public GitHub repository in May, prompting secret rotation, repository monitoring and new incident playbooks. The agency said logs showed no customer or mission data exposure, but it did not name the contractor, repository, exposure window or exact AWS permissions.

CISA is turning a May credential leak into a public security-cleanup plan after privileged AWS GovCloud keys from a contractor appeared in a public GitHub repository, but the agency said its log review found no customer or mission data exposure.
The U.S. Cybersecurity and Infrastructure Security Agency said it took the affected repository and developer environment offline, revoked the responsible person’s access and rotated secrets after the incident.
The agency also said it will strengthen monitoring of uploads to public repositories and improve how researchers report vulnerabilities involving CISA itself.
CISA Says Leaked Keys Were Not Used Outside The Agency
CISA said it learned on May 15 that privileged Amazon AWS GovCloud keys had been exposed through a contractor’s public GitHub repository.
The agency said it moved to stop further harm by taking the repository and developer environment offline and revoking access tied to the person responsible for the leak.
The agency said it then analysed the repository and log files to determine the scope of the incident.
According to the agency’s account cited by CyberScoop, none of the leaked credentials were used outside CISA and no customer or mission data was exposed.
The disclosure still created a public test for an agency that regularly tells other organisations to share incident-response lessons.
Acting chief information officer Preston Werntz and acting chief information security officer Brad Libbey wrote that information exchange is critical to identifying trends and broader national awareness.
GitHub Upload Monitoring Becomes A Remediation Item
CISA said the response worked in some areas because staff treated the report seriously, had usable logging and applied zero-trust principles.
The agency also identified gaps that it said need to be fixed after the GitHub exposure.
The agency said it will use endpoint detection and response capabilities to monitor and manage uploads to public repositories.
It also rotated all secrets after the leak and developed a plan to improve secrets management.
CISA said the incident showed that public-repository monitoring had to be managed before similar exposures reached the same response stage.
That remediation list is narrower than a full breach-response overhaul.
The public account did not describe customer compromise, operational disruption or data theft.
It described a contractor-driven exposure of privileged cloud credentials and a cleanup plan focused on public-repository controls, secrets management and researcher reporting channels.
Researcher Reporting Channel Remains Part Of The Fix
CISA said it wants to make it easier to report vulnerabilities related to the agency itself.
The agency said it is more accustomed to receiving vulnerability information for broader public and private-sector cyber risks than for agency-specific issues.
CISA also said it had to build a GitHub-incident playbook during the response and recognised the need to prepare playbooks for other incident types in advance.
GitGuardian security researcher Guillaume Valadon, who uncovered the leak, told CyberScoop that CISA explained what happened, what worked and what needed improvement.
Valadon also told CyberScoop that the response recognised secrets scanning and simpler researcher relations.
CISA has not named the contractor, published the exposed repository, disclosed how long the keys were visible, listed the exact AWS permissions involved or released independent validation of the log-review findings.


















