A developer just pushed an AWS secret access key to a public GitHub repository. What do you do?
Expected Points
- ✓ Explain that deleting the commit is NOT sufficient: GitHub keeps the commit reachable by its hash and in cached views, forks may already carry it, and scraper bots pull new public commits within seconds. The key must be treated as fully compromised. (3 pts)
- ✓ Immediately revoke the key in AWS IAM, before any investigation. Set it to Inactive first (instant, reversible, and it stops every call using that key), delete it once the investigation is done, and if a workload depends on it, accept the outage rather than leaving the key live. Speed is the top priority here. (3 pts)
- ✓ Query CloudTrail for all API calls made with that access key ID from the commit timestamp onward (or since the key was created, if you cannot pin down when it first became readable). Look for unexpected regions, new users/roles/access keys, attached policies, data access, and resource creation, and include denied calls, which show what the attacker tried. CloudTrail delivery lags by up to about 15 minutes, so re-run the query later, and S3 object-level reads only appear if data events are logged. (3 pts)
- ✓ Issue a replacement credential, ideally short-lived: for CI, use OIDC federation with AssumeRoleWithWebIdentity rather than long-lived keys at all. (2 pts)
- ✓ Notify security leadership and legal/compliance per the incident response plan, especially if the key had access to PII or regulated data. (2 pts)
- ✓ Remove the secret from git history (BFG Repo-Cleaner or git filter-repo; git filter-branch is deprecated), force-push, and ask GitHub Support to purge cached views of the old commits. Treat this as housekeeping, not remediation: the key is still compromised. (1 pt)
- ✓ Fix the root cause: enable GitHub secret scanning with push protection (blocks future pushes), add pre-commit hooks (gitleaks/trufflehog), and migrate to short-lived OIDC credentials so long-lived keys don't exist. (2 pts)
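The containment and investigation steps above map to two AWS CLI calls: `aws iam update-access-key --user-name <user> --access-key-id <key> --status Inactive` to revoke, and `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>` to pull the key's activity. What the interviewer wants to hear next is how you read that output. The script below is an added example, not part of the original answer or of any AWS tooling: it triages records shaped like the `lookup-events` JSON (a `CloudTrailEvent` JSON string inside each event) against the commit time and the regions the key legitimately used. The sample events, the placeholder key IDs, the IP addresses and the "expected" region set are all constructed for the example.

```python
"""Triage `aws cloudtrail lookup-events` output for a leaked access key.

Added example. The records below are constructed to mimic the CLI's JSON; the
key IDs, IPs, timestamps and expected-region list are assumptions for the demo.
"""
import json
from datetime import datetime

# Real CloudTrail eventName values a responder flags first, grouped by what they mean.
PERSISTENCE = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}
# GetObject is a data event: it only shows up in trail logs with data events enabled,
# never in lookup-events output. Kept here so the same triage works on exported logs.
DATA_ACCESS = {"GetObject", "ListBuckets", "ListObjects", "GetSecretValue", "GetParameter"}
RESOURCE_CREATION = {"RunInstances", "RequestSpotInstances", "CreateFunction20150331", "CreateDBInstance"}
RECON = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListAccessKeys", "DescribeInstances"}


def _ts(value):
    """Parse the ISO-8601 timestamps CloudTrail emits, with either 'Z' or '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(lookup_output, key_id, exposed_at, expected_regions):
    """Summarise what `key_id` did from `exposed_at` (the commit time) onward."""
    exposed = _ts(exposed_at)
    report = {
        "after_exposure": 0, "ignored": 0, "unexpected_regions": set(), "source_ips": set(),
        "persistence": [], "data_access": [], "resource_creation": [], "recon": [], "denied": [],
    }
    for ev in lookup_output["Events"]:
        # Drop other keys (an unfiltered export may contain them) and pre-exposure traffic.
        if ev.get("AccessKeyId") != key_id or _ts(ev["EventTime"]) < exposed:
            report["ignored"] += 1
            continue
        report["after_exposure"] += 1
        detail = json.loads(ev["CloudTrailEvent"])  # the full record is a JSON string
        name = detail["eventName"]
        report["source_ips"].add(detail.get("sourceIPAddress", "?"))
        if detail.get("awsRegion") not in expected_regions:
            report["unexpected_regions"].add(detail.get("awsRegion"))
        if detail.get("errorCode"):
            report["denied"].append(name)  # a failed call still reveals intent
            continue
        for bucket, names in (("persistence", PERSISTENCE), ("data_access", DATA_ACCESS),
                              ("resource_creation", RESOURCE_CREATION), ("recon", RECON)):
            if name in names:
                report[bucket].append(name)
    abused = (report["persistence"] or report["data_access"]
              or report["resource_creation"] or report["unexpected_regions"])
    # CloudTrail delivery lags ~15 min, so "nothing yet" is a reason to re-run, not to relax.
    report["verdict"] = "compromised" if abused else "no_abuse_observed_yet"
    return report


def _event(name, source, region, time, key, ip, error=None):
    """Build one lookup-events record (constructed sample data, not a real account)."""
    detail = {"eventName": name, "eventSource": source, "awsRegion": region, "eventTime": time,
              "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        detail["errorCode"] = error
    return {"EventName": name, "EventSource": source, "EventTime": time,
            "AccessKeyId": key, "CloudTrailEvent": json.dumps(detail)}


LEAKED = "AKIAEXAMPLELEAKED001"  # placeholder key ID, not a real credential
OTHER = "AKIAEXAMPLEOTHER0002"
COMMIT_TIME = "2024-05-01T12:00:00Z"  # assumed timestamp of the offending push

SAMPLE = {"Events": [
    # Legitimate CI traffic before the push: cut off by the exposure time.
    _event("PutObject", "s3.amazonaws.com", "us-east-1", "2024-05-01T11:40:00Z", LEAKED, "203.0.113.10"),
    # A different key, as an unfiltered export would contain: ignored.
    _event("ListBuckets", "s3.amazonaws.com", "us-east-1", "2024-05-01T12:01:00Z", OTHER, "203.0.113.10"),
    # Typical scraper-bot sequence: recon, data access, persistence, compute in a new region.
    _event("GetCallerIdentity", "sts.amazonaws.com", "us-east-1", "2024-05-01T12:00:41Z", LEAKED, "198.51.100.7"),
    _event("ListBuckets", "s3.amazonaws.com", "us-east-1", "2024-05-01T12:00:52Z", LEAKED, "198.51.100.7"),
    _event("CreateUser", "iam.amazonaws.com", "us-east-1", "2024-05-01T12:01:10Z", LEAKED, "198.51.100.7"),
    _event("CreateAccessKey", "iam.amazonaws.com", "us-east-1", "2024-05-01T12:01:12Z", LEAKED, "198.51.100.7"),
    _event("RunInstances", "ec2.amazonaws.com", "ap-southeast-1", "2024-05-01T12:02:30Z", LEAKED, "198.51.100.7"),
    _event("GetSecretValue", "secretsmanager.amazonaws.com", "us-east-1", "2024-05-01T12:02:45Z",
           LEAKED, "198.51.100.7", error="AccessDenied"),
]}


def triage_sample():
    """Run the triage over the constructed sample; us-east-1 is the assumed legitimate region."""
    return triage(SAMPLE, LEAKED, COMMIT_TIME, expected_regions={"us-east-1"})


if __name__ == "__main__":
    result = triage_sample()
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in result.items()}, indent=2))
```

The `persistence` bucket is the one that changes the scope of the incident: a `CreateUser` or `CreateAccessKey` means revoking the leaked key is no longer enough, and every principal and key created in the window has to be found and removed as well. A `denied` list that is not empty tells you what the attacker wanted and could not get, which is worth recording even though nothing was taken.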
Assume the key is already compromised the moment it hits a public repository — bots scan GitHub commits within seconds. Containment (revoke) takes priority over investigation. Act fast.