CISA Struggles to Contain Contractor Leak of AWS GovCloud Keys

CISA is still revoking credentials after a contractor posted AWS GovCloud keys and other secrets to a public GitHub account, drawing congressional inquiries.

*Lawmakers in Congress are pressing the Cybersecurity and Infrastructure Security Agency for details after a contractor posted agency credentials and other sensitive material to a public GitHub repository.*

CISA is still working to revoke credentials exposed when one of its contractors placed AWS GovCloud keys and additional internal material on an open GitHub account. The incident has prompted formal inquiries from members of both the House and Senate.

The contractor’s action made the keys and other agency data publicly accessible before the account was noticed. KrebsOnSecurity first reported the exposure earlier this week, and CISA has been attempting to limit further use of the leaked items since then.

Congressional offices have requested briefings and documentation on how the material was published and what steps the agency has taken to close the exposure. No timeline for full containment has been released.

What the Sources Show

The available reporting centers on two facts: the intentional posting of the keys by the contractor and the resulting demands from lawmakers. No additional technical details about the scope of the other “vast trove” of secrets have been disclosed in the source material.

Why It Matters

Agencies that hold government cloud credentials cannot afford public exposure of any duration. The episode shows how a single contractor account can bypass normal controls and force a scramble to invalidate live keys across production systems. Until CISA publishes a full account of the incident, the same risk remains for any other contractor with similar access.
