
Contractor pushed the boundary keys

A CISA contractor pushed AWS GovCloud admin keys to a public GitHub repo. The credential format, not the contractor, is the failed control.

6 min read

Opening position

A CISA contractor with administrative privileges published AWS GovCloud keys to GitHub. The identity belonged to a contractor. The environment was GovCloud. The exposure vector was a public code repository. That is the confirmed perimeter of this incident.

GovCloud exists to hold workloads that cannot sit in commercial AWS. Administrative credentials inside that environment are not general-purpose secrets. They are boundary keys. When a boundary key is published to a public surface, the boundary stops existing in a meaningful sense at the moment of publication. Whether the key was discovered by an external party, when, and what was done with it is not confirmed. The exposure itself is sufficient to treat the credential as compromised.

The actor inside the failure is a contractor with administrative rights. That is the identity to anchor on. Not CISA as an institution, not GitHub as a platform, not AWS as a provider. A human principal, granted administrative authority over a regulated cloud tenancy, moved a credential outside the tenancy and into a public namespace. Everything else in this writeup follows from that single action.

What actually failed

An administrative credential for AWS GovCloud was present on a public GitHub repository. That is the observable system state. The credential was generated, was held by the contractor, and was committed to a repository reachable from the public internet. The push succeeded. The credential was retrievable by anyone with the URL, and removing the file afterwards does not undo that: the commit stays reachable by its hash and in any fork, and public repositories are scraped for key material continuously, so the working assumption has to be that the key was collected before anyone noticed.

Whether the repository was a personal account, an organisation, or a fork is not confirmed. Whether the commit was made directly or arrived through a merge is not confirmed. Whether the key was scoped to a single service, a single account, or held broader privilege across the tenancy is not confirmed beyond the label of administrative. The fact under analysis is the placement, not the journey.

The behaviour that needed to be prevented was the export of a long-lived, high-privilege GovCloud credential to an uncontrolled surface by a contractor identity. That behaviour was not prevented. Detection of the exposure, the time between publication and discovery, and the party that surfaced it first are not confirmed. From the outside, the only signal is that the key was there.

Why it failed

A long-lived administrative credential existed in a form that could be copied into a file and pushed to a remote repository. That is the load-bearing condition. If the only way to act as a GovCloud administrator was through short-lived, identity-federated sessions tied to the contractor's workstation and policy context, the worst a commit could carry would be a session token that expires within hours. A session token is still a string and can still be pasted, so the format does not remove portability; it bounds the damage to the session's lifetime instead of to however long it takes someone to notice. The credential here existed as a static key with no expiry. The contractor handled it as one.

The contractor identity carried administrative authority over GovCloud without a control that prevented the credential material from leaving the environment in which it was issued. Whether any data loss prevention, secret scanning, or pre-commit enforcement was present on the contractor’s machine or on the destination repository is not confirmed. What is confirmed is that none of them, individually or together, blocked the publication. A control that does not stop the behaviour is not a control.

The trust model treated the contractor as a sufficient endpoint for an administrative GovCloud key. The contractor’s local environment, personal tooling, and choice of remote repository were inside the blast radius of that decision. Once the key left the issuing system, every downstream property of GovCloud, including its separation from commercial AWS and its regulated workload posture, depended on the contractor’s individual handling. That dependency was not validated continuously. It was assumed.

The mechanism is a long-lived static credential issued to a human identity with administrative scope, handled outside any enforced channel that prevents export. The credential’s portability is the failure condition. A string that can be read can be copied. A string that can be copied can be pushed. Every security property after that point depends on the handler, not on the issuing system.

The contractor identity sat at the boundary between the administrative authority granted by GovCloud and the contractor’s own workstation, tooling, and remote services. That boundary was not enforced by the credential format. Administrative authority was packaged as a value the contractor could hold, move, and publish. The act of publication did not require privilege escalation, did not require bypassing a runtime control, and did not require coordination with another principal. It required a commit and a push.

Whether the contractor intended to publish the credential, whether the file was meant for a private repository and was misrouted, and whether the repository was public by design are all unconfirmed. The mechanism does not require intent. It requires only that the credential exist in a form that survives outside the issuing system, and that no enforcement intercepts its movement between the workstation and the public namespace. Both conditions held. The presence of any compensating control on the contractor's endpoint, the GitHub organisation, or the GovCloud tenancy is not confirmed. The outcome confirms that none was effective at the egress point.

The pattern is: high-privilege authority issued as a transferable artifact to an individual identity, with no enforcement at the egress point of that artifact. The artifact is the failure surface. Wherever an administrative grant is materialised as a string, a file, or a token that can be copied without re-authentication, the grant has been delegated to whatever environment now holds the artifact. The handler’s hygiene becomes the boundary. The handler’s mistakes become exposures.

The same mechanism applies to any cloud tenancy that issues static access keys to a human principal, to any signing key written to a developer workstation, to any service account credential downloaded as a file and reused across sessions. The control surface in each case is identical. A privileged credential exists as portable data. The handler is trusted to keep the data contained. Containment becomes a property of the handler’s environment, not of the credential itself. The issuing system has no further visibility once the artifact leaves.

GovCloud changes the impact, not the mechanism. The regulated posture of the environment is the reason the boundary matters, not the reason the boundary held or failed. A contractor with administrative authority over a commercial tenancy, exporting a static key to a public repository, presents the same mechanical failure. The regulated context raises the consequence ceiling. It does not raise the floor of the control. The control floor is set by the credential format. Static long-lived keys held by humans set that floor at the level of the weakest workstation in the chain.

Administrative authority over a regulated cloud environment cannot be issued as a static credential to a human identity and remain a boundary. The credential format is the control. If the credential survives outside the session that produced it, the boundary has already been delegated to every system that handles the credential downstream. Identity federation with short-lived, policy-bound sessions is the minimum condition for administrative access to GovCloud. In AWS terms that means human administrators authenticate to the organisation's identity provider and receive STS session credentials, existing IAM user access keys are inventoried and deleted, and a service control policy carries an explicit Deny on iam:CreateAccessKey (with a condition exempting any workload principal that genuinely still needs one) so the long-lived format cannot be minted again. Anything weaker is a trust assertion about the handler, not a control on the system.

Contractors operating with administrative scope require the same enforcement surface as internal administrators, with stricter egress controls, because the handling environment is not owned by the organisation that issued the authority. Secret scanning at the repository, secret detection at the push event, and refusal to issue long-lived credentials at the identity layer are three separate controls. Their absence is not three independent gaps. It is one decision to treat the contractor’s environment as a sufficient containment layer for an administrative GovCloud principal. That decision is the finding.
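The egress control discussed above, and the "secret detection at the push event" control just listed, are both checkable in code. The following is an added example for this writeup, not code from the incident, from CISA, or from any vendor's secret scanner: a pre-commit hook that refuses a commit whose staged diff carries either half of an AWS credential, and notes when the same diff also references the aws-us-gov partition. The sample diff, the file name deploy/settings.py, and the key values (the placeholder keys from the AWS documentation) are constructed.

```python
#!/usr/bin/env python3
"""Pre-commit check for AWS credential material in what is about to be committed.

Added example for this writeup; not code from the incident, from CISA, or from
any vendor's secret scanner. The sample diff below is constructed and uses the
placeholder key values from the AWS documentation.
"""
import re
import subprocess
import sys

# An access key ID is a 4-letter prefix plus 16 upper-case alphanumerics.
# AKIA marks a long-lived IAM user key, ASIA a temporary STS session key.
# GovCloud keys share this format, so one pattern covers both partitions.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-style characters. On its own that is too
# noisy to block on, so require it to follow a secret-key-looking name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_access_key|aws_secret_key)"
    r"\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Markers that tie the material to the GovCloud partition specifically.
GOVCLOUD_RE = re.compile(r"arn:aws-us-gov:|us-gov-(?:east|west)-1")

# Constructed sample: the shape of `git diff --cached` for a config file that
# should never have been written. Key values are AWS documentation examples.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
+++ b/deploy/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_DEFAULT_REGION = "us-gov-west-1"
-OLD_KEY = "AKIAI44QH8DHBEXAMPLE"
"""


def redact(value):
    """Keep enough of a value to identify it in a report without reprinting it."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text):
    """Return one finding per credential fragment on an added (or plain) line.

    Lines a diff marks as removed ("-") are skipped: deleting a key from a
    file cannot leak it. Text without diff markers is scanned line by line,
    so the same function works over a whole file in a pre-receive hook.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("-") and not line.startswith("---"):
            continue
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            kind = "temporary_key_id" if key_id.startswith("ASIA") else "long_lived_key_id"
            findings.append({"kind": kind, "line": lineno, "value": redact(key_id)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"kind": "secret_access_key", "line": lineno,
                             "value": redact(m.group(1))})
    return findings


def mentions_govcloud(text):
    return bool(GOVCLOUD_RE.search(text))


def check(text):
    """Exit status for a hook: 0 lets the commit through, 1 blocks it."""
    findings = find_aws_credentials(text)
    for f in findings:
        print(f"BLOCKED: {f['kind']} at diff line {f['line']} ({f['value']})", file=sys.stderr)
    if findings and mentions_govcloud(text):
        print("BLOCKED: the same diff references the aws-us-gov partition", file=sys.stderr)
    return 1 if findings else 0


def staged_diff():
    """What a pre-commit hook must inspect: the staged changes, not the worktree."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Install as .git/hooks/pre-commit; run with --demo to watch it block the sample.
    sys.exit(check(SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()))
```

A client-side hook is the weakest of the three layers, since the contractor can delete it; the same `find_aws_credentials` function belongs in a server-side pre-receive hook or the hosting platform's push protection, where the author of the commit cannot switch it off. It also classifies what it finds: a hook that fires on an ASIA session token is reporting an hours-long exposure, one that fires on an AKIA key is reporting exactly the condition this writeup describes.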

The credential is compromised. Treat it as compromised regardless of whether external use is confirmed. Deactivate it first, then rotate whatever depended on it, then audit every action taken under that principal across the full exposure window, including the period before publication when the credential existed in unmanaged form. The audit must cover what the key created as well as what it read: an IAM user, access key, role trust policy, or login profile made under the exposed key is a foothold that outlives revocation of the key itself. Then remove the option of issuing static administrative keys to any human identity in GovCloud. The remediation is not the rotation. The rotation only resets the same failure condition. The remediation is the removal of the format that made the rotation necessary.
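The audit step above, as an added example for this writeup and not code from the incident: a pass over CloudTrail records for the exposed key that reports how much of its activity falls after publication, which calls came from outside the networks the contractor was known to work from, and which calls created something that survives revocation. The records, timestamps, publication time, and key IDs are constructed (TEST-NET addresses and AWS documentation example keys), and the PERSISTENCE_ACTIONS table is an assumption to be extended per account.

```python
#!/usr/bin/env python3
"""Audit of every CloudTrail event recorded under an exposed access key.

Added example for this writeup. The records are constructed (TEST-NET
addresses, documentation example key IDs, invented timestamps), not from
the incident; real input is the JSON export of the GovCloud account's trail
for the exposure window. It answers three questions the rotation does not:
what the key did, from where, and whether it left anything behind.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Actions whose effect survives revocation of the key that performed them.
# Assumed starting list, not exhaustive; extend it for the account's own
# threat model.
PERSISTENCE_ACTIONS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                          "AttachUserPolicy", "PutUserPolicy", "CreateRole",
                          "UpdateAssumeRolePolicy", "AttachRolePolicy"},
    "lambda.amazonaws.com": {"CreateFunction", "UpdateFunctionCode"},
    "ec2.amazonaws.com": {"RunInstances", "AuthorizeSecurityGroupIngress"},
}

EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example, not a real key

# Constructed CloudTrail records, one JSON object per line, in the fields a
# real trail carries. Publication to GitHub is taken as 2024-05-02T13:40Z.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T09:12:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-gov-west-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"contractor-admin","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-02T14:03:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","awsRegion":"us-gov-west-1","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"contractor-admin","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-02T14:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-gov-west-1","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"contractor-admin","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-02T14:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-gov-west-1","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"contractor-admin","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-02T14:10:00Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions","awsRegion":"us-gov-west-1","sourceIPAddress":"AWS Internal","userIdentity":{"type":"IAMUser","userName":"contractor-admin","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-02T15:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"us-gov-west-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"other-admin","accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_key(records, key_id, published_at, known_networks):
    """Summarise every event the exposed key performed, in time order."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    cutoff = parse_time(published_at)
    report = {"event_count": 0, "after_publication": 0, "unknown_source": [],
              "persistence": [], "regions": set(), "first_seen": None, "last_seen": None}
    mine = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == key_id]
    for r in sorted(mine, key=lambda r: r["eventTime"]):
        t = parse_time(r["eventTime"])
        report["event_count"] += 1
        report["first_seen"] = report["first_seen"] or r["eventTime"]
        report["last_seen"] = r["eventTime"]
        report["regions"].add(r["awsRegion"])
        if t >= cutoff:
            report["after_publication"] += 1
        # Calls AWS services make on the key's behalf carry a service name or
        # "AWS Internal" here rather than an IP; only real addresses are judged.
        try:
            ip = ipaddress.ip_address(r["sourceIPAddress"])
        except ValueError:
            ip = None
        if ip is not None and not any(ip in n for n in nets):
            report["unknown_source"].append(r)
        if r["eventName"] in PERSISTENCE_ACTIONS.get(r["eventSource"], ()):
            report["persistence"].append(r)
    report["regions"] = sorted(report["regions"])
    return report


SAMPLE_RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    rep = audit_key(SAMPLE_RECORDS, EXPOSED_KEY, "2024-05-02T13:40:00Z", ["203.0.113.0/24"])
    print(f"{rep['event_count']} events under {EXPOSED_KEY[:4]}..., "
          f"{rep['after_publication']} after publication, "
          f"{len(rep['unknown_source'])} from outside known networks")
    for r in rep["persistence"]:
        print("FOLLOW UP:", r["eventTime"], r["eventName"], "from", r["sourceIPAddress"])
```

On the constructed records the report shows four of the key's five events after publication, three of them from an address outside the contractor's known range, and two of those creating a new IAM user and a new access key. Those two events are the reason deactivating the exposed key is not the end of the response: the new user and key are a second principal that the rotation never touches, and every record under them needs the same pass.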
