Check out this free automated tool that hunts for exposed AWS secrets in public repos

You can find out if your GitHub codebase is leaking keys ... but so can miscreants


A free automated tool that lets anyone scan public GitHub repositories for exposed AWS credentials has been released.

Before you say anything, yes, we're pretty sure similar programs and services are out there – including GitHub's own built-in secrets scanner – but hey, where's the harm in highlighting today the fact that this sort of software is easily available?

Security engineer Anmol Singh Yadav built AWS-Key-Hunter after he found more than 100 exposed AWS access keys, some with high privileges, in public repositories, "just waiting to be exploited," as he wrote in a blog about the discovery and the custom-built tool. 

Leaked security keys can be abused by criminals to hijack people's cloud accounts and access their AWS resources. This leads to all manner of evil deeds: Stealing compute power, illegally mining for cryptocurrency, exfiltrating financial details and other sensitive data, and then demanding a ransom payment, and changing system configurations, just to name a few. 

As we said, there are existing techniques and tools that make it easier to find leaked secrets – presumably your own so you can take the necessary steps to revoke the compromised access key and create a new one.

GitHub dorking, for example, refers to the practice of using GitHub's advanced search operators to construct queries that can locate environment files, JSON configurations, and source code files potentially containing credentials. However, because it relies on static keyword searches, this method may not effectively reveal secrets that have been obfuscated or encoded.

There's also TruffleHog, an open-source tool that scans Git repositories for high-entropy strings and credential patterns to help identify potential hardcoded AWS keys. High-entropy strings are character sequences that look random and unpredictable, which is exactly what a properly generated secret looks like, and a critical feature for ensuring strong security.

However, TruffleHog isn't designed for real-time monitoring and may sometimes generate false positives "due to its reliance on entropy-based detection," Yadav argued. 

So he developed an automated AWS key detection tool that continuously monitors GitHub repositories for exposed keys and sends real-time alerts when it detects a secret. Unlike TruffleHog, Yadav's tool is designed to keep a live watch over selected repos for leaks, particularly those somehow missed by GitHub's own scanning service.

More specifically, AWS-Key-Hunter periodically retrieves commits from target repositories and scans for AWS keys in both plaintext and base64-encoded formats. When it identifies an exposed key, it sends an immediate alert to a dedicated Discord channel. The program has some limitations: it looks only at .env, .ini, .yml, .yaml, and .json files, and its matching of access keys is incomplete, so it may not be perfect for you – but the code's there to improve and adapt if you so wish.
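To make the plaintext-plus-base64 detection and the file-type filter concrete, here is an added Python example (not the AWS-Key-Hunter code) run over constructed commit contents from a repo you own; it also carries the Shannon entropy estimate that entropy-based scanners such as TruffleHog rely on, to show why a commit hash scores as high as a key and so triggers the false positives mentioned above. The regular expressions, the entropy threshold and the sample file names are assumptions.

```python
import base64
import math
import re
from collections import Counter

# Access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars.
AKID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # candidate base64 blobs
# File types the article says AWS-Key-Hunter inspects.
SCANNED_EXT = (".env", ".ini", ".yml", ".yaml", ".json")

def shannon_entropy(s):
    """Bits of entropy per character, as entropy-based scanners estimate it."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_high_entropy(s, threshold=3.0):
    """Entropy alone cannot tell a key from a commit hash: both pass this."""
    return shannon_entropy(s) >= threshold

def find_access_key_ids(text):
    """Return key IDs found in plaintext or inside decodable base64 blobs."""
    found = {m.group(0) for m in AKID_RE.finditer(text)}
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except ValueError:  # bad padding, non-alphabet chars, non-ASCII bytes
            continue
        found.update(m.group(0) for m in AKID_RE.finditer(decoded))
    return sorted(found)

def scan_files(files):
    """Scan only watched file types; return {path: [key ids found]}."""
    hits = {}
    for path, text in files.items():
        if path.endswith(SCANNED_EXT):
            ids = find_access_key_ids(text)
            if ids:
                hits[path] = ids
    return hits

# Constructed sample commit contents: the key ID is AWS's documentation
# placeholder, not a live credential; the 40-hex string mimics a commit SHA.
PLACEHOLDER_KEY = "AKIAIOSFODNN7EXAMPLE"
FAKE_SHA = "3f9a1c0e7b2d4a6f8e1c5b7d9a0f2e4c6b8d1a3f"
SAMPLE_FILES = {
    "config.yml": f"aws_access_key_id: {PLACEHOLDER_KEY}\n",
    "settings.json": '{"token": "%s"}\n' % base64.b64encode(PLACEHOLDER_KEY.encode()).decode(),
    "notes.md": f"key: {PLACEHOLDER_KEY}\n",  # ignored: not a watched extension
    "lockfile.json": f'{{"sha": "{FAKE_SHA}"}}\n',  # high entropy, not a key
}
```

Running `scan_files(SAMPLE_FILES)` flags config.yml and settings.json only, while `is_high_entropy` passes the fake SHA just as readily as the key.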

And while Yadav says this type of automated tool "helps catch leaks before attackers do," it could also be weaponized, if pointed at another user's public repos.

There is a big disclaimer on the blog and Yadav's GitHub. 

"This tool was created for educational and experimental purposes only," he wrote. "They are not intended to be used for malicious activities or to harm others in any way."

But criminals are an innovative bunch, especially when a free tool or proof-of-concept is presented to them, and aren't always keen to follow the don't-use-for-evil rules.

When asked if he was concerned about the tool being weaponized, Yadav told The Register "this was intended as a social experiment to understand the scale of publicly exposed AWS keys on GitHub."

Yadav said he was surprised by what he found when searching for exposed secrets, and added that his findings underscore the need for better security awareness. 

"I completely understand the risks associated with such tools, which is why I included clear disclaimers to emphasize ethical use," Yadav said. "My goal was never to weaponize it but rather to raise awareness about how common these exposures are and encourage better security hygiene." ®
