by ashearer 1970 days ago
Good to know that AWS is so fast to detect this.

If good uses were common—and I'm struggling to come up with them—AWS could suppress the alert for IAM users that were already sufficiently locked down. But since that would become dangerous if the permissions were loosened later, AWS would wind up creating two classes of keys, public and non-public, in order to know whether to warn about loosening restrictions. Simpler just to forbid making keys public.

To publish such a key anyway without having to go to the trouble of unwinding an AWS auto-quarantine, breaking it up in code (like "part1" + "part2") might be enough to foil the AWS bot. Can anyone confirm?


It's actually GitHub that contacts AWS even before the commit finishes being sent to GitHub so it is indeed very fast.
Really? If GitHub is already detecting credentials that reliably, I wonder why they don't just switch repositories to temporarily private and e-mail the account owner themselves...?
Because the key has to be revoked on the AWS side, not just removed from the repo. And probably the person pushing to GitHub and the person paying the AWS bill/the AWS admin are usually not the same.
I don't think they do detection reliably; they have no idea whether it is an actual key or a placeholder used as documentation, for example. I don't know the details, but perhaps they just send it to AWS and AWS doesn't tell them whether it is an actual key or not?
Or at least display a confirmation box.
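An added example, not from any commenter and not GitHub's or AWS's own code, of what the scanning side of the detection discussed in this thread looks like: it finds AWS access key ID candidates in constructed diff lines, folds adjacent string literals so a key split into fragments is still seen, and marks well-known documentation placeholders, which is exactly why a check with the provider is still needed before a match is treated as a live key. The key ID format and the placeholder list are assumptions taken from public AWS documentation.

```python
import re

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) and are
# 20 characters long. This pattern is an assumption based on public AWS docs.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Documentation placeholder from the AWS docs. A scanner cannot tell a real
# key from a placeholder on its own, which is the point raised in the thread.
PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}

# Adjacent string literals joined with "+", e.g. "AKIA" + "...": fold them so
# the scanner sees the concatenated value instead of two harmless fragments.
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def normalize(line: str) -> str:
    """Repeatedly fold "a" + "b" into "ab" until nothing changes."""
    prev = None
    while prev != line:
        prev = line
        line = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
    return line


def scan(lines):
    """Return (line_no, key_id, verdict) for every candidate in the input."""
    findings = []
    for n, raw in enumerate(lines, 1):
        for key in KEY_ID_RE.findall(normalize(raw)):
            verdict = "placeholder" if key in PLACEHOLDERS else "candidate: verify with provider"
            findings.append((n, key, verdict))
    return findings


# Constructed sample diff lines; none of these values come from a real repository.
SAMPLE = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"   # placeholder from the AWS docs',
    'AWS_KEY = "AKIA" + "ABCDEFGHIJKLMNOP"        # key split across two literals',
    'token = "ASIAQWERTYUIOPASDFGH"',
    'not_a_key = "AKIA-short"',
]

if __name__ == "__main__":
    for n, key, verdict in scan(SAMPLE):
        print(f"line {n}: {key} -> {verdict}")
```

The verdict for a non-placeholder match is deliberately "candidate", not "leaked": only the issuing provider can say whether the ID belongs to an active key.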