AWS credential files
AWS credential files store access keys that grant programmatic access to cloud accounts. Exposure to an AI tool can lead to account takeover.
What it is
The AWS credentials file holds aws_access_key_id and aws_secret_access_key pairs per profile. These keys can create, read, and delete cloud resources within their permissions.
Why it matters for AI context
An assistant that reads a committed credentials file can leak long-lived access keys. Attackers routinely scan for these keys, and exposure often results in resource abuse or data loss.
How to keep it out of AI tools
- Store credentials in ~/.aws/credentials, not the project.
- Prefer short-lived credentials (SSO, IAM roles) over long-lived keys.
- Add credentials and .aws/ to .gitignore.
- Add the same to your AI ignore file, and rotate any exposed key.
Add to your ignore file
.aws/
credentialsIgnore files that exclude this
FAQ
- What should I do if an AWS key was exposed?
- Deactivate and delete the key in IAM immediately, rotate to a new one, and review CloudTrail for unexpected activity.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.