What it is

The AWS credentials file holds aws_access_key_id and aws_secret_access_key pairs per profile. These keys can create, read, and delete cloud resources within their permissions.

Why it matters for AI context

An assistant that reads a committed credentials file can leak long-lived access keys. Attackers routinely scan for these keys, and exposure often results in resource abuse or data loss.

How to keep it out of AI tools

  1. Store credentials in ~/.aws/credentials, not the project.
  2. Prefer short-lived credentials (SSO, IAM roles) over long-lived keys.
  3. Add credentials and .aws/ to .gitignore.
  4. Add the same to your AI ignore file, and rotate any exposed key.
Add to your ignore file
.aws/
credentials

Ignore files that exclude this

FAQ

What should I do if an AWS key was exposed?
Deactivate and delete the key in IAM immediately, rotate to a new one, and review CloudTrail for unexpected activity.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.