RedactOpsRedactOps

How AWS Access Keys End Up in Log Files (and How to Catch Them)

April 18, 2025 · 6 min read

AWS access keys are among the most dangerous secrets that can appear in log files. Unlike a database password that only works inside your network, an AWS access key works from anywhere on the internet — and a key with broad permissions can result in complete account compromise within minutes of exposure.

This is not a theoretical concern. The GitHub secret scanning team reports detecting millions of AWS key pairs per year in public repositories. The majority of real-world cloud breaches start with a leaked credential, and application logs are one of the most common sources.

How AWS keys end up in logs

The paths are surprisingly mundane:

  • Verbose SDK logging — AWS SDKs in debug mode sometimes log request headers, which include the signed credential string derived from the access key.
  • Environment variable dumps — Misconfigured applications that log their full environment on startup or crash will include AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  • Error messages — When a request fails, some frameworks log the full request including auth headers.
  • Config exports — Terraform state files, CloudFormation outputs, and ~/.aws/credentials exports shared for troubleshooting.
  • CI/CD logs — Build pipelines that echo environment variables during debugging steps and then have public log access.

What AWS key patterns look like

AWS uses a consistent prefix scheme that makes programmatic detection reliable:

  • Access Key IDs start with AKIA (long-lived) or ASIA (temporary/STS) followed by 16 uppercase alphanumeric characters. Total length: 20 characters.
  • Secret Access Keys are 40-character base64 strings. They do not have a fixed prefix, which makes them harder to detect in isolation — they are usually flagged by proximity to the key ID or by key name context (AWS_SECRET, aws_secret_access_key).

The regex for access key IDs is precise enough to have a very low false positive rate:

(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}

This pattern covers the full range of AWS access key prefixes, not just AKIA. Each prefix corresponds to a different key type (IAM user, role, federated identity, etc.).

Why regex alone is not enough

The access key ID pattern is distinctive enough that regex detection works well. Secret access keys are harder. A 40-character base64 string could be many things — a file hash, a random token, an internal ID. Context matters: the same string is high-risk next to aws_secret_access_key = and low-risk as a standalone value.

Effective detection combines:

  • The high-precision key ID pattern
  • Key-value context detection (flag the value of any key named AWS_SECRET*, *SECRET_ACCESS*, etc.)
  • Proximity detection (if an access key ID appears nearby, treat the following base64 string as the secret)

Automating detection before data leaves the device

Manual review does not scale. An engineer reviewing a 50,000-line log file for AWS keys before sending it to a vendor will miss things. The only reliable approach is automated scanning at the point of export.

RedactOps runs 30+ built-in detection patterns — including the full AWS key pattern set — locally on every piece of content before it leaves the device. AWS access key IDs are replaced with <AWS_ACCESS_KEY>, and key-value pairs containing secret access keys are replaced with <AWS_SECRET_KEY>.

For organisations with custom AWS account structures or internal tooling that uses AWS-style key formats, custom rules can extend the built-in patterns. A rule is a name, a regex pattern, and a replacement placeholder — it takes about two minutes to add.

What to do if a key has already leaked

If you find an AWS access key in a log that has been shared externally:

  1. Deactivate the key immediately in the AWS IAM console — do not delete it yet, keep it for the audit trail.
  2. Check CloudTrail for any API calls made with that key in the past 90 days, paying particular attention to calls from unfamiliar IP addresses or regions.
  3. Review the key's permissions and assess the blast radius — what could an attacker have accessed?
  4. Issue new credentials and rotate any downstream systems that used the key.
  5. Delete the deactivated key once the rotation is confirmed working.

The window between a key appearing in a public location and it being used by an attacker is measured in minutes. Speed matters.