AWS credentials distributed publicly to enable client access to the SQS API were flagged by GitHub's automated secret scanning, and AWS Support requested their deletion, even though the credentials carried intentionally limited permissions. The operational workaround adopted, base64-encoding credentials before public distribution, bypasses automated scanning but provides no real security.
From 2024-pu-exploring — Exploring Amazon Simple Queue Service (SQS) for Censorship Circumvention · §4.2 · 2024 · Free and Open Communications on the Internet
Implications
Avoid distributing static cloud API credentials to censored clients; prefer unauthenticated public endpoints, short-lived tokens vended by a broker, or IAM policies that grant write-only access to a known queue URL rather than full API key pairs.
Anticipate that automated secret-scanning (GitHub, truffleHog, etc.) will detect credentials embedded in public client code or forum posts; design credential distribution out-of-band or use anonymous access patterns from the outset.
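
Why base64 wrapping defeats only pattern matching, shown as an added example (not code from the paper or the project it describes): a scanner that decodes base64 runs before matching the AWS access key ID format recovers the same key, including through nested encoding. The key pair is the placeholder from AWS documentation; the function names and sample lines are constructed for illustration.

```python
import base64
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Runs of standard or URL-safe base64 long enough to carry a 20-character key ID.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")


def _decode(token):
    """Return the ASCII text a base64 token decodes to, or None if it is not one."""
    s = token.rstrip("=").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def find_key_ids(text, depth=3, path="plain"):
    """Return sorted (key_id, encoding_path) pairs, following nested base64."""
    hits = {(m.group(), path) for m in KEY_ID.finditer(text)}
    if depth > 0:
        for m in B64_RUN.finditer(text):
            decoded = _decode(m.group())
            if decoded:
                hits.update(find_key_ids(decoded, depth - 1, path + ">base64"))
    return sorted(hits)


# Constructed sample: the placeholder key pair from AWS documentation, not a live credential.
PAIR = b"AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ONCE = base64.b64encode(PAIR)
TWICE = base64.b64encode(ONCE)
SAMPLE = "\n".join([
    "creds_plain = '%s'" % PAIR.decode(),
    "creds_b64 = '%s'" % ONCE.decode(),
    "creds_b64x2 = '%s'" % TWICE.decode(),
])

if __name__ == "__main__":
    for key_id, path in find_key_ids(SAMPLE):
        print(key_id, "via", path)
```

The scanner assumes each encoded token is delimited by non-base64 characters (quotes, whitespace); a token fused to surrounding alphanumerics would decode misaligned and be missed.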