All posts
September 15, 20251 min read

A single leaked AWS CLI profile can burn down months of work in seconds

The AWS CLI makes it easy to manage cloud infrastructure. It also makes it easy to store sensitive data in plain text, whether in ~/.aws/credentials or environment variables. Access keys, secret keys, and session tokens live there—often untouched, often unmonitored, often left behind on laptops, disks, and repos. The problem isn’t that people don’t know these files exist. The problem is that people forget they are the keys to everything. An AWS CLI profile is more than just a convenience flag f

Free White Paper

DPoP (Demonstration of Proof-of-Possession) + Just-in-Time Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The AWS CLI makes it easy to manage cloud infrastructure. It also makes it easy to store sensitive data in plain text, whether in ~/.aws/credentials or environment variables. Access keys, secret keys, and session tokens live there—often untouched, often unmonitored, often left behind on laptops, disks, and repos. The problem isn’t that people don’t know these files exist. The problem is that people forget they are the keys to everything.

An AWS CLI profile is more than just a convenience flag for scripts. It's a loaded security vault. And by default, it’s sitting unencrypted. Anyone who copies that file has the full ability to assume the associated IAM identity. If your profile belongs to a high-privileged service account, the blast radius is huge.

The attack surface grows when these profiles spread. A build server caches them. An old engineer’s laptop still holds them. A temporary contractor sets up a profile on their machine. Shared dev boxes get them copied over for quick debugging. Each copy becomes another point of compromise.

Continue reading? Get the full guide.

DPoP (Demonstration of Proof-of-Possession) + Just-in-Time Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Version control leaks are even worse. Engineers commit .aws/credentials files by accident every day. Search any public Git repo hosting service and you’ll find thousands of leaked keys. Tools exist to scan for these, but they are reactive measures. By the time they trigger, the damage is often complete. AWS rotates compromised keys quickly upon reports, but attackers work faster.

The minimal fix is to treat AWS CLI-style profiles like you treat TLS private keys. Encrypt them on disk. Lock down file permissions. Rotate them often. Only store them where they must be stored. Use short-lived credentials from AWS SSO or STS so that even if a profile leaks, it dies within minutes.

To move beyond patchwork, use tooling that keeps sensitive data out of local files entirely. Profiles shouldn’t live longer than the terminal session that requested them. Credential injection should happen only on-demand and in-memory. Centralized access control should give you full visibility into who runs what, with what credentials, and when.

With the right approach, you never need to risk having AWS CLI credentials sitting unprotected on disks. You can see it in action with hoop.dev—live, in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts