Code Room
Category: On-call · Difficulty: Medium · ID: oc-g133
Subject: Credential leak · Level: Mid–Senior · ~35 min · Common in Security interviews · Industries: Technology, Software development

Question

At 02:14 UTC GitHub's secret-scanning partner alert fires: a long-lived AWS access key (AKIA...) for the prod 'data-pipeline' IAM user was pushed to a public repo 40 minutes ago in a commit by a contractor. CloudTrail now shows that same key making GetCallerIdentity, then ListBuckets, then GetObject calls from an IP in a hosting ASN you've never seen, ~9 minutes ago. GuardDuty has a 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' finding pending. The key has AdministratorAccess via an attached policy. How do you triage, contain, and remediate?

What a strong answer looks like

Stop the bleeding first (mitigate): deactivate the key in IAM straight away rather than waiting to rotate it or to scrub the commit. The key was public and has already been used, so it is burned no matter what the repository shows afterwards. Then form hypotheses from real signals, not assumptions: pull every CloudTrail event for that access key ID since the push, not only the nine minutes that tripped the alert, and remember that AdministratorAccess means the attacker could have created users, keys, roles, or trust-policy changes that outlive the leaked key. Enumerate exactly which objects GetObject touched so the data-exposure question has a concrete answer. Separate root cause from symptom: the contractor's commit is the vector, but a long-lived admin key living in a workload's configuration is the defect. Communicate status as you go, and close with what prevents a repeat: roles with short-lived credentials instead of IAM user keys, least privilege on the pipeline, secret scanning before push, and automatic revocation when a partner alert fires.
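The triage and containment steps above, as an added example that is not part of the original page and not anyone's production tooling. The CloudTrail records, the key ID (a placeholder), the IP addresses and the bucket names are all constructed for this example; `RecordingIAM` stands in for `boto3.client("iam")` so the containment sequence runs offline, and the inline policy name `IR-RevokeOlderSessions` is an assumed convention. The sample data includes one IAM persistence call the scenario text does not mention, so the "did the attacker outlive the key" check has something to flag.

```python
"""Leaked-key triage and containment helper (added example; not the page's code).

The CloudTrail records and IP addresses below are constructed for this example,
and the IAM client is injected so the containment sequence runs offline against
a recorder that stands in for boto3.client("iam").
"""
import json
from collections import Counter

LEAKED_KEY = "AKIAEXAMPLE0LEAKED01"   # placeholder key ID, not a real credential
IAM_USER = "data-pipeline"
KNOWN_IPS = {"10.20.30.40"}           # assumption: the pipeline's normal egress address

# Calls an attacker holding AdministratorAccess would use to outlive the key.
# Any hit means the response cannot stop at the key itself.
PERSISTENCE_CALLS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
    "CreateRole", "UpdateAssumeRolePolicy", "AttachRolePolicy", "PutRolePolicy",
    "CreateFunction20150331", "UpdateFunctionCode20150331",  # Lambda event names carry an API version
}


def _ev(time, source, name, ip, key=LEAKED_KEY, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": IAM_USER, "accessKeyId": key},
            "requestParameters": params or {}}


SAMPLE_EVENTS = [  # constructed; includes one persistence call the scenario text does not mention
    _ev("2024-05-02T01:30:11Z", "s3.amazonaws.com", "PutObject", "10.20.30.40",
        params={"bucketName": "prod-data-pipeline-exports", "key": "daily/2024-05-01.parquet"}),
    _ev("2024-05-02T02:03:52Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.45"),
    _ev("2024-05-02T02:04:10Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.45"),
    _ev("2024-05-02T02:04:41Z", "s3.amazonaws.com", "GetObject", "203.0.113.45",
        params={"bucketName": "prod-data-pipeline-exports", "key": "daily/2024-05-01.parquet"}),
    _ev("2024-05-02T02:05:03Z", "s3.amazonaws.com", "GetObject", "203.0.113.45",
        params={"bucketName": "prod-customer-db-backups", "key": "pg/2024-05-01.dump"}),
    _ev("2024-05-02T02:05:30Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.45",
        params={"userName": "ci-deployer"}),
    _ev("2024-05-02T02:06:00Z", "s3.amazonaws.com", "ListBuckets", "10.20.30.40",
        key="AKIAEXAMPLE0OTHER002"),  # a different key on the same user: must not be counted
]


def triage(events, access_key_id, known_ips):
    """Scope everything the leaked key did, not only the calls that raised the alert."""
    mine = sorted((e for e in events
                   if e["userIdentity"].get("accessKeyId") == access_key_id),
                  key=lambda e: e["eventTime"])          # ISO-8601 strings sort chronologically
    suspect = [e for e in mine if e["sourceIPAddress"] not in known_ips]
    objects = sorted({f'{e["requestParameters"]["bucketName"]}/{e["requestParameters"]["key"]}'
                      for e in suspect if e["eventName"] == "GetObject"})
    persistence = [(e["eventTime"], e["eventName"], e["requestParameters"])
                   for e in suspect if e["eventName"] in PERSISTENCE_CALLS]
    return {
        "unknown_ips": sorted({e["sourceIPAddress"] for e in suspect}),
        "first_seen": suspect[0]["eventTime"] if suspect else None,
        "last_seen": suspect[-1]["eventTime"] if suspect else None,
        "calls": Counter(e["eventName"] for e in suspect),   # what was tried, and how often
        "objects_read": objects,                              # the data-exposure answer
        "persistence": persistence,                           # anything that outlives the key
    }


def revoke_sessions_policy(cutoff_iso):
    """Explicit deny for any temporary credential issued before the cutoff.

    Same shape AWS uses for its console 'revoke active sessions' action. Attach it
    to the user, and to every role the key assumed: assumed-role sessions are not
    ended by deactivating the user's key.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}}}]}


def contain(iam, user_name, access_key_id, now_iso):
    """Stop the bleeding without destroying evidence; returns the ordered actions taken.

    Deactivate rather than delete: the key ID stays searchable in CloudTrail and the
    change is reversible if a production job turns out to depend on it. Deletion
    belongs in remediation, after the full window since the push has been reviewed.
    """
    actions = []
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    actions.append(("UpdateAccessKey", access_key_id))
    iam.put_user_policy(UserName=user_name, PolicyName="IR-RevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(now_iso)))
    actions.append(("PutUserPolicy", "IR-RevokeOlderSessions"))
    return actions


class RecordingIAM:
    """Offline stand-in for boto3.client('iam'); the method names and keyword
    arguments match the real client, but nothing is sent anywhere."""
    def __init__(self):
        self.calls = []

    def update_access_key(self, **kw):
        self.calls.append(("UpdateAccessKey", kw))

    def put_user_policy(self, **kw):
        self.calls.append(("PutUserPolicy", kw))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, LEAKED_KEY, KNOWN_IPS), indent=2))
    for api, target in contain(RecordingIAM(), IAM_USER, LEAKED_KEY, "2024-05-02T02:15:00Z"):
        print(api, target)
```

On a real incident the `triage` input would come from `lookup-events` (CloudTrail's LookupEvents API filtered by `AccessKeyId`) or an Athena query over the trail bucket, and `RecordingIAM` would be replaced by the real boto3 client; the point of the injected client is that the containment order (deactivate, then deny older sessions) can be rehearsed and reviewed before it is ever run against production.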
