How to redact AWS access keys from Markdown
1. Open the redactor: go to /markdown-tools/md-secret-redactor and paste the doc or drop the single `.md` file (one per run).
2. Keep AKIA ids uppercase: the pattern is case-sensitive (`AKIA[0-9A-Z]{16}`). Real AWS key IDs are uppercase, so genuine keys match; a deliberately lowercased example will not be redacted.
3. Set scope: leave `scanAll` off for keys inside fenced ``` blocks (the usual case for CLI transcripts). Enable it if a key id appears inline in prose or a heading.
4. Run and confirm AWS placeholders: each `AKIA...` becomes `[REDACTED_AWS_KEY]`. A secret key on a line like `aws_secret_access_key = ...` becomes `aws_secret_access_key=[REDACTED]` via the keyword rule.
5. Sweep for naked secret keys: a 40-char secret on its own line (no keyword) is NOT redacted. Search for `[A-Za-z0-9/+]{40}` strings and redact them by hand if needed.
6. Rotate in IAM, then publish: redacting the doc does not disable the key. Deactivate/delete the access key in IAM and create a fresh one before publishing.
AWS credential shapes and detection
How the redactor handles each AWS credential form. "Keyword only" means it is caught solely because a recognized keyword (secret/password/api_key/token) immediately precedes the value.
| AWS credential | Example | Detected? | Becomes |
|---|---|---|---|
| Access key ID | AKIAIOSFODNN7EXAMPLE | Yes (direct) | [REDACTED_AWS_KEY] |
| Secret access key (40 char) | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY | Keyword only | aws_secret_access_key=[REDACTED] (if prefixed) |
| Lowercase id | akiaiosfodnn7example | No | (unchanged — case-sensitive) |
| Session token (long base64) | FwoGZXIvYXdz... | Keyword only | Only if behind token=/secret= |
| Temporary ASIA... key | ASIAIOSFODNN7EXAMPLE | No | Pattern matches AKIA only, not ASIA |
| Account ID / ARN | arn:aws:iam::123456789012:user/x | No | Not a secret; left intact |
What the redactor actually detects
The five regex patterns the redactor applies, in the exact order it applies them, taken from lib/markdown/markdown-engine.ts. There are no other patterns — anything not matched here is left untouched.
| Pattern (what it matches) | Example that matches | Replaced with | Order |
|---|---|---|---|
| AWS access key id: AKIA + 16 uppercase letters/digits (case-sensitive) | AKIAIOSFODNN7EXAMPLE | [REDACTED_AWS_KEY] | 1 |
| Keyword assignment: api_key, api-key, apikey, token, secret, password, passwd, pwd, authorization followed by =, : or space, then an 8+ char value | api_key = abcd12345678 | <keyword>=[REDACTED] (separator normalized to =) | 2 |
| Bearer + an 8+ char token | Bearer eyJhbGci... | Bearer [REDACTED] | 3 |
| Three-segment JWT: eyJ + 10+ chars, dot, 10+ chars, dot, 10+ chars | eyJhbGci....eyJzdWIi....SflKxw... | [REDACTED_JWT] | 4 |
| PEM private-key block: -----BEGIN ... KEY----- ... -----END ... KEY----- | an RSA/EC/OPENSSH key block | [REDACTED_PRIVATE_KEY] | 5 |
Scope: which parts of the document are scanned
The single `scanAll` option controls scope. Default (off) restricts redaction to fenced ``` code blocks only; on scans the entire document. Inline backtick code spans and 4-space indented code are treated as prose, not code blocks.
| Document region | scanAll: false (default) | scanAll: true |
|---|---|---|
| Fenced ``` code block | Scanned | Scanned |
| Prose / paragraph text | Left untouched | Scanned |
| Inline backtick code span | Left untouched (counts as prose) | Scanned |
| 4-space indented code block | Left untouched (only ``` fences count) | Scanned |
| Headings, tables, blockquotes | Left untouched | Scanned |
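As an added example (not the project's own code), the following JavaScript reconstructs the five rules and the `scanAll` scope from the two tables above, plus a sweep for the gaps Step 5 tells you to check by hand. The concrete regexes, the unterminated-fence handling and the case-insensitive keyword match are assumptions made from the descriptions, not copied from markdown-engine.ts.

```javascript
// Added example (not the project's markdown-engine.ts): a reconstruction of the
// five-rule redactor described on this page, built from the tables above. Rule
// order, placeholders and scope follow the page; case-insensitive keyword
// matching (the "i" flag in rule 2) is an assumption.
const KEYWORD = "api[_-]?key|token|secret|password|passwd|pwd|authorization";
const RULES = [
  // 1. AWS access key id: AKIA + 16 uppercase letters/digits, case-sensitive
  [/AKIA[0-9A-Z]{16}/g, "[REDACTED_AWS_KEY]"],
  // 2. identifier containing a keyword, = : or space, then an 8+ char value;
  //    the separator is normalized to "=" (e.g. aws_secret_access_key=[REDACTED])
  [new RegExp(`([\\w-]*(?:${KEYWORD})[\\w-]*)\\s*[=:\\s]\\s*\\S{8,}`, "gi"),
   (_, kw) => `${kw}=[REDACTED]`],
  // 3. Bearer + 8+ char token
  [/\bBearer\s+\S{8,}/g, "Bearer [REDACTED]"],
  // 4. three-segment JWT: eyJ + 10+ chars, dot, 10+ chars, dot, 10+ chars
  [/eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}/g, "[REDACTED_JWT]"],
  // 5. PEM private-key block, which may span many lines
  [/-----BEGIN [A-Z ]*KEY-----[\s\S]*?-----END [A-Z ]*KEY-----/g, "[REDACTED_PRIVATE_KEY]"],
];
function applyRules(text) {
  return RULES.reduce((t, [re, rep]) => t.replace(re, rep), text);
}
// scanAll=false (default): only the bodies of ``` fenced blocks are scanned;
// prose, inline `code`, headings and 4-space indented code stay untouched.
function redactMarkdown(md, { scanAll = false } = {}) {
  if (scanAll) return applyRules(md);
  let out = [], buf = [], inFence = false;
  for (const line of md.split("\n")) {
    if (/^\s*```/.test(line)) {
      if (inFence) { out.push(applyRules(buf.join("\n"))); buf = []; }
      inFence = !inFence;
      out.push(line);
    } else if (inFence) buf.push(line);
    else out.push(line);
  }
  if (buf.length) out.push(applyRules(buf.join("\n"))); // unterminated fence
  return out.join("\n");
}
// Step 5 of the guide: run over the redacted output and list what the rules
// leave behind (naked 40-char secrets, ASIA temporary keys) for manual review.
function sweepGaps(md) {
  const hits = [];
  md.split("\n").forEach((line, i) => {
    if (/(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])/.test(line))
      hits.push({ line: i + 1, kind: "naked-40-char" });
    if (/\bASIA[0-9A-Z]{16}\b/.test(line)) hits.push({ line: i + 1, kind: "asia-temp-key" });
  });
  return hits;
}
```

Run `sweepGaps` on the output of `redactMarkdown`, not on the input, so that secrets the keyword rule already caught are not reported a second time.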
Cookbook
AWS-specific runs against the real engine. Uses AWS's own documentation example values, which are safe to publish.
aws configure transcript
The access-key ID is matched directly; the secret key is matched only because aws_secret_access_key contains the secret keyword.
Input:

```bash
$ aws configure
AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

Output:

```bash
$ aws configure
AWS Access Key ID: [REDACTED_AWS_KEY]
aws_secret_access_key=[REDACTED]
```
Naked secret key is missed
Without a keyword, the 40-char secret looks like random base64 and matches no pattern. This is the #1 AWS gap.
Input:

```text
AKIAIOSFODNN7EXAMPLE
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

Output:

```text
[REDACTED_AWS_KEY]
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

The key id went; the secret stayed. Add a keyword or redact it manually.
Temporary ASIA key is not caught
STS temporary credentials use an ASIA prefix. The pattern matches AKIA only, so temporary keys slip through.
Input:

```ini
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
```

Output (unchanged: ASIA is not matched, and aws_access_key_id ends in _id, which is not a keyword):

```ini
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
```
Lowercase example is preserved
A deliberately lowercased key in a tutorial stays as-is because the AWS pattern is case-sensitive.
Input:

```text
akiaiosfodnn7example
```

Output (unchanged):

```text
akiaiosfodnn7example
```
Key id mentioned in prose needs scanAll
If a sentence names the AKIA id, default scope skips it because only fenced blocks are scanned.
Input (a prose sentence, no fence):

Replace `AKIAIOSFODNN7EXAMPLE` with your own key id.

scanAll: false → unchanged

scanAll: true → Replace `[REDACTED_AWS_KEY]` with your own key id.
Edge cases and what actually happens
Naked 40-char secret access key
Not detected. No standalone pattern; it is indistinguishable from random base64. Caught only when keyword-prefixed (`aws_secret_access_key=`). Sweep manually.
Lowercase `akia...`
Not detected. The pattern is case-sensitive (`AKIA[0-9A-Z]{16}`). Real keys are uppercase, but lowercased examples are missed.
Temporary `ASIA...` STS key
Not detected. The pattern matches the AKIA prefix only. Temporary credentials with ASIA are not redacted.
`aws_access_key_id=AKIA...`
Redacted. Expected; the AKIA value is caught by the AWS pattern regardless of the surrounding key name.
Session token (long base64) with no keyword
Not detected. Matches no pattern on its own. Only redacted behind `token=`/`secret=`.
Key id in prose, scanAll off
Preserved. By design; default scope is fenced code blocks. Enable `scanAll` for prose mentions.
ARN or account ID
Preserved. Not a secret; ARNs and 12-digit account IDs are intentionally left intact.
Doc over Free tier limits
Rejected. Free is 1 MB / 500,000 chars / 1 file. Split with md-splitter or upgrade.
Key already pushed to a public repo
Action required. Redacting the doc does not disable the key. Deactivate it in IAM immediately and rotate.
Frequently asked questions
What AWS credential does it detect directly?
The access-key ID: AKIA followed by 16 uppercase letters/digits, replaced with [REDACTED_AWS_KEY]. It is case-sensitive.
Does it catch the secret access key?
Only when a keyword precedes it, e.g. aws_secret_access_key = ..., via the generic keyword rule. A naked 40-char secret matches no pattern.
Why is the secret key so hard to detect?
It is 40 characters of base64 with no fixed prefix, indistinguishable from random data. Reliable detection needs a keyword anchor or entropy analysis, which this tool does not do.
Are temporary ASIA keys caught?
No. The pattern matches the AKIA prefix only. STS temporary credentials (ASIA...) are not redacted.
Does case matter?
Yes. The pattern requires uppercase AKIA + uppercase/digit characters. A lowercased example is not matched.
Does it scan keys mentioned in prose?
Only with `scanAll` on. By default it scans fenced ``` code blocks, where CLI transcripts and `.env` snippets sit.
Is the doc uploaded for scanning?
No. It runs in your browser, so a tutorial draft with live IAM keys stays local.
Should I rotate a key after redacting?
Always. A leaked AWS key is compromised the moment it is exposed. Deactivate it in IAM and create a new one — redaction alone is not enough.
Does it check Git history?
No. It rewrites the current document only. Use BFG or git-filter-repo for history, then rotate.
Can I scrub several docs at once?
No. `acceptsMultiple` is false: one document per run.
Can I add a pattern for the secret key?
No. The only control is scanAll. There is no custom-pattern field; pair with gitleaks for entropy-based secret-key detection.
What related tools help with cloud docs?
Rewrite image paths with md-image-path-rewriter, validate links with md-link-validator, and lint with md-lint.
Privacy first
All Markdown processing runs locally in your browser using JavaScript. No file is ever uploaded to JAD Apps servers — only metadata counters are saved for signed-in dashboard stats.