TLS certificates, unlike wine, do not get better with age. Refresh them before they hit the end of their lifecycle.
TLS, HTTPS. These are an important step in defence in depth. Get your entire domain on the https-only list at hstspreload.org, thank me later.
Github ransomware. It might be a misdirection to hide more surreptitious changes to the codebase for you to import into your cloud.
Your virtual-private-cloud private IP setup still has access to key API’s such as storage and messaging. Have you considered exfiltration through these?