diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
index aae0734..9ef8fec 100644
--- a/pre_commit_hooks/detect_aws_credentials.py
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -31,7 +31,7 @@ def get_aws_secrets_from_env() -> Set[str]:
     for env_var in (
         'AWS_SECRET_ACCESS_KEY', 'AWS_SECURITY_TOKEN', 'AWS_SESSION_TOKEN',
     ):
-        if env_var in os.environ:
+        if env_var in os.environ and os.environ[env_var]:
             keys.add(os.environ[env_var])
     return keys
 
@@ -84,7 +84,7 @@ def check_file_for_aws_keys(
             for key in keys:
                 # naively match the entire file, low chance of incorrect
                 # collision
-                if key and key in text_body:
+                if key in text_body:
                     bad_files.append(BadFile(filename, key[:4].ljust(28, '*')))
     return bad_files
 
diff --git a/tests/detect_aws_credentials_test.py b/tests/detect_aws_credentials_test.py
index 777fb48..46e5b36 100644
--- a/tests/detect_aws_credentials_test.py
+++ b/tests/detect_aws_credentials_test.py
@@ -47,6 +47,8 @@ def test_get_aws_credentials_file_from_env(env_vars, values):
         ({'AWS_SECRET_ACCESS_KEY': 'foo'}, {'foo'}),
         ({'AWS_SECURITY_TOKEN': 'foo'}, {'foo'}),
         ({'AWS_SESSION_TOKEN': 'foo'}, {'foo'}),
+        ({'AWS_SESSION_TOKEN': ''}, set()),
+        ({'AWS_SESSION_TOKEN': 'foo', 'AWS_SECURITY_TOKEN': ''}, {'foo'}),
         ({'AWS_DUMMY_KEY': 'foo', 'AWS_SECRET_ACCESS_KEY': 'bar'}, {'bar'}),
         (
             {'AWS_SECRET_ACCESS_KEY': 'foo', 'AWS_SECURITY_TOKEN': 'bar'},