How to fix exposed AWS access keys in client code
Your AWS access key (usually starts with `AKIA`) is in your client code. AWS credentials in a public place are treated as an emergency — AWS itself will often notify you and auto-quarantine the account. Fix: (1) rotate in IAM Console immediately; (2) audit CloudTrail for the last 30 days to find unauthorized use; (3) remove from codebase and git history; (4) move every AWS SDK call server-side, or use Cognito Identity Pools / STS for temporary, scoped credentials.
Why it matters
A leaked AWS key can result in: EC2 instances mining crypto ($10K+/day bills), S3 buckets deleted, data exfiltrated, account hijacked. AWS has a support process for the resulting bills but it is painful.
How to check
1. Search the bundle for `AKIA` (access key ID) and `aws_secret_access_key`.
2. AWS Console → IAM → Users → Security credentials → Access keys → look at Last used.
3. CloudTrail → Event history → filter by access key ID to see every action.
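For the first check, here is a small scanner as an added example (it is not SafeToShip's scanner or any code from this page): it walks a build output directory, reports access key IDs and secret keys by line and column (minified bundles are often a single line), and redacts everything it prints so the scan log does not become a second leak. The sample bundle, the file suffix list and the config-name patterns it anchors on are constructed; the credential values are AWS's documentation example pair, not real keys.

```python
import re
import sys
from pathlib import Path

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
# Neither belongs in a shipped bundle.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. Matching the
# bare 40-char pattern floods you with hashes and tokens, so anchor on the
# config names the AWS SDKs, CLI and .env files use.
SECRET_KEY = re.compile(
    r"(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|secretAccessKey)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Show just enough to match the key against IAM, never the whole credential."""
    return value[:4] + "..." + value[-4:]


def _finding(kind, text, offset, value):
    line_start = text.rfind("\n", 0, offset) + 1
    return {
        "kind": kind,
        "line": text.count("\n", 0, offset) + 1,
        "col": offset - line_start + 1,
        "offset": offset,
        "redacted": redact(value),
    }


def scan_bundle(text: str) -> list:
    """Return every credential-looking match in one file's text, in file order."""
    findings = [_finding("access_key_id", text, m.start(), m.group(0))
                for m in ACCESS_KEY_ID.finditer(text)]
    findings += [_finding("secret_access_key", text, m.start(1), m.group(1))
                 for m in SECRET_KEY.finditer(text)]
    return sorted(findings, key=lambda f: f["offset"])


def scan_dir(root, suffixes=(".js", ".mjs", ".map", ".html", ".json")):
    """Walk a build output directory (e.g. dist/ or .next/) and scan every text asset."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            found = scan_bundle(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                results[str(path)] = found
    return results


# Constructed bundle fragment using the AWS documentation example credentials.
SAMPLE_BUNDLE = (
    'var cfg={region:"us-east-1",credentials:{accessKeyId:"AKIAIOSFODNN7EXAMPLE",'
    'secretAccessKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}};\n'
    'var cacheKey="AKIAfakebutlowercase1234";\n'  # wrong alphabet: not a key ID
    'var sha="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";\n'  # a hash: ignored
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_dir(sys.argv[1])
    else:
        sample = scan_bundle(SAMPLE_BUNDLE)
        hits = {"<sample>": sample} if sample else {}
    for path, found in hits.items():
        for f in found:
            print(f"{path}:{f['line']}:{f['col']}: {f['kind']} {f['redacted']}")
    sys.exit(1 if hits else 0)  # non-zero exit makes this usable as a CI gate
```

Run it against the build output (`python scan_bundle.py dist/`) rather than the source tree: what matters is what actually ships, and a key can arrive in the bundle through an environment variable the bundler inlined even when the source looks clean.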
How to fix it
AWS Console
IAM → Users → Your user → Security credentials → Make access key inactive → then Delete. Create a new one only if needed for server use.
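Step (2) of the fix in the summary above, and the third check in "How to check", is the CloudTrail audit of what the key was used for. The following Python is an added example, not code from this page or from AWS: it summarises Event history records for one access key, separating reads from writes and known source IPs from unknown ones, so the triage starts from the writes and the unfamiliar addresses instead of from hundreds of routine reads. The records are constructed (field names follow the CloudTrail record format; the IPs come from the documentation ranges; the key IDs are the AWS documentation example and a made-up sibling), and the HIGH_RISK list is a selection of mine, not an AWS-defined set.

```python
import json
import sys
from collections import Counter

# API calls that most often appear in key-abuse incidents. Every write is worth
# reviewing; these are pulled out so they are read first.
HIGH_RISK = {
    "RunInstances", "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "PutBucketPolicy", "DeleteBucket",
    "DeleteObject", "UpdateAssumeRolePolicy",
}


def _event(time, source, name, region, ip, key, read_only, error=None):
    # Builder for the constructed sample below; field names follow the CloudTrail record format.
    e = {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
         "sourceIPAddress": ip, "readOnly": read_only,
         "userIdentity": {"type": "IAMUser", "userName": "web-app", "accessKeyId": key}}
    if error:
        e["errorCode"] = error
    return e


LEAKED = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example key ID
OTHER = "AKIAOTHERKEY000000EX"    # constructed: a different, unaffected key
APP_IP, UNKNOWN_IP = "198.51.100.5", "203.0.113.77"   # documentation IP ranges

# Constructed records: the app's usual read, then activity from an IP the app never uses.
SAMPLE_EVENTS = [
    _event("2024-01-05T09:58:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", APP_IP, LEAKED, True),
    _event("2024-01-05T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", UNKNOWN_IP, LEAKED, True),
    _event("2024-01-05T10:00:30Z", "s3.amazonaws.com", "ListBuckets", "us-east-1", UNKNOWN_IP, LEAKED, True),
    _event("2024-01-05T10:02:00Z", "ec2.amazonaws.com", "RunInstances", "us-west-2", UNKNOWN_IP, LEAKED, False),
    _event("2024-01-05T10:03:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1", UNKNOWN_IP, LEAKED, False),
    _event("2024-01-05T10:04:00Z", "s3.amazonaws.com", "DeleteBucket", "us-east-1", UNKNOWN_IP, LEAKED, False, "AccessDenied"),
    _event("2024-01-05T10:05:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", APP_IP, OTHER, True),
]


def triage(events, access_key_id, known_ips=frozenset()):
    """Summarise what one access key did, from CloudTrail Event history records."""
    mine = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    mine.sort(key=lambda e: e["eventTime"])
    writes, errors, ips, regions = [], 0, set(), set()
    for e in mine:
        ips.add(e.get("sourceIPAddress", "?"))
        regions.add(e.get("awsRegion", "?"))
        if e.get("errorCode"):
            errors += 1  # denied calls still show intent and which permissions were probed
        # readOnly is absent from some records; treat "unknown" as a write so it gets looked at.
        if not e.get("readOnly", False):
            writes.append({"time": e["eventTime"], "name": e["eventName"],
                           "source": e.get("eventSource", "?"), "region": e.get("awsRegion", "?"),
                           "ip": e.get("sourceIPAddress", "?"), "error": e.get("errorCode")})
    return {
        "matched": len(mine),
        "first_seen": mine[0]["eventTime"] if mine else None,
        "last_seen": mine[-1]["eventTime"] if mine else None,
        "by_name": dict(Counter(e["eventName"] for e in mine)),
        "unknown_ips": sorted(ips - set(known_ips)),
        "regions": sorted(regions),
        "errors": errors,
        "writes": writes,
        "high_risk": [w["name"] for w in writes if w["name"] in HIGH_RISK],
    }


def load_events(path):
    """Accept either a plain list of records or `aws cloudtrail lookup-events` output."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if isinstance(data, dict) and "Events" in data:
        return [json.loads(ev["CloudTrailEvent"]) for ev in data["Events"]]
    return data


if __name__ == "__main__":
    events = load_events(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    key_id = sys.argv[2] if len(sys.argv) > 2 else LEAKED
    print(json.dumps(triage(events, key_id, known_ips={APP_IP}), indent=2))
```

To feed it real data, export Event history filtered on the key (`aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key id>`) and pass the JSON file as the first argument. Event history is per region, so repeat the export for every region, including ones you never use; a key abused from a region you do not operate in is exactly what the `regions` field is meant to surface.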
Use STS for clients
Never ship static AWS keys to browsers. Use Cognito Identity Pools to issue short-lived, scoped credentials, or have your backend generate presigned URLs (for S3) or temporary tokens.
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
AWS access keys (AKIA prefix) are in my client JavaScript. This is critical. Walk me through: (1) rotating the key in IAM Console; (2) running CloudTrail queries to find what the key has been used for in the last 30 days; (3) auditing S3 buckets and EC2 instances for unauthorized changes; (4) removing the key from my codebase and git history with `git filter-repo`; (5) replacing the client usage with S3 presigned URLs or STS temporary credentials generated by my server.
FAQ
Frequently asked questions
- I'm uploading files directly to S3 from the browser. How?
- Generate a presigned PUT URL on your server with a short TTL (5 minutes). The browser uploads to that URL. The AWS key never touches the browser.
- What if my git history still has the key?
- The key remains compromised even after you rotate it — because an attacker might have already saved it. Rotate and consider the key permanently burned. For the history: `git filter-repo --replace-text` or BFG Repo-Cleaner.
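The presigned-URL pattern from "Use STS for clients" and the first FAQ answer, as an added example that is not part of this page or of any AWS SDK: a server-side PUT presigner written with only the Python standard library so the Signature Version 4 mechanics are visible, plus the check S3 performs when the URL is used (expiry first, then signature). Seeing both sides shows why the secret never has to reach the browser: the URL carries the key ID, the scope and an HMAC, and only the holder of the secret (your server, and S3) can produce or verify that HMAC. The bucket, object key, clock and credentials are constructed (the key pair is AWS's documentation example); in a real service use your SDK's presigner with credentials taken from the runtime role.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlparse

SERVICE = "s3"
MAX_TTL_SECONDS = 300  # ceiling for upload URLs; the page recommends 5 minutes

# AWS documentation example credentials (not real). A production server reads
# its credentials from the instance or Lambda role, never from source.
EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # SigV4 key derivation: the raw secret is never used to sign anything directly.
    k = _hmac(("AWS4" + secret).encode("utf-8"), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name, RFC 3986 encoding ("/" in the credential becomes %2F).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(method, host, path, params, secret, amz_date, datestamp, region) -> str:
    # Presigned S3 URLs sign only the host header and leave the body unsigned.
    canonical_request = "\n".join(
        [method, path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = _signing_key(secret, datestamp, region)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_put(bucket, key, region, access_key_id, secret_access_key,
                ttl_seconds=MAX_TTL_SECONDS, now=None):
    """Server side: build a PUT URL the browser can use without ever seeing the secret."""
    ttl = max(1, min(int(ttl_seconds), MAX_TTL_SECONDS))  # clamp: the server owns the TTL
    now = now or datetime.now(timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")  # each path segment encoded once, "/" kept
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{datestamp}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(ttl),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("PUT", host, path, params, secret_access_key, amz_date, datestamp, region)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_put(url, secret_access_key, now=None):
    """What S3 does on receipt: check expiry, recompute the signature, compare."""
    parts = urlparse(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        _, datestamp, region, _, _ = params["X-Amz-Credential"].split("/")
        amz_date = params["X-Amz-Date"]
        signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        ttl = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    now = now or datetime.now(timezone.utc)
    if now > signed_at + timedelta(seconds=ttl):
        return False, "expired"
    expected = _signature("PUT", parts.netloc, parts.path, params,
                          secret_access_key, amz_date, datestamp, region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Deterministic walk-through on a fixed clock (constructed values)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_put("example-uploads", "uploads/report 1.pdf", "us-east-1",
                      EXAMPLE_KEY_ID, EXAMPLE_SECRET, ttl_seconds=3600, now=t0)  # 3600 is clamped to 300
    return {
        "url": url,
        "fresh": verify_presigned_put(url, EXAMPLE_SECRET, now=t0 + timedelta(seconds=299)),
        "stale": verify_presigned_put(url, EXAMPLE_SECRET, now=t0 + timedelta(seconds=301)),
        "forged": verify_presigned_put(url, "not-the-real-secret-key-at-all", now=t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In production, boto3's `generate_presigned_url("put_object", Params=..., ExpiresIn=300)` does the same signing; the hand-rolled version is here to make clear what is in the URL (key ID, scope, expiry, signature) and what is not (the secret). Two things carry over to any implementation: the TTL is only a control if the server sets it, which is what the clamp on `ttl_seconds` enforces, and the key used to sign should have a policy limited to `s3:PutObject` on the upload prefix, so a captured URL is worth at most one object write for five minutes.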