Critical: act in the next 60 seconds

AWS access key leaked? Disable it in IAM right now

Your AWS access key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Revoke

    Sign into the AWS Console → IAM → Users → find the user → Security credentials → Make the access key inactive.

  2. Rotate

    Create a new access key, update your server env vars, then delete the old one.

  3. Scan

    Open CloudTrail Event history and filter on the leaked access key ID (the "AWS access key" lookup attribute). Look back to when the key could first have leaked (the commit or deploy time), not just the last 24 hours, and expect a lag of several minutes before the newest events show up. Flag GetCallerIdentity from an unknown IP (the attacker's usual first call), RunInstances (compute abuse), and CreateUser, CreateAccessKey, CreateLoginProfile or AttachUserPolicy (persistence), and revoke anything those created.

Step 01 — Revoke

Kill the leaked credential first

IAM → Users → click the user that owns the key → Security credentials tab → Access keys section → Actions → Make inactive. Inactive is faster than delete and reversible while you confirm you picked the right key; once the new key is in place, delete the old one.

Two caveats. Deactivating the key stops new requests signed with it, but session credentials the attacker may already have minted from it with sts:GetSessionToken keep working until they expire; attaching the AWS managed AWSDenyAll policy to the user while you investigate cuts those off too, because permissions are evaluated on every request. If the user can assume roles, check CloudTrail for AssumeRole calls and use "Revoke active sessions" on those roles. And if AWS detected the leak before you did, it may already have attached AWSCompromisedKeyQuarantineV2 to the user; leave that in place until rotation is done.


Step 02 — Rotate

Update the new key in the right place

Server-side environment variables only: never in client code, and never under a NEXT_PUBLIC_ prefix, which Next.js inlines into the browser bundle. If the server runs on EC2, ECS or Lambda, prefer the execution role over a static key entirely; the SDK's default credential chain picks the role up with no configuration.

Use AWS env vars on the server only
// Server-side only. Never prefix these with NEXT_PUBLIC_: Next.js inlines such vars into the browser bundle.
import { S3Client } from '@aws-sdk/client-s3';

const { AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION = 'us-east-1' } = process.env;
if (!AWS_ACCESS_KEY_ID || !AWS_SECRET_ACCESS_KEY) {
  // Fail at startup instead of at the first request with a vague SDK credential error.
  throw new Error('AWS credentials are missing from the server environment');
}

const s3 = new S3Client({
  region: AWS_REGION,
  credentials: { accessKeyId: AWS_ACCESS_KEY_ID, secretAccessKey: AWS_SECRET_ACCESS_KEY },
});
// On EC2, ECS or Lambda, omit `credentials` entirely: the SDK uses the execution role and there is no static key to leak.

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan the deployed bundle and the git history for other credentials that shipped in the same deploy (other AWS keys, database URLs, third-party API tokens): a key that reached the browser rarely travels alone. Rotate anything you find the same way, and remember that rotating does not remove the old value from git history or from any build artefact still being served.
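The CloudTrail review from the checklist above, as an added example that is not code from the original page: it filters an exported CloudTrail `Records` file down to calls signed by the leaked key since a cutoff time, flags calls from outside your known egress ranges or matching well-known abuse and persistence events, and lists the IAM users the attacker created so you can revoke those too. The records, key IDs and the 203.0.113.0/24 allowlist are constructed; the record shape matches CloudTrail's JSON.

```python
"""Triage CloudTrail records for calls made with a leaked access key (added example)."""
import ipaddress
import json
from datetime import datetime, timezone

# eventName -> why it matters when it arrives signed by a leaked key
SUSPICIOUS_EVENTS = {
    "GetCallerIdentity": "recon: attacker checking whose key this is",
    "RunInstances": "compute abuse, typically cryptomining",
    "CreateUser": "persistence: new principal",
    "CreateAccessKey": "persistence: new long-lived key",
    "CreateLoginProfile": "persistence: console password set",
    "AttachUserPolicy": "privilege escalation",
    "PutUserPolicy": "privilege escalation",
    "StopLogging": "defence evasion",
    "DeleteTrail": "defence evasion",
}


def _rec(time, name, source, ip, key_id, params=None):
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key_id}}
    if params:
        rec["requestParameters"] = params
    return rec


# Constructed sample export. The leaked key is AKIAEXAMPLELEAKED; 203.0.113.0/24 is the office egress.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-01T09:58:00Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.10", "AKIAEXAMPLELEAKED"),
    _rec("2024-05-01T10:02:11Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.77", "AKIAEXAMPLELEAKED"),
    _rec("2024-05-01T10:03:40Z", "CreateUser", "iam.amazonaws.com", "198.51.100.77", "AKIAEXAMPLELEAKED",
         {"userName": "backup-svc"}),
    _rec("2024-05-01T10:04:05Z", "CreateAccessKey", "iam.amazonaws.com", "198.51.100.77", "AKIAEXAMPLELEAKED",
         {"userName": "backup-svc"}),
    _rec("2024-05-01T10:05:02Z", "RunInstances", "ec2.amazonaws.com", "198.51.100.77", "AKIAEXAMPLELEAKED"),
    _rec("2024-05-01T10:06:00Z", "GetObject", "s3.amazonaws.com", "203.0.113.10", "AKIAOTHERKEY00000"),
]})


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(trail_json, leaked_key_id, known_cidrs, since):
    """Findings for calls signed by leaked_key_id at or after `since` (ISO UTC, e.g. the commit time).

    A call is flagged when it came from outside known_cidrs or its eventName is in SUSPICIOUS_EVENTS.
    Sources that are not IPs (AWS service principals acting on your behalf) skip the IP check.
    """
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    cutoff = _parse_time(since)
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("userIdentity", {}).get("accessKeyId") != leaked_key_id:
            continue
        if _parse_time(rec["eventTime"]) < cutoff:
            continue
        reasons = []
        src = rec.get("sourceIPAddress", "")
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append(f"unknown source IP {src}")
        except ValueError:
            pass  # service DNS name, not an address
        if rec["eventName"] in SUSPICIOUS_EVENTS:
            reasons.append(SUSPICIOUS_EVENTS[rec["eventName"]])
        if reasons:
            findings.append({"time": rec["eventTime"], "event": rec["eventName"], "ip": src,
                             "reasons": reasons, "params": rec.get("requestParameters", {})})
    return findings


def persistence_targets(findings):
    """IAM user names the attacker created, keyed or granted: revoke these too, the leaked key is not enough."""
    names = []
    for f in findings:
        if f["event"] in ("CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy", "PutUserPolicy"):
            name = f["params"].get("userName")
            if name and name not in names:
                names.append(name)
    return names


if __name__ == "__main__":
    hits = triage(SAMPLE_TRAIL, "AKIAEXAMPLELEAKED", ["203.0.113.0/24"], "2024-05-01T00:00:00Z")
    for h in hits:
        print(h["time"], h["event"], h["ip"], "; ".join(h["reasons"]))
    print("also revoke:", persistence_targets(hits))
```

Run it against a real export (the JSON CloudTrail writes to S3, or the output of `aws cloudtrail lookup-events` reshaped into the same `Records` list) with your own egress ranges and the time the key first left your control. The ListBuckets call from the office range is correctly left alone; everything from the unknown address is surfaced, and the `backup-svc` user the attacker created is what you delete next.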

How this usually leaks

  • Used directly in a frontend "upload to S3" feature instead of a presigned URL.
  • Committed in a .aws/credentials or .env file accidentally added to git; rotation does not scrub it from history.
  • Stored in a config.json deployed to the /public/ folder, which is served verbatim to anyone.
  • Put in a Lambda environment variable, usually with a broad IAM policy attached, then leaked through a public function URL by a handler that echoes its environment in debug or error output.

FAQ

Frequently asked questions

Will AWS credit me for the abuse?
Sometimes. Open a billing support case immediately, share the timeline, and document that you rotated the key. AWS has historically credited customers for unauthorized usage when the leak is detected and remediated quickly.
Should I delete the IAM user entirely?
Only if the key was the user's only purpose. Otherwise, deactivating the leaked key and creating a new one is enough. If unsure, attach the AWSDenyAll managed policy to the user while you investigate; that also blocks any session tokens the attacker obtained with the key, which deactivating the key alone does not.
How do I upload directly from a browser without exposing keys?
Use S3 presigned URLs. Your server signs a short-lived URL for one object key and one method (PUT) and hands it to the browser, which uploads to it. The URL is reusable until it expires, so keep the expiry to a few minutes. The AWS keys never leave your server.
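What the server does when it "signs a URL", as an added example that is neither the page's nor AWS's code: a stdlib-only implementation of SigV4 query-string presigning for an S3 PUT, the same computation `boto3.generate_presigned_url` and `@aws-sdk/s3-request-presigner` perform for you. It is here so the signing inputs are visible: the URL carries the access key ID and a signature, the secret key is used once inside this function and never reaches the browser, and the expiry is clamped to the seven-day limit S3 enforces. The bucket, object key and credentials in the demo are constructed placeholders; use the SDK presigner in production.

```python
"""Server-side SigV4 presigned PUT URL for S3, stdlib only (added example)."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_put(bucket, object_key, region, access_key_id, secret_access_key, expires_in=300, now=None):
    """Return a URL the browser can PUT to until it expires.

    Only this function sees secret_access_key. `now` may be an aware datetime or a
    "YYYYMMDDTHHMMSSZ" string (for reproducible tests); default is the current UTC time.
    The URL is reusable until expiry, so keep expires_in to minutes.
    """
    expires_in = max(1, min(int(expires_in), MAX_EXPIRES))
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y%m%dT%H%M%SZ")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    canonical_uri = "/" + quote(object_key, safe="/")  # encode each segment once, keep '/'
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Query parameters sorted by name, RFC 3986 encoded ('/' in the credential becomes %2F).
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "PUT",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers block; each header line is newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned S3 URLs do not bind the request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key: HMAC chain over date, region, service and the fixed terminator.
    k = _hmac(("AWS4" + secret_access_key).encode(), date_stamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def url_params(url):
    """Flatten the query of a presigned URL, e.g. to check expiry before handing it out."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed placeholders: not a real bucket, key ID or secret.
    print(presign_put("uploads-example", "user 42/avatar.png", "us-east-1",
                      "AKIAEXAMPLE0000000", "constructed-secret-not-real", expires_in=300))
```

The browser then does `fetch(url, { method: "PUT", body: file })` and nothing else; because the method and object key are inside the signed canonical request, the URL cannot be replayed to overwrite a different object or to GET one. Note what is not signed: the body (UNSIGNED-PAYLOAD), so enforce size and content-type limits on the bucket side or with a presigned POST policy instead if they matter.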
