Publishing Fake AWS API Keys on My Site

I recently discovered, which helps detect if your infrastructure has been breached through various methods. For example, lets me generate fake AWS API keys and receive an email notification when they are used. So I did exactly that just to see what would happen.

I published the fake AWS API keys to my site under I chose .env because this is a file that is commonly scanned for by scripts/bots due to accidental uploads. I knew someone would find the credentials eventually and I was curious how quickly and frequently they would be accessed.

At the time of writing this blog post, this is what the .env file contains:

$ curl


Around 2 minutes after deploying this file, I received my first email notification from That was fast! It just goes to show that people are constantly scanning for credentials on the internet. Within an hour or so I had ~10 notifications.

The notification emails from provide useful details about the attackers using the AWS API keys. Here’s an example notification I received:

[Screenshot: notification showing Python usage]

We can see based on the user agent that whoever used these AWS keys was doing this automatically using Python.

I also got another notification that shows that the attacker was using PowerShell:

[Screenshot: notification showing PowerShell usage]

It’s worth noting that User Agent strings can be spoofed, so take these screenshots with a grain of salt.
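The same triage can be done on raw logs when you run decoy keys in an AWS account of your own. The following is an added example, not part of the original post and not the notification service's code: it filters CloudTrail-style records for a decoy access key and groups the uses by source IP and client family. The key ID, IP addresses, user agent strings and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed decoy key ID (AWS's documentation placeholder), not from the post.
DECOY_KEY_ID = "AKIAIOSFODNN7EXAMPLE"

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2024-01-01T10:02:11Z","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userAgent":"Boto3/1.26.0 Python/3.10.4 Linux/5.15 Botocore/1.29.0","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-01-01T10:03:40Z","eventName":"ListBuckets","sourceIPAddress":"192.0.2.10","userAgent":"aws-sdk-go/1.44.0","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventTime":"2024-01-01T10:09:02Z","eventName":"ListUsers","sourceIPAddress":"203.0.113.45","userAgent":"AWSPowerShell.Common/4.1.0.0 .NET_Core/6.0.0 PowerShellCore/7.3","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
not json
{"eventTime":"2024-01-01T10:15:27Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userAgent":"Boto3/1.26.0 Python/3.10.4 Linux/5.15 Botocore/1.29.0","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
"""


def ua_family(user_agent):
    """Coarse client guess. The header is caller-controlled, so it is a hint only."""
    ua = (user_agent or "").lower()
    if "powershell" in ua:
        return "powershell"
    if "boto" in ua or "python" in ua:
        return "python"
    return "other"


def decoy_hits(log_text, key_id=DECOY_KEY_ID):
    """Return one dict per record that was signed with the decoy key."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting triage
        if not isinstance(rec, dict):
            continue
        if (rec.get("userIdentity") or {}).get("accessKeyId") != key_id:
            continue
        hits.append({"time": rec.get("eventTime"), "action": rec.get("eventName"),
                     "source_ip": rec.get("sourceIPAddress"),
                     "client": ua_family(rec.get("userAgent"))})
    return hits


def summarize(hits):
    """Count decoy-key uses per (source IP, client family)."""
    return Counter((h["source_ip"], h["client"]) for h in hits)


if __name__ == "__main__":
    for (ip, client), n in summarize(decoy_hits(SAMPLE_LOG)).items():
        print(f"{ip}\t{client}\t{n}")
```

Any hit at all is the alert, since nothing legitimate uses a decoy key; the client family only helps group the noise.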

There is a guide here if you’re interested in trying this out for yourself: