We have seen multiple times that users accidentally expose their AWS access key and secret key on Internet, e.g. GitHub. This is a really dangerous thing, as whoever get that key can do whatever you can do to your AWS account. Here are two examples, the exposed key was used by someone unknown to create large number of EC2 instance to do BitCoin mining.
Dev put AWS keys on Github. Then BAD THINGS happened
Ryan Hellyer’s AWS Nightmare: Leaked Access Keys Result in a $6,000 Bill Overnight
If it only costs your fortune, then you are lucky! The worst thing is that they can permanently remove everything you built. Code Space closed door just because of this.
Check out the Best Practices for Managing AWS Access Keys to secure your AWS key. If unfortunately it has already happened, then follow the guide of What to Do If Your Inadvertently Expose an AWS Access Key as soon as possbile.
Proactive prevention is very necessary, and passive monitor is also needed. CloudTrail keeps records of all AWS API calls, so it should always be enabled.
AWS KeyWatcher is a tool that I wrote to monitor the AWS API calls logged by CloudTrail, then scores them based on the established key profile to detect the suspicious traffics. Check it out on my GitHub if you are interested.