Some security bad practices, but it happens to the best of us. Glad you got that figured out though.
I always tell my devs on the first day, "leaving AWS keys in a public repository is as bad as showing up drunk to work". Mainly because the last guy to leave our AWS keys in the open was drunk at work.
its really sad to see how many AWS Keys are public in github right now. A quick github search reveals many, many key pairs that were checking as recently as this week.
Amazon are apparently scanning themselves. If they are doing this then they might figure that the quantity of exposed keys will undermine their reputation. That is quite something in itself.
Amazon AWS support have (at least on here) a reputation for refunding fraudulent usage that stemmed from compromised keys. If that is in fact a policy they follow, it's in their best interests to cut down on leaked AWS credentials.
I'm guilty of this for an old project and only discovered when Amazon sent me email telling me it was public so Amazon seems to be searching Github (the web?) for mentions of the keys.
I always tell my devs on the first day, "leaving AWS keys in a public repository is as bad as showing up drunk to work". Mainly because the last guy to leave our AWS keys in the open was drunk at work.