Asking Vercel to rotate my AWS keys?

I had a critical path traversal vulnerability in a project which allowed attackers to leak the entire ../../../proc/self/environ file. Apart from my own .env vars, there were AWS keys, I assume added by Vercel:

AWS_ACCESS_KEY_ID=AS_______A
AWS_SECRET_ACCESS_KEY=Vp_______t
AWS_SESSION_TOKEN=[long session token string]

I’m in the process of rotating all my keys, but those belong to Vercel, so I can’t do that myself. I changed the region in Functions, which I think could do something, but I don’t know how to verify that. The only way I can think of is to put the vulnerability back in, and use it myself to see if the newly leaked keys are the same as the previous ones.

What are my options here? Or is changing the Functions region guaranteed to do this?

I’m sorry to hear about your attack, hopefully not too much damage was done!

I checked with our security team and can confirm you are safe from Vercel’s end. AWS Lambda functions must have a role attached, so those are dummy credentials with no permissions just to satisfy this requirement.

Thank you Jacob! No damage whatsoever, to the extent that we know - the information came through responsible disclosure. We also by nature of the service did not have sensitive information in the service itself. That being said, leaking the entire .env is never good, and it was easy to imagine bad scenarios.

Very reassuring to hear what you said, I appreciate your fast response a lot!
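
Added example, not part of the original thread and not Vercel's code: one way to check whether the AWS_* values in a running function differ from the leaked ones without putting the vulnerability back, by comparing keyed fingerprints instead of the secrets themselves. The function names, the salt and the sample values are constructed for illustration, and it assumes `process.env` in the function carries the same variables that `/proc/self/environ` exposed.

```javascript
const crypto = require("node:crypto");

const AWS_VARS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

// Keyed, truncated fingerprint: safe to log, useless for recovering the value.
// The salt is a hypothetical private string shared by both sides of the check.
function fingerprint(value, salt) {
  return crypto.createHmac("sha256", salt).update(value).digest("hex").slice(0, 16);
}

// Fingerprint each AWS_* variable in `env`; null when it is missing or empty.
function fingerprintEnv(env, salt) {
  const out = {};
  for (const name of AWS_VARS) {
    const v = env[name];
    out[name] = typeof v === "string" && v !== "" ? fingerprint(v, salt) : null;
  }
  return out;
}

// Compare fingerprints of the leaked values (computed locally) with
// fingerprints logged by the deployed function.
function compareFingerprints(leakedFp, currentFp) {
  const report = {};
  for (const name of AWS_VARS) {
    if (leakedFp[name] === null) report[name] = "not-leaked";
    else if (currentFp[name] === null) report[name] = "absent-now";
    else report[name] = leakedFp[name] === currentFp[name] ? "unchanged" : "rotated";
  }
  return report;
}

// Constructed sample values, not real credentials.
const SALT = "example-salt";
const leakedSample = {
  AWS_ACCESS_KEY_ID: "EXAMPLE-OLD-KEY-ID",
  AWS_SECRET_ACCESS_KEY: "example-secret",
  AWS_SESSION_TOKEN: "example-old-token",
};
const currentSample = {
  AWS_ACCESS_KEY_ID: "EXAMPLE-NEW-KEY-ID",
  AWS_SECRET_ACCESS_KEY: "example-secret",
};

console.log(compareFingerprints(fingerprintEnv(leakedSample, SALT),
                                fingerprintEnv(currentSample, SALT)));
```

In a deployed function, log only `fingerprintEnv(process.env, salt)` and run the comparison locally against fingerprints of the leaked values.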