I have had my SES key compromised because Laravel was accidentally set to 'debug=true', which exposed the credentials; this has since been fixed. It was an oversight on my part. However, doing a full dig, I see access requests to .env in my Apache log file, and I don't understand how or why. When I try to access the file I am unable to. Any assistance would be greatly appreciated!
192.237.162.xx - - [17/Jul/2020:18:36:54 +0000] "GET /.env HTTP/1.1" 200 1288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
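An added example (my own code, not part of the question or any answer) that scans Apache combined-format log lines for requests to secret-bearing dotfiles and separates probes from actual disclosures. The field after the status code is the response body size in bytes, so a 200 with a non-zero size means the server returned the file at that moment, whereas a 403 or 404 means a bot only knocked. The sample log lines are constructed for the example (IPs from documentation ranges); the path list and verdict names are my own choices.

```python
"""Scan Apache access logs for requests to credential-bearing dotfiles and
decide, per request, whether the server merely received a probe or served
the file.  Stdlib only."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [17/Jul/2020:18:36:54 +0000] "GET /.env HTTP/1.1" 200 1288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.45 - - [17/Jul/2020:18:37:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [18/Jul/2020:02:11:09 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.24.0"
198.51.100.7 - - [18/Jul/2020:02:11:10 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
198.51.100.7 - - [18/Jul/2020:02:11:11 +0000] "GET /.env?x=1 HTTP/1.1" 301 245 "-" "python-requests/2.24.0"
192.0.2.9 - - [18/Jul/2020:03:00:00 +0000] "GET /storage/.env.bak HTTP/1.1" 200 - "-" "-"
"""

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Files that hold secrets and must never be reachable over HTTP (my list;
# extend it for your stack).  Matched against the path with the query removed.
SENSITIVE_RE = re.compile(
    r'(^|/)\.(env(\.[\w.-]+)?|git(/.*)?|svn(/.*)?|htpasswd|aws(/.*)?|ssh(/.*)?)$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    size: int       # %b body bytes; Apache logs "-" for zero, stored here as 0
    verdict: str    # served | empty | blocked | missing | redirected | other


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_sensitive(path: str) -> bool:
    bare = path.split("?", 1)[0]
    return SENSITIVE_RE.search(bare) is not None


def verdict_for(status: int, size: int) -> str:
    # Only a 200 with a body means the file contents actually left the server.
    # 401/403: the server refused.  404: nothing there (or a rule hides it).
    # 3xx: a rewrite sent the client elsewhere, no body disclosed.
    if status == 200:
        return "served" if size > 0 else "empty"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "missing"
    if 300 <= status < 400:
        return "redirected"
    return "other"


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request that targeted a sensitive path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"],
                                rec["bytes"], verdict_for(rec["status"], rec["bytes"])))
    return findings


def served_paths(findings: List[Finding]) -> List[str]:
    """Paths whose contents were actually returned: treat every secret in them as burned."""
    return sorted({f.path for f in findings if f.verdict == "served"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.timestamp}  {f.ip:<15} {f.status} {f.size:>6}  {f.verdict:<10} {f.path}")
    print("disclosed:", served_paths(results))
```

Run it against your real log with `scan(open("/var/log/apache2/access.log"))`; a "served" verdict with a size close to your .env file's size is the confirmation that the file was readable at that timestamp, even if the request is refused today.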
As noted by others, misconfigurations could lead to the .env file being exposed. Bots will search for it, but if you can't access it from the web, neither can they.
To prevent this from ever happening again, start configuring a blacklist in your config/app using the debug_hide key. This is a must for all Laravel projects and is described in the documentation here. It allows you to obfuscate values for given .env keys.
If your environment gets exposed, you absolutely need to check whether your database is accessible from anywhere other than localhost; if so, you have to change your password and any other sensitive information like email settings.
If the APP_KEY gets exposed, you need to rotate it.
When changing the APP_KEY:

php artisan key:generate

If the encrypted data is not vital (in terms of breaking functionality like logins, etc.), store your old app key somewhere (and make sure you don't lose it!) and regenerate a new key immediately. Then figure out a plan to convert your encrypted data with your new key.
A common misconception is that your passwords will be unusable after a key change; this is nonsense. Passwords are hashed, not encrypted.
To this day, I'm still shocked to see that the debug_hide key is still not present in the current default config/app. In my opinion, it is vital to hide the APP_KEY in the default configuration.