Sorry to hear about the security trouble you are having. That sucks. FWIW, this is most likely an isolated incident. If the keys had leaked from the Hub you could expect a tsunami of similar complaints from thousands of other users. We take security extremely seriously. Likewise, Amazon's security team would have been all over this and I'd be in the middle of a very sweaty conference call with them right now.

Sadly, security is only as strong as the weakest link. The weakest link is probably not TurnKey, but your PC computer. Most security issues these days come from compromised a client-side because the attack surface of a typical PC is so large and difficult to defend.

I suggest you ask Amazon to reimburse those costs. For what it's worth TKLBAM can't be the source of the leak because it doesn't store general purpose AWS keys but uses a special set of DevPay credentials that you can't spin EC2 instances with. An attacker couldn't even access regular S3 storage with the TKLBAM keys.

That means you should be able to revoke the AWS keys you put into the Hub's cloud deployment system without that having any effect on TKLBAM.

For the cloud deployment functionality, you can replace the root keys with more restricted IAM keys but that wouldn't really solve anything. If an attacker has access to your desktop he can still use the IAM keys to spin off instances so that won't really solve the issue.

Sorry I can't do more to help. Good luck!

Cheers, Liraz