I'm having a panic attack.
AWS sent me a mail including: "*We became aware that your AWS Access Key ***************** along with your Secret Key are publicly available.*"
What do they mean by "publicly available" ? Are they pushed accidently to Github or another public code sharing repositories? If so how to Check where it does exist ( Who did that, how and when ) to prevent this from happening again?
How to concretely check if my credentials are not publicly exposed? I'm looking for a concrete workflow not the best practise advices.
I appreciate that you've asked for "concrete workflows, not the best practise advices" but the most concrete workflow you can follow right now is to access your IAM console, go to your access keys, and rotate those keys. Trying to verify whether AWS is wrong seems to me like you're just making excuses for a slip up, I don't mean to offend with that comment either. And no offense, but if you have publicly accessible access keys, in locations that you're unsure of (which I'm taking to be a major concern here, due to the flavour of your question) then you need to think about fixing the problem first, and then figuring out later where it happened, when you have time to sort it out.
In regards to your question about "what do they mean by publicly accessible?", what they mean is that someone on the internet, who should not have access to your AWS account credentials, could POTENTIALLY have access to your AWS account, through use of exposed credentials. I would make the (I think very logical) leap to say that if your credentials are exposed, then access to your account is exposed, depending of course on the scope of those credentials. IE: If your access keys were admin priv'd, then you need to switch those things out ASAP and you need to watch CloudTrail (if it's enabled) for unauthorised/unwanted API calls.