Early Warning Detectors Using AWS Access Keys as Honeytokens
November 30, 2016 | Jen Andre | Komand Tech
Deception lures are all the rage these days, and when deployed properly they are extremely low overhead to maintain and raise few to no false alarms. Honeytokens, closely related to honeypots, are ‘tripwires’ that you leave on machines and in data stores as early warning indicators of a breach. Using AWS IAM access keys, we can create a nearly limitless supply of honeytokens for attackers to stumble upon - and it’s easy and free!
Knowing that AWS IAM access keys are of high value to attackers, the idea is to leave valid (but permissionless) access keys as ‘lures’ on machines, in GitHub repos, or anywhere really. When attackers breach a target, they will find these keys and attempt to use them. When such a key is used, you (the defender) know that some bad stuff is happening.
Using some of AWS’s features (such as CloudWatch and CloudTrail), I’ll show you how to build notifications that fire when someone attempts to use these keys for any AWS API action (which will fail), triggering the alarm.
Step 1: Create AWS IAM Credentials with no permissions
Using IAM, either via the console or API, create a user account that has no permissions and generate one or more access keys. To be extra safe, you can do this on a ‘dummy’ AWS account that is completely separate from your normal infrastructure.
To reiterate, it’s important that this account has no privileges, including no console access. It doesn’t need any! We can configure alerts on API failures, as described below.
Step 2: Set up CloudTrail & CloudWatch to notify on key usage
Now that you have the keys for your bogus account, it’s time to set up notifications in AWS for when those keys are used. We'll use the built-in capabilities of CloudTrail (Amazon's audit-trail logging service) and CloudWatch (its monitoring and alerting service) to accomplish this.
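As an added example (not code from the original post), here is the detection logic that the CloudWatch alarm in this step relies on, run offline over a constructed set of CloudTrail records: it builds the CloudWatch Logs metric filter pattern for the lure key IDs and flags every record made with one of them, AccessDenied or not. The key IDs, user names, IPs and timestamps are constructed; the key ID matching the lure is AWS's documentation placeholder, not a real key.

```python
import json

# Constructed example: the access key ID issued to the permissionless honeytoken
# user from Step 1 (AWS's documentation placeholder value, not a real key).
HONEYTOKEN_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed CloudTrail log payload in the shape CloudTrail delivers to S3 and
# CloudWatch Logs: one probe with the lure key, one legitimate call by "alice".
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2016-11-30T18:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/1.11.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "honeytoken-user",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-11-30T18:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})


def metric_filter_pattern(key_ids):
    """CloudWatch Logs JSON filter pattern matching any honeytoken key id; set
    it as a metric filter on the CloudTrail log group and alarm on >= 1."""
    clauses = [f'($.userIdentity.accessKeyId = "{k}")' for k in sorted(key_ids)]
    return "{ " + " || ".join(clauses) + " }"


def find_honeytoken_hits(cloudtrail_json, key_ids=HONEYTOKEN_KEY_IDS):
    """One alert dict per CloudTrail record made with a lure key. Every call
    counts, AccessDenied included: the user has no permissions, so any use
    of its key means someone found the lure."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        identity = rec.get("userIdentity", {})
        key_id = identity.get("accessKeyId")  # absent for service/console events
        if key_id not in key_ids:
            continue
        hits.append({
            "accessKeyId": key_id, "userName": identity.get("userName"),
            "eventTime": rec.get("eventTime"),
            "api": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
            # Expected AccessDenied; no errorCode means the call succeeded and
            # the lure user's permissions must be re-checked.
            "errorCode": rec.get("errorCode", "<none>"),
        })
    return hits
```

The same pattern string works as the `filterPattern` of a metric filter on the log group that CloudTrail ships to, so the alarm fires on the first matching record without any code of your own running.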
First things first: you need to record API events using CloudTrail. Nothing special here; the UI will configure it for you: