
Early Warning Detectors Using AWS Access Keys as Honeytokens - StabbyCutyou
https://blog.komand.com/early-warning-detectors-using-aws-access-keys-honeytokens
======
c4urself
Great idea, we had part of a private repo accidentally made public at some
point and these kinds of honeypot keys would've been triggered pretty quickly
and let us know. Would definitely be a cool way to know if something has been
leaked.

------
cyberferret
Nice write up and 'how to' guide. I am going to implement this in our
organisation.

All private repos here, but we once had someone inadvertently commit a
development '.env' file with credentials in it to our remote Git repo (they
did it before we added '.env*' to our .gitignore file). We might start
peppering our .env files with honeypot keys just to track if they have somehow
been compromised outside the company.

------
sparky_
This is one of those rare ideas that is so stupidly simple that it comes back
around to being brilliant. Setting this up myself tomorrow.

------
cddotdotslash
This should also be called "how to get your account locked by AWS in 15
minutes or less."

AWS is not fond of finding AWS keys laying around (limited permissions or
otherwise). I once committed a key to a GitHub repo and AWS called me within
15 minutes. I've seen cases where they will then lock your account (preventing
it from creating new EC2 resources) until the key is deleted.

Seriously, don't do this.

EDIT: as others have mentioned, private repos would be fine (and a good idea).

~~~
jakobdabo
Recently GitHub crippled (unfortunately) the Search function so that you can't
search for something in all the repositories at once (if you try, it says that you
"Must include at least one user, organization, or repository").

I used to use it to find out how other people use different library functions
in the wild and it helped me to find good code examples many times in the past
(especially when there was no documentation on the API). I wonder if there is
any other code searching service with comparable coverage and quality.

~~~
wahnfrieden
Works for me:
[https://github.com/search?q=test&type=Code&utf8=%E2%9C%93](https://github.com/search?q=test&type=Code&utf8=%E2%9C%93)
Is this not what you're talking about?

~~~
jakobdabo
Hmm, your link shows me the same "Must include at least one user,
organization, or repository" message that I've mentioned. Maybe they removed
the feature only for users who are not logged in. Can't check it right now as I don't
have my GitHub password on my phone.

~~~
natdempk
This is the case. I checked this via incognito mode.

------
goblin89
This is great for a simple setup. Obviously there’s no reason not to extend
this beyond AWS—

* Login credentials: feed in response to detected phishing emails

* SSH keys: have SSH trigger an alert if certain keys log in

* Database entries: filter out the special ones in legitimate queries

The pain, at least for a small organization, is in managing: reacting
appropriately to alerts, ensuring honeytokens are properly rotated.

------
jxramos
Nice application of disinformation! Keep up the good work.

------
ratsz
Using this method, you could have revoked AWS keys notify you if someone who
recently quit your team or was fired is attempting to access your systems.

------
merb
> On servers in a text file in ~/.aws/credentials (where a lot of tooling
> saves AWS credentials)

well that sounds clever.

~~~
alexsmolen
Yeah, I think it’s tricky to figure out how to place it somewhere that
attackers would look but AWS tooling wouldn’t, by default, since otherwise
they may be used in legitimate operation.

~~~
philsnow
A non-[default] profile seems like it would work. I don't think aws-sdk/boto/etc.
will use non-default creds if you don't explicitly tell it to.

