Traditional defensive strategies rely on detecting and responding to threats after they occur. However, proactive measures like active deception—particularly honeytokens—enable organizations to detect attackers early, even before significant damage occurs. AWS provides an ideal environment for seamlessly integrating these deception techniques into your security posture.
In this article, we explore how to design and deploy honeytokens within your AWS environment, using AWS Lambda functions to automatically detect unauthorized access attempts, providing early warnings of potential breaches.
What Are Honeytokens?
Honeytokens are decoy credentials or resources strategically placed within your infrastructure. Unlike traditional honeypots, honeytokens are lightweight, easy to manage, and directly embedded into existing systems. When attackers access or attempt to use these decoy credentials, they unknowingly trigger alarms, allowing your team to respond proactively.
Typical AWS honeytokens might include:
- Fake AWS access keys
- Decoy database credentials
- Bogus URLs or API endpoints
- Simulated S3 buckets
Why Deploy Honeytokens in AWS?
AWS’s rich suite of services makes it particularly effective for deploying honeytokens:
- AWS CloudTrail: Logs all AWS API calls, enabling visibility into attempted unauthorized activities.
- AWS Lambda: Serverless functions can automatically trigger alerts or actions based on honeytoken usage.
- Amazon CloudWatch and EventBridge: Facilitate real-time monitoring and event-driven responses.
Architecture Overview for AWS Honeytoken Deployment
Here’s how an effective honeytoken-based detection mechanism works on AWS:
- Deploy Honeytokens: Embed fake credentials in places likely targeted by attackers.
- Monitor Usage: AWS CloudTrail logs usage attempts, generating events in real-time.
- Automated Detection: AWS Lambda analyzes CloudTrail events for unauthorized honeytoken usage.
- Alert & Response: Lambda triggers alerts (via SNS, Slack, or email) and initiates automated defense mechanisms.
Step-by-Step Implementation
Step 1: Creating Honeytoken Credentials
Generate an AWS IAM user with no real permissions:
1
2
aws iam create-user --user-name honeytoken-user
aws iam create-access-key --user-name honeytoken-user
Important: Do not grant this user permissions.
Embed these keys strategically—such as in decoy files, application configuration files, or internal documentation that may attract an attacker’s attention.
Step 2: Set Up AWS CloudTrail Monitoring
Ensure CloudTrail is enabled to log all AWS API activities:
1
2
3
4
5
6
7
aws cloudtrail create-trail \
--name HoneytokenTrail \
--s3-bucket-name your-cloudtrail-bucket \
--is-multi-region-trail \
--enable-log-file-validation
aws cloudtrail start-logging --name HoneytokenTrail
Step 3: Configure CloudWatch EventBridge Rule
Create a rule to detect any usage of your honeytoken IAM credentials:
1
2
3
4
5
6
7
8
9
10
11
aws events put-rule \
--name HoneytokenUsageRule \
--event-pattern '{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"userIdentity": {
"accessKeyId": ["YOUR_HONEYTOKEN_ACCESS_KEY"]
}
}
}'
Replace YOUR_HONEYTOKEN_ACCESS_KEY with your actual honeytoken key ID.
Step 4: Implement AWS Lambda for Real-Time Alerting
Deploy a Lambda function to handle detections:
Example Lambda function (lambda_function.py):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import json
import boto3
import logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)
def lambda_handler(event, context):
logger.info(f"Honeytoken triggered: {json.dumps(event)}")
send_security_alert(event)
def send_security_alert(event):
sns = boto3.client('sns')
topic_arn = 'arn:aws:sns:us-east-1:123456789012:HoneytokenAlerts'
detail = event['detail']
message = f"""
🚨 Honeytoken Access Detected! 🚨
User: {detail['userIdentity']['arn']}
Action: {detail['eventName']}
Region: {detail['awsRegion']}
Source IP: {detail['sourceIPAddress']}
Time: {detail['eventTime']}
"""
sns.publish(TopicArn=topic_arn, Message=message)
logger.info("Security alert sent via SNS.")
Tip: Use CloudWatch logs for tracking Lambda execution and debugging.
Step 5: Link Lambda to EventBridge Rule
Connect your Lambda function to the EventBridge rule:
1
2
3
aws events put-targets \
--rule HoneytokenUsageRule \
--targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:123456789012:function:HoneytokenResponder"
Now, any unauthorized usage of your honeytoken credentials will trigger immediate alerts and automated responses.
Advanced Honeytoken Techniques on AWS
Enhance your deception strategy further by implementing:
- Decoy S3 buckets: Monitor attempts to access fake or misleading buckets.
- Fake Secrets Manager entries: Insert decoy secrets and monitor API calls.
- Simulated API Gateway endpoints: Deploy fake endpoints to detect automated scanning or reconnaissance activity.
Integrating Honeytokens with DevSecOps Practices
Embedding honeytokens into your DevSecOps pipeline ensures continuous and proactive threat detection. Automate honeytoken deployment and monitoring as part of your CI/CD pipelines, providing instant visibility into suspicious activities during development and deployment phases.
For guidance or to discuss deploying advanced AWS security techniques, feel free to contact Jon Price via LinkedIn →
Benefits of Honeytoken-Based Active Deception
- Early threat detection: Rapid identification of attackers.
- Reduced false positives: Any honeytoken access is inherently suspicious.
- Improved security posture: Actively deters and disrupts attacker reconnaissance.
- Scalable and cost-effective: Minimal resources required for high-value threat detection.
Conclusion
Integrating active deception with honeytokens into your AWS environment significantly elevates your proactive security capabilities. Leveraging AWS services like Lambda and CloudTrail for automated detection and response turns passive monitoring into active defense, allowing your organization to stay one step ahead of attackers.
Interested in implementing honeytokens in your AWS environment? Connect via LinkedIn →
Additional AWS Resources:
```