In some instances, folks might want to generate very large numbers of AWS API Key Canarytokens in CI pipelines and other ephemeral compute environments. In these setups, it's common for each job to create a new key (even if it exists for only a few minutes), which can cause the total number of issued keys to grow rapidly. We currently abstract this away to keep deployments working smoothly, but at larger scales, we've seen teams benefit from a few small adjustments in how keys are handled. The Console defaults to a 100k AWS API Key token limit, with options available if higher volumes are needed.
For customers running at this scale in ephemeral environments, we've found that enabling automatic key expiry allows teams to continue alerting on compromise while keeping the overall number of active keys relatively steady.
To enable automatic key expiry, pass the optional expiry parameter when creating AWS API Key Canarytokens via the /api/v1/canarytoken/create API endpoint. The expiry value is a duration string whose supported units are y, mo, w, d, and h.
For example, to create a new AWS API Key Canarytoken with a 6-month expiry:
curl https://EXAMPLE.canary.tools/api/v1/canarytoken/create \
-d auth_token=EXAMPLE_AUTH_TOKEN \
-d memo='Example AWS API Key Memo' \
-d kind='aws-id' \
-d expiry='6mo'
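The same call wrapped for use in a CI job, as an added example that is not part of the original page or the Console's own tooling. It assumes (not stated above) that an expiry value is a single integer followed by one of the documented units; the console hostname and auth token are placeholders.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Units the Console documents for the expiry string: y, mo, w, d, h.
# Assumption: one integer followed by exactly one unit (e.g. '6mo', '2w', '48h').
EXPIRY_RE = re.compile(r"^(\d+)(y|mo|w|d|h)$")


def validate_expiry(expiry: str) -> bool:
    """True for a well-formed expiry such as '6mo' or '48h', False otherwise."""
    return EXPIRY_RE.match(expiry) is not None


def ci_memo(pipeline_id: str, job_id: str) -> str:
    """Memo that ties a later alert back to the pipeline run that minted the key."""
    return f"ci pipeline={pipeline_id} job={job_id}"


def build_create_payload(auth_token: str, memo: str, expiry: str) -> dict:
    """Form fields for /api/v1/canarytoken/create, rejecting a malformed expiry
    before anything is sent so a typo cannot silently produce a non-expiring key."""
    if not validate_expiry(expiry):
        raise ValueError(f"invalid expiry {expiry!r}: <int> followed by y, mo, w, d or h")
    return {"auth_token": auth_token, "memo": memo, "kind": "aws-id", "expiry": expiry}


def create_aws_key_token(console_host: str, auth_token: str, memo: str, expiry: str) -> bytes:
    """POST the request and return the raw response body (network call, not run offline)."""
    url = f"https://{console_host}/api/v1/canarytoken/create"
    data = urlencode(build_create_payload(auth_token, memo, expiry)).encode()
    with urlopen(Request(url, data=data, method="POST"), timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholders: replace with your Console hostname and API auth token.
    body = create_aws_key_token("EXAMPLE.canary.tools", "EXAMPLE_AUTH_TOKEN",
                                ci_memo("pipeline-123", "job-456"), "48h")
    print(body.decode(errors="replace"))
```

Sizing the expiry to a little longer than the job's lifetime keeps the active key count steady while still alerting on any use of a key leaked from that run.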