Description: The AWS API token provides you with a set of AWS API keys. Leave them in private code repositories, leave them on a developer's machine, or anywhere else API keys would be expected. An attacker who stumbles onto them will believe they are the keys to your cloud infrastructure. If they are used via the AWS API at any point, you will be alerted.
The great thing is that you don't need AWS in your environment to use this token, and there’s no way for an attacker to use it without setting off an alert.
Note: These alerts first pass through Amazon's logging infrastructure which may introduce a delay of between 2 and 30 minutes before the alert comes through.
Follow the steps below to create an AWS API Key Canarytoken:
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the AWS API Key token from the list.
Step 4:
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, so that the alert can remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" and not knowing where you placed it.
Note: we chose "AWS API keys on Jim's Laptop" as the reminder.
Step 5:
Download or copy the token and place it in its intended location.
Note: The file downloaded contains the AWS API credentials linked to your Canarytoken. The file is formatted such that it looks like a legitimate AWS credentials file.
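When dropping the token on a machine that already has a real ~/.aws/credentials file, you want to add the decoy as an extra profile rather than overwrite working keys, and you want to confirm the result still parses the way the AWS CLI and SDKs read it. The following is an added example, not code from the Canary console or its documentation; the key values are constructed placeholders, and the `jims-laptop` profile name is an assumption. It deliberately checks the file shape offline only: calling the AWS API with the token from your own machine would fire the alert.

```python
# Added example: merge a downloaded AWS API Key Canarytoken credentials file into
# an existing AWS credentials file without clobbering real profiles, then check
# the result offline. Never test the token by calling AWS: any use fires the alert.
import configparser
import io
import re

ACCESS_KEY_RE = re.compile(r"^[A-Z0-9]{20}$")  # AWS access key IDs are 20 chars

# Constructed stand-in for the downloaded token file (placeholder values).
CANARY_FILE = """[default]
aws_access_key_id = AKIAEXAMPLECANARY123
aws_secret_access_key = ExampleSecretKeyPlaceholder0000000000000
"""

# Constructed stand-in for the credentials file already on the developer's machine.
EXISTING_FILE = """[default]
aws_access_key_id = AKIAEXAMPLEREALKEY00
aws_secret_access_key = ExampleRealSecretPlaceholder00000000000
"""


def parse_credentials(text: str) -> configparser.ConfigParser:
    """Parse an AWS credentials file (INI format, as the AWS CLI/SDKs read it)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def looks_like_aws_credentials(text: str) -> bool:
    """True if every profile carries the two keys the AWS SDKs look for."""
    cp = parse_credentials(text)
    if not cp.sections():
        return False
    for section in cp.sections():
        key_id = cp[section].get("aws_access_key_id", "")
        secret = cp[section].get("aws_secret_access_key", "")
        if not ACCESS_KEY_RE.match(key_id) or len(secret) < 16:
            return False
    return True


def merge_canary_profile(existing: str, canary: str, profile: str) -> str:
    """Add the canary keys to `existing` under `profile`; refuse to overwrite a real profile."""
    dst = parse_credentials(existing)
    src = parse_credentials(canary)
    if profile in dst:
        raise ValueError(f"profile {profile!r} already exists; choose another name")
    dst[profile] = dict(src["default"])  # copy the canary's keys under the new profile name
    out = io.StringIO()
    dst.write(out)
    return out.getvalue()
```

Naming the profile after the Reminder you chose in Step 4 (for example `jims-laptop`) makes the file self-describing if you find it again years later.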
Alert:
An alert is triggered when the AWS API key is used.
You're done! ;-)