Description: Canarytokens can live in the cloud too, create an AWS S3 token and get notified on any access to it.
Follow the steps below to create an AWS S3 Canarytoken:
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the AWS S3 Bucket token from the list.
Step 4:
Complete the fields below to setup your Canarytoken.
Bucket to monitor: The name of your S3 bucket.
Note: This name needs to be globally unique, if you are getting an error, try a different name here.
Automate creation: Selecting this option will automate the S3 creation by using your ID and secret. For manual setup check the optional section.
AWS access key ID & secret access key: Your AWS credentials, if you do not have this yet, read the
How to Manage your AWS Access Keys: Optional section.
AWS region: The region where you would prefer the bucket be created.
Manual Setup: Optional
Manual Creation means that we will prepare a setup script that you can run in your AWS environment to create your fake buckets.
- Setup and activate python virtual environment
-
virtualenv usermodenv
-
- Install awscli, boto3, and simplejson python modules
-
pip install awscli boto3 simplejson
-
- Display the help prompt for the canaryaws.py module that you downloaded from the token creation screen.
-
python canaryaws.py -h
-
- Create your new AWS S3 token using AWS Environment variables
-
python canaryaws.py -c
-
- Alternatively, create your new AWS S3 token using supplied AWS Credentials
-
python canaryaws.py -c -a [your_access_key] -s [your_secret_key] -r [your_region]
-
How to Manage your AWS Access Keys: Optional
To manage access keys when signed in as the root user
Sign in to the AWS Management Console as the root user.
In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.
Select Policies and then Create policy
Copy and paste the following code block into the JSON tab, when complete select Next: tags.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketOwnershipControls",
"iam:CreateRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:PutRolePolicy",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:AddPermission",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:CreateLogGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
}
]
}
Enter your preference of tags and select Next:Review
Name your policy then select Create Policy.
At the IAM dashboard select Users then Add user.
Enter a Username for your new user, check Programmatic access as the Access type then select Next:permissions.
Select Attach existing policies directly and search for then check the policy you previously created.
Your user has now been created with the appropriate permissions and credentials created.
Copy or download the .csv in order to save the Access key ID & Secret access key, do this now due to the Secret access key not being available in future.
Step 5:
Your Canarytoken has now been created and ready to send alerts!
Alert:
An alert is triggered when the S3 bucket is accessed.
You're done! ;-)