What is this?
The AWS API Canarytoken is one of our favourite detection techniques. We give you a valid AWS API key and you place it on your secret key signing server. If the key is ever used to login to AWS, we let you know and you realize immediately that someone has access to your precious \\key-sign-FS1.
We do this by creating a valid AWS API key, and then neutering it so its powerless. We then track AWS logs to see if the key is ever used.
But... AWS logging is not always complete, so its possible for an attacker to run esoteric commands that will use that key (still useless to her) without creating an AWS log event (and therefore without creating an alert).
This.wont.do.
Our AWS safety-net code will check several times per day if your deployed (defanged) key was ever used. If it was, and if we did not see a regular API event using the key, we raise the safety-net alert.
Does this mean it's not so bad?
Actually, while we pride ourselves on being non-alarmist, this alert is pretty serious. It means that the key you placed somewhere was used to authenticate to AWS and that in all likelihood, the attacker was sophisticated enough to attempt to use an API that AWS typically doesn't log. It implies a level of competence that should raise an eyebrow (or an incident responder or two).
What is the source-IP of the attacker?
While we are able to grab the source-IP of an attacker who uses the vanilla AWS-API Canarytoken, the safety-net, as a tool of last resort, is only able to tell us that the key we thought would not be used, was used. This gives us an important thread to pull on but has limited bonus information.