What is this?
The AWS API Canarytoken is one of our favourite detection techniques. We give you a valid AWS API key, and you place it on your secret key‑signing server. If the key is ever used to log in to AWS, we alert you immediately - you then know someone has accessed your precious \\key-sign-FS1.
We do this by creating a valid AWS API key and then neutering it so it's powerless. We then track AWS logs to see if the key is ever used.
But… AWS logging is not always complete, so it's possible for an attacker to run esoteric commands that use that key (still useless to them) without creating an AWS log event - and therefore without creating an alert.
This. Won't. Do.
Our AWS safety‑net code checks several times per day whether your deployed (defanged) key was ever used. If it was, and if we did not see a regular API event using the key, we raise the safety‑net alert.
Does this mean it's not so bad?
Actually, while we pride ourselves on being non‑alarmist, this alert is pretty serious. It means the key you placed somewhere was used to authenticate to AWS, and that, in all likelihood, the attacker was sophisticated enough to attempt an API that AWS typically doesn't log. That level of activity should raise an eyebrow (or an incident responder or two).
What is the source IP of the attacker?
We can capture the source IP of an attacker who uses the vanilla AWS‑API Canarytoken. The safety‑net, however, is a tool of last resort: it tells us that the key we thought would not be used was used. That gives us an important thread to pull on, but it has limited additional information.
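The two alert paths described above (the regular API-event alert, and the safety-net that fires when the key's last-used record is not explained by any logged API event) can be modelled offline. The following is an added example, not Canarytokens' own code: it assumes the two inputs mirror the shape of the real AWS data sources a defender would poll (IAM GetAccessKeyLastUsed, which reports LastUsedDate, ServiceName and Region but no source IP, and CloudTrail events, which carry sourceIPAddress), and all sample data, the key id and the IP addresses are constructed placeholders.

```python
"""Offline model of the AWS API key safety-net check (added example, not the
project's own code). Inputs mirror IAM GetAccessKeyLastUsed and CloudTrail
event fields; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

KEY = "AKIAIOSFODNN7EXAMPLE"           # AWS's documented example id, not a live key
T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)   # time of the previous check


@dataclass(frozen=True)
class LastUsed:
    """Mirror of IAM's AccessKeyLastUsed record: service and region, no IP."""
    access_key_id: str
    last_used: Optional[datetime]       # None if the key has never been used
    service: str
    region: str


@dataclass(frozen=True)
class TrailEvent:
    """Subset of a CloudTrail event that the regular alert is built from."""
    access_key_id: str
    event_time: datetime
    event_name: str
    source_ip: str


@dataclass(frozen=True)
class Alert:
    kind: str                           # "api-event" or "safety-net"
    access_key_id: str
    when: datetime
    detail: str
    source_ip: Optional[str]            # only known for CloudTrail-backed alerts


def regular_alerts(events: List[TrailEvent], since: datetime) -> List[Alert]:
    """Regular path: every logged API event for the key since the last check
    becomes an alert, and it carries the caller's source IP."""
    return [Alert("api-event", e.access_key_id, e.event_time, e.event_name, e.source_ip)
            for e in events if e.event_time > since]


def safety_net_check(last_used: LastUsed, events: List[TrailEvent], since: datetime,
                     slack: timedelta = timedelta(minutes=15)) -> Optional[Alert]:
    """Safety-net path: IAM says the key was used after `since`, but no
    CloudTrail event for the key lands near that time. `slack` absorbs
    CloudTrail delivery lag so a late event is not mistaken for a silent use."""
    if last_used.last_used is None or last_used.last_used <= since:
        return None                     # never used, or nothing new since last check
    explained = any(e.access_key_id == last_used.access_key_id
                    and e.event_time >= last_used.last_used - slack
                    for e in events)
    if explained:
        return None                     # the regular alert already covers this use
    return Alert("safety-net", last_used.access_key_id, last_used.last_used,
                 f"key used against {last_used.service} in {last_used.region} "
                 "with no matching CloudTrail event", None)


def scenario_logged() -> Tuple[List[Alert], Optional[Alert]]:
    """Constructed: a normal, logged call. Regular alert fires with an IP;
    the safety-net stays quiet because the use is explained."""
    t = T0 + timedelta(hours=3, minutes=12)
    events = [TrailEvent(KEY, t, "GetCallerIdentity", "203.0.113.7")]   # RFC 5737 test IP
    return regular_alerts(events, T0), safety_net_check(LastUsed(KEY, t, "sts", "us-east-1"), events, T0)


def scenario_silent() -> Tuple[List[Alert], Optional[Alert]]:
    """Constructed: IAM reports a use but CloudTrail saw nothing. Only the
    safety-net fires, and it has no source IP to offer."""
    events: List[TrailEvent] = []
    last = LastUsed(KEY, T0 + timedelta(hours=6, minutes=40), "s3", "us-east-1")
    return regular_alerts(events, T0), safety_net_check(last, events, T0)


if __name__ == "__main__":
    for name, (reg, net) in (("logged", scenario_logged()), ("silent", scenario_silent())):
        print(name, "regular:", reg, "safety-net:", net)
```

The check is deliberately conservative: a key that was never used, or whose last-used timestamp predates the previous check, produces nothing, and a use that has a CloudTrail event within the slack window is left to the regular alert. The safety-net alert's `source_ip` is always `None`, which is exactly the "important thread to pull on, but limited additional information" situation the text describes.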