Why am I seeing this note?
Typically when an AWS API Key Canarytoken is triggered, the alert includes the IP address which tried the key to access the AWS API:
In some cases, the AWS API Key Canarytoken is triggered by an internal AWS service and then, AWS only reports a service hostname, rather than an IP that triggered the key:
This can be seen in scans to enumerate permissions with tools such as enumerate-iam, and should be considered a compromised token.