Alert Annotation: AWS API Key Canarytoken No Source IP

Learn why some AWS API Key Canarytoken alerts show a hostname instead of an IP — often due to internal AWS services or IAM enumeration scans indicating token compromise.

Typically, when an AWS API Key Canarytoken is triggered, the alert includes the IP address which tried the key to access the AWS API:

In some cases, the AWS API Key Canarytoken is triggered by an internal AWS service and then AWS only reports a service hostname, rather than an IP address that triggered the key:

This can be observed in scans that enumerate permissions with tools such as enumerate-iam and should be considered a compromised token.