Showing posts from February, 2022

A “Safety Net” for AWS Canarytokens

The AWS API Key Canarytoken (paid and free) is a great way to detect attackers who have compromised your infrastructure. The full details are in a previous blogpost , but in short:  You go to and generate a set of valid AWS API credentials; Simply leave those in ~/.aws/config on a machine that's important to you Done! If that machine is ever breached, the sort of attackers who keep you up at night will look for AWS API credentials, and they will try them.  And when they do, we let you know that you’ve been breached. When you receive an email/SMS/Slack message letting you know that the AWS API key that you left only on BuildServer-7 in Server-room #12 just got used to login to AWS, you know you have a problem.  The underlying Canarytoken infrastructure relies on AWS APIs logging their own execution to CloudTrail. This lets us identify: which IP made the call; which API was executed (including both the service name and function); plus other details about