Great idea, we had part of a private repo accidentally made public at some point and these kind of honeypot keys would've been triggered pretty quickly and let us know. Would definitely be a cool way to know if something has been leaked.
Nice write up and 'how to' guide. I am going to implement this in our organisation.
All private repos here, but we once had some inadvertently commit a development '.env' file with credentials in it to our remote Git repo (they did it before we added '.env*' to our .gitignore file). We might start peppering our .env files with honeypot keys just to track if they have somehow been compromised outside the company.
This should also be called "how to get your account locked by AWS in 15 minutes or less."
AWS is not fond of finding AWS keys laying around (limited permissions or otherwise). I once committed a key to a GitHub repo and AWS called me within 15 minutes. I've seen cases where they will then lock your account (preventing it from creating new EC2 resources) until the key is deleted.
Seriously, don't do this.
EDIT: as others have mentioned, private repos would be fine (and a good idea).
The whole point is that AWS (nor any other outside party) would not find the keys. The article explicitly mentions:
On servers in a text file in ~/.aws/credentials (where a lot of tooling saves AWS credentials)
On your developer laptop in the same locations
In application or systemd environment variable configuration files
In files named ’credentials’ or in application configuration files in private, sensitive Github repos
Unless amazon somehow has access to private github repos, they should not see the keys
Recently Github crippled (unfortunately) the Search function so that you can't search something in all the repositories at once (if you try it says that you "Must include at least one user, organization, or repository").
I used to use it to find out how other people use different library functions in the wild and it helped me to find good code examples many times in the past (especially when there were no documentation on the API). I wonder if there is any other code searching service with comparable coverage and quality.
Yeah, putting the keys on Github seems pointless and contrived: there's no remediation to putting a known-bad key out in the open. What are you going to do: block their IP? Oh boy.
I see value in the other examples, though, because they are dead simple tripwires, and, unless AWS is scanning your instances, they should never see this and it shouldn't be a problem.
Using this method, you could have revoked AWS keys notify you if someone who recently quit your team or was fired is attempting to access your systems.
Yeah, I think it’s tricky to figure out how to place it somewhere that attackers would look but AWS tooling wouldn’t, by default, since otherwise they may be used in legitimate operation.
[+] [-] c4urself|9 years ago|reply
[+] [-] cyberferret|9 years ago|reply
All private repos here, but we once had some inadvertently commit a development '.env' file with credentials in it to our remote Git repo (they did it before we added '.env*' to our .gitignore file). We might start peppering our .env files with honeypot keys just to track if they have somehow been compromised outside the company.
[+] [-] sparky_|9 years ago|reply
[+] [-] cddotdotslash|9 years ago|reply
AWS is not fond of finding AWS keys laying around (limited permissions or otherwise). I once committed a key to a GitHub repo and AWS called me within 15 minutes. I've seen cases where they will then lock your account (preventing it from creating new EC2 resources) until the key is deleted.
Seriously, don't do this.
EDIT: as others have mentioned, private repos would be fine (and a good idea).
[+] [-] theamk|9 years ago|reply
[+] [-] jakobdabo|9 years ago|reply
I used to use it to find out how other people use different library functions in the wild and it helped me to find good code examples many times in the past (especially when there were no documentation on the API). I wonder if there is any other code searching service with comparable coverage and quality.
[+] [-] bjoernw|9 years ago|reply
[+] [-] osi|9 years ago|reply
[+] [-] tobz|9 years ago|reply
I see value in the other examples, though, because they are dead simple tripwires, and, unless AWS is scanning your instances, they should never see this and it shouldn't be a problem.
[+] [-] goblin89|9 years ago|reply
* Login credentials: feed in response to detected phishing emails
* SSH keys: have SSH trigger an alert if certain keys log in
* Database entries: filter out the special ones in legitimate queries
The pain, at least for a small organization, is in managing: reacting appropriately to alerts, ensuring honeytokens are properly rotated.
[+] [-] jxramos|9 years ago|reply
[+] [-] ratsz|9 years ago|reply
[+] [-] merb|9 years ago|reply
well that sounds clever.
[+] [-] alexsmolen|9 years ago|reply