53 Honeytoken credential file
A fake but plausible cloud credential — an AWS canarytoken in a ~/.aws/credentials file, a deploy-notes file, a backup runbook — planted where an intruder would look and referenced by no real automation. Any use of the key is hostile by construction: there is no legitimate caller. The alert goes to a mailbox outside the tenant being defended, and the placement is recorded in a register so a triggered alert maps back to the file that leaked.
Caveats
Setup steps
-
- Token type
AWS keys- alert email
out-of-band mailbox
-
Filename/content plausible; never referenced by any real automation
-
Register: token id, placement, date, owner
-
Ongoing maintenance
- automatable: script Quarterly: trip each honeytoken to prove it still alerts; rotate tokens that have fired.
How to verify
Use the honeytoken yourself (from a clean context) and confirm the alert fires with enough context to act on. An untested canary is indistinguishable from a dead one.
v0.1.0Detect policy #30 · #33, #16 ↗