← All controls

53 Honeytoken credential file

A fake but plausible cloud credential — an AWS canarytoken in a ~/.aws/credentials file, a deploy-notes file, a backup runbook — planted where an intruder would look and referenced by no real automation. Any use of the key is hostile by construction: there is no legitimate caller. The alert goes to a mailbox outside the tenant being defended, and the placement is recorded in a register so a triggered alert maps back to the file that leaked.

Caveats

Setup steps

  1. Token type
    AWS keys
    alert email
    out-of-band mailbox
  2. Filename/content plausible; never referenced by any real automation

  3. Register: token id, placement, date, owner

Ongoing maintenance

How to verify

  1. Use the honeytoken yourself (from a clean context) and confirm the alert fires with enough context to act on. An untested canary is indistinguishable from a dead one.

v0.1.0Detect policy #30 · #33, #16 ↗