Ensure one IAM user is created as Canarytokens within your AWS account in order to implement proactive security defense by using threat deception technology. Deception technology automates the creation of security traps (decoys) which are mixed with existing cloud resources to provide an extra layer of protection that can be used to prevent attackers from gaining access to your AWS resources and/or applications. In this case the IT assets used as decoys are IAM access keys, a set of credentials used to sign programmatic requests that you make to AWS API. These API access keys, also known as Canarytokens, are created with special configuration and limited permissions to help you detect when your AWS cloud resources and applications have been breached by having attackers announce themselves.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Your AWS API access keys represent an attractive target for attackers and malicious users. Knowing that, you can create Canarytokens (i.e. valid access keys with a very limited set of permissions) and leave them as bait on different targets such as web applications, code repositories, EC2 instances, etc. If attackers breach one of these targets, they will find the access keys and attempt to use them. And when such credentials are used by attackers, a notification alert will inform you of their actions so you can use this information to take measures and secure your AWS environment and/or applications.
Canary access tokens are IAM access key pairs associated with an AWS IAM user account that has no API or console privileges, hence the IAM user account must have the following configuration: one or more access keys, no permissions (managed and/or inline policies) and no console privileges (no user password enabled). To determine if there are any IAM user access keys used as Canarytokens within your AWS account, perform the following actions:
Remediation / Resolution
To configure and use a set of IAM access keys as Canarytokens in your AWS account, you have to create a new IAM user account with no privileges and no access to the AWS Management Console, and generate AWS API access keys for that user. Once the IAM user account is configured, use Amazon CloudWatch and Amazon CloudTrail to build a notification system that will send you alerts whenever someone attempts to use those access keys for any AWS API actions. To create the IAM user account and the notification system required, perform the following actions:
- AWS Documentation
- Managing IAM Users
- Managing Access Keys for IAM Users
- Getting Credential Reports for Your AWS Account
- Creating a Trail For Your AWS Account
- Creating and Updating a Trail with the AWS Command Line Interface
- Sending Events to CloudWatch Logs
- What is Amazon Simple Notification Service?
- Using Amazon CloudWatch Alarms
- AWS Command Line Interface (CLI) Documentation
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Canary Access Token
Risk level: Very High