Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers

Presented at fwd:cloudsec Europe 2025 by

According to AWS, approximately [66% of AWS security incidents begin with leaked access keys](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf). Threat actors consistently search the internet for exposed credentials, rapidly exploiting any keys they discover. However, defenders can turn this very behavior into an advantage through honey tokens, deliberately exposed AWS access keys designed specifically to trigger alerts upon use. While honey tokens can be incredibly useful for detecting attacker activity in your environment, not all honey tokens are built the same way. Some can even be trivial to bypass.

In this session, we'll cover the nuances of AWS honey tokens in depth. We'll discuss different types of honey tokens, how they work, and potential detection evasion opportunities. Additionally, this session will dive into the internals of the AWS API, covering how some honey tokens can even alert when used with undocumented APIs, non-production endpoints, and more. Attendees will learn advanced strategies for detecting sophisticated threat actors. Whether you're just beginning to explore deception technology or you're a seasoned practitioner, this talk will cover the key things to know and help you stay one step ahead of threat actors.