This project creates one (or more) deception users with permissionless secret key pairs (honey tokens), and deploys controls to monitor for any activity from the dummy accounts.
The deployed architecture looks like:
- Created user(s) are assigned a restrictive IAM policy:
  { "Action": "*", "Effect": "Deny", "Resource": "*" }
- Access key pairs are generated (and displayed via Terraform's output blocks - normally this would be a bad idea for keys, but, use-case...)
- Any activity related to the key pairs is logged via CloudTrail (this project assumes full, multi-region CloudTrail is already active in your account. If not, start here)
- When activity occurs, the CloudWatch alarm breaches, triggering a notification to SNS
N.B. Subscribing to the SNS topic is left as an exercise for the reader; we're not defining, nor predicting, how your use-case wants to consume the alerts.
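As an added illustration of the detection step (not part of this project's code), the following Python runs offline over constructed CloudTrail records and flags every record made with the deception key, which is what the CloudWatch metric filter on the CloudTrail log group does. The key id and user name are placeholders, not values from a real deployment.

```python
import json
from typing import Dict, List

# Placeholder identifiers for the deception user; in a real deployment they
# come from the Terraform output, not from this example.
DECOY_ACCESS_KEY_ID = "AKIADECOYEXAMPLE0000"
DECOY_USER_NAME = "deception-user"

# Constructed CloudTrail records: two calls with the decoy key, one legitimate.
# Only the fields the detection relies on are included.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": DECOY_USER_NAME,
                      "accessKeyId": DECOY_ACCESS_KEY_ID}},
    {"eventTime": "2020-01-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIALEGITEXAMPLE0000"}},
    {"eventTime": "2020-01-01T10:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": DECOY_USER_NAME,
                      "accessKeyId": DECOY_ACCESS_KEY_ID}},
]})


def find_decoy_activity(cloudtrail_json: str, access_key_id: str) -> List[Dict]:
    """Summarise every record made with the given access key.

    Equivalent to a CloudWatch Logs metric filter of the form
    { $.userIdentity.accessKeyId = "AKIA..." }: any match is a hit,
    whether or not the call itself was denied.
    """
    hits = []
    for record in json.loads(cloudtrail_json).get("Records", []):
        identity = record.get("userIdentity", {})
        if identity.get("accessKeyId") != access_key_id:
            continue
        hits.append({
            "time": record.get("eventTime"),
            "user": identity.get("userName"),
            "event": record.get("eventName"),
            "source_ip": record.get("sourceIPAddress"),
            # sts:GetCallerIdentity needs no IAM permission, so even a
            # Deny-all user succeeds there; alert on success and denial alike.
            "denied": record.get("errorCode") == "AccessDenied",
        })
    return hits


if __name__ == "__main__":
    for hit in find_decoy_activity(SAMPLE_CLOUDTRAIL, DECOY_ACCESS_KEY_ID):
        print(f"ALERT {hit['time']} {hit['user']} {hit['event']} "
              f"from {hit['source_ip']} denied={hit['denied']}")
```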
Deployment is via Terraform.
Before deployment, there are two locations that you'll need to update.
  provider "aws" {
    version = "~> 2.0"
    region  = "eu-west-1"
    profile = "ENTER-YOUR-PROFILE-HERE"
  }
As suggested, you'll need to update your profile name. Or replace it with static keys, but if you're interested in this project you probably understand why that could be a bad idea...
And depending on where your workloads reside, you may need to update the region to suit your needs.
  cloudtrail_logs = "YOUR CLOUDTRAIL LOG GROUP HERE"
Again, as suggested, add the name of the CloudWatch Log Group that is fed the CloudTrail logs you'll be monitoring for activity.
Once updated, rename all *-dist files to drop the -dist suffix and you should be good to go.
Now the project is configured to your needs, standard Terraform deployment process applies:
  > terraform init
  > terraform apply
If all is successful, Terraform should return your deception token(s) at the end of its output:
  Outputs:
  key = "AKIA<redacted>"
  secret = "<redacted>"
Terraform redacts sensitive values automatically. It's a good failsafe, but not appropriate for our needs, as the key is already neutered. As the output "display_secret" suggests, run the command terraform output secret to force Terraform to print the secret key from its state file.
After deployment, any activity should raise the CloudWatch metric over its threshold, pushing it into an alarm state.
And triggering an SNS notification; in my demo use-case, an email: