An AWS key canary token is triggered whenever an API call is made using its access keys. This applies in every environment from which AWS API calls can be executed.

Each use of a set of AWS keys generates a corresponding log event that is sent to AWS. These log events are the mechanism for detecting use of the keys: they serve as a monitoring signal that can reveal unauthorized access or a potential security breach within an AWS environment. Canary tokens build on this feature and report when someone has used the AWS keys.
Keep the indicators.md file handy, as it lists the indicators that show a file is a canary token.
To identify whether an AWS key is a canary token, follow these steps:
- Obtain the Access Key ID and use the GetAWSAccountID.py script to retrieve the AWS Account ID.
- Compare the retrieved AWS Account ID with the canary token identifier 992382622183. If the Account ID matches this value, the AWS key is a canary token.
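The two steps above, as an added example that is not the page's GetAWSAccountID.py script and is not code from the canary token project: it recovers the account ID from an access key ID and checks it against the canary account ID given on the page, so an analyst triaging key IDs seen in a credential leak or in CloudTrail can tell a planted canary key from a real one. It assumes the publicly documented layout of AWS access key IDs (a four-character prefix followed by 16 base32 characters, with the account ID stored in bits 7 to 46 of the first six decoded bytes). The make_key_id_for_account helper only builds constructed sample key IDs for the demonstration; the key IDs it produces are not real credentials.

```python
import base64
import binascii

# Canary-token AWS account ID, as given on the page.
CANARY_ACCOUNT_ID = 992382622183

# Mask selecting the 40 bits (bits 7..46 of the first six decoded bytes) that carry the account ID.
_ACCOUNT_MASK = int.from_bytes(binascii.unhexlify(b"7fffffffff80"), byteorder="big", signed=False)


def account_id_from_key_id(access_key_id: str) -> int:
    """Recover the AWS account ID encoded in a 20-character access key ID (AKIA.../ASIA...).

    Assumes the publicly documented layout: drop the 4-character prefix, base32-decode the
    remaining 16 characters, and read the account ID from bits 7..46 of the first six bytes.
    """
    if len(access_key_id) != 20:
        raise ValueError("expected a 20-character access key ID")
    trimmed = access_key_id[4:]                     # drop the AKIA/ASIA prefix
    decoded = base64.b32decode(trimmed)              # 16 base32 chars -> 10 bytes
    leading = int.from_bytes(decoded[:6], byteorder="big", signed=False)
    return (leading & _ACCOUNT_MASK) >> 7


def is_canary_key(access_key_id: str) -> bool:
    """True if the key ID belongs to the canary-token account named on the page."""
    return account_id_from_key_id(access_key_id) == CANARY_ACCOUNT_ID


def make_key_id_for_account(account_id: int, prefix: str = "AKIA") -> str:
    """Build a constructed sample key ID that encodes `account_id` (test helper, not a real key).

    Inverse of account_id_from_key_id: place the 40-bit account ID at bits 7..46 of a
    six-byte field, pad to ten bytes, and base32-encode. The filler bytes are arbitrary.
    """
    if not 0 <= account_id < (1 << 40):
        raise ValueError("AWS account IDs fit in 40 bits")
    leading = (account_id << 7).to_bytes(6, byteorder="big")
    raw = leading + b"\x00\x00\x00\x00"              # constructed filler for the last four bytes
    return prefix + base64.b32encode(raw).decode("ascii")


def triage(key_ids):
    """Classify a batch of observed key IDs as canary-account keys or not."""
    return {k: ("canary" if is_canary_key(k) else "not-canary") for k in key_ids}


if __name__ == "__main__":
    # Constructed samples: one key encoding the canary account, one encoding an arbitrary account.
    samples = [make_key_id_for_account(CANARY_ACCOUNT_ID),
               make_key_id_for_account(123456789012)]
    for key, verdict in triage(samples).items():
        print(f"{key}  account={account_id_from_key_id(key)}  {verdict}")
```

Run the script to see the two constructed key IDs with their decoded account IDs and verdicts; to triage real key IDs, pass them to triage() instead of the constructed samples.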