AWS Credentials File Security

The AWS credentials file (typically ~/.aws/credentials on Linux and macOS, or %USERPROFILE%\.aws\credentials, e.g. C:\Users\You\.aws\credentials, on Windows) is the default location for the access keys that the AWS CLI and SDKs use to authenticate to Amazon Web Services.

Anyone who can read this file gets everything those access keys are allowed to do in AWS. That might be your data backups in S3, development servers, source code, or even production systems (though keys for those really should not be stored on a workstation at all).

That makes the credentials file one of the highest-value files that malware or an attacker will look for on a compromised machine.

If you use the AWS command line tools, or any of the many other tools that store data in AWS or Amazon S3, it is very likely that your credentials live in this file: the aws configure command used in most guides stores credentials here, and for a local workstation there is no simpler alternative.

Protect the file with a Canary

A canary (sometimes called a honeytoken or honeypot) is something that looks valuable to an attacker but grants no real access; instead, any attempt to use it sends you an alert warning you of their presence.

This gives you critical time to protect your systems, and limit the scope of a breach.

We can create a set of fake canary AWS credentials using traitorbird, place them in the credentials file alongside the genuine ones, and as soon as an attacker attempts to use them you will be alerted that the credentials file has been compromised.

Create Canary Credentials with Traitorbird

1. Create Token

After creating an account, choose "create token" from your tokens list to create a new canary token credential. A normal account costs $49/year or the local equivalent. We don't offer a free trial, but contact us if you have any questions or problems and we'll sort it out.

2. Enter Name and Details

Then enter a name and description for this token, and any additional email addresses that you want to send alerts to. Confirm to complete the token creation:

The name will be included in alerts sent about this token. It should tell you where the token is used, so if an alert occurs you know which device has been attacked.

The description is not included in alerts, but you can make any additional notes here to help you remember details about this token.

Your own email address is included by default in alerts. If you need to, you can change any of these details later from the tokens list.

3. Copy the Token Credentials

Finally, copy the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the confirmation screen. We'll now place these canary credentials into our credentials file. If you need to, you can view them again later via "show details" > "show token credentials and setup instructions" in your token list.

Add the new Canary Credentials Using aws configure

You can edit the ~/.aws/credentials file manually in your editor of choice, but if you are already using the AWS command line tools it is easy to add the credentials with the aws configure command. The --profile option sets the name of the profile these credentials will be stored under. Don't use 'default', and don't reuse an existing profile name (that would overwrite your real keys), but you can use this random suggestion:

You don't have to enter a default region, but doing so makes it easier to test the canary later (aws configure writes the region to ~/.aws/config rather than to the credentials file). Leave the default output format blank.

The result should be a new section in your credentials file, headed with the profile name and containing the canary aws_access_key_id and aws_secret_access_key, like this:

Alerts if the File is Compromised

If malware or an intruder obtains the credentials file, you'll receive an alert email the moment they attempt to use the canary credentials. Note that the alert fires on use, not on read, so the canary complements file permissions rather than replacing them.

To test this alert, and see what it will look like, run any AWS CLI command using the profile name you chose when saving the credentials:
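The following script is an added example, not traitorbird's own tooling or setup instructions. It does by hand what the "Add the new Canary Credentials Using aws configure" steps above describe, on a constructed credentials file rather than your real one: it refuses to touch the default profile or overwrite an existing one, appends the canary section in the same format aws configure writes, shows the resulting section, and then fires the canary with a harmless STS call. The profile name canary-work-laptop, the AKIA.../secret values and the us-east-1 fallback region are placeholders; the default profile uses the well-known documentation example keys.

```shell
#!/bin/sh
# Added example: manage a canary profile in an AWS credentials file without
# disturbing existing profiles, then trigger it. Names and key values below
# are constructed placeholders, not real or traitorbird-issued credentials.

# has_profile FILE NAME -> exit 0 if a "[NAME]" section header exists
has_profile() {
    grep -qxF "[$2]" "$1" 2>/dev/null
}

# list_profiles FILE -> one section name per line
list_profiles() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# show_profile FILE NAME -> print the section as it appears in the file
show_profile() {
    awk -v want="[$2]" '
        /^\[/ { p = ($0 == want) }
        p     { print }
    ' "$1"
}

# add_canary_profile FILE NAME KEY_ID SECRET
# Writes the same lines `aws configure --profile NAME` would, but refuses to
# use "default" or to overwrite any profile that already exists.
add_canary_profile() {
    file=$1; name=$2; key_id=$3; secret=$4
    if [ "$name" = default ]; then
        echo "refusing to use the default profile for a canary" >&2
        return 1
    fi
    if has_profile "$file" "$name"; then
        echo "profile '$name' already exists in $file; pick another name" >&2
        return 1
    fi
    # Start the new section on its own line even if the file has no trailing newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$name" "$key_id" "$secret" >> "$file"
    chmod 600 "$file"   # keys are secrets; keep the file owner-only
}

# fire_canary FILE NAME -> one harmless call with the canary profile.
# AWS_SHARED_CREDENTIALS_FILE points the CLI at FILE instead of ~/.aws/credentials.
# Real keys just return the caller's ARN; canary keys trigger the alert email.
fire_canary() {
    if ! command -v aws >/dev/null 2>&1; then
        echo "aws CLI not installed; would run: aws sts get-caller-identity --profile $2" >&2
        return 1
    fi
    AWS_SHARED_CREDENTIALS_FILE=$1 aws sts get-caller-identity \
        --profile "$2" --region "${AWS_DEFAULT_REGION:-us-east-1}"
}

# --- demo on a constructed credentials file (never edit the real one blindly) ---
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
# Placeholder canary pair; substitute the values copied from the confirmation screen.
add_canary_profile "$demo_file" canary-work-laptop AKIACANARYEXAMPLE0001 CanarySecretExampleValue
echo "--- canary section as written ---"
show_profile "$demo_file" canary-work-laptop
echo "--- profiles now in the file ---"
list_profiles "$demo_file"
# Uncomment to actually trigger the canary (requires the aws CLI and real canary keys):
# fire_canary "$demo_file" canary-work-laptop
rm -f "$demo_file"
```

Pointing the script at your real file means passing ~/.aws/credentials as FILE; the has_profile guard is what stops a typo in the profile name from silently replacing genuine keys. If aws sts get-caller-identity complains about a missing region, either configure one for the canary profile or pass --region explicitly as fire_canary does.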

Hopefully you will never receive such an alert for real, but with the canary in place you can rest with a little more peace of mind.

If you have any questions or comments about using AWS canary tokens just get in touch and we'll do our best to help!
