Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers

Nick Frichette

fwd:cloudsec Europe 2025 · Day 2 · Main Room

Nick Frichette, a security researcher at Datadog, delivered a technically deep examination of **AWS access key honey tokens** — their implementation mechanisms, detection capabilities, known weaknesses, and strategies for building a more resilient deception program. The talk goes beyond the surface-level "sprinkle fake credentials and wait" narrative to reveal critical architectural details: not all API operations log to CloudTrail, some honey token providers inadvertently reveal themselves through IAM ARN naming conventions, and alternative detection mechanisms like the **credential report** and **GetAccessKeyLastUsed** API offer fundamentally different trade-offs in alerting speed versus coverage. With AWS's own Customer Incident Response Team reporting that leaked access keys account for 66% of initial access in incidents (20% of which are root credentials), the talk makes a compelling case for understanding honey tokens at the engineering level.
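As an added example (not code from the talk or from Datadog), the following Python script shows the GetAccessKeyLastUsed detection path described above: it polls the API for a list of honey-token key IDs and raises an alert whenever a key's last-used timestamp moves. `FakeIam`, the key IDs and the sample responses are constructed stand-ins for a boto3 IAM client so the script runs without AWS credentials.

```python
"""Honey-token access-key monitor built on IAM GetAccessKeyLastUsed.

Added example. `iam` is any object exposing get_access_key_last_used()
with boto3's response shape; FakeIam below is a constructed stand-in.
"""
import json
from datetime import datetime, timezone


def check_honey_tokens(iam, key_ids, state):
    """Return alerts for honey-token keys whose LastUsedDate changed.

    `state` maps key id -> ISO timestamp already alerted on. It is updated
    in place so the caller can persist it between polling runs.
    """
    alerts = []
    for key_id in key_ids:
        resp = iam.get_access_key_last_used(AccessKeyId=key_id)
        info = resp.get("AccessKeyLastUsed", {})
        used = info.get("LastUsedDate")  # absent until the key is first used
        if used is None:
            continue
        used_iso = used.astimezone(timezone.utc).isoformat()
        if state.get(key_id) != used_iso:  # first use, or a newer use
            alerts.append({
                "key_id": key_id,
                "user": resp.get("UserName"),
                "last_used": used_iso,
                "service": info.get("ServiceName"),
                "region": info.get("Region"),
            })
            state[key_id] = used_iso
    return alerts


class FakeIam:
    """Constructed stand-in for boto3's IAM client (not real AWS data)."""
    def __init__(self, responses):
        self.responses = responses

    def get_access_key_last_used(self, AccessKeyId):
        return self.responses[AccessKeyId]


SAMPLE = {  # constructed responses; key ids are placeholders
    "AKIAEXAMPLEHONEY0001": {"UserName": "honey-user", "AccessKeyLastUsed": {
        "LastUsedDate": datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc),
        "ServiceName": "sts", "Region": "us-east-1"}},
    "AKIAEXAMPLEHONEY0002": {"UserName": "honey-user", "AccessKeyLastUsed": {
        "ServiceName": "N/A", "Region": "N/A"}},  # never used
}

if __name__ == "__main__":
    state = {}
    print(json.dumps(check_honey_tokens(FakeIam(SAMPLE), list(SAMPLE), state)))
```

Unlike a CloudTrail alert, this path sees every key use regardless of which API was called, but the last-used timestamp lags the actual call, so it trades alerting speed for coverage.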

AI review

A masterclass in understanding the engineering behind AWS honey tokens, systematically dismantling popular implementations and proposing concrete improvements. Frichette combines deep AWS internals knowledge with practical offensive tradecraft to reveal that many deception programs are more fragile than their operators believe.
