dev.to

Building a Cloud-Native S3 Honeypot Detection Pipeline on AWS

Building a Cloud-Native S3 Honeypot Detection Pipeline on AWS Table of Contents Introduction Step 1: Deploy a Private Honeypot Bucket Step 2: Log S3 Data Events with CloudTrail → CloudWatch Step 3: Create a CloudWatch Metric Filter Step 4: Alarm & SNS Notification Step 5: Lambda Automation to Tag VPC Testing the Pipeline Next-Level Enhancements Conclusion Introduction In this blog post, I’ll demonstrate how to build an end-to-end honeypot detection pipeline on AWS—catching unauthorized access to a decoy S3 file, alerting the team, and automatically tagging the attacker’s VPC. We’ll leverage AWS-native services like S3, CloudTrail, CloudWatch, Lambda, and SNS to create a turnkey security solution. Step 1: Deploy a Private Honeypot Bucket Create your S3 bucket Name: javierlabs-sensitive-docs Region: ap-southeast-2 Block all public access Upload decoy files: aws-keys.txt (fake credentials) passwords.csv internal-financials.xlsx README.txt (⚠️ Confidential banner) Lock it down & allow GuardDuty access: { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowGuardDutyAccess", "Effect":"Allow", "Principal":{"Service":"guardduty.amazonaws.com"}, "Action":["s3:GetObject","s3:ListBucket"], "Resource":[ "arn:aws:s3:::javierlabs-sensitive-docs", "arn:aws:s3:::javierlabs-sensitive-docs/*" ], "Condition":{"StringEquals":{"AWS:SourceAccount":"070978211986"}} } ] } Step 2: Log S3 Data Events with CloudTrail → CloudWatch Enable CloudTrail S3 data events for read/write on your bucket. Send logs to CloudWatch Logs, using a log group like /aws/cloudtrail/honeypot-logs. Step 3: Create a CloudWatch Metric Filter In the /aws/cloudtrail/honeypot-logs log group: Pattern: { ($.eventName = "GetObject" || $.eventName = "HeadObject") && $.requestParameters.key = "aws-keys.txt" } Metric: Namespace: HoneypotDetection Name: AccessedAWSKeysFile Value: 1 Step 4: Alarm & SNS Notification From the metric (HoneypotDetection/AccessedAWSKeysFile), create an alarm: Trigger when >= 1 in 1 datapoint. Attach SNS action to topic honeypot-alerts. Name: AlertOnAWSKeysAccess. Confirm your email subscription in SNS. Step 5: Lambda Automation to Tag VPC TagAttackerIP Function import json, boto3 from datetime import datetime, timedelta LOOKBACK_MINUTES = 5 VPC_ID = "vpc-078816b7d00f13bd4" def lambda_handler(event, context): print("Alarm Event:", json.dumps(event, indent=2)) if event['detail'].get('alarmName') != 'AlertOnAWSKeysAccess': return {"status":"ignored"} region = event.get('region','ap-southeast-2') ct = boto3.client('cloudtrail', region_name=region) end = datetime.utcnow() start = end - timedelta(minutes=LOOKBACK_MINUTES) ip = None for action in ("GetObject","HeadObject"): resp = ct.lookup_events( LookupAttributes=[{"AttributeKey":"EventName","AttributeValue":action}], StartTime=start, EndTime=end, MaxResults=10 ) for evt in resp.get("Events",[]): p = json.loads(evt["CloudTrailEvent"]) if (p.get("eventSource")=="s3.amazonaws.com" and p.get("requestParameters",{}).get("key")=="aws-keys.txt"): ip = p.get("sourceIPAddress"); break if ip: break if not ip: return {"status":"no_ip_found"} print("Found attacker IP:", ip) ec2 = boto3.client('ec2', region_name=region) ec2.create_tags( Resources=[VPC_ID], Tags=[{"Key":"SuspectedAttackerIP","Value":ip}] ) return {"status":"success","ip":ip} IAM Policy: { "Statement":[ {"Action":"cloudtrail:LookupEvents","Effect":"Allow","Resource":"*"}, {"Action":"ec2:CreateTags","Effect":"Allow", "Resource":"arn:aws:ec2:ap-southeast-2:070978211986:vpc/vpc-078816b7d00f13bd4"} ] } Testing the Pipeline Trigger a HEAD/GET: curl -I https://javierlabs-sensitive-docs.s3.amazonaws.com/aws-keys.txt CloudWatch Alarm goes ALARM, email arrives. Lambda logs show “Found attacker IP: …”. VPC tags now include the attacker's IP address Next-Level Enhancements Persist hits to DynamoDB with TTL. Auto-block via WAF or Security Groups. Enrich with Threat Intel feeds. Deploy cross-region honeypots. Use CloudFront signed URLs for advanced deception. Conclusion By combining AWS-native logging, monitoring, and serverless automation, you can build a robust real-time honeypot detection and response platform with minimal overhead—ideal for any cloud security engineer’s portfolio. Happy hunting! Feel free to leave feedback or ask questions in the comments.

May 17, 2025 - 14:18
 0
Building a Cloud-Native S3 Honeypot Detection Pipeline on AWS

Building a Cloud-Native S3 Honeypot Detection Pipeline on AWS

Table of Contents

  1. Introduction
  2. Step 1: Deploy a Private Honeypot Bucket
  3. Step 2: Log S3 Data Events with CloudTrail → CloudWatch
  4. Step 3: Create a CloudWatch Metric Filter
  5. Step 4: Alarm & SNS Notification
  6. Step 5: Lambda Automation to Tag VPC
  7. Testing the Pipeline
  8. Next-Level Enhancements
  9. Conclusion

Introduction
In this blog post, I’ll demonstrate how to build an end-to-end honeypot detection pipeline on AWS—catching unauthorized access to a decoy S3 file, alerting the team, and automatically tagging the attacker’s VPC. We’ll leverage AWS-native services like S3, CloudTrail, CloudWatch, Lambda, and SNS to create a turnkey security solution.

Step 1: Deploy a Private Honeypot Bucket
Create your S3 bucket

  • Name: javierlabs-sensitive-docs
  • Region: ap-southeast-2
  • Block all public access
  • Upload decoy files:

aws-keys.txt (fake credentials)
passwords.csv
internal-financials.xlsx
README.txt (⚠️ Confidential banner)

Image description

Lock it down & allow GuardDuty access:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowGuardDutyAccess",
      "Effect":"Allow",
      "Principal":{"Service":"guardduty.amazonaws.com"},
      "Action":["s3:GetObject","s3:ListBucket"],
      "Resource":[
        "arn:aws:s3:::javierlabs-sensitive-docs",
        "arn:aws:s3:::javierlabs-sensitive-docs/*"
      ],
      "Condition":{"StringEquals":{"AWS:SourceAccount":"070978211986"}}
    }
  ]
}

Step 2: Log S3 Data Events with CloudTrail → CloudWatch

  • Enable CloudTrail S3 data events for read/write on your bucket.
  • Send logs to CloudWatch Logs, using a log group like /aws/cloudtrail/honeypot-logs.

Step 3: Create a CloudWatch Metric Filter

In the /aws/cloudtrail/honeypot-logs log group:
Pattern:

{ ($.eventName = "GetObject" || $.eventName = "HeadObject")
  && $.requestParameters.key = "aws-keys.txt" }

Metric:

  • Namespace: HoneypotDetection
  • Name: AccessedAWSKeysFile
  • Value: 1

Step 4: Alarm & SNS Notification
From the metric (HoneypotDetection/AccessedAWSKeysFile), create an alarm:

Trigger when >= 1 in 1 datapoint.

Attach SNS action to topic honeypot-alerts.

Name: AlertOnAWSKeysAccess.

Confirm your email subscription in SNS.

Image description

Step 5: Lambda Automation to Tag VPC
TagAttackerIP Function

import json, boto3
from datetime import datetime, timedelta

LOOKBACK_MINUTES = 5
VPC_ID = "vpc-078816b7d00f13bd4"

def lambda_handler(event, context):
    print("Alarm Event:", json.dumps(event, indent=2))
    if event['detail'].get('alarmName') != 'AlertOnAWSKeysAccess':
        return {"status":"ignored"}

    region = event.get('region','ap-southeast-2')
    ct = boto3.client('cloudtrail', region_name=region)
    end = datetime.utcnow()
    start = end - timedelta(minutes=LOOKBACK_MINUTES)

    ip = None
    for action in ("GetObject","HeadObject"):
        resp = ct.lookup_events(
            LookupAttributes=[{"AttributeKey":"EventName","AttributeValue":action}],
            StartTime=start, EndTime=end, MaxResults=10
        )
        for evt in resp.get("Events",[]):
            p = json.loads(evt["CloudTrailEvent"])
            if (p.get("eventSource")=="s3.amazonaws.com"
                and p.get("requestParameters",{}).get("key")=="aws-keys.txt"):
                ip = p.get("sourceIPAddress"); break
        if ip: break

    if not ip: return {"status":"no_ip_found"}
    print("Found attacker IP:", ip)

    ec2 = boto3.client('ec2', region_name=region)
    ec2.create_tags(
        Resources=[VPC_ID],
        Tags=[{"Key":"SuspectedAttackerIP","Value":ip}]
    )
    return {"status":"success","ip":ip}

IAM Policy:

{
  "Statement":[
    {"Action":"cloudtrail:LookupEvents","Effect":"Allow","Resource":"*"},
    {"Action":"ec2:CreateTags","Effect":"Allow",
     "Resource":"arn:aws:ec2:ap-southeast-2:070978211986:vpc/vpc-078816b7d00f13bd4"}
  ]
}

Testing the Pipeline
Trigger a HEAD/GET:

curl -I https://javierlabs-sensitive-docs.s3.amazonaws.com/aws-keys.txt

CloudWatch Alarm goes ALARM, email arrives.

Lambda logs show “Found attacker IP: …”.

VPC tags now include the attacker's IP address

Image description

Image description

Next-Level Enhancements
Persist hits to DynamoDB with TTL.

Auto-block via WAF or Security Groups.

Enrich with Threat Intel feeds.

Deploy cross-region honeypots.

Use CloudFront signed URLs for advanced deception.

Conclusion

By combining AWS-native logging, monitoring, and serverless automation, you can build a robust real-time honeypot detection and response platform with minimal overhead—ideal for any cloud security engineer’s portfolio.

Happy hunting!
Feel free to leave feedback or ask questions in the comments.

Read More

Tags:

Previous Article

Why the Future of AI Note Taking is Local, Offline, and Open Source: Taking Back...

Next Article

Breaking Up With ORMs – Part One: Reclaiming Control with Custom SQL Adapters

Related Posts

Unveiling European Union Public License 1.2: Balancing Fair Code and Open Source Innovation

Unveiling European Union Public License 1.2: Balancing ...

May 14, 2025  0

How to Schedule Daily Local Notifications in Ionic 3?

How to Schedule Daily Local Notifications in Ionic 3?

May 11, 2025  0

First Aid Essentials: What Climbers Should Always Carry by Mountaineering Buffs like Cesar Alcantara

First Aid Essentials: What Climbers Should Always Carry...

May 12, 2025  0