Great idea, we had part of a private repo accidentally made public at some point and these kind of honeypot keys would've been triggered pretty quickly and let us know. Would definitely be a cool way to know if something has been leaked.
Nice write up and 'how to' guide. I am going to implement this in our organisation.
All private repos here, but we once had some inadvertently commit a development '.env' file with credentials in it to our remote Git repo (they did it before we added '.env*' to our .gitignore file). We might start peppering our .env files with honeypot keys just to track if they have somehow been compromised outside the company.
This should also be called "how to get your account locked by AWS in 15 minutes or less."
AWS is not fond of finding AWS keys laying around (limited permissions or otherwise). I once committed a key to a GitHub repo and AWS called me within 15 minutes. I've seen cases where they will then lock your account (preventing it from creating new EC2 resources) until the key is deleted.
Seriously, don't do this.
EDIT: as others have mentioned, private repos would be fine (and a good idea).
The whole point is that AWS (nor any other outside party) would not find the keys. The article explicitly mentions:
On servers in a text file in ~/.aws/credentials (where a lot of tooling saves AWS credentials)
On your developer laptop in the same locations
In application or systemd environment variable configuration files
In files named ’credentials’ or in application configuration files in private, sensitive Github repos
Unless amazon somehow has access to private github repos, they should not see the keys
Recently Github crippled (unfortunately) the Search function so that you can't search something in all the repositories at once (if you try it says that you "Must include at least one user, organization, or repository").
I used to use it to find out how other people use different library functions in the wild and it helped me to find good code examples many times in the past (especially when there were no documentation on the API). I wonder if there is any other code searching service with comparable coverage and quality.
Hmm, your link shows me the same "Must include at least one user, organization, or repository" message that I've mentioned. Maybe they removed the feature only for not logged in users. Can't check it right now as I don't have my Github password on my phone.
Yeah, putting the keys on Github seems pointless and contrived: there's no remediation to putting a known-bad key out in the open. What are you going to do: block their IP? Oh boy.
I see value in the other examples, though, because they are dead simple tripwires, and, unless AWS is scanning your instances, they should never see this and it shouldn't be a problem.
The idea is to use private repos on Github, not public ones, which just tell you that yes, someone can read a public repo and misuse a key. Not that your private repos have potentialyl been compromised.
Using this method, you could have revoked AWS keys notify you if someone who recently quit your team or was fired is attempting to access your systems.
Yeah, I think it’s tricky to figure out how to place it somewhere that attackers would look but AWS tooling wouldn’t, by default, since otherwise they may be used in legitimate operation.
