DEV Community

Javier Seng

Building a Cloud-Native S3 Honeypot Detection Pipeline on AWS

Table of Contents

  1. Introduction
  2. Step 1: Deploy a Private Honeypot Bucket
  3. Step 2: Log S3 Data Events with CloudTrail → CloudWatch
  4. Step 3: Create a CloudWatch Metric Filter
  5. Step 4: Alarm & SNS Notification
  6. Step 5: Lambda Automation to Tag VPC
  7. Testing the Pipeline
  8. Next-Level Enhancements
  9. Conclusion

Introduction
In this blog post, I’ll demonstrate how to build an end-to-end honeypot detection pipeline on AWS: catching any read of a decoy S3 object, alerting the team, and automatically tagging a VPC in your own account with the suspected attacker’s source IP so responders see it where they already look. We’ll leverage AWS-native services (S3, CloudTrail, CloudWatch, Lambda and SNS) to create a turnkey detection-and-response loop with no third-party components.

Step 1: Deploy a Private Honeypot Bucket
Create your S3 bucket:

  • Name: javierlabs-sensitive-docs
  • Region: ap-southeast-2
  • Block all public access (all four settings on)
  • Upload decoy files:
      • aws-keys.txt (fake credentials; this is the object the pipeline alarms on)
      • passwords.csv
      • internal-financials.xlsx
      • README.txt (⚠️ Confidential banner)

Keep it private (Block Public Access is what locks the bucket down; no policy statement should grant anything to the public) and add a bucket policy that lets only the GuardDuty service principal read it, scoped to your own account. Be aware that GuardDuty’s own reads of the decoys will show up in CloudTrail as the guardduty.amazonaws.com service principal, so the detection logic later on has to tell them apart from real hits:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowGuardDutyAccess",
      "Effect":"Allow",
      "Principal":{"Service":"guardduty.amazonaws.com"},
      "Action":["s3:GetObject","s3:ListBucket"],
      "Resource":[
        "arn:aws:s3:::javierlabs-sensitive-docs",
        "arn:aws:s3:::javierlabs-sensitive-docs/*"
      ],
      "Condition":{"StringEquals":{"aws:SourceAccount":"070978211986"}}
    }
  ]
}

Step 2: Log S3 Data Events with CloudTrail → CloudWatch

  • Enable CloudTrail data events for this bucket (read and write). Data events are off by default, and logging them for every bucket is both noisy and costly, so scope the selector to arn:aws:s3:::javierlabs-sensitive-docs/ only.
  • Send the trail to CloudWatch Logs, using a log group like /aws/cloudtrail/honeypot-logs (CloudTrail needs an IAM role allowed to create streams and put events in that group). Every S3 request against the bucket, including denied ones, now lands there as one JSON record per log event.

Step 3: Create a CloudWatch Metric Filter

In the /aws/cloudtrail/honeypot-logs log group, add a metric filter with this pattern (CloudWatch Logs JSON filter syntax; a denied GetObject still carries the key, so failed attempts count too):
Pattern:

{ ($.eventName = "GetObject" || $.eventName = "HeadObject")
  && $.requestParameters.key = "aws-keys.txt" }

Metric:

  • Namespace: HoneypotDetection
  • Name: AccessedAWSKeysFile
  • Value: 1

Step 4: Alarm & SNS Notification
From the metric (HoneypotDetection/AccessedAWSKeysFile), create an alarm:

  • Name: AlertOnAWSKeysAccess.
  • Statistic Sum over a 1-minute period; trigger when >= 1 in 1 datapoint.
  • Treat missing data as notBreaching, so quiet minutes return the alarm to OK rather than INSUFFICIENT_DATA and it can fire again on the next hit.
  • Attach an SNS action to topic honeypot-alerts.
  • Confirm your email subscription in SNS; an unconfirmed subscription silently drops the notification.

Step 5: Lambda Automation to Tag VPC
TagAttackerIP Function

Invoke the function from an EventBridge rule on the alarm (source aws.cloudwatch, detail-type "CloudWatch Alarm State Change"); that is the event shape the handler reads. The handler pulls the matching hits from the CloudWatch Logs group populated in Step 2 rather than from CloudTrail’s LookupEvents API, which returns management events only and would never see an S3 GetObject/HeadObject data event. Reads made by the GuardDuty service principal are skipped so the tag never points at an AWS service. "Tag VPC" means tagging a VPC in your own account with the suspected source IP for responders to see; the attacker’s own VPC is not something you can observe or tag.

import json
import boto3
from datetime import datetime, timedelta, timezone

LOOKBACK_MINUTES = 5
VPC_ID = "vpc-078816b7d00f13bd4"             # a VPC in our account; it receives the tag
LOG_GROUP = "/aws/cloudtrail/honeypot-logs"   # where Step 2 delivers the S3 data events
ALARM_NAME = "AlertOnAWSKeysAccess"
# Same pattern as the Step 3 metric filter, so the function sees exactly what alarmed.
FILTER_PATTERN = ('{ ($.eventName = "GetObject" || $.eventName = "HeadObject")'
                  ' && $.requestParameters.key = "aws-keys.txt" }')

def lambda_handler(event, context):
    # Invoked by an EventBridge rule for "CloudWatch Alarm State Change".
    print("Alarm Event:", json.dumps(event, indent=2))
    detail = event.get("detail", {})
    if detail.get("alarmName") != ALARM_NAME:
        return {"status": "ignored"}
    # The rule also fires on ALARM -> OK; only act on the transition into ALARM.
    if detail.get("state", {}).get("value") != "ALARM":
        return {"status": "ignored_state"}

    region = event.get("region", "ap-southeast-2")
    end = datetime.now(timezone.utc)              # utcnow() is deprecated and naive
    start = end - timedelta(minutes=LOOKBACK_MINUTES)

    # CloudTrail LookupEvents only returns management events, so the S3 data events
    # have to be read from the log group they were delivered to.
    logs = boto3.client("logs", region_name=region)
    resp = logs.filter_log_events(
        logGroupName=LOG_GROUP,
        startTime=int(start.timestamp() * 1000),  # CloudWatch Logs wants epoch millis
        endTime=int(end.timestamp() * 1000),
        filterPattern=FILTER_PATTERN,
        limit=50,
    )

    ip = None
    for evt in resp.get("events", []):
        p = json.loads(evt["message"])            # one CloudTrail record per log event
        src = p.get("sourceIPAddress", "")
        # Reads by AWS services (e.g. the GuardDuty principal allowed in the bucket
        # policy) carry a service hostname here rather than a client IP: not an attacker.
        if not src or src.endswith(".amazonaws.com"):
            continue
        ip = src
        break

    if not ip:
        return {"status": "no_ip_found"}
    print("Found attacker IP:", ip)

    ec2 = boto3.client("ec2", region_name=region)
    ec2.create_tags(
        Resources=[VPC_ID],
        Tags=[{"Key": "SuspectedAttackerIP", "Value": ip}]
    )
    return {"status": "success", "ip": ip}

IAM Policy (in addition to the basic Lambda execution role that lets the function write its own logs); the tag permission is pinned to the one VPC and the one tag key:

{
  "Version":"2012-10-17",
  "Statement":[
    {"Action":"logs:FilterLogEvents","Effect":"Allow",
     "Resource":"arn:aws:logs:ap-southeast-2:070978211986:log-group:/aws/cloudtrail/honeypot-logs:*"},
    {"Action":"ec2:CreateTags","Effect":"Allow",
     "Resource":"arn:aws:ec2:ap-southeast-2:070978211986:vpc/vpc-078816b7d00f13bd4",
     "Condition":{"ForAllValues:StringEquals":{"aws:TagKeys":["SuspectedAttackerIP"]}}}
  ]
}
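To see concretely what the Step 3 filter pattern counts and what the Step 5 function ends up writing into the tag, here is an added example (my own code, not part of the original post) that runs the same logic over a few constructed CloudTrail S3 data-event records in the form they arrive in the log group. The record contents, the 198.51.100.7 and 203.0.113.10 addresses, and the function names are constructed for illustration; bucket, key and event names follow the post. It also shows why reads by the GuardDuty principal allowed in Step 1 must be filtered out before tagging.

```python
import json
from typing import Optional

HONEYPOT_BUCKET = "javierlabs-sensitive-docs"
HONEYPOT_KEY = "aws-keys.txt"
WATCHED_ACTIONS = {"GetObject", "HeadObject"}

# Constructed CloudTrail S3 data-event records, one JSON document per CloudWatch Logs
# event, trimmed to the fields the detection logic reads. Not real log data.
SAMPLE_LOG_LINES = [
    # 1. A read of a different decoy file: the alarm is keyed on aws-keys.txt only.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::070978211986:user/dev"},
                "requestParameters": {"bucketName": HONEYPOT_BUCKET, "key": "passwords.csv"}}),
    # 2. GuardDuty reading the decoy through the bucket-policy grant: matches the filter,
    #    but sourceIPAddress / invokedBy identify an AWS service, not an attacker.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "sourceIPAddress": "guardduty.amazonaws.com",
                "userIdentity": {"type": "AWSService", "invokedBy": "guardduty.amazonaws.com"},
                "requestParameters": {"bucketName": HONEYPOT_BUCKET, "key": HONEYPOT_KEY}}),
    # 3. Anonymous HEAD that Block Public Access rejected: still a touch of the decoy.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "HeadObject",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "AWSAccount", "accountId": "anonymous"},
                "errorCode": "AccessDenied",
                "requestParameters": {"bucketName": HONEYPOT_BUCKET, "key": HONEYPOT_KEY}}),
    # 4. Our own upload of the decoy: a write, not a read.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::070978211986:user/dev"},
                "requestParameters": {"bucketName": HONEYPOT_BUCKET, "key": HONEYPOT_KEY}}),
]


def parse_log_lines(lines):
    """Each CloudWatch Logs event message is one CloudTrail record serialized as JSON."""
    return [json.loads(line) for line in lines]


def matches_metric_filter(record: dict) -> bool:
    """Python equivalent of the Step 3 pattern:
    { ($.eventName = "GetObject" || $.eventName = "HeadObject")
      && $.requestParameters.key = "aws-keys.txt" }
    Like the filter, it counts denied requests too: the attempt is the signal."""
    params = record.get("requestParameters") or {}
    return (record.get("eventName") in WATCHED_ACTIONS
            and params.get("key") == HONEYPOT_KEY)


def count_hits(records) -> int:
    """What the HoneypotDetection/AccessedAWSKeysFile metric would sum: 1 per match."""
    return sum(1 for r in records if matches_metric_filter(r))


def is_aws_service_call(record: dict) -> bool:
    """Reads made on our behalf by an AWS service (the GuardDuty grant in Step 1) carry
    a service hostname instead of a client IP; tagging the VPC with that is noise."""
    src = record.get("sourceIPAddress", "")
    invoked_by = (record.get("userIdentity") or {}).get("invokedBy", "")
    return src.endswith(".amazonaws.com") or invoked_by.endswith(".amazonaws.com")


def first_attacker_ip(records) -> Optional[str]:
    """The value the Step 5 handler writes into the SuspectedAttackerIP tag."""
    for r in records:
        if matches_metric_filter(r) and not is_aws_service_call(r):
            return r.get("sourceIPAddress")
    return None


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print("metric datapoints:", count_hits(recs))          # 2 (records 2 and 3)
    print("suspected attacker:", first_attacker_ip(recs))  # 198.51.100.7
```

Record 2 shows the gap the GuardDuty grant leaves: it raises the metric (and therefore the alarm and the email) even though the tagging step skips it. If that proves noisy, extend the metric filter pattern with `&& $.userIdentity.type != "AWSService"` so service-principal reads never reach the alarm at all.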

Testing the Pipeline
Trigger a HEAD/GET against the decoy object:

curl -I <honeypot url>

With Block Public Access on, the anonymous request gets an HTTP 403, but the attempt is still recorded as a HeadObject data event with errorCode AccessDenied, which is enough to match the filter. To exercise the authenticated path as well, run the same read from a test identity in the account:

aws s3api head-object --bucket javierlabs-sensitive-docs --key aws-keys.txt

Then check, in order:

  • The record appears in /aws/cloudtrail/honeypot-logs (data-event delivery takes a few minutes, so the alarm is near-real-time, not instant).
  • The CloudWatch alarm goes to ALARM and the email arrives.
  • The Lambda logs show “Found attacker IP: …”.
  • The VPC’s tags now include SuspectedAttackerIP set to the address the test came from (your own IP in this case).

Next-Level Enhancements
  • Persist hits to DynamoDB with TTL, so repeat offenders and timelines survive beyond a single tag value.
  • Auto-block the source: for direct S3 access that means a Deny statement in the bucket policy keyed on aws:SourceIp (AWS WAF only applies if the decoy is served through CloudFront, and security groups only govern your own instances).
  • Enrich with threat intel feeds.
  • Deploy cross-region honeypots.
  • Use CloudFront signed URLs for advanced deception.

Conclusion

By combining AWS-native logging, monitoring, and serverless automation, you can build a robust real-time honeypot detection and response platform with minimal overhead—ideal for any cloud security engineer’s portfolio.

Happy hunting!
Feel free to leave feedback or ask questions in the comments.
