2025-09-16 –, Main Room
According to AWS, approximately 66% of AWS security incidents begin with leaked access keys. Threat actors consistently search the internet for exposed credentials, rapidly exploiting any keys they discover. However, defenders can turn this very behavior into an advantage through honey tokens, deliberately exposed AWS access keys designed specifically to trigger alerts upon use.
While honey tokens can be incredibly useful for detecting attacker activity in your environment, not all honey tokens are built the same way. Some can even be trivial to bypass. In this session, we'll cover the nuances of AWS honey tokens in depth. We’ll discuss different types of honey tokens, how they work, potential detection evasion opportunities, and we’ll even share an open source tool to help you deploy resilient, evasion-proof honey tokens in your own environments.
Additionally, this session will dive into the internals of the AWS API, covering how some honey tokens can even alert when used with undocumented APIs, non-production endpoints, and more. Attendees will learn advanced strategies for detecting sophisticated threat actors.
Whether you’re just beginning to explore deception technology or you're a seasoned practitioner, this talk will cover the key things to know and help you stay one step ahead of threat actors.
Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in offensive AWS security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.