Honeypots made for a cloud native world.
Only low-interaction ones currently (but see this issue).
- Pick an AWS VPC you want to deploy the honeypot to
- Pick a subnet from that VPC to deploy the honeypot to
- Get the
honeypot.yamlCloudformation stack template from the latest of the aws-cloudformation Github Releases - Deploy the stack template, inputting the VPC id and subnet id as stack parameters
You should get 1 Fargate task running on ECS for the honeypot itself and an associated Eventbridge event bus.
When hit with GET requests, the task will publish events to the event bus.
You can add an Evenbridge rule to the event bus to react to the events.
For example, you could add a rule targeting events with source cloud-native-honeypot that invokes an SNS topic, which then notifies humans of the events.
There are several alternatives to this that are worth considering
Reserving an ip address with an ENI, then alerting on any flow logs with a matching destination ip address is another way to achieve the same effect.
However it's less extensible than the approach here, as it can't be generalized to become a "high-interaction" honeypot that emulates a realistic server.
If you have the means, paying for a honeypot from a vendor (e.g. ThinkstCanary) is likely a better option.
There are other open source options out there to self-host (e.g. T-Pot) but I didn't find any that seemed easy to deploy and integrate into cloud resources.
Check out the subproject README.md files for more information