I built this because Canarytokens.org has a published static bypass — TruffleHog identifies their AWS keys without triggering them by pattern-matching the key format. It's in TruffleHog's own README.
The other issue is CloudTrail latency. Median ~2-3 minutes. For a compromised AI agent that can enumerate credentials and pivot in under 10 seconds, that's too slow.
Snare plants fake credentials that fire at resolution time — before any API call, before CloudTrail sees anything. The awsproc canary uses AWS's credential_process feature: a shell command that runs when the SDK resolves credentials. The callback fires before the first packet leaves the machine.
Three precision canaries by default: awsproc (AWS), ProxyCommand (SSH), fake server URL (k8s). All fire on active use only, near-zero false positives from your own tooling.
Happy to dig into the implementation or threat model in the comments.
trevxr•1h ago
The other issue is CloudTrail latency. Median ~2-3 minutes. For a compromised AI agent that can enumerate credentials and pivot in under 10 seconds, that's too slow.
Snare plants fake credentials that fire at resolution time — before any API call, before CloudTrail sees anything. The awsproc canary uses AWS's credential_process feature: a shell command that runs when the SDK resolves credentials. The callback fires before the first packet leaves the machine.
Three precision canaries by default: awsproc (AWS), ProxyCommand (SSH), fake server URL (k8s). All fire on active use only, near-zero false positives from your own tooling.
Happy to dig into the implementation or threat model in the comments.