
Independently deploy customized honeyservices in AWS to trigger alerts on unauthorized access. It utilizes a dedicated CloudTrail for precise detection and notification specifically for honeyservices activity.
Before deploying HoneyTrail, you must configure the tool according to your specific needs. Below is an example of the shared.auto.tfvars.json.example file included in this repository:
{
"enable_s3_event_selector": true,
"enable_dynamodb_event_selector": false,
"enable_lambda_event_selector": false,
"enable_sns": true,
"destination_email": "example@example.com",
"source_email": "",
"vpnapi_key": "",
"ses_identity": [""]
}
enable_s3_event_selector: Set to true to deploy an S3 bucket as a deception service. enable_dynamodb_event_selector: Set to true to deploy a DynamoDB table as a deception service. enable_lambda_event_selector: Set to true to deploy a Lambda function as a deception service. enable_sns: If true, alerts are sent via AWS SNS. This requires no other AWS service. destination_email: Mandatory. The email address where alerts will be sent. source_email: Required if using SES (SNS disabled) for notifications. vpnapi_key: Optional. If using SES (SNS disabled), you can specify a vpnapi.io key to include IP address information in the notifications. ses_identities: Required if using SES (SNS disabled), these are the identities the lambda will use to send the email.
HoneyTrail requires Terraform, here's a onliner to install it in CloudShell:
git clone https://github.com/tfutils/tfenv.git ~/.tfenv && mkdir -p ~/bin && ln -s ~/.tfenv/bin/* ~/bin/ && export PATH="$HOME/bin:$PATH" && tfenv install 1.9.8 && tfenv use 1.9.8
git clone https://github.com/adanalvarez/HoneyTrail/
terraform init to initialize the Terraform configuration.terraform apply to deploy the HoneyTrail services to your AWS environment.HoneyTrail includes a few components designed to detect attackers:
A CloudTrail monitors these services using an advanced event selector that focuses exclusively on specific activities such as accessing the S3 file, invoking the Lambda function, or querying the DynamoDB table. When an attacker interacts with any of these services, a CloudTrail log is generated and stored in an S3 bucket configured with Event Notifications. This feature triggers a Lambda function that is set up to alert you via Simple Notification Service (SNS) or Simple Email Service (SES), depending on the chosen configuration.

When an attacker interacts with any of the deployed services, a CloudTrail log is created and an alert is triggered. Alerts will be sent to the destination_email via SNS or SES, depending on your configuration.
Using SNS: This method sends alerts directly to an email without needing any extra setup. Using SES: If you choose SES, you can get more detailed notifications. Plus, if you use a free API key from vpnapi.io, the notifications will also include additional information about the IP address of the requester. However, this setup requires a previously configured SES identity.
$ claude mcp add HoneyTrail \
-- python -m otcore.mcp_server <graph>