AWS Credential Seeds

AWS credential files are very enticing; if somebody with a curious mind were to find such a file, they would be compelled to give it a try, just in case they were the keys to the kingdom.


Using AWS credentials as a deceptive asset can be valuable for several reasons.

Firstly, it can act as a decoy for cyber attackers who are attempting to steal sensitive data or disrupt operations. By providing fake or outdated credentials, it can waste the attacker’s time and resources, making it harder for them to achieve their objectives.

Secondly, using AWS credentials as a deceptive asset can also help organizations to identify and monitor unauthorized access attempts. The Seedata.IO platform will monitor activity on the fake credentials, so that security teams can detect and respond to any suspicious activity, potentially preventing a security breach.


Deploying AWS Credential seeds follows the same sequence for deploying any seeds type. Full instructions on this are available here


Put them in github repositories. Put them in OneDrive or G-Drive folders, or leave them in your workstations download folder

Overall, using AWS credentials as a deceptive asset can be a useful tool for organizations looking to enhance their security posture and protect against cyber threats.

How to test them

The easiest way is to use the built-in test feature within the Seedata.IO platform. This will perform a login attempt using the credentials, and lead to an alert at Baseline level.

If you want a more hands-on test, there are two key stages:

Install AWS-CLI on your workstation: Full instructions are available here : 

Issue an AWS-CLI command, using your seed AWS credentials as authentication for the request. Within your terminal, issue a command such as below, substituting your seed AWS credentials in place of <XXXX> and <YYYY>

AWS_ACCESS_KEY_ID=<XXXX> AWS_SECRET_ACCESS_KEY=<YYYY> aws sts get-caller-identity

There will be a short delay, as the event needs to pass through a number of AWS services (likely, no more than 10 minutes), then you will see a Baseline event on the seedata.IO dashboard and any alerts you may have configured