How to Deploy and Setup HoneyDrop Honeypot in AWS | Salient Engineering

How to Deploy and Setup HoneyDrop Honeypot in AWS

A straightforward guide to deploying the HoneyDrop honeypot in AWS to gain immediate visibility into malicious activities within your subnets.

Estimated Deployment Time: 5 Minutes

The Basics

The HoneyDrop appliance is a low-interaction honeypot designed to sit in your subnets and alert you the moment malicious activity occurs. It's incredibly flexible and can emulate several types of servers to lure attackers:

  • Windows SQL servers
  • Windows web servers
  • Linux MySQL servers
  • Linux web servers

The moment an attacker interacts with HoneyDrop, it instantly fires alerts to Slack, Discord, and Microsoft Teams. It also sends detailed logs to AWS CloudWatch, which you can use to trigger SNS notifications like emails, SMS messages, or even automated Lambda functions to quarantine compromised hosts.

Why Use HoneyDrop?

  • Instant Visibility: Know exactly what's happening inside your AWS VPC networks.
  • Agentless Security: Boost your security posture without the headache of installing agents on all your instances.
  • Distract Attackers: Lure bad actors away from your actual high-value systems.
  • Automated Response: Hook into CloudWatch to automate your incident response.
  • Actionable Intelligence: Immediately see the attacker's source IP and the exact credentials they tried to use.

Deployment Guide

Deploying HoneyDrop only takes a few minutes.

  1. Subscribe to the HoneyDrop appliance in the AWS Marketplace.
  2. Click Launch your software.
  3. Verify your region is correct, then click Continue to Launch.
  4. Choose Launch CloudFormation from the action dropdown, and hit Launch.
  5. Once you're redirected to the CloudFormation console, click Next to start creating the stack.
  6. Name your stack HoneyDrop. For each service you want the honeypot to emulate, set its parameter to true.

You'll also need to fill in these required instance and networking parameters:

  • InstanceType
  • IsPublicSubnet
  • KeyPairName
  • ManagementCIDR
  • ServicesCIDR
  • SubnetId
  • VpcId

(Optional) Configure your alert notifications by entering your Slack, Discord, or Teams webhooks.

  7. Click Next, add any optional tags, and hit Submit to launch the stack.

That's it! Your honeypot is running. Try interacting with one of your enabled services to test it, and watch the alerts roll into your chat apps and AWS CloudWatch.

Setting Up CloudWatch Alarms

Want to receive an email the moment your honeypot is triggered? Here's how to set up an automated CloudWatch alarm:

  1. Create a Metric Filter: Head to CloudWatch Logs and select your HoneyDrop log group. Click Create Metric Filter. Set the filter pattern to src_host, which matches any log line containing that term. Since every HoneyDrop event logs the attacker's source host, this guarantees the filter will catch every event.
  2. Create an SNS Topic: Go to the AWS Simple Notification Service (SNS) console. Click Create topic, choose a standard topic, and give it a name.
  3. Subscribe to the Topic: Click Create subscription inside your new topic. Set the protocol to Email, enter your email address, and hit Create subscription. (Make sure you check your inbox and click the confirmation link!)
  4. Create the Alarm: Go back to CloudWatch and open the All alarms page. Click Create alarm > Select metric. Find your new HoneyDropMetrics metric, configure the threshold (e.g., greater than 0), and select your SNS topic for the notification action. Give the alarm a name and save it.
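The same four steps as a CloudFormation template, so the alarm can be versioned and redeployed alongside the honeypot stack. This is an added example, not part of the HoneyDrop appliance or its Marketplace template; the log group name is passed in as a parameter, and the namespace HoneyDropMetrics, the metric name HoneyDropEvents and the one-minute period are assumptions you can change.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: E-mail alert when the HoneyDrop honeypot logs an event (added example, not the appliance's own template)
Parameters:
  HoneyDropLogGroupName:
    Type: String   # assumed: copy the HoneyDrop log group name from the CloudWatch Logs console
  AlertEmail:
    Type: String   # address that receives alerts; SNS sends a confirmation link to it
Resources:
  # Step 1: every HoneyDrop event contains src_host, so a term filter on it matches every event
  HoneyDropMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref HoneyDropLogGroupName
      FilterPattern: src_host
      MetricTransformations:
        - MetricNamespace: HoneyDropMetrics   # assumed namespace
          MetricName: HoneyDropEvents         # assumed metric name
          MetricValue: "1"                    # count one per matching log event
          DefaultValue: 0                     # emit 0 for ingested batches with no match
  # Step 2: standard SNS topic for the notification action
  HoneyDropAlertTopic:
    Type: AWS::SNS::Topic
  # Step 3: e-mail subscription (remains pending until the confirmation link is clicked)
  HoneyDropEmailSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref HoneyDropAlertTopic
      Protocol: email
      Endpoint: !Ref AlertEmail
  # Step 4: alarm when more than 0 events are summed in a one-minute period
  HoneyDropAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: HoneyDrop-Triggered
      Namespace: HoneyDropMetrics
      MetricName: HoneyDropEvents
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching   # quiet periods with no log data keep the alarm in OK
      AlarmActions:
        - !Ref HoneyDropAlertTopic
```

Deploy it with `aws cloudformation deploy --template-file honeydrop-alarm.yaml --stack-name HoneyDropAlarm --parameter-overrides HoneyDropLogGroupName=<your log group> AlertEmail=<your address>`, then confirm the subscription e-mail before testing.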

Now, whenever an attacker touches your honeypot, you'll get an email alert immediately.

Troubleshooting

Not seeing alerts in CloudWatch Logs?

  • Double-check your subnet configurations and security groups. Make sure other hosts can reach the honeypot on the services you enabled.
  • Verify that the IAM role attached to your HoneyDrop instance includes the CloudWatchAgentServerPolicy.
  • Make sure you actually triggered an event by attempting to authenticate to one of the enabled services.

Frequently Asked Questions

Does HoneyDrop support multi-AZ or multi-region deployments?
It's a single EC2 instance, but you can deploy as many as you need into any VPC across any region.

Should I use my root account for deployment?
No, always use a non-root IAM user for deploying infrastructure.

Can I encrypt the appliance?
Yes, we strongly recommend encrypting the EBS volume when provisioning the instance.

Are my logs encrypted in transit?
Absolutely. All data sent to CloudWatch Logs is encrypted in transit.

How much does it cost to run?
You'll pay the standard AWS rates for EC2 and CloudWatch, plus the software fee. For instance, a t3.medium runs about $0.042/hr for compute and $0.05/hr for software, totaling roughly $0.092/hr.

How do I apply updates?
You don't need to—HoneyDrop automatically checks for and installs security patches every single day.