AWS Honey Tokens Setup

<Info> This setup is performed **once per organization** by an admin. After completing these steps, any project member can [create honey tokens](/documentation/platform/honey-tokens/usage) without repeating this process. </Info>

Prerequisites

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HoneyTokenIAMManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/inf_ht_*"
    },
    {
      "Sid": "HoneyTokenStackVerification",
      "Effect": "Allow",
      "Action": ["cloudformation:DescribeStacks"],
      "Resource": "*"
    }
  ]
}
```

<Note> The IAM permissions are scoped to users prefixed with `inf_ht_`, which is the naming convention Infisical uses for honey token IAM users. </Note>
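
To confirm that a policy attached in your account still carries the `inf_ht_` scoping described above, the following added example (not part of Infisical's documentation or code) audits a policy document offline. The names `audit_policy`, `make_policy`, `PAGE_POLICY` and `TOO_BROAD` are hypothetical, and `TOO_BROAD` is a constructed sample.

```python
import re

# Action names and the inf_ht_ prefix come from the policy on this page.
IAM_WRITE = {"iam:CreateUser", "iam:DeleteUser",
             "iam:CreateAccessKey", "iam:DeleteAccessKey"}
EXPECTED = IAM_WRITE | {"cloudformation:DescribeStacks"}
SCOPED_USER_ARN = re.compile(r"arn:[^:]+:iam::(\d{12}|\*):user/inf_ht_[^/]+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, action):
    """IAM action patterns are case-insensitive; * and ? are wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit_policy(policy):
    """Check resource scoping of IAM write actions and presence of expected actions.
    Returns a list of findings; extra granted actions are not evaluated."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource cannot be bounded to inf_ht_*")
            continue
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in EXPECTED if any(_iam_match(p, a) for p in patterns)}
        granted |= hits
        if hits & IAM_WRITE:
            for res in _as_list(stmt.get("Resource", [])):
                if not SCOPED_USER_ARN.fullmatch(res):
                    findings.append(f"{sid}: IAM write actions allowed on {res!r}")
    for action in sorted(EXPECTED - granted):
        findings.append(f"missing action from the page's policy: {action}")
    return findings

def make_policy(iam_actions, iam_resource):
    """Build the page's two-statement policy with a chosen IAM action/resource."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "HoneyTokenIAMManagement", "Effect": "Allow",
         "Action": iam_actions, "Resource": iam_resource},
        {"Sid": "HoneyTokenStackVerification", "Effect": "Allow",
         "Action": ["cloudformation:DescribeStacks"], "Resource": "*"}]}

PAGE_POLICY = make_policy(sorted(IAM_WRITE), "arn:aws:iam::*:user/inf_ht_*")
# Constructed variant: wildcard action and every IAM user as the resource.
TOO_BROAD = make_policy("iam:*", "arn:aws:iam::*:user/*")
```

An empty list from `audit_policy` means the IAM write actions are limited to `inf_ht_`-prefixed users; any finding names the statement `Sid` and the resource that is too wide.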

Connect

<Steps>
<Step title="Open Honey Token settings">
Go to **Organization Settings** → **Product Settings**.

![AWS Honey Tokens section](/images/platform/honey-tokens/product-settings.png)
</Step>
<Step title="Click Connect">
Click **Connect** to open the configuration modal.

![Click Connect](/images/platform/honey-tokens/connect.png)
</Step>
<Step title="Fill required fields and save">
Configure:

- **App Connection** — select your AWS App Connection.
- **Webhook Signing Key** — auto-generated by default; customize it if needed. This key is used to validate webhook calls from AWS.

Optionally expand **Advanced Options**:

- **CloudFormation Stack Name** (default: `infisical-honey-tokens`)
- **AWS Region** (default: `us-east-1`)

Click **Save**.

![Configure and Save](/images/platform/honey-tokens/connecting.png)
</Step>
<Step title="Deploy CloudFormation Stack">
Copy the command shown under **Deploy CloudFormation Stack**.
Run the command in a terminal with AWS credentials that can deploy CloudFormation stacks in your target account and region.

![Deploy CloudFormation Stack Command](/images/platform/honey-tokens/cloudformation-deploy.png)
</Step>
<Step title="Verify deployment">
After the CloudFormation stack finishes deploying, click **Verify connection** in the **AWS Honey Tokens** section.

![Click Verify connection](/images/platform/honey-tokens/verify-connection-click.png)

Once verification succeeds, confirm the status badge is updated to **Verified**.

![Verified status badge](/images/platform/honey-tokens/verify-connection-verified-badge.png)
</Step>
</Steps>

Manage

After setup is saved, the **Connect** button changes to **Manage**.

Use **Manage** any time you need to update:

- AWS App Connection
- Webhook signing key
- CloudFormation stack name
- AWS region

In the modal, you can also copy the pre-filled AWS CLI command under **Deploy CloudFormation Stack** and run it to create the stack.

You can also check the stack status directly with the AWS CLI:

```bash
aws cloudformation describe-stacks \
  --stack-name infisical-honey-tokens \
  --query "Stacks[0].StackStatus"
```

You can only create honey tokens after the stack status is Verified.