Amazon Honeycode


Amazon Honeycode is a spreadsheet-like app-building tool. It lives outside the AWS account, but can be linked to your AWS account for some AWS API actions.

From the Blog Post announcing it:

This new fully-managed AWS service gives you the power to build powerful mobile & web applications without writing any code. It uses the familiar spreadsheet model and lets you get started in minutes. If you or your teammates are already familiar with spreadsheets and formulas, you’ll be happy to hear that just about everything you know about sheets, tables, values, and formulas still applies.
Amazon Honeycode includes templates for some common applications that you and other members of your team can use right away
(source)

Service Summary

Service Name: Amazon Honeycode
Service Family: Business Applications
Supports Resource Policies: No
Service Pricing: Priced per User outside of AWS
Service Webpage: https://www.honeycode.aws/
Status: BETA

Security Risks

This is a reasonably new service, and one that doesn’t leverage many of the AWS primitives. End users can sign up for Honeycode without establishing an AWS account, and connecting to AWS must be done via Honeycode. This means the data you store is in an Amazon-managed account, so consider your tenancy requirements.

App-level logging seems to be nonexistent, so getting an audit trail of who changed which cells may be difficult.

At this time, Honeycode automations cannot trigger AWS actions (e.g., a cell update invoking a Lambda). However, this seems like a fundamental capability that even Alexa supports, so I expect it to show up soon.

Effectively Leveraging Honeycode

  • The AWS User Guide includes information about the API calls, how authentication works, etc.
  • Honeycode supports Single Sign On, but the documentation on that is sparse by AWS standards (seriously, at publish time this said “Yes, Honeycode currently supports single sign-on (SSO) using Active Directory. To request more information, contact us”).

Suggested Compliance Rules around Honeycode

None yet.

CloudTrail events of significance

As documented in Boto3 and the developer guide, the AWS API calls are limited to getting the data on a specific screen or invoking an automation. Neither of these warrants generating a security event. However, if you want to discover Honeycode usage in your environment, a search on "eventSource": "honeycode.amazonaws.com" will show it.

None yet.
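
The eventSource search described above can be run over delivered CloudTrail log files to inventory which principals are calling Honeycode. This is an added example, not code from the original page or from AWS; the sample records, account ID, role name and event names are constructed, and it assumes the standard CloudTrail log-file layout (a JSON object with a "Records" array).

```python
import json
from collections import Counter

HONEYCODE_SOURCE = "honeycode.amazonaws.com"

# Constructed records in CloudTrail log-file layout (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": HONEYCODE_SOURCE, "eventName": "GetScreenData",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn":
                      "arn:aws:sts::111111111111:assumed-role/example-role/s1"}},
    {"eventSource": HONEYCODE_SOURCE, "eventName": "GetScreenData",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn":
                      "arn:aws:sts::111111111111:assumed-role/example-role/s1"}},
    {"eventSource": HONEYCODE_SOURCE, "eventName": "InvokeScreenAutomation",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"}},
    {"eventSource": HONEYCODE_SOURCE, "eventName": "GetScreenData"},
]})


def principal(identity):
    """Label the caller: the ARN when present, otherwise type:accountId."""
    return identity.get("arn") or "{}:{}".format(
        identity.get("type", "unknown"), identity.get("accountId", "unknown"))


def find_honeycode_usage(log_text):
    """Count Honeycode events per (account, principal, eventName)."""
    usage = Counter()
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != HONEYCODE_SOURCE:
            continue  # exact match on the service's event source
        ident = rec.get("userIdentity") or {}
        account = rec.get("recipientAccountId") or ident.get("accountId", "unknown")
        usage[(account, principal(ident), rec.get("eventName", "unknown"))] += 1
    return usage


if __name__ == "__main__":
    for (account, who, event), n in sorted(find_honeycode_usage(SAMPLE_LOG).items()):
        print(f"{account}  {who}  {event}  x{n}")
```

Records with a missing userIdentity are still counted under an "unknown" principal, so partial events do not hide usage from the inventory.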