Honeypots for infrastructure-as-a-service security

What is claimed is: 1 . A method, comprising: providing, by a compute instance, a plurality of honeypot servers, each honeypot server of the plurality of honeypot servers comprising a honeypot type; luring, by the compute instance, an attacker to establish a session with at least one honeypot server of the plurality of honeypot servers; receiving, by the compute instance, a first request from the attacker, the first request related to the instance and including a request characteristic; identifying, by the compute instance, a particular honeypot server of the plurality of honeypot servers based at least in part on the request characteristic and the honeypot type; establishing, by the compute instance, a session with the attacker for connection with the particular honeypot server; generating, by the particular honeypot server of the compute instance, a response to a second request from the attacker; causing, by the particular honeypot server of the compute instance, the response to be communicated to the attacker responsive to the second request; and recording, by the compute instance, data related to the attacker or data related to one or more interactions by the attacker with the particular honeypot server. 2 . The method of claim 1 , wherein the compute instance comprises an Infrastructure-as-a-Service (IaaS) compute instance. 3 . The method of claim 2 , wherein the IaaS compute instance is executed by a controller of an IaaS service provider corresponding to an IaaS service provider environment. 4 . The method of claim 3 , wherein the IaaS compute instance is executed by a third-party service provider outside of the IaaS servicer provider environment. 5 . The method of claim 4 , wherein the response to the second request is configured to appear to be from the IaaS service provider. 6 . The method of claim 1 , wherein the plurality of honeypot servers are implemented in respective containers of the compute instance. 7 . The method of claim 1 , wherein each container of the respective containers is configured to emulate a respective honeypot server of the plurality of honeypot servers. 8 . The method of claim 1 , wherein generating the response comprises using rules information to generate the response. 9 . The method of claim 1 , wherein the luring comprises exposing one or more ports over a public network. 10 . The method of claim 9 , wherein the one or more ports comprise at least one of a Secure Shell (SSH) port 21, a File Transfer Protocol (FTP) port 22, or an simple mail transfer protocol (SMTP) port 25. 11 . The method of claim 9 , wherein the one or more ports require one or more credentials that include at least one of a username-password pair, a certificate, a key, or a tenant identifier. 12 . The method of claim 1 , wherein the attacker is an automated bot. 13 . The method of claim 1 , wherein the attacker is a user using an application to generate at least one of the first request or the second request. 14 . The method of claim 1 , wherein receiving the first request or the second request comprises receiving the first request or the second request from a graphical user interface (GUI) based application. 15 . One or more computer-readable storage medium, comprising computer-executable instructions that, when executed by one or more processors of a compute instance, cause the one or more processors to perform operations comprising: providing a plurality of honeypot servers, each honeypot server of the plurality of honeypot servers comprising a honeypot type; luring an attacker to establish a session with at least one honeypot server of the plurality of honeypot servers; receiving a first request from the attacker, the first request related to the instance and including a request characteristic; identifying a particular honeypot server of the plurality of honeypot servers based at least in part on the first request characteristic and the honeypot type; establishing a session with the attacker for connection with the particular honeypot server; generating, by the particular honeypot server of the compute instance, a response to a second request from the attacker; causing, by the particular honeypot server of the compute instance, the response to be communicated to the attacker responsive to the second request; and recording data related to the attacker or data related to one or more interactions by the attacker with the particular honeypot server. 16 . The one or more computer-readable storage medium of claim 15 , wherein the operations further comprise: determining, by the particular honeypot server, an action corresponding to the second request, the action requesting instantiation of a virtual compute instance; and instantiating, by the particular honeypot sever, the virtual compute instance using at least one of computer resources, storage resources, or networking resources, wherein the response indicates successful instantiation of the virtual compute instance. 17 . The one or more computer-readable storage medium of claim 15 , wherein the operations further comprise determining, by the particular honeypot server, that the second request requests an action to be performed using a virtual compute instance, wherein the virtual compute instance is instantiated prior to receiving the second request, and wherein generating the response comprises generating the response by applying the action to the virtual compute instance. 18 . A computing system, comprising: a memory; and one or more processors configured to: provide, by a compute instance, a plurality of honeypot servers, each honeypot server of the plurality of honeypot servers comprising a honeypot type; lure, by the compute instance, an attacker to establish a session with at least one honeypot server of the plurality of honeypot servers; receive, by the compute instance, a first request from the attacker, the first request related to the instance and including a request characteristic; identify, by the compute instance, a particular honeypot server of the plurality of honeypot servers based at least in part on the request characteristic and the honeypot type; establish, by the compute instance, a session with the attacker for connection with the particular honeypot server; generate, by the particular honeypot server of the compute instance, a response to a second request from the attacker; cause, by the particular honeypot server of the compute instance, the response to be communicated to the attacker responsive to the second request; and record, by the compute instance, data related to the attacker or data related to one or more interactions by the attacker with the particular honeypot server. 19 . The computing system of claim 18 , wherein the rules information comprises a plurality of actions and, for each action in the plurality of actions, at least one response corresponding to an action identified in the second request; and further comprising identifying the response using the rules information. 20 . The computing system of claim 18 , wherein identifying the response using the rules information comprises: searching the rules information to find an entry in the rules information where an action corresponding to the entry matches the action; and using the entry to determine the response.