Discover AWS Account IDs

AWS Account IDs are not secrets, but they should still be handled carefully because knowing one can lead to exposure of sensitive resources or data.

Are AWS Account IDs considered to be a secret?

While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information.

What is the risk of exposed AWS Account IDs?

  • Knowing an AWS Account ID can lead to discovering information that could be used to compromise an account. For example, knowing the AWS Account ID lets us find public resources (e.g., EBS or RDS snapshots, AMIs, etc.) that could contain credentials or other sensitive information.
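A defender can check their own account for the exposure described above. The following is an added example, not part of the original page: it classifies the sharing attributes of EBS snapshots, AMIs and RDS snapshots, assuming inputs shaped like the boto3 responses named in the comments. The function names and all IDs are constructed for illustration.

```python
# Added example: classify sharing on the resource types named above.
# Input dicts are assumed to have the shape returned by boto3's
#   ec2.describe_snapshot_attribute(Attribute="createVolumePermission")
#   ec2.describe_image_attribute(Attribute="launchPermission")
#   rds.describe_db_snapshot_attributes()
# All IDs below are constructed sample values.

def _ec2_share(resp, id_key, perm_key):
    perms = resp.get(perm_key, [])
    public = any(p.get("Group") == "all" for p in perms)
    accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
    return {"id": resp[id_key], "public": public, "shared_with": accounts}

def _rds_share(resp):
    result = resp["DBSnapshotAttributesResult"]
    values = []
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            values = attr.get("AttributeValues", [])
    return {"id": result["DBSnapshotIdentifier"],
            "public": "all" in values,
            "shared_with": sorted(v for v in values if v != "all")}

def classify(resp):
    """Return sharing details for one attribute response."""
    if "DBSnapshotAttributesResult" in resp:
        return _rds_share(resp)
    if "SnapshotId" in resp:
        return _ec2_share(resp, "SnapshotId", "CreateVolumePermissions")
    if "ImageId" in resp:
        return _ec2_share(resp, "ImageId", "LaunchPermissions")
    raise ValueError("unrecognised response shape")

def public_resources(responses):
    """IDs of resources that any AWS account can copy, restore or launch."""
    return [f["id"] for f in map(classify, responses) if f["public"]]

SAMPLE = [  # constructed responses
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "CreateVolumePermissions": [{"UserId": "222222222222"}]},
    {"ImageId": "ami-0cccccccccccccccc", "LaunchPermissions": []},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "db-snap-sample",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
]

if __name__ == "__main__":
    for finding in map(classify, SAMPLE):
        print(finding)
```

Anything returned by public_resources is visible to every AWS account and should be reviewed for embedded credentials before deciding whether to keep it shared.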


Methods to Discover AWS Account IDs

Using valid AWS Access Keys

  • With valid AWS Access Keys, we can ask STS which identity the keys belong to using the AWS CLI:

aws --profile dev sts get-caller-identity
{
    "UserId": "AIDAxxxxxxx",
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/dev_user"
}

Using AWS Access Key ID

  • With just a valid AWS Access Key ID, we can use an AWS CLI command:

  • The CLI must be configured with valid access keys for this to work (aws configure); once it is, you can find the AWS Account ID for any valid Access Key ID

aws sts get-access-key-info --access-key-id AKIAxxxxxxxxxx
{
    "Account": "111111111111"
}

Using an S3 Bucket Name

  • Knowing the name of an AWS S3 bucket, we can use s3-account-search to identify the account ID

  • The bucket must be public or otherwise accessible by the IAM Role used

s3-account-search --profile dev arn:aws:iam::111111111111:role/s3-enumerator s3bucketnamehere
Starting search (this can take a while)
found: 1
found: 11
found: 112
found: 1123
found: 11234
found: 112345
found: 1123456
found: 11234567
found: 112345678
found: 1123456789
found: 11234567890
found: 112345678901

Using EC2 metadata

  • The EC2 metadata service (IMDS) provides the AWS Account ID in the instance identity document

  • This method requires code execution on the target EC2 instance, as IMDS is a local service

curl http://169.254.169.254/latest/dynamic/instance-identity/document

{
  "accountId" : "111111111111",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-2b",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "imageId" : "ami-xxxxxxxxxx",
  "instanceId" : "i-xxxxxxxxxx",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "pendingTime" : "2024-12-08T03:46:08Z",
  "privateIp" : "172.31.30.110",
  "ramdiskId" : null,
  "region" : "us-west-2",
  "version" : "2017-09-30"
}
