AWS Account ID: An Attacker's Perspective

You’re an attacker. Determining an AWS Account ID is one of your first steps to attack an AWS environment. In this post, we’ll discuss 

• What AWS Account IDs are
• Why they’re useful for attackers
• How you might discover them

What's an AWS Account ID?

An AWS Account ID is a 12-digit number (e.g. 111222333444) that uniquely identifies an AWS account. AWS resources are identified by ARN strings (e.g. arn:aws:iam::111222333444:role/developer) that generally include the AWS Account ID.

While many people obfuscate their AWS Account IDs in online blogs and videos, AWS Account IDs are officially not considered secrets. However, as we will discuss below, they are useful for attackers to initiate attacks.

Why would I want to find them?

With just an AWS Account ID, you can potentially discover IAM users and roles within the AWS Account. This can be useful for

• Understanding what an AWS Account is used for (prod? dev? forensics? logging?)
• Finding misconfigured IAM principals to use as entry points into the account
• Finding IAM principals to move laterally to, once you’ve entered the environment 
• Determining which AWS services are used within the environment
• Determining third-party services with access to your target’s AWS environment

‍

Tools like Quiet Riot and Pacu are great for doing this in a scalable and automated way. All you need is a good wordlist of role names (e.g. service-linked role names, common surnames, etc.).

You’ll also leave no trace of your reconnaissance in the target account! This is because the mechanism here involves validating IAM principals in resource policies applied to resources in *your own AWS account*. CloudTrail will only log the activity in your own AWS account, not the target’s AWS account.

You’re only limited by AWS API rate limits. But even that can be scaled by opening more AWS accounts! You can have 10 in your organization and ask AWS to increase your quota.

How do I find them?

Whether you’re searching for a target to attack or have a specific target in mind, there are various ways to get hold of relevant AWS Account IDs.

AWS Account IDs aren’t considered secrets. So, they’re often publicly available in documentation, blog posts, videos, etc. As an example, you can find a Datadog AWS Account ID in their docs. Additionally, there are repositories of known AWS accounts, which also attribute the Account ID to vendors.

If you’re willing to be more exploratory, you may find Account IDs by sifting through public source code repositories. You may run into obviously fake Account IDs like 000000000000, but you can experiment with different regex patterns. Running a scanner like Gitleaks on source-code repositories can also find Account IDs in git histories.

There is also not *that much* entropy in AWS account IDs. Given there are 1 trillion possibilities, you can attempt to brute force validate them. Quiet Riot has a proof of concept of this and shares a list of ~35k valid Account IDs. The challenge with this approach, however, is attributing the Account ID to a vendor or organization.

You may also be able to determine AWS Account IDs from other AWS resources you find! 

• If you find an AWS Access Key ID, you can determine the associated Account ID using the sts:GetActionKeyInfo action.
• You can reverse engineer the AWS Account ID of a public S3 bucket.  
• You can find an Access Key ID in an S3 presigned URL even if the S3 bucket is not public. Then, you can use that access key to determine the Account ID.
• If you happen to breach an EC2 instance or access IAM user/role credentials, you can use the sts:GetCallerIdentity action to determine the Account ID.

‍

You can find resources like S3 buckets and AWS access keys in many ways. For example, there are repositories of public S3 buckets like Grayhat Warfare. You can also directly search for S3 buckets and access keys in public source code repositories. Even if these resources are not available in open-source repositories today, their git histories may still have access key IDs and S3 bucket names. Consider running a secret scanner like TruffleHog to fish them out. 

Conclusion

Finding relevant AWS Account IDs is an important step in attacking AWS environments. In this post, we reviewed

• What AWS Account IDs are
• Reconnaissance attackers can conduct given an AWS Account ID
• Mechanisms to find relevant AWS Account IDs

‍

Interested in applying an attacker’s mindset to secure cloud environments? Checkout the ZeusCloud repository and join our Slack community!

‍