
While I wouldn't publicly hand out my account IDs as a general practice, I think you have to expect that some of them will be disclosed at some point. As more third-party vendors and SaaS platforms move away from IAM users and access keys to using role assumption as the preferred method of integration (as they should!), the account ID of at least the account you use as their integration point is now known by another party, who have their own dependencies, vulnerabilities, etc.


This is what I’m curious to learn. What can an attacker do with an AWS account ID? How is that any different from knowing someone’s email address?


If the account and its resources are properly configured - not much.

But that can be easier said than done for many organizations, especially when you have lots of different teams configuring their own environments.


Once I have an AWS account ID, my next trick is to grant cross-account bucket policies to discover role names in the account.


How does this work?


If you put a role ARN in the principal section of a bucket policy, AWS will check if the role exists and fail the policy update request if not. Even if it's not in the same account. Don't know if there's another way, but you can manually enumerate roles from there.
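An added example, not written by any commenter in this thread: if account IDs and role names are treated as discoverable, what protects a role is its trust policy, so this sketch audits trust policy documents for principals outside the account. The role names, account IDs and policies are constructed, and treating cross-account trust without an `sts:ExternalId` condition as a finding is this example's assumption.

```python
import json

OWN_ACCOUNT = "111111111111"  # constructed placeholder for the auditing account

# Constructed sample trust policies keyed by hypothetical role name.
SAMPLE_ROLES = json.loads("""{
  "vendor-integration": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}]},
  "legacy-vendor": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::333333333333:role/sync"]}}]},
  "open-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": "*"}]},
  "app-server": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]}
}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    # Principals are ARNs (account ID is the fifth field) or bare 12-digit account IDs.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(role_name, policy, own_account=OWN_ACCOUNT):
    """Flag Allow statements that let outside principals assume the role unchecked."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        # Collect condition keys across all operators, case-insensitively.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for p in aws:
            if p == "*" and not cond_keys:
                findings.append((role_name, "any AWS principal may assume this role"))
            elif p != "*" and account_of(p) != own_account and "sts:externalid" not in cond_keys:
                findings.append((role_name, f"account {account_of(p)} trusted without sts:ExternalId"))
    return findings

def audit_all(roles):
    return [f for name, pol in roles.items() for f in audit_trust_policy(name, pol)]

if __name__ == "__main__":
    for role, issue in audit_all(SAMPLE_ROLES):
        print(f"{role}: {issue}")
```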


Useful social engineering datapoint



