# Enumerate AWS Account IDs

## Are AWS Account IDs considered to be a secret?

* [AWS has long said that AWS Account IDs are not secret](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html)

> While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information.

## What is the risk of exposed AWS Account IDs?

* Knowing an AWS Account ID can lead to discovering information that could be used to compromise an account. For example, knowing the AWS Account ID lets us find public resources (e.g., EBS or RDS snapshots, AMIs, etc.) that could contain credentials or other sensitive information.
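
To check your own account for the public resources described above, the following added example (not part of the original page) flags EBS snapshots, AMIs and RDS snapshots that are shared with everyone. It assumes each input is the parsed JSON output of the AWS CLI command named in the comments; the function names and sample identifiers are constructed for illustration.

```python
# Added example: flag publicly shared EBS snapshots, AMIs and RDS snapshots.
# Each input dict is assumed to be the parsed JSON output of one of:
#   aws ec2 describe-snapshot-attribute --attribute createVolumePermission
#   aws ec2 describe-image-attribute --attribute launchPermission
#   aws rds describe-db-snapshot-attributes

def is_public(resp: dict) -> bool:
    """True if the attribute response grants access to every AWS account."""
    # EC2: a permission entry with Group == "all" marks the resource public.
    for key in ("CreateVolumePermissions", "LaunchPermissions"):
        if any(p.get("Group") == "all" for p in resp.get(key, [])):
            return True
    # RDS: the "restore" attribute lists account IDs, or "all" when public.
    result = resp.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False

def resource_id(resp: dict) -> str:
    """Pick the identifier field that the given response type carries."""
    rds = resp.get("DBSnapshotAttributesResult", {})
    return (resp.get("SnapshotId") or resp.get("ImageId")
            or rds.get("DBSnapshotIdentifier") or "<unknown>")

def public_resources(responses: list) -> list:
    """Sorted identifiers of every response that is_public() flags."""
    return sorted(resource_id(r) for r in responses if is_public(r))

# Constructed sample responses; all identifiers are placeholders.
SAMPLE = [
    {"SnapshotId": "snap-0aaa", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"UserId": "222222222222"}]},
    {"ImageId": "ami-0ccc", "LaunchPermissions": []},
    {"ImageId": "ami-0ddd", "LaunchPermissions": [{"Group": "all"}]},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "db-backup",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "db-internal",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["222222222222"]}]}},
]

if __name__ == "__main__":
    for rid in public_resources(SAMPLE):
        print("PUBLIC:", rid)
```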

***

## Methods to Enumerate AWS Account IDs

### Using valid AWS Access Keys

* With valid AWS Access Keys, we can query the account ID with an AWS CLI command:

{% code overflow="wrap" %}

```bash
aws --profile dev sts get-caller-identity 
                                                                                 
{
    "UserId": "AIDAxxxxxxx",
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/dev_user"
}
```

{% endcode %}

***

### Using AWS Access Key ID

* With just a valid AWS Access Key ID, we can look up the account ID with an AWS CLI command
* You <mark style="color:red;">must have valid access keys configured</mark> for this to work, but these can be from your own account, i.e., they don't need to be credentials from the same account as the access key ID found

{% code overflow="wrap" fullWidth="false" %}

```sh
aws sts get-access-key-info --access-key-id AKIAxxxxxxxxxx
{
    "Account": "111111111111"
}
```

{% endcode %}

***

### Using an S3 Bucket Name

* Knowing the name of an AWS S3 bucket, we can use [s3-account-search](https://www.techwithtyler.dev/cloud-security/tools/s3-account-search) to identify the account ID
* The bucket <mark style="color:red;">must be public</mark> or otherwise accessible by the IAM Role used

{% code overflow="wrap" %}

```bash
s3-account-search --profile dev arn:aws:iam::111111111111:role/s3-enumerator s3bucketnamehere
 
Starting search (this can take a while)
found: 1
found: 11
found: 112
found: 1123
found: 11234
found: 112345
found: 1123456
found: 11234567
found: 112345678
found: 1123456789
found: 11234567890
found: 112345678901
```

{% endcode %}

***

### Using EC2 metadata

* The EC2 metadata service (IMDS) provides the AWS Account ID in the [instance identity document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/retrieve-iid.html)
* This method <mark style="color:red;">requires code execution</mark> on the target EC2 instance, as IMDS is a local service

{% tabs %}
{% tab title="IMDSv1" %}
{% code overflow="wrap" %}

```bash
curl http://169.254.169.254/latest/dynamic/instance-identity/document

{
  "accountId" : "111111111111",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-2b",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "imageId" : "ami-xxxxxxxxxx",
  "instanceId" : "i-xxxxxxxxxx",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "pendingTime" : "2024-12-08T03:46:08Z",
  "privateIp" : "172.31.30.110",
  "ramdiskId" : null,
  "region" : "us-west-2",
  "version" : "2017-09-30"
}
```

{% endcode %}
{% endtab %}

{% tab title="IMDSv2" %}
{% code overflow="wrap" %}

```bash
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document

{
  "accountId" : "111111111111",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-2b",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "imageId" : "ami-xxxxxxxxxx",
  "instanceId" : "i-xxxxxxxxxx",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "pendingTime" : "2024-12-08T03:46:08Z",
  "privateIp" : "172.31.30.110",
  "ramdiskId" : null,
  "region" : "us-west-2",
  "version" : "2017-09-30"
}
```

{% endcode %}
{% endtab %}
{% endtabs %}

***

### Using Amazon Bedrock API Keys

**Short-Term API Keys**

Option 1

* You <mark style="color:red;">must have valid access keys configured</mark> for this to work, but these can be from your own account, i.e., they don't need to be credentials from the same account as the access key ID found

{% code overflow="wrap" %}

```zsh
aws --profile attacker sts get-access-key-info --access-key-id ASIA[REDACTED]
{
    "Account": "111111111111"
}
```

{% endcode %}

Option 2

* Otherwise, we can discover the account ID without any credentials

{% code overflow="wrap" %}

```zsh
echo $AWS_BEARER_TOKEN_BEDROCK | base64 -d | LC_ALL=C sed -n 's/.*X-Amz-Security-Token=\([^&]*\).*/\1/p' | python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.stdin.read().strip()))" | base64 -d
```

{% endcode %}

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2FcpHMPwH2cIcDo8wrTuUG%2FCleanShot%202025-12-06%20at%2017.30.18%402x.png?alt=media&#x26;token=5aabd27c-89aa-4006-abea-811f20d1b391" alt=""><figcaption></figcaption></figure>

**Long-Term API Keys**

{% code overflow="wrap" %}

```zsh
echo $AWS_BEARER_TOKEN_BEDROCK | base64 -d
```

{% endcode %}

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2FbMSq8JMsJXv9fuS9wDqT%2FCleanShot%202025-12-06%20at%2017.42.20%402x.png?alt=media&#x26;token=419b4ad0-5f9a-48af-ab49-130a304044ce" alt=""><figcaption></figcaption></figure>


