Find an AWS Account ID from any S3 Bucket
AWS account IDs alone cannot be used to gain access or control over resources. However, they can be used by security professionals to identify potential targets, particularly when searching for exposed AWS resources without adequate security controls. Account IDs can also contribute to the effectiveness of social engineering attacks or targeted phishing campaigns. In AWS environments where other vulnerabilities or misconfigurations exist, an account ID could be used to escalate privileges or bypass resource-based policies that include account IDs as a condition.
Disclaimer: This tool is provided for educational and security research purposes only. Use only with explicit permission from the owners of the AWS resources.
- Find an AWS Account ID from any S3 Bucket
- Assist in security assessments and research
- Supports AWS CLI profiles
- An AWS account
curl -I bucket-name.s3.amazonaws.com
- Look for the x-amz-bucket-region header in the response
- Set the region to the same region as the S3 bucket in the dropdown at the top of the page
- Under VPC > Your VPCs click Create a VPC
- Select VPC only
- Click Create VPC
- Under Under VPC > Subnets click Create subnet
- For the VPC ID select the VPC you just created
- Click Create subnet
- Under EC2 > Instances click Launch instances
- Select Amazon Linux (Default settings including t2.micro are OK)
- Under Key pair select an existing key pair name or create a new key pair
- Under Network settings ensure the Network and Subnet are set to the VPC and subnet you created earlier
- Under Firewall select Create security group
- Check Allow SSH traffic from Anywhere and Allow HTTPS traffic from the internet
- Click Launch instance
- After the instance has been created select the instance and under Instance state select Start instance
- Under VPC > Endpoints click Create endpoint
- Select AWS services
- Under Services find and select the com.amazonaws.<YOUR_REGION>.s3 amazon Interface service
- Under VPC select your VPC
- Under Additional settings
- Check Enable DNS name
- Uncheck Enable private DNS only for inbound endpoint
- In Subnets check the box for the Availability Zone with your subnet in the dropdown
- In Security groups select the security group you created with your EC2 instance
- In the Policy select Custom and copy the policy.py from here
- Click Create endpoint
- Under VPC > Elastic IPs click Allocate Elastic IP address
- Click Allocate
- After the IP address is allocated select it and under Actions select Associate Elastic IP address
- Select Instance
- Under Instance choose your EC2 instance
- Under Private IP address choose the IP address in the dropdown
- Click Associate
- Under IAM > Roles click Create role
- Select AWS Service
- Under Use Case in Service or use case select EC2
- Click Next
- Under Permissions policies find and select AdministratorAccess and AWSCloudTrail_FullAccess
- Click Next
- Give your role the name ec2-role
- Click Create role
- Under EC2 > Instances select your instance
- Under Actions > Security select Modify IAM role
- In the IAM role dropdown select the role you just created ec2-role
- Click Update IAM role
- Under IAM > Roles click Create role
- Select AWS account
- Under An AWS account select This account (YOUR_ACCOUNT_ID)
- Click Next
- Under Permissions policies find and select AdministratorAccess
- Click Next
- Input a Role name and Description
- Click Create role
- Under CloudTrail > Trails click Create trail
- Input a Trail name
- Select Create new s3 bucket
- Under Log file SSE-KMS encryption uncheck Enabled
- Click Next
- Under Events check Management events and Data events
- Under Data events > Data event > Data event type in the Select a source dropdown select S3
- Click Next
- Click Create trail
- Install pip
sudo yum install python3-pip -y
- Install boto3
pip3 install boto3
- Install git
sudo yum install git -y
- Clone this Githib repository
git clone https://github.com/marksowell/aws-account-finder.git
- Navigate to the aws-account-finder project directory
cd aws-account-finder
- Configure AWS CLI (Configuration and credential file settings)
vi ~/.aws/credentials
Ensure the aws_access_key_id, aws_secret_access_key, and aws_session_token (if you are using temporary credentials) are set under [default] or a profile you will specify in the aws-account-finder.py script
vi ~/.aws/config
Ensure the region = YOUR_REGION and output = json are set under [default] or a profile you will specify in the aws-account-finder.py script - Test to ensure AWS CLI is configured correctly
aws sts get-caller-identity
*Remember to use a profile if you set one with--profile <PROFILE_NAME>
- Ensure you can assume the AWS account role you created earlier
aws sts assume-role --role-arn "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_ROLE>" --role-session-name "test"
*Remember to use a profile if you set one with--profile <PROFILE_NAME>
- The aws_account_finder.py script relies on 2 environment variables that can be set with the following 2 commands
export AWS_REGION='<YOUR_REGION>'
export ROLE_ARN='arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_ROLE>'
Alternatively, they can be set in your .bash_profile usingvi ~/.bash_profile
, adding the 2 lines above, and applying the changes by logging out and back in or running the commandsource ~/.bash_profile
- Run the aws_account_finder.py script
python aws_account_finder.py <profile> <bucket>
python aws_account_finder.py default bucket-name
- How to find the AWS Account ID of any S3 Bucket by Sam Cox
- The Final Answer: AWS Account IDs Are Secrets by Daniel Grzelak
- Finding the Account ID of any public S3 bucket by Ben Bridts