Account IDs

If you have a target there are ways to try to identify account IDs of accounts related to the target.

Brute-Force

You create a lest of potential account IDs and aliases and check them

# Check if an account ID exists
curl -v https://<acount_id>.signin.aws.amazon.com
## If response is 404 it doesn't, if 200, it exists
## It also works from account aliases
curl -v https://vodafone-uk2.signin.aws.amazon.com

You can automate this process with this tool.

OSINT

Look for urls that contains <alias>.signin.aws.amazon.com with an alias related to the organization.

Marketplace

If a vendor has instances in the marketplace, you can get the owner id (account id) of the AWS account he used.

Snapshots

• Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)

• RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)

• Public AMIs (EC2 -> AMIs -> Public images)

Errors

Many AWS error messages (even access denied) will give that information.

References

• https://www.youtube.com/watch?v=8ZXRw4Ry3mQ