AWS - Accounts Unauthenticated Enum

アカウントID

ターゲットがある場合、そのターゲットに関連するアカウントIDを特定しようとする方法があります。

ブルートフォース

潜在的なアカウントIDとエイリアスのリストを作成し、それらをチェックします。

# Check if an account ID exists
curl -v https://<acount_id>.signin.aws.amazon.com
## If response is 404 it doesn't, if 200, it exists
## It also works from account aliases
curl -v https://vodafone-uk2.signin.aws.amazon.com

You can automate this process with this tool.

OSINT

Look for urls that contains <alias>.signin.aws.amazon.com with an alias related to the organization.

Marketplace

If a vendor has instances in the marketplace, you can get the owner id (account id) of the AWS account he used.

Snapshots

• Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)

• RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)

• Public AMIs (EC2 -> AMIs -> Public images)

Errors

Many AWS error messages (even access denied) will give that information.

References

• https://www.youtube.com/watch?v=8ZXRw4Ry3mQ