Beginner-friendly
aws
Identify the AWS Account ID from a Public S3 Bucket
We created this beginner-friendly lab to teach a technique that can find an AWS account ID given a public S3 bucket, and how this can be leveraged.
Scenario
The ability to expose and leverage even the smallest oversights is a coveted skill. A global logistics company has reached out to our cybersecurity company for assistance and has provided the IP address of its website. Your objective? Start the engagement and use this IP address to identify the company's AWS account ID via a public S3 bucket so we can commence the process of enumeration.
Lab prerequisites
- Basic Linux command line knowledge
Learning outcomes
- Knowledge of a technique that can be used to find AWS Account IDs
- Understanding what a tool does by performing a code review
Real-world context
If threat actors get their hands on an AWS Account ID, they can try to identify the IAM roles and users tied to that account. They can do this by taking advantage of the detailed error messages that AWS services return when given an incorrect username or role name. These messages can verify whether an IAM user or role exists, which can help threat actors compile a list of possible targets in the AWS account. It's also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns them.
Attackers leverage SNS's deep integration into automated workflows and its broad permissions to silently deliver confidential information outside the organization. The service's legitimate business purpose provides perfect cover for malicious activity, as data exfiltration disguised as routine notifications rarely raises suspicions among security teams focused on traditional attack vectors like direct database access or file transfers. This technique has proven particularly effective because most organizations implement robust monitoring for their databases and storage systems while neglecting to scrutinize the content and recipients of their notification streams, creating a blind spot that experienced adversaries are quick to exploit.