One of the often-debated questions in AWS is whether AWS account IDs are sensitive information or not and the question has been oddly-difficult to answer definitively.
AWS is extremely clear that you should not share passwords to your account with others. They’ve also been clear that things like EC2 instance IDs, S3 bucket names, and other resource identifiers aren’t particularly sensitive either, and can be shared. We know this because they don’t ever redact that information in their examples.
But what about account IDs?
The late (and missed) Spencer Gietzen of Rhino Security Labs had a terrific post that explained that there is some sensitivity to AWS account IDs. His position was “while divulging the ID does not directly expose an account to compromise, an attacker can leverage this information in other attacks.”
Scott Piper has been keeping an updated list of vendor account IDs that the vendors have disclosed in public to establish trust relationships with customers.
VP and Distinguished Engineer Eric Brandwine commented on Twitter that they aren’t sensitive information, but frustratingly, AWS employees saying things on Twitter isn’t exactly a source that’s going to work as far as being both official and definitive.
Perhaps some of the most unclear messaging has come from AWS itself. Documentation mentions account IDs in the same sections as security credentials, suggesting they’re of the same sensitivity. While it doesn’t assert that the account ID should be treated with that level of secrecy, it doesn’t challenge that assumption either.
Further confusing everyone, AWS blog posts often feature screenshots of the AWS console. There’s been a trend over the years of having the account IDs blurred out whenever they’re visible. Maybe that’s to reduce confusion when customers attempt to retype the account ID into their own environment, maybe it’s to obscure however the hell their internal AWS accounts are presented, or maybe it’s just author preference.
AWS account IDs are not sensitive information
I don’t particularly care whether or not the account IDs are sensitive, personally. If they are, great! If not, super! Just answer the question authoritatively so I can avoid the mental overhead of wondering whether I need to redact a screenshot or hide account IDs within encrypted secret stores. It occurred to me that this is something that only AWS themselves could authoritatively settle for us.
I decided to do the obvious-but-only-in-retrospect slicing of the Gordian Knot by bypassing all of the questioning of third party sources and instead going directly to AWS themselves for an answer. Credit where due; they didn’t laugh me out of the room, stonewall me, or express skepticism around the request. In fact, they were kind enough to indulge me!
So, settling this debate once and for all, I quote AWS’s Director of Worldwide Analyst Relations & Market Insight Steven Armstrong: “Account IDs are not considered sensitive. Based on your feedback, we’ve started updating our documentation to make this more clear.”
So there you have it. AWS account IDs are not considered sensitive and you need not worry about sharing them via screenshot, code snippet, ill-considered tweet, or any other medium that you’d like.
My thanks to AWS in general and Steven specifically for helping me put this long-standing question to bed so declaratively.
And just for the record, my AWS account ID is 024196225137.
