www.lastweekinaws.com
2606:4700:20::ac43:465c
Public Scan
URL:
https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/
Submission: On August 08 via api from US — Scanned from DE
Text Content
ARE AWS ACCOUNT IDS SENSITIVE INFORMATION?

02.16.2022
By Corey Quinn

One of the often-debated questions in AWS is whether AWS account IDs are sensitive information or not and the question has been oddly-difficult to answer definitively.

AWS is extremely clear that you should not share passwords to your account with others. They’ve also been clear that things like EC2 instance IDs, S3 bucket names, and other resource identifiers aren’t particularly sensitive either, and can be shared. We know this because they don’t ever redact that information in their examples.

But what about account IDs?

The late (and missed) Spencer Gietzen of Rhino Security Labs had a terrific post that explained that there is some sensitivity to AWS account IDs. His position was “while divulging the ID does not directly expose an account to compromise, an attacker can leverage this information in other attacks.”

Scott Piper has been keeping an updated list of vendor account IDs that the vendors have disclosed in public to establish trust relationships with customers.

VP and Distinguished Engineer Eric Brandwine commented on Twitter that they aren’t sensitive information, but frustratingly, AWS employees saying things on Twitter isn’t exactly a source that’s going to work as far as being both official and definitive.

Perhaps some of the most unclear messaging has come from AWS itself.
Documentation mentions account IDs in the same sections as security credentials, suggesting they’re of the same sensitivity. While it doesn’t assert that the account ID should be treated with that level of secrecy, it doesn’t challenge that assumption either.

Further confusing everyone, AWS blog posts often feature screenshots of the AWS console. There’s been a trend over the years of having the account IDs blurred out whenever they’re visible. Maybe that’s to reduce confusion when customers attempt to retype the account ID into their own environment, maybe it’s to obscure however the hell their internal AWS accounts are presented, or maybe it’s just author preference.

AWS ACCOUNT IDS ARE NOT SENSITIVE INFORMATION

I don’t particularly care whether or not the account IDs are sensitive, personally. If they are, great! If not, super! Just answer the question authoritatively so I can avoid the mental overhead of wondering whether I need to redact a screenshot or hide account IDs within encrypted secret stores.

It occurred to me that this is something that only AWS themselves could authoritatively settle for us. I decided to do the obvious-but-only-in-retrospect slicing of the Gordian Knot by bypassing all of the questioning of third party sources and instead going directly to AWS themselves for an answer.

Credit where due; they didn’t laugh me out of the room, stonewall me, or express skepticism around the request. In fact, they were kind enough to indulge me!

So, settling this debate once and for all, I quote AWS’s Director of Worldwide Analyst Relations & Market Insight Steven Armstrong:

“Account IDs are not considered sensitive. Based on your feedback, we’ve started updating our documentation to make this more clear.”

So there you have it. AWS account IDs are not considered sensitive and you need not worry about sharing them via screenshot, code snippet, ill-considered tweet, or any other medium that you’d like.
My thanks to AWS in general and Steven specifically for helping me put this long-standing question to bed so declaratively.

And just for the record, my AWS account ID is 024196225137.

by Corey Quinn

Corey is the Chief Cloud Economist at The Duckbill Group, where he specializes in helping companies improve their AWS bills by making them smaller and less horrifying. He also hosts the "Screaming in the Cloud" and "AWS Morning Brief" podcasts; and curates "Last Week in AWS," a weekly newsletter summarizing the latest in AWS news, blogs, and tools, sprinkled with snark and thoughtful analysis in roughly equal measure.