Keeping AWS account ID secret

An AWS Account ID can be shared, when required.

Like the documentation says, the main thing anyone can use your AWS Account Number for is to construct ARN's. For example, if I had an AWS Account which held an AWS Lambda function, and someone on another account, who I had explicitly granted permission to, wanted to manipulate it, they would use by account number in the ARN.


Again, this is totally limited by the permissions applied on your account. Even if I had a full ARN, unless you give my AWS account access, I won't be able to do anything with it.

API Keys are the things that grant remote control of things, and are dangerous.

Knowing an AWS account ID doesn't expose you to any attack in itself, but it can make it easier for an attacker to obtaining other compromising information.

Rhino Security Labs demonstrate a potential compromise vector via misconfigured IAM roles in a blog post here:

AWS account IDs uniquely identify every AWS account and are more sensitive than you might think. While divulging the ID does not directly expose an account to compromise, an attacker can leverage this information in other attacks. A reasonable effort should be made to keep AWS account IDs private, but in practice, they are often exposed to the public unintentionally.


This post — and the accompanying script we have released – address using an AWS account ID to identify existing roles. As an extension of this concept, attackers can go a step further and assume misconfigured IAM roles to gain unauthorized access.

This will only be effective in the case where a user allows role assumption from * or from a too-wide range of resources, but in my experiences IAM permissions are complex and reasonably hard to audit well, and attacks like this are hard to detect:

This bruteforcing technique and script will generate a large amount of “iam:AssumeRole” CloudTrail logs in the account you are using for enumeration. Any account you target will not see anything in their CloudTrail logs until you successfully assume a misconfigured role, so that means enumeration is completely log-free on the target account.

In other words - it's not intrinsically a risk, but it does meaningfully reduce the attack surface of your account to keep the ID out of the public eye.