Joe

Reputation: 85

Is there a security issue with including an AWS account ID in an S3 name?

I would like to use the following naming convention for AWS S3 buckets in my account:

appName-environment-logicalName-region-accountID

e.g. myApp-prod-dataUploads-useast1-12345678901

Are there security concerns associated with using the account ID in this way? Would it be better to use an account alias instead of the account number, or is that also a concern since the alias is linked to the account?

As I type this, I've found this blog post that recommends against using IDs in S3 names, but it doesn't mention aliases.

Upvotes: 4

Views: 2046

Answers (2)

Joe

Reputation: 85

I ultimately opened a support case with AWS to ask about the security implications of using account numbers or aliases in bucket names. Since my organization is particularly concerned about data security, we will avoid using account numbers in S3 names.

AWS support communication below:

Please know that there is no AWS documentation that says you can't use an account ID in the name of an S3 bucket. As per the bucket naming rules [1], numbers are allowed in the bucket name syntax, and thus syntactically it should not be an issue. But if the bucket will be shared with the public, then the account ID would be exposed to the public as well. This can allow guessing some of your resource ARNs, as an account ID is a part of many AWS resources. So, it would simply introduce unnecessary risks.

Hence, if you want to, or your use case requires it, you can use the account ID in the name of the bucket. But please note that this is generally not a recommended approach from a security point of view, as you will be unnecessarily sharing your account ID with any party you share the bucket name with.

I would like to mention that the account alias is not a part of ARNs, so it does not pose as big a security risk as the account ID, which is a part of ARNs. So, you can include your account alias in your bucket name at creation if you need it for identification.

Additionally, I would request you to refer to the documentation linked below to learn more about the naming rules for an S3 bucket [1].

Reference:

[1] Bucket Naming Rules - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html

Upvotes: 2
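As an added example (not code from the question, the answers or AWS), here is a small Python checker that applies a subset of the bucket naming rules from the cited page [1] and additionally flags any 12-digit run, which is the length of an AWS account ID. The rule subset, the reserved prefix/suffix list and the account-ID heuristic are my assumptions.

```python
import re

# Subset of the general-purpose bucket naming rules from the cited AWS page [1].
# This is an added example, not AWS code; the lists below are assumptions.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")   # 12-digit run = account ID length
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RESERVED_PREFIXES = ("xn--", "sthree-")
RESERVED_SUFFIXES = ("-s3alias", "--ol-s3")


def check_bucket_name(name: str) -> list[str]:
    """Return a list of problems with the name; an empty list means it passes."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not re.fullmatch(r"[a-z0-9.-]+", name):
        problems.append("only lowercase letters, digits, dots and hyphens allowed")
    if not (name[:1].isalnum() and name[-1:].isalnum()):
        problems.append("must begin and end with a letter or digit")
    if ".." in name:
        problems.append("must not contain two adjacent periods")
    if IPV4_RE.match(name):
        problems.append("must not be formatted as an IP address")
    if name.startswith(RESERVED_PREFIXES):
        problems.append("uses a reserved prefix")
    if name.endswith(RESERVED_SUFFIXES):
        problems.append("uses a reserved suffix")
    # The point raised in the thread: a bucket name is visible to anyone you
    # share it with, so an embedded account ID leaks along with it.
    if ACCOUNT_ID_RE.search(name):
        problems.append("contains a 12-digit run that looks like an AWS account ID")
    return problems


if __name__ == "__main__":
    # Constructed sample names: the question's convention with an account ID,
    # and the same convention with an alias instead (values are made up).
    for candidate in (
        "myapp-prod-datauploads-useast1-123456789012",
        "myapp-prod-datauploads-useast1-mycompany",
    ):
        print(candidate, "->", check_bucket_name(candidate) or "ok")
```

Run against the exact name in the question, the checker also reports the uppercase letters, which the naming rules do not allow; the alias-based variant passes cleanly.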

Maurice

Reputation: 13162

The question of whether account IDs are sensitive information has been discussed for a very long time. Corey Quinn has written an interesting blog about it and quotes an AWS representative (emphasis mine):

So, settling this debate once and for all, I quote AWS’s Director of Worldwide Analyst Relations & Market Insight Steven Armstrong: “Account IDs are not considered sensitive. Based on your feedback, we’ve started updating our documentation to make this more clear.”

That means you can use them freely in your S3 bucket names, although you will make it an iota easier for potential attackers to figure out where to guess usernames and passwords.

Upvotes: 5
