Full Report
With AWS access keys, there are two mandatory parts: the key ID and the secret key. The format of the access key ID is actually predictable, which is super interesting! The first four characters are a prefix for the type of key; this depends on whether it is for a role, a certificate, a regular access key or something else. After this, there are 16 characters. If you Base32 decode these you end up with 10 bytes. The account ID is encoded within the first 5 bytes of this, but shifted by one bit. The author wrote a script that decodes the account given the key. The remaining 5 bytes are still unknown. I'm guessing it's random data to ensure that the key is unique.
Analysis Summary
# Tool/Technique: AWS Access Key ID Account De-anonymization
## Overview
This technique involves reverse-engineering the structure of AWS Access Key IDs to extract the underlying 12-digit AWS Account ID. Historically, AWS Access Keys were considered opaque identifiers; however, research has demonstrated that they contain encoded metadata. This allows an analyst or attacker to identify the specific AWS account associated with a leaked or discovered key without making any API calls to AWS.
## Technical Details
- **Type:** Technique (Information Extraction / De-anonymization)
- **Platform:** Amazon Web Services (AWS)
- **Capabilities:** Decodes the 12-digit AWS Account ID from a 20-character Access Key ID.
- **First Seen:** Concept discussed in 2018/2020; refined Python implementation published October 24, 2023.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
- **[T1087.004 - Account Discovery: Cloud Account]**
- **[TA0043 - Reconnaissance]**
- **[T1589.001 - Gather Victim Identity Information: Credentials]**
## Functionality
### Core Capabilities
- **Prefix Identification:** Recognizes the first four characters of the key to determine the entity type (e.g., `AKIA` for long-term access keys, `ASIA` for temporary session keys).
- **Base32 Decoding:** Processes the subsequent 16 characters of the key (following the prefix) using Base32 decoding to retrieve 10 bytes (80 bits) of raw data.
- **Bitwise Extraction:** Extracts the Account ID from the first 5-6 decoded bytes: the 40-bit account ID sits at a one-bit offset from the start of the decoded data, so the leading bit is discarded and the value is shifted by one bit into alignment.
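A decoder for the layout described above (4-character prefix, 16 Base32 characters, 40-bit account ID at a one-bit offset), written for this summary rather than taken from the original post, and framed as an analyst attributing a key found in a leaked-secret alert to an account. The key `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key ID; the alert line, the `OWN_ACCOUNTS` allow-list and the `triage` helper are constructed for the example.

```python
import base64
import binascii
import re

# Regex from the Detection Methods section, anchored to whole tokens.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PREFIX_TYPES = {"AKIA": "long-term IAM user key", "ASIA": "temporary STS credentials"}


def account_id_from_key_id(key_id: str) -> str:
    """Return the 12-digit account ID encoded in a 20-character access key ID.

    The 16 Base32 characters after the prefix decode to 10 bytes. The account
    ID is the 40-bit value starting one bit into byte 0: read the first 6 bytes
    as a 48-bit integer, shift right by 7 to drop the low 7 bits of byte 5, and
    mask to 40 bits to drop the leading bit of byte 0.
    """
    if len(key_id) != 20:
        raise ValueError("access key IDs are exactly 20 characters")
    raw = base64.b32decode(key_id[4:])          # 16 chars -> 10 bytes, no padding
    leading = int.from_bytes(raw[:6], "big")
    account = (leading >> 7) & ((1 << 40) - 1)
    return f"{account:012d}"                    # account IDs keep leading zeros


def triage(text: str, own_accounts: set) -> list:
    """Find access key IDs in free text and attribute each one to an account.

    The regex is looser than the Base32 alphabet, so a candidate whose body
    does not decode is reported with account_id set to None.
    """
    findings = []
    for match in KEY_ID_RE.finditer(text):
        key_id = match.group(0)
        try:
            account = account_id_from_key_id(key_id)
        except binascii.Error:
            account = None
        findings.append({
            "key_id": key_id,
            "type": PREFIX_TYPES[match.group(1)],
            "account_id": account,
            "ours": account is not None and account in own_accounts,
        })
    return findings


# Constructed sample: a secret-scanner alert quoting AWS's documented example
# key ID, checked against a constructed allow-list of our own account IDs.
SAMPLE_LINE = "secret-scanner: hit in config.ini: aws_access_key_id=AKIAIOSFODNN7EXAMPLE"
OWN_ACCOUNTS = {"581039954779"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINE, OWN_ACCOUNTS):
        print(finding)
```

Because the prefix is not part of the encoded data, a temporary `ASIA…` key with the same 16-character body decodes to the same account ID as its `AKIA…` counterpart.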
### Advanced Features
- **Deterministic Mapping:** The decoding is deterministic, so the technique allows offline identification of the target organization or account owner when the account ID is already known through other OSINT means.
- **Zero-Log Discovery:** Since this is a mathematical transformation, the account ID can be identified without triggering AWS CloudTrail logs (which would occur if the `sts:GetCallerIdentity` API were used).
## Indicators of Compromise
*Note: This is a technique for analysis; however, the following are relevant identifiers.*
- **Key Prefixes:**
  - `AKIA`: Long-term IAM user access key.
  - `ASIA`: Temporary credentials (STS).
- **Pattern:** 20-character alphanumeric strings starting with documented prefixes.
## Associated Threat Actors
- This technique is widely used by **Cloud Security Researchers** and **Red Teamers**.
- Also utilized by **generic opportunistic threat actors** who scan public repositories (GitHub, Pastebin) for AWS keys to identify high-value targets.
## Detection Methods
- **Signature-based:** Standard regex patterns for AWS Access Keys (`(AKIA|ASIA)[0-9A-Z]{16}`).
- **Behavioral:** High-frequency scanning of public resources for these specific string patterns.
- **Honeytokens:** Deploying "decoy" AWS keys (e.g., via Canary Tokens) and monitoring for use.
## Mitigation Strategies
- **Prevention:** Use automated secrets scanning (e.g., GitHub Secret Scanning, AWS CodeGuru) to prevent keys from being committed to version control.
- **Hardening:** Implement AWS IAM Roles and Instance Profiles instead of static Access Keys where possible.
- **Response:** If a key is leaked, rotate the key immediately and assume the Account ID is now public knowledge.
## Related Tools/Techniques
- **AWS Session Token Analysis:** A related technique for reverse-engineering the structure of the `AWS_SESSION_TOKEN` to find region and timestamp data.
- **Social Engineering/OSINT:** Using the extracted Account ID to find the company name via public S3 bucket names or public AMIs associated with that ID.