Account Disclosure by resource policy

SNS publish policy

Use the assign policy command to enumerate existing accounts. Create an SNS topic and an access policy where we specify the Account ID we want to test. If we don't receive an error then we have confirmed the existence of the account

Create SNS topic

aws sns create-topic --name <arbitrary name>

Create the following file locally and save it as a JSON file

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "<account to test>"
    },
    "Action": ["sns:Publish"],
    "Resource": "<topic arn>"
  }]
}

Assign the policy to the bucket

aws sns set-topic-attributes --topic-arn <arn> --attribute-name 'Policy' --attribute-value file://<policy file>.json

Bucket policies

By trying to assign a role to a bucket we own it is possible to check if a specific user exists. Since the role is owned by a user we input the user account id we want to test (12 ciphers without hyphen) and an arbitrary role name. If the operation succeeds we have confirmed that the account exists

Create the following file locally and save it as a JSON file

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account to test>:role/test_role"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<bucket name>*"
    }
  ]
}

Assign the policy to the bucket

aws s3api put-bucket-policy --bucket <bucket name> --policy file://<policy file>.json