Know the identity behind an AWS canonical ID

0

Today while auditing a friend's security settings, I found that an Amazon Folder (s3 bucket) with his most personal files had an unrecognised ACL entry.

A person (with id ending in f6995f) had "Write" access to the bucket. Weirdly, no read or list access.

There's no name shown as username. Just an alphanumeric "canonical id" of the entity who has access.

What should he do? He can't contact AWS because

On the Basic Support Plan, you can create account and billing support cases and service limit increase requests, but you cannot create technical support cases.

Is there a way to find out the person behind the canonical id? At least country/location/IP?

american-ninja-warrior

Posted 2019-03-22T16:06:24.640

Reputation: 211

Relevant: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

– schroeder – 2019-03-22T17:08:57.577

Answers

1

The AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example4.html says:

The canonical user ID is the Amazon S3–only concept. It is a 64-character obfuscated version of the account ID.

Therefore you can't get anything out of the canonical user ID because it's almost certainly a one-way hash (e.g. SHA-256) of some other stuff including the user's ARN.

Try this command and see if you get a "DisplayName" element for the user:

$ aws s3api get-bucket-acl --bucket BUCKETNAME

Source: https://forums.aws.amazon.com/thread.jspa?threadID=286019
(Login required if you have AWS console cookies in your browser, so either log in when prompted or use a private window.)

Alastair Irvine

Posted 2019-03-22T16:06:24.640

Reputation: 278
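As an added example (not code from the question or the answer), a small audit script that parses the JSON printed by the `get-bucket-acl` command above and reports every grant that does not go to the bucket owner, including the predefined AllUsers/AuthenticatedUsers groups. The canonical IDs in the sample are constructed placeholders, and `known_ids` is an assumed parameter for grantees the owner recognises.

```python
import json

# Constructed sample of `aws s3api get-bucket-acl --bucket BUCKETNAME` output;
# the 64-character canonical IDs are made-up placeholders, not real accounts.
OWNER_ID = "a" * 58 + "0wner1"
STRANGER_ID = "b" * 58 + "f6995f"
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "owner-account", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "owner-account",
                     "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": STRANGER_ID},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})

# Predefined S3 groups; a grant to either is a public/cross-account exposure.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def audit_bucket_acl(acl_json, known_ids=()):
    """Return findings for every grant that is not to the bucket owner.

    known_ids: canonical IDs the owner deliberately granted (e.g. a backup
    account), which are not reported.
    """
    acl = json.loads(acl_json)
    trusted = {acl["Owner"]["ID"], *known_ids}
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(f"{perm} for {PUBLIC_GROUPS[uri]} via {uri}")
        elif grantee.get("ID", "") not in trusted:
            # DisplayName is not always present; then the canonical ID suffix
            # is the only handle you have on the grantee.
            name = grantee.get("DisplayName") or "no DisplayName"
            findings.append(f"{perm} for unknown canonical ID "
                            f"...{grantee.get('ID', '')[-6:]} ({name})")
    return findings
```

Pipe the real CLI output into `audit_bucket_acl` and treat every finding as a grant to review and, if unexplained, remove with `put-bucket-acl`.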