A short note on AWS KEY ID
As I was playing with the AWS authentication and authorization system, I realized that most of its inner workings and data structures are not documented.
I tried to find out whether someone had already published on this matter and found some research by Scott Piper
https://summitroute.com/blog/2018/06/20/aws_security_credential_formats
and by Aidan Steele.
Specifically, Aidan was trying to find out how the account_id is encoded within the aws_access_key_id. For example, ASIAY34FZKBOKMUTVV7A somehow encodes the account ID "609629065308".
Aidan wrote that he almost got it right, but got it wrong on some edge cases. I believe Aidan got very close to the correct solution and it just needs a bit (see below 😃) of tweaking:
- The first four characters (ASIA in this example) are indeed a documented prefix that depends on the type of the key.
- The rest of the string, typically 16 characters long, is Base32 encoded, which yields 80 bits of data, or 10 bytes.
- The account ID fits well within 5 bytes; however, that data is shifted by one bit! (skewing Aidan's original calculation a bit, pun very much intended)
Putting it all together into a Python script:
import base64
import binascii

def AWSAccount_from_AWSKeyID(AWSKeyID):
    trimmed_AWSKeyID = AWSKeyID[4:]  # remove the 4-character KeyID prefix (e.g. ASIA/AKIA)
    x = base64.b32decode(trimmed_AWSKeyID)  # Base32 decode: 16 chars -> 10 bytes
    y = x[0:6]  # the account ID lives in the first 6 bytes (48 bits)
    z = int.from_bytes(y, byteorder='big', signed=False)
    # keep bits 7..46 of the 48-bit value: the top bit is skipped and the low 7 bits are dropped
    mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
    e = (z & mask) >> 7
    return e

# zero-pad to 12 digits, since account IDs may have leading zeros
print("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))
You can play with it online https://www.online-python.com/sKWIRkMh5E
Executing this script against the aws_access_key_id ASIAY34FZKBOKMUTVV7A yields the expected account ID "609629065308".
Remaining questions and the road ahead
- What is encoded (if at all) within the remaining data bits of the aws_access_key_id?
- I would love for people to try out the script and send feedback if they stumble upon edge cases.
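To make the decoding above easier to test against edge cases, and to show the defensive use it lends itself to (triaging a key ID that turns up in a log or a repository to see whether it belongs to one of your own accounts), here is an added example of my own, not the original script: it validates the prefix, length and Base32 alphabet before decoding, builds the 0x7fffffffff80 mask from the 40-bit width and 7-bit shift rather than hard-coding it, and flags AKIAI/AKIAJ keys as possibly legacy per the 28/1/2024 update. The log lines are constructed for this example; the second key is the documented AWS example key, not a real credential.

```python
import base64
import binascii
import re

# Prefixes this example recognizes (AKIA and ASIA are the ones the post relies on).
KNOWN_PREFIXES = {"AKIA": "long-term IAM user key", "ASIA": "temporary STS key"}

# The 40-bit account ID sits at bits 7..46 of the first 48 decoded bits.
ACCOUNT_BITS = 40
ACCOUNT_SHIFT = 7
ACCOUNT_MASK = ((1 << ACCOUNT_BITS) - 1) << ACCOUNT_SHIFT  # equals 0x7fffffffff80


def account_id_from_key_id(key_id: str) -> str:
    """Return the 12-digit account ID encoded in an AWS access key ID, or raise ValueError."""
    if len(key_id) != 20:
        raise ValueError(f"unexpected key ID length {len(key_id)} (expected 20)")
    prefix, body = key_id[:4], key_id[4:]
    if prefix not in KNOWN_PREFIXES:
        raise ValueError(f"unknown key ID prefix {prefix!r}")
    try:
        raw = base64.b32decode(body)  # 16 Base32 chars -> exactly 10 bytes, no padding needed
    except binascii.Error as exc:
        raise ValueError(f"key ID body is not valid Base32: {exc}") from None
    first48 = int.from_bytes(raw[:6], byteorder="big", signed=False)
    account = (first48 & ACCOUNT_MASK) >> ACCOUNT_SHIFT
    return f"{account:012d}"  # zero-pad: account IDs may begin with 0


def is_possibly_legacy(key_id: str) -> bool:
    """Heuristic from the post's update: old AKIAI.../AKIAJ... keys use a different layout."""
    return key_id.startswith(("AKIAI", "AKIAJ"))


# Key-ID-shaped tokens: known prefix followed by 16 Base32 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b")


def triage_key_ids(text: str, own_accounts: set) -> list:
    """Find key IDs in text and label each as own-account, foreign-account or undecodable."""
    findings = []
    for match in KEY_ID_RE.finditer(text):
        kid = match.group(0)
        try:
            acct = account_id_from_key_id(kid)
            status = "own-account" if acct in own_accounts else "foreign-account"
        except ValueError as exc:
            acct, status = None, f"undecodable: {exc}"
        findings.append(
            {"key_id": kid, "account_id": acct, "status": status, "legacy": is_possibly_legacy(kid)}
        )
    return findings


# Constructed sample log; the first key is the one analysed in the post, the second is
# AWS's documented example key ID (an AKIAI legacy-style key).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z app: aws_access_key_id=ASIAY34FZKBOKMUTVV7A used for s3:GetObject
2024-05-01T10:00:02Z scanner: found AKIAIOSFODNN7EXAMPLE in config.ini
"""

if __name__ == "__main__":
    for finding in triage_key_ids(SAMPLE_LOG, own_accounts={"609629065308"}):
        print(finding)
```

Only the 48-bit window is examined, so the remaining 32 decoded bits are untouched; if someone works out what they hold, this is the place to extend the decoder.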
I believe it is very important that the security community gets some visibility into AWS authentication and authorization systems and protocols, which are currently largely a black box. This can be done either through AWS releasing more information (preferably), or via reverse engineering such as shown in this article.
So if you are able to find out more about this topic, please let the security world know!
UPDATED 25/10/2023: Fixed a bug in bitmask + formatting of ID to add leading 0s so it will always be 12 digits. Thank you Tejas Zarekar for testing and reporting!
Updated 28/1/2024: It seems the logic for old keys starting with I/J is different.
Updated 7/8/2024: For an in-depth analysis of AWS Session Token, see