Sharing AWS Account Number (for External ID)

We are building a service on top of AWS for our internal org to manage their AWS accounts based on the reference documentation here.

Ref : http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Question: Referring to the document, our service is the equivalent of 'ExampleCorp'. Hence, we have to share our AWS account number so that roles in our project AWS accounts can be assumed.

Is it a security concern to share our 'AWS account number'? Can someone use this information (AWS Account Number) for malicious purposes?

Or,

Should we create an AWS account number per project/user?

Note: The only reference I found on the internet related to this is the link below, and it claims it's OK to share: https://acloud.guru/forums/aws-certified-solutions-architect-professional/discussion/-KRUT9T6gFZ4Ebyv0hLp/my-aws-account-id-should-it-remain-private

Thanks

Sri asked Mar 07 '23 11:03


2 Answers

Sharing AWS account numbers is fairly safe among business partners. There is not much, if anything, that anyone can do with just the account number. To assume a role, the account number is required, but the authorizing account must also set up a trust relationship for the policy. Just be careful with which permissions you give to the IAM role for the partner.

Regarding the comment in the link that you referenced about tricking Amazon: they would need to know a lot more information than what was mentioned. Amazon is very smart and very careful in this regard.

You need to think through why you are granting access to a third party to decide if separate accounts are required. For example, if you are purchasing a security / monitoring service from a third party, they will need to access the instances in your account(s).

John Hanley answered Mar 19 '23 09:03


Is it a security concern to share our 'AWS account number'? Can someone use this information (AWS Account Number) for malicious purposes?

You will have to share your account ID if you need someone to provide you with cross-account access. That's how to establish a trust relationship. So there should be no security concerns around sharing your account number.

Or,

Should we create an AWS account number per project/user?

No, you don't. Just use one account to link to other projects.

Sharing AWS Account Number As External ID

This is a no-no! Generate a unique string as the external ID for each cross-account role you want to assume. Your external ID is something that identifies you when assuming that role and which also establishes your trust relationship. If you just use your account number as the external ID and for some reason your IAM user credentials are compromised, your linked accounts (with roles) are also potentially compromised. My suggestion would be to generate new external IDs for each project and possibly (specifically for your use case) generate IAM users per project and assign them policies to assume roles for their respective project accounts only, plus whatever other AWS services may be required.

Aniket Thakur answered Mar 19 '23 08:03
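As an added example (not code from the thread or from AWS), the following builds the trust policy for a cross-account role in the form the linked IAM guide describes, once with no external ID condition and once with a per-project external ID, and applies a small local check of the Principal and sts:ExternalId condition so the difference is visible. The account numbers and role name are constructed placeholders, and the check is an illustration of the condition logic, not the IAM policy engine.

```python
import json
import secrets
from typing import Optional

# Constructed placeholder account numbers, not real accounts.
CUSTOMER_ACCOUNT = "111111111111"   # project account that owns the role
SERVICE_ACCOUNT = "222222222222"    # the 'ExampleCorp'-style service account


def generate_external_id() -> str:
    """One unguessable external ID per project, never the account number."""
    return secrets.token_hex(16)


def trust_policy(service_account: str, external_id: Optional[str]) -> dict:
    """Trust policy for the role in the customer account.
    external_id=None yields the weak form with no sts:ExternalId condition."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{service_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_allowed(policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Local illustration of how the trust policy is evaluated: the caller's
    account must match the Principal and, when a condition is present, the
    ExternalId supplied on the AssumeRole call must equal the configured one."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        required = (stmt.get("Condition", {}).get("StringEquals", {})
                    .get("sts:ExternalId"))
        if required is None or required == external_id:
            return True
    return False


if __name__ == "__main__":
    project_a, project_b = generate_external_id(), generate_external_id()
    policy_a = trust_policy(SERVICE_ACCOUNT, project_a)
    print(json.dumps(policy_a, indent=2))
    # Same service account, but project B's external ID is rejected by A's role.
    print(assume_role_allowed(policy_a, SERVICE_ACCOUNT, project_a))  # True
    print(assume_role_allowed(policy_a, SERVICE_ACCOUNT, project_b))  # False
```

When the service then calls AssumeRole (for example boto3's `sts.assume_role(RoleArn=..., RoleSessionName=..., ExternalId=...)`), it passes the external ID stored for that one project, so a role created for another project cannot be assumed with it.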