AWS Account ID detected as a secret although it's not a secret #4491
Closed

AXDOOMER started this conversation in False Detection
Replies: 1 comment, 5 replies

Reply:
Thanks for sharing the detailed documents and blogs. It makes sense. I created an issue. #4492
IDs: AWS Account ID

Description
Would anyone consider AWS account IDs as a secret? Yet Trivy flags them as a secret (severity: High).
AWS' documentation says "While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information." (AWS doc: Viewing account identifiers - AWS Account Management)
A blog on Zeuscloud says "AWS Account IDs aren’t considered secrets. So, they’re often publicly available in documentation, blog posts, videos, etc. As an example, you can find a Datadog AWS Account ID in their docs. Additionally, there are repositories of known AWS accounts, which also attribute the Account ID to vendors." (AWS Account ID: An Attacker's Perspective)
The guy who runs flaws.cloud and flaws2.cloud says finding the ID of an account has no negative consequences. (Reddit: Is it really necessary to strip the AWS account ID from tutorials)
In a blog, quoting an AWS representative, it says "So, settling this debate once and for all, I quote AWS’s Director of Worldwide Analyst Relations & Market Insight Steven Armstrong: “Account IDs are not considered sensitive. Based on your feedback, we’ve started updating our documentation to make this more clear.”" (Blog: Are AWS account IDs sensitive information?)
So in the end, we can conclude that AWS account IDs are not secret. Knowing the AWS account ID of a company could probably help a malicious adversary by an iota, thus its impact is at most low. I believe leaking an AWS account ID would help an adversary discovery-wise, but considering it a secret is akin to considering an email address or an internet username as a secret. In all practicality, what can an attacker do? They don't have the account's password.
Reproduction Steps
Target: Filesystem
Scanner: Secret
Target OS: No response
Debug Output
Version
Checklist
- Checked the -f json output that shows data sources and confirmed that the security advisory in data sources was correct
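A suppression a scan owner can apply while the rule is being reconsidered, added here as an example and not part of the original discussion: Trivy's secret scanner reads a trivy-secret.yaml file from the scanned directory (or the file passed with --secret-config), and its disable-rules list switches off built-in rules by ID. The rule ID aws-account-id is an assumption; the page names the rule only by its title "AWS Account ID", so confirm the ID against the RuleID field of a JSON scan result before relying on it.

```yaml
# trivy-secret.yaml -- added example, not taken from the discussion above.
# Place it in the directory being scanned, or pass it explicitly:
#   trivy fs --scanners secret --secret-config trivy-secret.yaml .
# Assumption: the built-in "AWS Account ID" rule has the ID `aws-account-id`;
# verify with `trivy fs --scanners secret -f json .` (RuleID field) first.
disable-rules:
  - aws-account-id
```

Disabling only this rule keeps the access-key and secret-key rules active, so a real credential committed next to an account ID is still reported; the change removes the High-severity finding for the identifier alone, which is what the post argues is not a secret.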