
For those who don't have the time to read the entire thing.

The “Shadow Resources” attack vector, which has since been addressed by AWS, stemmed from the automatic generation of S3 buckets by various AWS services, including:

- CloudFormation

- Glue

- EMR

- SageMaker

- ServiceCatalog

- CodeStar

One interesting snippet is:

> [...] the researchers note that their findings demonstrate the importance of treating potential identifiers, such as AWS account IDs, as secrets

Which seems to be pretty opposite to the prevailing opinion, at least in some circles. For example the comments here [0] about how to get the account ID for an arbitrary S3 bucket, where many said it was essentially a nothing burger, similar to IPs or emails.

Regardless of who is correct, I think it's a telling example of the "dangers" with identifiers that are kinda-public-kinda-private. I'm guessing at least part of the root cause of this bug is AWS engineers not thinking about the fact that account IDs aren't fully private.

[0]: https://news.ycombinator.com/item?id=39512896
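One defensive check that follows from the summary above: before any of the listed services writes to a bucket whose name it derives from your account ID, confirm the bucket is actually owned by your account. This is an added example, not code from the comment or from the original research; the bucket names and account IDs are constructed, the naming patterns the services use are not given on this page, and the only real API used is S3 HeadBucket with its ExpectedBucketOwner parameter (S3 answers 403 when the bucket exists under another account).

```python
try:
    from botocore.exceptions import ClientError  # real boto3 clients raise this
except ImportError:  # fallback so the example runs without botocore installed
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Code"])
            self.response = error_response


def classify_bucket(s3, bucket, account_id):
    """Return 'owned', 'foreign' or 'absent' for one bucket name."""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return "owned"
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code in ("403", "AccessDenied"):
            # Bucket exists but the owner check failed: the shadow-resource case
            return "foreign"
        if code in ("404", "NoSuchBucket", "NotFound"):
            return "absent"  # safe to create under your own account first
        raise


def audit_buckets(s3, buckets, account_id):
    """Map each expected bucket name to its classification."""
    return {b: classify_bucket(s3, b, account_id) for b in buckets}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client: bucket name -> owner account."""
    def __init__(self, owners):
        self.owners = owners

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        owner = self.owners.get(Bucket)
        if owner is None:
            raise ClientError({"Error": {"Code": "404"}}, "HeadBucket")
        if ExpectedBucketOwner is not None and owner != ExpectedBucketOwner:
            raise ClientError({"Error": {"Code": "403"}}, "HeadBucket")
        return {}


def demo():
    # Constructed account IDs and names; one bucket was pre-claimed by another account
    me = "111111111111"
    s3 = FakeS3({"deploy-artifacts-111111111111": me,
                 "deploy-staging-111111111111": "222222222222"})
    names = ["deploy-artifacts-111111111111", "deploy-staging-111111111111",
             "deploy-logs-111111111111"]
    return audit_buckets(s3, names, me)
```

With a real client, replace `FakeS3` by `boto3.client("s3")` and feed `audit_buckets` the names your deployment expects; any `foreign` result should block the deployment.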