Sharing AWS Account Number (for External ID)

Question:

We are building a service on top of AWS for our internal org to manage their AWS accounts based on the reference documentation here.

Ref : http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Question: Referring to the document, our service is the equivalent of ‘ExampleCorp’. Hence, we have to share our AWS account number for assuming roles in our project AWS accounts.

Is it a security concern to share our ‘AWS account number’? Can someone use this information (AWS Account Number) for malicious purposes?

Or,

Should we create an AWS account number per project/user?

Note:
(The only reference I found on the internet related to this is the link below, and it claims it's OK to share:
https://acloud.guru/forums/aws-certified-solutions-architect-professional/discussion/-KRUT9T6gFZ4Ebyv0hLp/my-aws-account-id-should-it-remain-private)

Thanks

Answer:

Sharing AWS account numbers is fairly safe among business partners. There is not much, if anything, that anyone can do with just the account number. To assume a role, the account number is required, but the authorizing account must also set up a trust relationship for the policy. Just be careful with which permissions you give to the IAM role for the partner.

Regarding the comment in the link that you referenced about tricking Amazon: they would need to know a lot more information than what was mentioned. Amazon is very smart and very careful in this regard.

You need to think through why you are granting access to a third party to decide if separate accounts are required. For example, if you are purchasing a security / monitoring service from a third party, they will need access to your account(s) that have the instances.
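The trust relationship the answer refers to is the role's trust policy in the project (customer) account; it names the partner's account as the principal and, following the external-ID pattern in the linked AWS documentation, requires the caller to present the agreed `sts:ExternalId`. The following is an added example, not code from the question, the answer or AWS: a constructed trust policy using placeholder account and external-ID values, plus a small checker that flags the two weaknesses a reviewer would look for (a wildcard principal, and a missing `sts:ExternalId` condition). The `trust_policy_findings` function and the placeholder values are assumptions for illustration.

```python
import json

# Constructed placeholders (not real identifiers): the service's own account,
# which is what "ExampleCorp" shares with each customer, and a per-customer
# external ID that the service must pass when calling AssumeRole.
PARTNER_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-for-customer-A"

# Trust policy attached to the role in the customer's (project) account.
# Only the partner account may assume it, and only with the agreed external ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}

# Constructed weak variant: anyone who knows the role ARN could attempt to
# assume it, and nothing ties the call to a specific customer relationship.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows scalar-or-list for Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list[str]:
    """Return human-readable weaknesses found in a role trust policy.

    Checks each Allow statement that grants sts:AssumeRole for:
      * a wildcard principal ("*" or {"AWS": "*"});
      * a missing StringEquals sts:ExternalId condition.
    An empty list means neither issue was found.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal")
        aws_principals = (
            ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        )
        if "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard principal allows any AWS account")

        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in string_equals:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
    return findings


def trusted_accounts(policy: dict) -> set[str]:
    """Extract the 12-digit account IDs named as AWS principals in the policy."""
    accounts = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        for arn in _as_list((principal or {}).get("AWS") if isinstance(principal, dict) else None):
            parts = arn.split(":")
            if len(parts) >= 5 and parts[4].isdigit():
                accounts.add(parts[4])
    return accounts


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print("findings (good):", trust_policy_findings(TRUST_POLICY))
    print("findings (weak):", trust_policy_findings(WEAK_TRUST_POLICY))
    print("trusted accounts:", trusted_accounts(TRUST_POLICY))
```

Knowing the account number `111122223333` alone gets a third party nothing here: the role only exists if the customer creates it, it only trusts the account the customer names, and the external ID must match as well. The checker is the kind of guardrail a service could run over customer-supplied trust policies before onboarding them.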
