By leveraging the s3:ResourceAccount policy condition, we can identify the AWS account ID associated with a public S3 bucket.
To test this, you can use Grayhat Warfare’s list of public S3 buckets.
You will need a role with s3:ListBucket permissions, and you can specify the target bucket as the resource for your policy. Alternatively you can set a resource of ‘*’ to quickly test multiple buckets.
user@host:$ s3-account-search arn:aws:iam::123456789123:role/s3-searcher <bucket name>
Starting search (this can take a while)
found: 1
found: 12
*** snip ***
found: 123456789123