In Stack Overflow answers (like this), I often take screenshots which include Instance IDs belonging to me. Is it a bad idea to reveal these?
As an aside, this article on the anatomy of an instance-id is quite interesting: http://www.jackofallclouds.com/2009/09/anatomy-of-an-amazon-ec2-resource-id/ – Roberto Tyley Apr 02 '15 at 09:45
4 Answers
I do see times where AWS Support folks will reply to someone in the forums with "Can you post your instance ID?" and then they'll reply back with things like "yep, I see your instance is off, etc."...so I'd presume that it isn't something that non-AWS tech support can take advantage of and use against you, or their support staff would ask for it via a private message or similar, and would (hopefully) scrub anything from the forums that could harm/hack an instance.
Course, that's an educated assumption on my part, so take it as you will.

Agreed, if it were a security concern their techs wouldn't be asking for it in public. – ceejayoz Feb 03 '14 at 15:02
It's generally believed that AWS Instance IDs are obfuscated counters. This means that the ID may convey information about when the instance was created (and hence how long it has been running). If you have very long-lived instances then this could potentially attract attention (that those instances might be less likely to have current security patches).
As it's not an address, the ID shouldn't be sufficient to probe the instance with traffic. The ID also shouldn't be sufficient to manipulate the instance through the AWS API, without authentication and explicit permissions to unlock it. If someone does obtain elevated access then it is likely to be comparatively easy for them to determine the ID. In other words, the security of IDs (by themselves) does not seem highly valuable.
However, the ID could provide at least some value to a potential attacker (helping them map the infrastructure with one less API call), and potentially helping them connect specific information that you disclosed in online posts (along with your profile, e.g. email address and organisational affiliations). There is a philosophy of security in depth, that even a very small hurdle should not be removed from the path of potential adversaries.

I agree - and the only way giving out your instance ID would be "bad" is if you gave someone AWS Access and Secret Keys or console permissions (IAM or Root) and they manipulated your resources that way.

Making your AMI publicly available isn't going to give anyone easy access to your machine.
It's nowhere near as bad as handing over your private key, or the public IP address that ssh listens on.
Having said that, someone might be able to take advantage of a bug, or otherwise exploit AWS...starting with the AMI id.
I'm not suggesting I know of any such exploits, or that they're very likely to happen, just that you need to make a judgement call on the risk vs effort of blurring out that data.

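For CLI output or logs pasted alongside a screenshot, the blurring weighed up in the answers above can be done mechanically. The following is an added example, not code from any of the answers: it swaps each EC2 resource ID for a stable placeholder so readers can still see which lines refer to the same instance. The prefix list, the placeholder format and the function name are assumptions.

```python
import re

# EC2 resource IDs are a type prefix, a hyphen, then 17 hex digits
# (current format) or 8 hex digits (legacy format).
# Assumption: this prefix list covers what you post; extend it as needed.
_PREFIXES = ("i", "ami", "vol", "snap", "sg", "subnet", "vpc", "eni")
_ID_RE = re.compile(
    r"(?<![A-Za-z0-9-])("          # not the tail of a longer token (e.g. "api-")
    + "|".join(_PREFIXES)
    + r")-([0-9a-f]{17}|[0-9a-f]{8})"
    r"(?![0-9A-Za-z])"             # reject hex runs of any other length
)


def redact_ec2_ids(text):
    """Return (redacted_text, mapping) where mapping is original -> placeholder.

    The same ID always maps to the same placeholder, so a reader can still
    follow one instance through the output. Keep the mapping private.
    """
    mapping = {}
    counters = {}

    def _sub(match):
        original = match.group(0)
        if original not in mapping:
            prefix = match.group(1)
            counters[prefix] = counters.get(prefix, 0) + 1
            mapping[original] = f"{prefix}-REDACTED{counters[prefix]}"
        return mapping[original]

    return _ID_RE.sub(_sub, text), mapping


# Constructed sample text, not real resource IDs.
SAMPLE = (
    "i-0123456789abcdef0 running, launched from ami-1a2b3c4d\n"
    "Rebooting i-0123456789abcdef0; i-9f8e7d6c stays stopped\n"
    "api-12345678 and i-12345 are not resource IDs\n"
)

if __name__ == "__main__":
    redacted, _ = redact_ec2_ids(SAMPLE)
    print(redacted, end="")
```
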