In 2021, Ben Bridts introduced a unique method for discovering the AWS Account ID of a public S3 bucket. The technique involves creating a VPC Endpoint for S3 and applying custom policies to determine the Account ID incrementally. By analyzing CloudTrail logs, one can infer whether a request was permitted or blocked, which indicates the correct Account ID digits. The process can be time-consuming, but it can be sped up by modifying the VPC Endpoint policy to test all possibilities in parallel. The technique showcases the power of IAM policy conditions and offers insight into potential security vulnerabilities in cloud environments.
https://tracebit.com/blog/2024/02/finding-aws-account-id-of-any-s3-bucket/