taskcat includes the account ID in its output and logs. While the account ID is not as sensitive as a password or an access key, and is even shared when configuring cross-account access, an attacker can use that information to identify and exploit vulnerable IAM resources, as outlined in this Rhino Security Labs blog post.
Exposing an account ID could make it unsuitable for use in open-source projects, where the pipeline's output, including the would be made available to anyone on the internet.
This issue is to determine a methodology for creating AWS accounts for taskcat's end-to-end tests, whereas the build pipeline would run using GitHub Actions, but while limiting the attack surface.
taskcat includes the account ID in its output and logs. While the account ID is not as sensitive as a password or an access key, and is even shared when configuring cross-account access, an attacker can use that information to identify and exploit vulnerable IAM resources, as outlined in this Rhino Security Labs blog post.
Exposing an account ID could make it unsuitable for use in open-source projects, where the pipeline's output, including the would be made available to anyone on the internet.
This issue is to determine a methodology for creating AWS accounts for taskcat's end-to-end tests, whereas the build pipeline would run using GitHub Actions, but while limiting the attack surface.