improve anonymization for accountId (#2523)

rtpascual · web-flow · commit ce8e4fc23987 · 2025-02-19T11:52:25.000-08:00
* improve anonymization for accountId

* PR feedback
diff --git a/.changeset/stupid-coats-smoke.md b/.changeset/stupid-coats-smoke.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/platform-core': patch
+---
+
+improve anonymization for accountId
diff --git a/packages/platform-core/src/usage-data/account_id_fetcher.test.ts b/packages/platform-core/src/usage-data/account_id_fetcher.test.ts
@@ -48,4 +48,27 @@ void describe('AccountIdFetcher', async () => {
     assert.strictEqual(mockSend.mock.callCount(), 1);
     mockSend.mock.resetCalls();
   });
+
+  void test('returns different account UUID based on account buckets', async () => {
+    const mockSend = mock.method(STSClient.prototype, 'send', () =>
+      Promise.resolve({
+        Account: '123456789012',
+      } as GetCallerIdentityCommandOutput)
+    );
+
+    // different accountIdFetcher to avoid returning cached account UUID
+    const accountIdFetcher1 = new AccountIdFetcher(new STSClient({}));
+    const accountIdFetcher2 = new AccountIdFetcher(new STSClient({}));
+
+    const accountId1 = await accountIdFetcher1.fetch();
+    mock.method(STSClient.prototype, 'send', () =>
+      Promise.resolve({
+        Account: '123456789901', // should fall in different account id bucket
+      } as GetCallerIdentityCommandOutput)
+    );
+    const accountId2 = await accountIdFetcher2.fetch();
+
+    assert.notStrictEqual(accountId1, accountId2);
+    mockSend.mock.resetCalls();
+  });
 });
diff --git a/packages/platform-core/src/usage-data/account_id_fetcher.ts b/packages/platform-core/src/usage-data/account_id_fetcher.ts
@@ -24,11 +24,8 @@ export class AccountIdFetcher {
         new GetCallerIdentityCommand({})
       );
       if (stsResponse && stsResponse.Account) {
-        const accountIdBucket = Number(stsResponse.Account) / 100;
-        this.accountId = uuidV5(
-          accountIdBucket.toString(),
-          AMPLIFY_CLI_UUID_NAMESPACE
-        );
+        const accountIdBucket = stsResponse.Account.slice(0, -2);
+        this.accountId = uuidV5(accountIdBucket, AMPLIFY_CLI_UUID_NAMESPACE);
         return this.accountId;
       }
       // We failed to get the account Id. Most likely the user doesn't have credentials

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@aws-amplify/platform-core': patch
 +---
++
 +improve anonymization for accountId