
Well, that assumes that the ID is cryptographically random. Perhaps that is a bad assumption.



My general assumption is not that they’re random, but at least that they’re not correlated; in particular that Amazon is not in the habit of handing out, like, account IDs 676363687000 - 676363687999 to a single organization. Even if they did hand out a sequential batch of 1000 account IDs, it would be more likely to be 676363687541 - 676363688540 than a set with a single consistent prefix.

Odds are that an account wildcard match like 676363687* will just match a few hundred entirely random AWS accounts.


> in particular that Amazon is not in the habit of handing out, like, account IDs 676363687000 - 676363687999 to a single organization

Honestly, wouldn't surprise me that much if they were willing to accommodate this for sufficiently large accounts. It'd still be pretty sketchy to design your access control around, but it wouldn't be unrealistic.


I once was involved in creating two (linked) Amazon accounts at the "same" time, and ended up with account IDs of which the first 4 digits are identical.


A namespace you and only 100 million other accounts share - probably reasonable to just grant access to “1234*”.


Even if it's not, that doesn't mean pattern matching IDs is good.


Oh god, no. Seems like a bad idea indeed! But might give some insight into their system.


It's irrelevant whether they're "cryptographically" random; all that matters is that account IDs are not controlled by the user and therefore have no logical relation to any access-control policies the user may wish to implement.


If it's sequential, that somehow seems worse?
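Added example, not from any of the commenters above: a small Python checker that (a) counts how many 12-digit AWS account IDs a glob pattern such as `676363687*` or `1234*` can match, and (b) lints an IAM-style policy document for account-ID conditions that use a wildcard-capable operator. The policy documents are constructed for the example; the condition keys and operators (`aws:PrincipalAccount`, `StringLike`, `StringEquals`) are real IAM names, but the bucket name, Sid and account numbers are made up.

```python
"""Lint IAM-style policies for wildcarded AWS account IDs.

Added example for the thread above; not code from AWS or any commenter.
Assumes the standard policy JSON shape (Statement -> Condition -> operator -> key).
"""
import json
import re

# Global condition keys whose values are 12-digit account IDs.
ACCOUNT_KEYS = {"aws:PrincipalAccount", "aws:SourceAccount", "aws:ResourceAccount"}
# Condition operators that interpret '*' and '?' as glob wildcards.
WILDCARD_OPERATORS = {
    "StringLike", "StringLikeIfExists",
    "ForAnyValue:StringLike", "ForAllValues:StringLike",
}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def ids_matched_by_pattern(pattern: str) -> int:
    """Number of 12-digit account IDs a prefix-style glob can match.

    Supports digits, '?' (exactly one digit) and a single trailing '*'
    (any number of digits), i.e. the kind of pattern discussed in the thread.
    A non-digit literal can never match a numeric ID, so it yields 0.
    """
    stars = [i for i, ch in enumerate(pattern) if ch == "*"]
    if len(stars) > 1 or (stars and stars[0] != len(pattern) - 1):
        raise ValueError("only a single trailing '*' is supported")
    fixed = sum(1 for ch in pattern if ch.isdigit())
    single = pattern.count("?")
    if fixed + single + len(stars) != len(pattern):
        return 0  # contains a literal that is not a digit
    if fixed + single > 12:
        return 0  # longer than an account ID, cannot match
    if stars:
        return 10 ** (12 - fixed)  # '?' and '*' positions are both free digits
    return 10 ** single if fixed + single == 12 else 0


def find_wildcard_account_conditions(policy: dict) -> list:
    """Return (Sid, key, pattern, ids_matched) for every account condition
    that pairs a wildcard-capable operator with a non-exact value."""
    findings = []
    for stmt in policy.get("Statement", []):
        for operator, clauses in stmt.get("Condition", {}).items():
            if operator not in WILDCARD_OPERATORS:
                continue
            for key, values in clauses.items():
                if key not in ACCOUNT_KEYS:
                    continue
                if isinstance(values, str):
                    values = [values]
                for pattern in values:
                    if not ACCOUNT_ID_RE.match(pattern):
                        findings.append((stmt.get("Sid", "<no Sid>"), key,
                                         pattern, ids_matched_by_pattern(pattern)))
    return findings


# Constructed sample: a bucket policy that trusts every account with a given prefix.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TrustPartnerAccounts",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringLike": {"aws:PrincipalAccount": "676363687*"}},
    }],
}

# Corrected form: enumerate the trusted accounts exactly, with an exact-match operator.
FIXED_POLICY = json.loads(json.dumps(WEAK_POLICY))
FIXED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:PrincipalAccount": ["676363687541", "676363687542"]}
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        for sid, key, pattern, n in find_wildcard_account_conditions(pol):
            print(f"{name}: statement {sid!r} matches up to {n:,} accounts via {key}={pattern!r}")
```

Running it reports that the weak policy's single statement admits up to 1,000 account IDs, while `1234*` (the pattern from the comment above) would admit 100,000,000; the fixed policy produces no findings because `StringEquals` with full 12-digit values cannot match anything else.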



