
Module aws


Offline AWS account-ID recovery and canary-token classification: the single source of truth shared by the scanner’s finding metadata and the verifier’s suppress-live-verification-for-canaries gate.

This is the single source of truth for two facts that can be derived from an AWS access-key ID string alone, shared by every keyhog crate: the scanner attaches them as finding metadata without any verification call, and the verifier consults the canary check so that --verify refuses to trip a canary. It lives in keyhog-core, the one crate both keyhog-scanner and keyhog-verifier depend on, so there is exactly one decode and one canary list, never a fork.

  1. Account decode. Every modern AWS access-key ID (AKIA… long-term, ASIA… temporary STS) has the 12-digit account number mathematically embedded in it, recoverable with a pure base32-decode + bit-shift — NO network call, NO STS GetCallerIdentity, and it works on LIVE and revoked keys. Algorithm matches the trufflesecurity write-up https://trufflesecurity.com/blog/research-uncovers-aws-account-numbers-hidden-in-access-keys: drop the 4-char prefix; base32-decode the body; the first 6 decoded bytes are a big-endian u48; account = (u48 & 0x7fff_ffff_ff80) >> 7, rendered as a 12-digit zero-padded decimal string.

  2. Canary classification. An access key whose decoded account belongs to a known canary issuer (canarytokens.org / Thinkst and off-brand clones) is a tripwire: any live verification alerts whoever planted it. The baseline issuer list is Tier-B data embedded from data/aws-canary-accounts.toml and unioned at first use with a runtime-extension file pointed to by KEYHOG_AWS_CANARY_ACCOUNTS. Baseline source: https://trufflesecurity.com/blog/canaries.
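The two steps above, the offline account decode and the canary gate built on top of it, written out as a stand-alone example. This is added illustration code, not keyhog-core’s own implementation: the function names (decode_account_id, canary_issuers, finding_metadata), the sample key AKIAEXAMPLE2345ABCDE, the two issuer account numbers and the message text are all constructed for the example. The base32 decoder is written inline so the block needs no crates.

```rust
use std::collections::{BTreeMap, HashSet};

/// Value of one RFC 4648 base32 symbol (alphabet A-Z, 2-7); None for anything else.
fn base32_symbol(c: u8) -> Option<u128> {
    match c {
        b'A'..=b'Z' => Some((c - b'A') as u128),
        b'2'..=b'7' => Some((c - b'2' + 26) as u128),
        _ => None,
    }
}

/// Offline decode of the 12-digit account ID embedded in an AKIA…/ASIA… access-key ID.
/// Returns None for a wrong length, a wrong prefix, or a body that is not base32,
/// so a caller can try every credential and only act on Some. (Example code.)
pub fn decode_account_id(key_id: &str) -> Option<String> {
    let raw = key_id.as_bytes();
    if raw.len() != 20 || !(raw.starts_with(b"AKIA") || raw.starts_with(b"ASIA")) {
        return None;
    }
    // Drop the 4-char prefix. The 16-char body base32-decodes to exactly 80 bits
    // (10 bytes, no padding); accumulate them big-endian into one integer.
    let mut bits: u128 = 0;
    for &c in &raw[4..] {
        bits = (bits << 5) | base32_symbol(c)?;
    }
    // The first 6 decoded bytes are the top 48 of those 80 bits, read as a big-endian u48.
    let u48 = (bits >> 32) as u64;
    // Keep bits 7..=46 and drop the low 7: that 40-bit field is the account number.
    let account = (u48 & 0x7fff_ffff_ff80) >> 7;
    Some(format!("{:012}", account))
}

/// Constructed canary-issuer list standing in for the TOML baseline unioned with
/// KEYHOG_AWS_CANARY_ACCOUNTS. Both account numbers are made up for this example.
pub fn canary_issuers() -> HashSet<&'static str> {
    ["324296202549", "000000000001"].iter().copied().collect()
}

/// True when a 12-digit account string belongs to a known canary issuer.
pub fn account_is_canary(account_id: &str, issuers: &HashSet<&str>) -> bool {
    issuers.contains(account_id)
}

/// Operator-facing note for a canary finding (constructed wording).
pub const CANARY_MESSAGE: &str =
    "Access key belongs to a known canary-token issuer; live verification skipped so the tripwire is not triggered.";

/// Offline metadata for a finding: account_id for every decodable key, plus the
/// canary fields only when the decoded account is a known canary issuer.
pub fn finding_metadata(
    credential: &str,
    issuers: &HashSet<&str>,
) -> Option<BTreeMap<&'static str, String>> {
    let account = decode_account_id(credential)?;
    let canary = account_is_canary(&account, issuers);
    let mut meta = BTreeMap::new();
    meta.insert("account_id", account);
    if canary {
        meta.insert("is_canary", "true".to_string());
        meta.insert("canary_message", CANARY_MESSAGE.to_string());
    }
    Some(meta)
}

fn main() {
    let issuers = canary_issuers();
    // Constructed inputs: a canary key, its STS twin, a non-base32 body, a short string.
    for key in ["AKIAEXAMPLE2345ABCDE", "ASIAEXAMPLE2345ABCDE", "AKIAEXAMPLE2345ABCD1", "AKIATOOSHORT"] {
        println!("{}: {:?}", key, finding_metadata(key, &issuers));
    }
}
```

Because the decode reads only the key-ID string, the canary check runs before any network activity, which is exactly what lets a verifier refuse the live probe. Note that AKIA and ASIA keys sharing a body decode to the same account, so the check covers temporary STS credentials as well.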

Constants

CANARY_MESSAGE
Operator-facing note attached to a canary finding so the report explains why verification was skipped. Mirrors trufflehog’s responder message.

Functions

account_is_canary
True when account_id (a 12-digit AWS account string) belongs to a known canary-token issuer.
aws_account_from_key_id
Recover the 12-digit AWS account ID embedded in an access-key ID, fully offline. Returns None when key_id is not a well-formed AKIA…/ASIA… access-key ID (wrong length, wrong prefix, or a non-base32 body), so a caller can blindly try every credential and only act on Some.
finding_metadata
Build the offline metadata for an AWS-access-key finding: always { "account_id": "<12 digits>" } for a decodable AKIA…/ASIA… key, plus { "is_canary": "true", "canary_message": <note> } when the decoded account belongs to a known canary issuer. None when credential is not a well-formed AWS access-key ID.
key_id_is_canary
True when key_id is a decodable AWS access-key ID whose offline-decoded account belongs to a known canary issuer. The verifier uses this to refuse sending a live probe (which would trip the canary) without re-implementing the decode.