Skip to content
BlurFirst

How to Blur the AWS Console During Screen Sharing (Hide Account ID, ARNs & Secrets)

7 min read

Giving a live AWS walkthrough on a call? Here's how to hide the 12-digit account ID, IAM ARNs, access key IDs, resource names, billing figures and secrets in the AWS Management Console before you share your screen.

The safest way to hide account data in the AWS Management Console during a screen share is to blur the specific items in the page before you present — the 12-digit account ID and alias in the top-right menu, IAM ARNs, access key IDs, and resource names in your tables. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and even a screenshot of the shared feed.

The console is a single-page app that re-renders every time you switch service or region, so lean on anchored region blurs for the fixed chrome — the account menu and the region selector at the top-right — and use element blur or Scan for individual values. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H in reach for anything that flashes into frame.

What the AWS console shows that you don't mean to share

  • Account ID and alias — the 12-digit account ID and your account alias sit in the top-right menu and appear in ARNs and Switch Role screens; together they identify your whole AWS org.
  • IAM identities — user and role ARNs like arn:aws:iam::123456789012:role/ProdAdmin and access key IDs (AKIA…) shown on the IAM and Security Credentials pages.
  • Resource names, IDs and tagsS3 bucket names, EC2 instance IDs (i-0abc123…) and their public IPs, RDS identifiers, and cost-allocation tags that name clients or environments.
  • Secrets in plain sight — a revealed value in Secrets Manager, a decrypted SSM Parameter Store SecureString, or a plaintext parameter you open on the call.
  • Billing figures — monthly spend, per-service costs and forecasts in Billing and Cost Explorer, which quietly disclose your scale and margins.

Blur the AWS console step by step

  1. 1

    Open the service and region you'll present

    Navigate to the exact console page before the call — EC2, S3, IAM, wherever you're headed — and note which region is selected so nothing surprises you mid-demo.

  2. 2

    Box-blur the account menu and region selector

    Drag a BlurFirst box over the top-right area that holds the account ID, alias and region selector. Because it's an anchored region blur, it keeps covering that chrome as the single-page app re-renders between services.

  3. 3

    Element-blur ARNs, key IDs and resource names

    Click an ARN, an access key ID, a bucket name or an instance ID in a table to frost just that element — the surrounding columns stay readable. Click again to reveal it if you need to.

  4. 4

    Run Scan to catch access keys and emails

    One click runs Scan (Pro), which detects API-key and access-key patterns and email addresses locally and blurs them. It won't recognise the 12-digit account ID, bucket names or ARNs as patterns, so cover those with a box or element blur yourself.

  5. 5

    Reveal secrets carefully, and keep panic ready

    If you must open a secret in Secrets Manager or decrypt an SSM parameter, blur the value first or avoid clicking Retrieve secret value. If one appears unexpectedly, press Ctrl/⌘ ⇧ H to blur the whole page instantly.

Sensitive itemWhere it appearsBest gesture
Account ID + aliasTop-right account menuBox-blur the account/region chrome
IAM ARNs + access key IDsIAM, Security CredentialsElement blur, or Scan for key IDs
S3 bucket / EC2 IDs + IPsResource lists and tablesElement blur per row
Secret / parameter valueSecrets Manager, SSMElement blur before revealing
Cost + billing figuresBilling, Cost ExplorerBox-blur the charts and totals
What to hide in the AWS console, and the gesture that fits.

Why IAM permissions don't cover a screen share

IAM policies, permission boundaries and SCPs decide what the signed-in principal can do. On a screen share the signed-in principal is *you*, so the audience sees everything your role can see — the account ID, every ARN, every dollar figure. Those controls were built to gate access, not to manage what a viewer watching your screen reads. In-page blurring works at the presentation layer instead: it controls what the viewer sees, no matter what your own access is.

Reuse your AWS console blurs on every login

If you demo or support from the console regularly, set the structural blurs once. BlurFirst Pro's per-site auto-apply re-applies your saved boxes (the account menu, the region selector) automatically each time you open console.aws.amazon.com, and they survive the single-page-app re-render as you move between services. The profile stores only a CSS selector for each region, never the account ID or resource names inside it, so nothing sensitive is written to disk or uploaded.

Frequently asked questions

Can I blur just the account ID and keep the console visible?

Yes. Box-blur the top-right account menu, or element-blur the account ID wherever it appears. The rest of the console stays fully readable for your walkthrough, and you can reveal an element again with a click.

Will the blurs survive switching services and regions?

Region blurs are anchored to a screen area, so they keep covering the account and region chrome as the console re-renders between services. Per-site auto-apply (Pro) brings your structural blurs back automatically each time the page reloads.

Can BlurFirst hide a secret value in Secrets Manager or SSM?

Yes, as long as the value is inside the browser tab. Blur the element before you click Retrieve secret value or decrypt a SecureString. Remember that blurring only hides it on the call — if a secret was exposed elsewhere, rotate it.

Does Scan detect AWS access keys automatically?

Scan detects API-key and access-key patterns and email addresses locally and blurs them in one click. It won't recognise the 12-digit account ID, ARNs or bucket names as patterns, so cover those manually with a box or element blur.

Does anything I blur get sent to a server?

No. BlurFirst runs entirely in your browser and its only network request is a license check. Nothing you blur leaves the page, and Scan runs locally, so account data never goes anywhere.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome