Armchair opinion, but shouldn't be too bad - it's identification, not authentication, just like your e-mail address is.

But probably best to not advertise it too much.

It is not hygienic, but with only the account-id you are fine. In the IAM rules the attacker can always just use a * on their end, so it does not make a difference. You have to be conscious to set proper rules for your (owner) end tho.