Security with AWS STS. Case study: Riot Games

AWS is a stable and secure cloud system. However, its safety and security must always be taken care of not only by the supplier but also by the user, i.e. you! The accidental leakage of keys or access by unauthorized persons is a recipe for disaster, both from a technological and business standpoint. So how do you approach this topic? See how Riot Games approached the matter.

Riot Games is a Los Angeles-based video game developer, the kind of business whose infrastructure is an obvious target and therefore needs proper IT security. Initially, the company relied solely on permanent (long-term) AWS access keys. That is by far the most convenient option: you enter the credentials once and you are done. It also has significant disadvantages, which Riot Games learned the hard way.

4 hours of horror

One day, a Riot Games engineer accidentally hard-coded an AWS access key in source code and then pushed that code to a public repository on his personal GitHub account. The key gave unauthorized persons access to the company's infrastructure for four hours.

By the time Riot Games noticed and corrected the mistake, significant damage had already been done. During those four hours of chaos, an unauthorized user launched as many as 1,283 EC2 Spot Instances to mine bitcoin.

This is a classic example of why it doesn't matter whether a company is small or large: such security deficiencies always have consequences. In Riot Games' case things could have been much worse, first if the key had stayed public for longer, and second if the uninvited guest had decided to do something far more serious than mining cryptocurrency, such as reading or destroying data with the same credentials.
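The leak described above is exactly what a pre-commit secret scan exists to catch. What follows is an added example for this article, not Riot Games' tooling: it scans the text of a staged diff for AWS access key IDs using the documented key prefixes (long-term IAM keys begin with AKIA, temporary STS keys with ASIA, both followed by 16 upper-case alphanumerics) and for a secret-access-key assignment, and blocks the commit when a long-term key is found. The sample diff is constructed here, and the key and secret values are the placeholder values from the AWS documentation.

```python
"""Block commits that contain AWS access key material.

Added example for this article, not Riot Games' code. Run it as a git
pre-commit hook with:  git diff --cached | python scan_aws_keys.py
"""
import re
import sys

# Long-term access key IDs (AKIA...) never expire and are the dangerous ones.
# Temporary STS key IDs (ASIA...) are reported too, at lower severity, because
# they are still live until their session expires.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character base64-like value only counts when it sits in an assignment to
# something named like aws_secret_access_key; a bare 40-char string would be noise.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample of what a careless config commit looks like. The key and
# secret are the AWS documentation example values, not real credentials.
SAMPLE_DIFF = """\
+# settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+# temporary credentials from STS, only live until the session expires
+export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
+bucket = "s3://example-bucket"
"""


def redact(value):
    """Keep just enough of a match to locate it in the file, never the whole key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return findings as (line_no, kind, severity, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            key = match.group(0)
            severity = "high" if key.startswith("AKIA") else "medium"
            findings.append((line_no, "access_key_id", severity, redact(key)))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "secret_access_key", "high", redact(match.group(1))))
    return findings


def should_block_commit(findings):
    """Refuse the commit if anything long-lived was found; temporary keys only warn."""
    return any(severity == "high" for _, _, severity, _ in findings)


if __name__ == "__main__":
    # With no stdin (e.g. run interactively) fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    found = scan_text(text)
    for line_no, kind, severity, value in found:
        print(f"line {line_no}: {kind} ({severity}) {value}")
    sys.exit(1 if should_block_commit(found) else 0)
```

Scanning the staged diff rather than the whole tree keeps the hook fast and catches the key at the moment it is introduced, before it reaches any remote; a scan of the full history is still needed once a key has already been pushed, and in that case the key must be revoked regardless of whether the commit is rewritten.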

AWS STS as protection for access keys

So what is the first step in protecting your infrastructure? Riot Games used AWS STS (Security Token Service). STS issues temporary security credentials (an access key ID, a secret access key and a session token) that are valid for a limited time rather than forever: an AssumeRole session lasts one hour by default and can be set anywhere from 15 minutes up to the role's maximum session duration, which is capped at 12 hours. Once the session expires, the credentials stop working, whatever has happened to them in the meantime.

Riot Games went a step further and used this service to create their own tool: Key Conjurer.

The tool has two front ends, a web UI and a command-line client. After the user authenticates with multi-factor authentication, it issues temporary credentials that are valid for the period the user selects. This makes an accidental leak far less dangerous for developers: after the selected period the credentials simply stop working, so the window an attacker gets is measured in hours rather than being open-ended. Short lifetimes bound the exposure, they do not remove it, so a known leak should still be treated as an incident and the role's active sessions revoked.
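The mechanics behind both the STS description above and Key Conjurer's flow, as an added example for this article (not Key Conjurer's own code, which authenticates through the company's identity provider rather than an IAM MFA device): request temporary credentials with an MFA-protected AssumeRole call for a chosen duration, store them as a named profile in the ~/.aws/credentials layout, and refuse to use them once they are about to expire. The STS client is injected, so the flow runs offline against a stand-in that returns a response in the shape boto3's sts.assume_role() does; with boto3 installed you would pass boto3.client("sts") instead. The role and MFA ARNs, account number, session token and fixed clock are made up, and the key and secret are the AWS documentation placeholder values.

```python
"""Temporary AWS credentials via STS AssumeRole behind MFA: issue, store, expire.

Added example for this article, not Key Conjurer's code. The STS client is
injected so the same functions work with boto3.client("sts") and with the
offline stand-in below.
"""
import configparser
from datetime import datetime, timedelta, timezone

# STS bounds for AssumeRole DurationSeconds: 15 minutes up to the role's
# MaxSessionDuration, which itself cannot exceed 12 hours.
MIN_SESSION_SECONDS = 15 * 60
MAX_SESSION_SECONDS = 12 * 3600

ROLE_ARN = "arn:aws:iam::123456789012:role/Developer"     # made-up role
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/developer"    # made-up MFA device


def assume_role_with_mfa(sts, role_arn, mfa_serial, mfa_code,
                         duration_seconds=3600, session_name="developer-session"):
    """Ask STS for temporary credentials for role_arn, proving MFA possession.

    SerialNumber/TokenCode are the real AssumeRole parameters; the role's trust
    policy must require aws:MultiFactorAuthPresent for them to mean anything.
    Returns the Credentials dict (AccessKeyId, SecretAccessKey, SessionToken,
    Expiration as a timezone-aware datetime).
    """
    if not MIN_SESSION_SECONDS <= duration_seconds <= MAX_SESSION_SECONDS:
        raise ValueError("DurationSeconds must be between 15 minutes and 12 hours")
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
        SerialNumber=mfa_serial,
        TokenCode=mfa_code,
    )
    return response["Credentials"]


def credentials_usable(creds, now=None, margin=timedelta(minutes=5)):
    """True while more than `margin` of the session is left; once False the
    caller must re-run assume_role_with_mfa, which means a fresh MFA prompt."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] - now > margin


def write_profile(creds, profile, ini):
    """Store the session as a named profile (the ~/.aws/credentials layout).
    aws_session_token is what marks it as temporary; the expiration line is an
    extra, non-standard field kept for the checker above."""
    ini[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"].isoformat(),
    }
    return ini


class FakeSTS:
    """Offline stand-in for boto3.client("sts") returning a constructed response."""

    def __init__(self, now):
        self.now = now
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        if not kwargs.get("TokenCode"):
            # Mirrors the AccessDenied a role that requires MFA returns without a code.
            raise PermissionError("AccessDenied: MFA token required")
        return {
            "Credentials": {
                "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",   # temporary key IDs begin with ASIA
                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "SessionToken": "FwoGZXIvYXdzEBYaDconstructedSessionToken",
                "Expiration": self.now + timedelta(seconds=kwargs["DurationSeconds"]),
            }
        }


def run_demo(duration_hours=4):
    """Drive the whole flow offline on a fixed clock and return what is observable."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sts = FakeSTS(now)
    creds = assume_role_with_mfa(sts, ROLE_ARN, MFA_SERIAL, "123456",
                                 duration_seconds=duration_hours * 3600)
    ini = write_profile(creds, "riot-temp", configparser.ConfigParser())
    try:  # the same call without an MFA code must be refused
        sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName="x", DurationSeconds=3600)
        mfa_enforced = False
    except PermissionError:
        mfa_enforced = True
    expiry = creds["Expiration"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "expiration": ini["riot-temp"]["expiration"],
        "usable_now": credentials_usable(creds, now),
        "usable_10min_before_expiry": credentials_usable(creds, expiry - timedelta(minutes=10)),
        "usable_2min_before_expiry": credentials_usable(creds, expiry - timedelta(minutes=2)),
        "usable_after_expiry": credentials_usable(creds, expiry + timedelta(hours=1)),
        "mfa_enforced": mfa_enforced,
        "requested_duration": sts.calls[0]["DurationSeconds"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The five-minute margin in credentials_usable is the practical part: a long-running job that starts with two minutes left will fail halfway through with an ExpiredToken error, so it is better to refresh (and re-prompt for MFA) before starting than to discover the expiry mid-run.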

Effective and cheap

After introducing Key Conjurer, Riot Games reduced the number of permanent keys to a minimum: in 2018 the count fell by 72.8%, from 853 to 232. Employees now mainly use temporary credentials to make changes, which raises the security of the infrastructure. The solution is also cheap to run, since it is serverless.

So if you want a similar solution in your company, Key Conjurer has been publicly available since 2019 and is actively maintained. At Welastic, we can also help you improve the security of your AWS infrastructure using AWS STS and our proven infrastructure management processes.

https://github.com/RiotGames/key-conjurer
