
Account automation and temporary AWS credential service - GRC328 - AWS re:Inforce 2019


Riot Games struggled with providing new AWS accounts and API access that met its security requirements, so it built an account provisioning service to ensure that all accounts are created consistently with the required security controls. Riot also built a credential service where developers can grab temporary API keys with one command. This works wherever the developers work, and the credentials automatically expire each day. Riot now provisions new accounts with security guardrails within an hour, and the number of permanent AWS API keys is reduced by 70 percent. Learn how to build similar services using AWS Organizations, AWS Step Functions, AWS Lambda, Amazon CloudFront, and Amazon API Gateway.
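The temporary-credential flow the abstract describes, as an added Python illustration rather than Riot's Key Conjurer code: an STS AssumeRole session is clamped to an assumed daily cap, written out as an AWS CLI profile, and a wrapper can check the recorded expiry before reusing it. The cap value, role ARN, profile name and the offline `StubSTS` client are constructed stand-ins; a real deployment passes `boto3.client("sts")`.

```python
import configparser
import io
from datetime import datetime, timedelta, timezone

# Assumed daily cap; the role's MaxSessionDuration sets the real ceiling.
MAX_TTL_SECONDS = 8 * 3600
MIN_TTL_SECONDS = 900  # STS refuses sessions shorter than 15 minutes


def mint_temporary_credentials(sts, role_arn, session_name, ttl_seconds):
    """Assume role_arn and return its short-lived credential set. The requested
    lifetime is clamped into [MIN_TTL, MAX_TTL] so no caller can obtain a
    session that outlives the service's expiry policy."""
    ttl = max(MIN_TTL_SECONDS, min(int(ttl_seconds), MAX_TTL_SECONDS))
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=ttl)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def render_profile(name, creds):
    """Render a ~/.aws/credentials section for the CLI; the expiry goes in a
    comment line because the credentials file has no standard key for it."""
    cfg = configparser.ConfigParser()
    cfg[name] = {"aws_access_key_id": creds["AccessKeyId"],
                 "aws_secret_access_key": creds["SecretAccessKey"],
                 "aws_session_token": creds["SessionToken"]}
    buf = io.StringIO()
    cfg.write(buf)
    return f"# expires {creds['Expiration'].isoformat()}\n{buf.getvalue()}"


def is_expired(profile_text, now=None):
    """True once the recorded expiry has passed (or was never recorded), which
    tells a CLI wrapper to fetch a fresh set instead of reusing stale keys."""
    now = now or datetime.now(timezone.utc)
    for line in profile_text.splitlines():
        if line.startswith("# expires "):
            return datetime.fromisoformat(line[len("# expires "):]) <= now
    return True


class StubSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline;
    a real deployment passes boto3.client("sts") instead."""
    ISSUED_AT = datetime(2019, 6, 25, 8, 0, tzinfo=timezone.utc)
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": self.ISSUED_AT + timedelta(seconds=DurationSeconds)}}
```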



  1. HOW RIOT GAMES DOES ACCOUNT CREATION AND AWS API ACCESS
  2. Agenda: About Us; Cloud Accounts; Permanent Credentials; Moving Forward
  3. Agenda: About Us; Cloud Accounts; Permanent Credentials; Moving Forward
  4. About Us: Reza Nikoopour, Security Engineer, Riot Games; William Green, Senior Security Engineer, Riot Games
  5. About Us
  6. About Us: more than 100 million monthly active players; more than 27 million daily active players; more than 7.5 million peak concurrent users
  7. About Us: more than 100 AWS accounts; more than 30 global offices; more than 30 datacenters
  8. Agenda: About Us; Cloud Accounts; Permanent Credentials; Moving Forward
  9. Cloud Accounts: History of AWS at Riot. 2014: Riot adopts AWS (shared account model)
  10. Cloud Accounts: History of AWS at Riot. 2014: Riot adopts AWS (shared account model); 2015: Riot moves to multi-account model
  11. Cloud Accounts: History of AWS at Riot. 2014: Riot adopts AWS (shared account model); 2015: Riot moves to multi-account model; 2018: Riot leverages AWS Organizations to handle 100+ accounts
  12. Cloud Accounts: Manual Account Creation (Manual Creation)
  13. Cloud Accounts: Manual Account Creation (Manual Creation)
  14. Cloud Accounts: Semi-Automated Creation
  15. Cloud Accounts: Fully Automated
  16. Cloud Accounts: AWS Step Functions and Lambda
  17. Cloud Accounts: Manual Costs
  18. Cloud Accounts: Semi-Automated Costs
  19. Cloud Accounts: Fully Automated Costs
  20. Cloud Accounts: Secure By Default. Repeatable process; ensures all accounts get into security tooling; infrastructure as code; visibility into account provisioning
  21. Agenda: About Us; Cloud Accounts; Permanent Credentials; Moving Forward
  22. Permanent Credentials: AWS IAM Overview
  23. wat
  24. Permanent Credentials: Keys Leaking
  25. sad
  26. Key Conjurer
  27. Key Conjurer Stats. 2017: before key cleanup 873; after key cleanup 783; reduction 10.3%
  28. Key Conjurer Stats. 2017: before key cleanup 873; after key cleanup 783; reduction 10.3%. 2018: before key cleanup 853; after key cleanup 232; reduction 72.8%
  29. Key Conjurer Behind the Scenes
  30. Key Conjurer WebUI
  31. Key Conjurer CLI
  32. Key Conjurer CLI Demo
  33. Key Conjurer V1
  34. Key Conjurer V2
  35. Key Conjurer Metrics
  36. Key Conjurer V1 Cost
  37. Key Conjurer V2 Cost
  38. Key Conjurer: Secure By Default. Reduced permanent keys by ~73%; devs only have access to AWS when needed; user authZ the same in browser and CLI; limits blast radius
  39. Key Conjurer Open Source - https://github.com/RiotGames/key-conjurer
  40. Agenda: About Us; Cloud Accounts; Permanent Credentials; Moving Forward
  41. Moving Forward: Cloud Accounts. Seamless customer experience; create Self Service Portal (SSP); integrate with VPC team; integrate with Direct Connect team
  42. Moving Forward: Permanent Credentials (AWSRole). Service-to-service STS credentials; built in AWS Lambda; drop-in replacement for current automation; Jenkins is our primary target
  43. HOW RIOT GAMES DOES ACCOUNT CREATION AND AWS API ACCESS
  44. Thank you! Reza Nikoopour rnikoopour@riotgames.com; William Green wgreen@riotgames.com
  45. Thank you! Reza Nikoopour rnikoopour@riotgames.com; William Green wgreen@riotgames.com; @MARKOFU
