Key Conjurer: Our Policy of Least Privilege
Hi, my name is Reza Nikoopour and I’m a security engineer on the Security team at Riot. My team is responsible for securing Riot infrastructure wherever we’re deployed – whether that means internal or external data centers or clouds. We provide cloud security guidance to the rest of Riot, and we’re responsible for Key Conjurer, our open source AWS API programmatic access solution.
Key Conjurer uses AWS STS to create temporary AWS API credentials for accessing our AWS infrastructure programmatically. This solves the problem of having permanent credentials with 24/7 access to Riot AWS infrastructure on our developers’ machines. Permanent credentials present massive security concerns for an organization because they are difficult to manage, track, and rotate properly.
In this article, I’ll walk you through the problems that prompted us to build Key Conjurer, our iterations (including the technical details and final result), and the impacts of our solutions. Managing permanent credentials at scale is notoriously difficult. While handling access on an account is easy with few users, as accounts grow it becomes more difficult to scale proper access management.
Credentials aren’t rotated properly, ownership becomes difficult to track, and permission sets grow over time. This results in untracked keys which aren’t regularly reviewed and rarely have permissions reduced. It becomes a serious challenge to easily tell who has access to what, and even harder to take corrective action when something isn’t right.