AWS Security GameDay

Remember remember, the 5th November…the Resolver developers took part in another AWS GameDay! Our team of 4 had a wide range of engineering, AWS, and most importantly, GameDay experience. Given that the Resolver team were prize-winners at the last GameDay in July, the pressure was on to keep up our reputation.

Like the last time, the premise of the day was that our team works for a fictitious start-up, ‘Unicorn Rentals’. However, this time, the theme and focus of the day was on security. Each team would have to complete various tasks to win points, and the teams with the most points win prizes. There were noticeably more teams taking part this time – from just 6 in July to now 33! It was going to be tough to keep our prize-winning reputation.

At the start of the day, everyone logged in to receive our briefing from our AWS hosts. We were greeted with an SMS from the CEO of Unicorn Rentals, who was livid about being contacted while on holiday about multiple security issues in the company – isn’t this what we’d been hired for? We’d best get it sorted, a-sap.

Everyone then separated into our team Chime chats, and logged into our team dashboard to see what tasks awaited us (and where we could keep an eye on the all-important rankings and scoreboard).

Well, it’s safe to say that Unicorn Rentals was not super secure, and would probably have incurred some serious GDPR fines. Our AWS account was riddled with security issues, from unencrypted databases, to passwords and credentials being reused, to EC2 instances being exposed to vulnerabilities, and even a suspicious previous employee who had been leaking our data to external markets!

AWS GameDays are suitable for anyone to take part, regardless of your AWS experience. Although it obviously helps if you know what you’re doing, two members of our team had little to no experience and were still able to get stuck in and start fixing some of the issues. Between our shared knowledge, the guidance from the task, and the recommended reading sent round before the event, we were able to effectively use the Secrets Manager service to start rotating credentials, Amazon Inspector to identify which of our EC2 instances had been compromised and needed rebuilding, IAM Access Analyzer to find suspicious “Uncle Danny” and shut down his account, and we all cheered when we finally stopped losing points due to unencrypted database snapshots! The more experienced members were even able to set up a Lambda function to automate some of the processes, for extra points.

Learning from the team’s experience last time, we decided to divide and conquer and tackle a task each. There were multiple “checkpoints” for each task, each worth more precious points, so there was plenty to keep us busy! But if any of us got stuck, or if we were waiting for instances to build or databases to copy, we were all on hand in the Chime chat to share screens, pair up or offer advice.

In the end, we came 16th out of the 33 teams. So no prizes this time, but only 2,000 points from top place, and there were only 100 points in it between the top 6 teams. So it was a tight battle, and we placed respectably.

The best thing about the GameDay for me was that it was a great opportunity to actually use the AWS services, without worrying about breaking anything or exposing your environment. There is so much fantastic training and documentation available on AWS, but the GameDay just gives you so much more understanding and context for what services to use, how they work, and what they’re capable of. I learnt so much from the GameDay, and feel so much more confident in using AWS now. And had a lot of fun in doing it!

By Elise Aston

Software Developer at Resolver