Coinbase Uses AWS Step Functions to Securely Deploy to AWS in Seconds

Cryptocurrencies provide decentralized access to funds and enable cash-like transactions that cannot be reversed by anyone except the party receiving the funds. These characteristics are part of what drives the increasing popularity of cryptocurrencies—not only among law-abiding investors but also among malicious actors, whose motives and opportunities for cryptocurrency theft only grow as cryptocurrencies become more widely used. Reports of cryptocurrency thefts to the FBI’s Internet Crime Complaint Center (IC3) totaled $182 million in 2018, a 212 percent increase over 2017 and likely just a fraction of the actual volume of worldwide cryptocurrency losses to fraud.

"Hacking into cryptocurrency exchanges is the world's biggest game of capture the flag,” says Graham Jenson, a senior infrastructure engineer at Coinbase, a digital currency wallet and platform with 30 million worldwide customers and trades totaling $220 billion. “As one of the largest exchanges, Coinbase is also one of the biggest targets.”

With an aim of operating as the trusted, safe, and legal center of the crypto-economy, Coinbase strives to be world class at security, compliance, technology, customer support, design, and more. This is why Coinbase has used Amazon Web Services (AWS) as its primary infrastructure provider since 2015—and why it recently incorporated additional AWS technologies as part of improving its software deployment processes.

To protect its customers from attacks, Coinbase engineers must be able to quickly, reliably, and securely deploy updates and new features for all company systems, with some software deployments needing 20 hours or longer to finish. To simplify and strengthen these processes, Coinbase used AWS Step Functions and AWS Lambda to build a common, reusable framework for what had been an ad hoc portfolio of deployers. (AWS Lambda is a serverless platform that runs code in response to events, and AWS Step Functions coordinates multiple AWS services into serverless workflows.)

"Using AWS Step Functions and AWS Lambda has increased our rate of successful mission-critical deployments from 90 to 97 percent," says Jenson.

“We have seen a significant reduction in trouble tickets. This is due to the visibility that AWS Step Functions gives our engineers.”

Graham Jenson, Senior Infrastructure Engineer, Coinbase

  • About Coinbase
  • Coinbase is a digital currency wallet and platform based in San Francisco. The company has 30 million customers and has supported trades of more than $220 billion in digital currencies like bitcoin, ethereum, and litecoin.

  • Benefits
    • Raised rate of successful deployments from 90 to 97%
    • Cut time needed to add new AWS accounts from days to seconds
    • Significantly increased number of resolved tickets
  • AWS Services Used

AWS Step Functions: “Exactly What I Needed”

In his search for ways to further strengthen security at Coinbase, Jenson identified an opportunity to improve the company’s automated deployment pipelines. "We had multiple deployers, each with different interfaces and complexities," says Jenson. "I wanted a common framework that would enable us to rapidly build deployers that could validate user input, securely release code to AWS, and stay out of the way of our engineers."

In the course of researching solutions, Jenson learned of AWS Step Functions. "As soon as I reviewed the documentation, I realized that Step Functions was exactly what I needed," says Jenson. "Step Functions can maintain state for up to a year, is highly scalable, and makes it easy to describe how to automatically handle and retry after specific errors."

Choosing to build its new class of deployers with a framework based on AWS Lambda and AWS Step Functions—and using AWS Identity and Access Management (AWS IAM) and Amazon Simple Storage Service (Amazon S3)—put Coinbase on a fast path to implementation, with only a brief initial learning curve. The first deployer Jenson's team built, an open-source AWS deployer called Odin, takes a description of a project release and safely and securely launches it into AWS using Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups.

"From idea to working implementation to migrating Odin onto the solution—all told, it was six months from conception to production," says Jenson. "But because we can reuse the code and framework Odin is built on, it took just a few weeks to put our next two deployers into production. It's only going to get faster from here on out."

Simplified Architecture with Step Functions

The new approach substantially reduced the complexity of Coinbase’s architecture, which in turn improves visibility for Jenson's team.

"Our previous deployers all had different web hooks, callbacks, Amazon S3 layouts, buckets, and AWS IAM roles and used different means of communicating and polling. It was really difficult to get the visibility we needed," says Jenson. "Now, with all of our deployers based on the same AWS Lambda and AWS Step Functions foundation, we operate and interact with them all the same way. We can actually watch the data flow through the Step Function, identify failures along particular paths, and take action to fix them."

This simplicity speeds the process of adding AWS accounts and improves security. "Using AWS Lambda with the AWS IAM assume role, we can onboard an AWS account with a single AWS IAM role, as opposed to an entire service with its own individual configuration," says Jenson. "With AWS Lambda and AWS IAM, we reduced the time needed to add new AWS accounts from days to seconds."

The new solution also simplifies auditability. "We can enable multiple accounts going through a single Step Function, which gives us a single audit trail for all deployments," says Jenson. "That makes it easy to understand what happened in all of the accounts and lets us enable new accounts with high security without having to re-implement the audit trail."

By empowering engineers to overcome obstacles independently, the solution is also reducing demands on the infrastructure team. "We have seen a significant reduction in trouble tickets about failed deploys," says Jenson. "This is due to the visibility that AWS Step Functions gives our engineers to let them diagnose and resolve their own issues."

What all of these internal, technical benefits add up to is stronger security and faster response to customer requests. "With deployers built on AWS Step Functions and AWS Lambda, our engineers can move code into production safely," says Jenson. "The upshot is that we can release new features more often, respond quicker to security threats, and more easily achieve our SLAs. This adds up to an even better, more secure, customer experience."

Learn More

Learn more about AWS Step Functions.