AWS wiped my account of 10 years, says open source dev • The Register
An open source developer is claiming AWS deleted his ten-year-old account, wiping all the data. He believes this was due to a botched test of a script designed to prune dormant accounts.
Abdelkader Boudih, who goes by the handle Seuros, is a software engineer who has produced numerous Ruby gems used in production systems worldwide, and even claims that the developers within Amazon’s cloud biz ask him regularly for help with Ruby issues.
However, that didn’t help save his account from being deleted without warning by the company, apparently due to a verification failure – though the developer suspects the real reason may have been a snafu during testing of a script by AWS itself.
On his blog, the developer explains how he received a verification request from AWS on July 10, with a five-day deadline. Over the next several days, he went back and forth with the cloud giant’s customer support, finally submitting ID and a utility bill.
The next day, AWS responded, claiming that his documentation was unreadable, and the day after that (July 23), the account was terminated, he says.
The cloud operator normally provides a 90-day grace period, during which an account can be reopened, before the account is “permanently closed” and all its content, including snapshots and backups, is wiped.
But despite repeated requests by Boudih to get temporary read-only access in order to back up his data, AWS finally disclosed on July 29 that all the resources had been terminated when the account was not verified in time.
However, the developer concedes that the bills for his cloud account were being covered by an AWS consultant who suddenly pulled their support. This arrangement had been in place for almost a year, with the benefactor paying about $200 per month to cover Boudih’s test infrastructure.
He claims that AWS still had the details of his personal payment card associated with the account, but refused to switch billing back to that card for 20 days, citing “privacy” concerns. It appears the cloud giant had some unexplained issue with the consultant and wanted them validated, but Boudih is somewhat circumspect about the exact details.
Later, an AWS insider contacted him to share what they knew regarding what actually happened – out of gratitude, the developer claims, because the cloud platform itself uses open source code Boudih created.
The informant told him that the company had been running a proof-of-concept algorithm to apply to “dormant” and “low-activity” accounts. The developer running the test typed --dry to execute a dry run only of the code, said to be standard practice across modern languages. But the proof-of-concept had been written in Java, which does not recognize --dry, and so the script executed for real, actually deleting user accounts.
Boudih questions whether this is what actually happened to his account, as he says the insider was “vague, worried about being identified.” He says that, if true, it would explain all the mysterious delays, the refusal to confirm whether his data was safe or not, and the inability of the support agents to actually do anything.
But regardless of the cause, the end result, he says, is that AWS wiped his entire testbed environment, including backups, plus documentation Boudih had created such as a programming book and tutorials.
An AWS spokesperson told The Register: “We always strive to work with customers to resolve account issues and provided advance warning of the potential account suspension. The account was suspended as part of AWS’s standard security protocols for accounts that fail the required verification, and it is incorrect to claim this was because of a system error or accident.”
If nothing else, this serves as a salutary reminder that you cannot rely on cloud platforms to keep your data safe – which is why many organizations will never put their mission-critical workloads into a public cloud – and that you should always have your own backups. ®
