I'm used to working in a context where you have to deal with audits and it makes sense to weigh that cost, but for video games, couldn't they throw it in EC2 or fargate in an account with nothing else and forget about it? It doesn't need to have access to anything important (it might not need access to anything at all if you're not persisting any player data). If the only open port is the game server, patch schedules can be somewhere between late and never.
No it's deffinately not as easy as that. You need to manage those servers, manage the updates, security patches, roll out updates to the game server... Because it will need updates because things break or need security updates etc. Managing things like that means it needs to be within the existing infrastructure.
Imagine with every old game they just threw up an ec2 and left it rotting, they'd have hundreds of out of date servers running vulnerable software, it would be a nightmare.
Videogames also by very definition attract the kind of people who will want to hack the servers for fun; which in extreme cases will also involve RCE on the player's computers:
But what I'm saying is why do they need to install updates? If the only open port is your software, who cares if curl or ssh or whatever is out of date. Worst case, you shut it down if it ever does get compromised, and there was nothing anyone could do with that machine because it was underpowered and firewalled to only allow incoming connections on your game port and no outgoing connections. Unless there's an exploitable vulnerability in the Linux networking stack or their server application, everything else doesn't matter. If they run it in fargate, Amazon will take care of Linux patches, so it's only their application server that matters. Games usually use custom UDP protocols, right? So there's no off-the-shelf library for them to patch in their application.
Same deal with people talking about windows requiring new hardware really: for most people the answer should be "good, it'll stop rebooting to update now". Almost everyone is behind a firewall that doesn't allow incoming connections (it can't by default because of NAT). The only point of entry is the browser, and if you stay off the seedier parts of the web and have an adblocker, that's not really an issue either. Your bank or Spotify presumably aren't going to be dropping malware on your machine via old browser exploits.
You can't do that kind of thing if you're under some auditing regime, but they're not, right?
Because that's not how videogames in 2023 (or the past ~decade plus) have worked.
You need, at a very minimum:
— login system that also works with consoles
— persistence for users stats (maybe not for some kinds of games)
— matchmaking service (which really wants a persistence system for SBMM)
— make sure your systems aren't actively being exploited (you don't want to accidentally run a botnet)
— make sure nobody is "hacking" or modding the game (what's the point of keeping the severs up if they're filled with aimhacking bots)
— monitor the services to make sure they're up
— potentially patch the games on multiple platforms if you need to make a backwards-compatible change to fulfill any of the above.
— also potentially update your games if the console vendors make changes to their stacks
I agree that it sucks that the services are being shut down without any alternatives being provided, and I wish there was a way to force the publishers to support them for longer or provide an OSS servers options; but it is definitely not "free" or "easy" to provide these services for years.
You already have the login and database systems though. And who cares if someone mods or hacks the game; you were going to abandon it. If people are still having fun, you've added some incremental happiness to the world. If an OS vendor breaks your game that you otherwise would've abandoned, that sounds like something the users should take up with the OS vendor (really, it's something the users should take up with the OS vendor regardless, but if you've already decided you're done supporting it, that definitely applies). Or on PC they can avoid patching/"upgrading".
Basically, unless someone takes control of your servers or other players, if the alternative is to shut it down, why not just leave as-is and not maintain/support it? If an impactful exploit is found, then shut it down. Preemptively shutting it down because the experience might degrade is silly; shutting it down will definitely break it.
So you want the unsupported, unmanaged, not monitored game server - that will get hacked - access to the credentials database that holds emails, password, names, addresses and possibly payment details?
You also want users to contact the the OS devs when their old, unmanaged, not updated game no longer works? Or you want the users not to install important security updates because they want to play one old game?
None of what you've said really makes sense in the the enterprise IT world. AS it's already been previously stated to you, you can't just spin up a VM and host your game on it, it just doesn't work like that. There are plenty of valid reasons for that in the thread already.