-
Publication No.: US12067119B1
Publication Date: 2024-08-20
Application No.: US17490244
Application Date: 2021-09-30
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
CPC classification number: G06F21/57 , G06F9/45558 , H04L9/3236 , H04L9/3247 , H04L9/3263 , G06F2009/45587 , G06F2009/45595
Abstract: Techniques are described for enabling users of cloud provider services to verify, via cryptographic attestation, that trusted “enclaves” are used to process user data during limited points in time at which user data may be unencrypted or otherwise vulnerable. A cloud provider service processes requests involving user data at least in part using an enclave, where an enclave includes a virtual machine running on isolated computing resources of a host computing device managed by the cloud provider. The enclave, for example, can include an application that performs operations such as decrypting user data included in requests sent to a service (e.g., user data encrypted as part of a Transport Layer Security (TLS) connection established between the service and a client computing device), obtaining user-specific encryption keys from a key management service or other source, encrypting the user data using the encryption keys, and forwarding the encrypted data for further processing.
-
Publication No.: US12067028B2
Publication Date: 2024-08-20
Application No.: US16779295
Application Date: 2020-01-31
Applicant: Amazon Technologies, Inc.
Inventor: Andrew James Lusk , Eric Jason Brandwine
CPC classification number: G06F16/258 , G06F9/445 , G06F9/541 , G06F16/25 , G06F16/284 , G06F21/604 , H04L63/08
Abstract: An application programming interface gateway service generates an application programming interface that, in various examples, allows client applications to access database functionality without maintaining active database connections, managing database credentials, or providing SQL code. The application programming interface maintains state information between invocations that allows for improved database performance. The state information may include SQL statements and subroutines, compiled SQL code, database credentials, active database connections, and connection pools. When invoked by a client application, the application programming interface may select an active database connection from a connection pool based at least in part on the activity history of each connection in the connection pool so that the expected cache performance of the database may be improved. Access to the application programming interface may be controlled via fine-grained access controls independent of the credentials used to access the database.
-
Publication No.: US11870644B2
Publication Date: 2024-01-09
Application No.: US18059267
Application Date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller , Eric Jason Brandwine , Andrew J. Doane
IPC: H04L41/0816 , H04L45/02 , H04L45/586 , H04L41/12
CPC classification number: H04L41/0816 , H04L45/02 , H04L45/04 , H04L45/586 , H04L41/12
Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present. In some situations, the networking functionality provided for a managed computer network of a client includes receiving routing communications directed to the virtual networking devices and using included routing information to update the configuration of the managed computer network, such as to allow at least some computing nodes of a managed computer network to dynamically signal particular types of uses of one or more indicated target network addresses and/or to dynamically signal use of particular external public network addresses based on such routing information.
-
Publication No.: US11831496B2
Publication Date: 2023-11-28
Application No.: US17705188
Application Date: 2022-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Clarissa Loree Cook Brandwine , Daniel T. Cohn , Andrew J. Doane , Carl J. Moses , Stephen E. Schmidt
IPC: H04L41/0803 , H04L12/46 , H04L45/586 , H04L9/40
CPC classification number: H04L41/0803 , H04L12/4641 , H04L45/586 , H04L63/0272
Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
-
Publication No.: US20230176891A1
Publication Date: 2023-06-08
Application No.: US18053287
Application Date: 2022-11-07
Applicant: Amazon Technologies, Inc.
Inventor: Anthony Nicholas Liguori , Eric Jason Brandwine , Matthew Shawn Wilson
IPC: G06F9/455
CPC classification number: G06F9/45558 , G06F21/53
Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.
-
Publication No.: US11652822B2
Publication Date: 2023-05-16
Application No.: US17119640
Application Date: 2020-12-11
Applicant: Amazon Technologies, Inc.
Inventor: Maciej Broda , Eric Jason Brandwine , Matthew Schwartz
IPC: H04L9/40 , H04L67/141
CPC classification number: H04L63/102 , H04L63/0218 , H04L63/0807 , H04L63/20 , H04L67/141
Abstract: Techniques for deperimeterized access control are described. A method of deperimeterized access control may include receiving, by a controller of a deperimeterized access control service, a single packet authorization (SPA) request for a session ticket from an agent on an electronic device, wherein the agent sends the request for the session ticket in response to intercepting traffic destined for a service associated with the deperimeterized access control service and determining that the agent does not have a session ticket for the service, authorizing the SPA request, providing a session ticket to the agent based on the request, receiving, by a gateway of the deperimeterized access control service, a request to initiate a session with a service, the request including the session ticket, validating the session ticket, and providing session parameters to the agent to be used to initiate the session between the electronic device and the service.
-
Publication No.: US20230082172A1
Publication Date: 2023-03-16
Application No.: US18055317
Application Date: 2022-11-14
Applicant: Amazon Technologies, Inc.
Inventor: Daniel T. Cohn , Eric Jason Brandwine , Andrew J. Doane
IPC: H04L41/0816 , H04L9/40 , H04L61/5007 , H04L67/51 , H04L41/0806 , H04L67/10 , H04L41/08
Abstract: Techniques are described for managing communications between multiple computing nodes, such as for computing nodes that are part of managed virtual computer networks provided on behalf of users or other entities. In some situations, one or more of the computing nodes of a managed virtual computer network is configured to perform actions to extend capabilities of the managed virtual computer network to other computing nodes that are not part of the managed virtual computer network, such as by forwarding communications between computing nodes of the managed virtual computer network and the other external computing nodes so as to enable the other external computing nodes to participate in the managed virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.
-
Publication No.: US11588886B2
Publication Date: 2023-02-21
Application No.: US17693186
Application Date: 2022-03-11
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Kevin Christopher Miller , Andrew J. Doane
IPC: G06F15/173 , H04L67/1029 , G06F9/455 , G06F11/14 , H04L61/5007 , G06F11/20 , H04L61/2503 , H04L67/1097 , H04L101/668
Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.
-
Publication No.: US11470054B2
Publication Date: 2022-10-11
Application No.: US16811932
Application Date: 2020-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.
-
Publication No.: US20220278903A1
Publication Date: 2022-09-01
Application No.: US17663289
Application Date: 2022-05-13
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Kevin Christopher Miller , Andrew J. Doane
IPC: H04L41/12 , H04L45/64 , H04L45/586 , H04L41/0816 , G06F9/455 , H04L67/00 , H04L45/02
Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify a logical network topology for a managed computer network with multiple computing nodes that includes one or more virtual networking devices each associated with a specified group of the multiple computing nodes. Corresponding networking functionality may be provided for communications between the multiple computing nodes by emulating functionality that would be provided by the networking devices if they were physically present and configured to support the specified network topology. In some situations, the managed computer network is a virtual computer network overlaid on a substrate network, and emulating the networking device functionality includes receiving routing communications directed to the networking devices and using included routing information to update the specified network topology for the managed computer network.