-
Publication No.: US20200213283A1
Publication date: 2020-07-02
Application No.: US16811932
Filing date: 2020-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.
-
Publication No.: US10691822B1
Publication date: 2020-06-23
Application No.: US15840892
Filing date: 2017-12-13
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Conor Patrick Cahill
Abstract: Validated policies can be utilized where information regarding the validation travels with the policies. A policy validator can validate information about a policy, such as may relate to compliance with policy requirements and accuracy of the policy output. Information about the validation, such as one or more claims of validity and information about the validator, can be provided with the policy as metadata, such as in a signature block. The signatures, or other verification mechanisms, can be used to ensure that the policy is not modified after the validation. When attempting to utilize the policy, the signature block can be evaluated along with the policy to determine whether to grant the access. In some embodiments the signature block may not be evaluated with the policy, but may be used subsequently for auditing or compliance determinations.
-
Publication No.: US20200167364A1
Publication date: 2020-05-28
Application No.: US16779295
Filing date: 2020-01-31
Applicant: Amazon Technologies, Inc.
Inventor: Andrew James Lusk, Eric Jason Brandwine
Abstract: An application programming interface gateway service generates an application programming interface that, in various examples, allows client applications to access database functionality without maintaining active database connections, managing database credentials, or providing SQL code. The application programming interface maintains state information between invocations that allows for improved database performance. The state information may include SQL statements and subroutines, compiled SQL code, database credentials, active database connections, and connection pools. When invoked by a client application, the application programming interface may select an active database connection from a connection pool based at least in part on the activity history of each connection in the connection pool so that the expected cache performance of the database may be improved. Access to the application programming interface may be controlled via fine-grained access controls independent of the credentials used to access the database.
-
Publication No.: US10594699B2
Publication date: 2020-03-17
Application No.: US15997330
Filing date: 2018-06-04
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
Abstract: Systems and methods for providing access to a remote network via an external endpoint are provided. A client establishes a secure connection between an external endpoint and a remote network. Transmissions from clients to the external endpoint are supplemented with additional information regarding handling within the remote network, and then transmitted to an internal endpoint within the remote network. The internal endpoint processes the transmission based on the supplemental information and returns a response to the external endpoint. A response is then returned to the client. Access policies may be created by authorized users to establish processing of client transmissions. These policies may be stored and enforced by the internal endpoint or the external endpoint.
-
Publication No.: US20200012610A1
Publication date: 2020-01-09
Application No.: US16575316
Filing date: 2019-09-18
Applicant: Amazon Technologies, Inc.
Inventor: Leah Shalev, Adi Habusha, Georgy Machulsky, Nafea Bshara, Eric Jason Brandwine
Abstract: Apparatus, methods, and computer-readable storage media are disclosed for core-to-core communication between physical and/or virtual processor cores. In some examples of the disclosed technology, application cores write notification data (e.g., to doorbell or PCI configuration memory space accesses via a memory interface) without synchronizing with the other application cores or the service cores. In one example of the disclosed technology, a message selection circuit is configured to serialize data from the plurality of user cores by: receiving data from a user core, selecting one of the service cores to send the data to based on a memory location addressed by the sending user core, and sending the received data to a respective message buffer dedicated to the selected service core.
-
Publication No.: US20190342161A1
Publication date: 2019-11-07
Application No.: US16517446
Filing date: 2019-07-19
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Kevin Christopher Miller
Abstract: Techniques are described for managing communications for a managed computer network by using a defined pool of alternative computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select a particular alternative intermediate destination computing node from a defined pool to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network and/or on one or more other selection criteria (e.g., to enable load balancing between the alternative computing nodes). The manager module then forwards those communications to the selected intermediate destination computing node for further handling.
-
Publication No.: US10459755B2
Publication date: 2019-10-29
Application No.: US16118264
Filing date: 2018-08-30
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Don Johnson, Marvin M. Theimer
Abstract: Generally described, aspects of the present disclosure relate to managing the configuration and security policies of hosted virtual machine networks. Hosted virtual machine networks are configured in a manner such that a virtual machine manager component can establish service manifests that correspond to information required by the virtual machine network from a user/customer. The virtual machine manager component can also publish in the service manifests contractual information, such as security risk assessments, that are deemed to have been provided and accepted by the user/customer in instantiating virtual machine networks. If the processed service manifest information remains valid, a substrate network process requests or independently instantiates services or components in accordance with the configuration information and security risk information included in the processed service manifest.
-
Publication No.: US10447613B2
Publication date: 2019-10-15
Application No.: US15694697
Filing date: 2017-09-01
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L29/06, H04L12/911
Abstract: Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable state information to be maintained for a customer.
-
Publication No.: US10412059B2
Publication date: 2019-09-10
Application No.: US15786322
Filing date: 2017-10-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication No.: US10404670B2
Publication date: 2019-09-03
Application No.: US15410450
Filing date: 2017-01-19
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.