Abstract:
A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
Abstract:
Approaches are described for allowing an access control policy to specify that a substitute operation be executed when a request for access matches certain conditions specified in the access control policy (e.g., when the identity of the requestor matches a specified identity in the policy). For example, the access control policy may specify that a substitute result should be provided to a requestor in response to a request for access, or that a substitute request should be executed instead of the received request and the results of the substitute request provided to the requestor in response to the request. The substitute result, or the result of the substitute request, may appear to the requestor as though their original request for access succeeded, but the content of the result may be different from what would have been generated if the access control policy had allowed the request to proceed.
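The evaluation described in this abstract, as an added example that is not part of the patent text: a small policy evaluator whose statements carry a third effect, "substitute", alongside allow and deny. The document store, the principals and the policy statements are constructed for illustration; the ordering rule (explicit deny wins, then substitute, then allow, default deny) is an assumption, not something the abstract specifies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed document store standing in for the protected resources.
DOCUMENTS = {
    "doc/roadmap": "Q3: acquire competitor X",
    "doc/readme": "public notes",
}


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str


@dataclass
class Statement:
    effect: str                      # "allow", "deny" or "substitute"
    principals: frozenset
    actions: frozenset
    resources: frozenset             # may contain "*"
    substitute_result: Optional[str] = None       # canned result to hand back
    substitute_request: Optional[Request] = None  # or a different request to execute instead

    def matches(self, req):
        return (req.principal in self.principals
                and req.action in self.actions
                and ("*" in self.resources or req.resource in self.resources))


def execute(req):
    """The real operation. Only reached for allowed requests or for the substitute request."""
    if req.action != "read":
        raise ValueError("unsupported action")
    return DOCUMENTS[req.resource]


def evaluate(policy, req):
    """Return (decision, result). Assumed precedence: deny, then substitute, then allow, else deny."""
    matched = [st for st in policy if st.matches(req)]
    if any(st.effect == "deny" for st in matched):
        return "deny", None
    for st in matched:
        if st.effect == "substitute":
            if st.substitute_result is not None:
                return "substitute", st.substitute_result
            return "substitute", execute(st.substitute_request)
    if any(st.effect == "allow" for st in matched):
        return "allow", execute(req)
    return "deny", None


def respond(policy, req):
    """What the requestor sees: a result or a denial. Allow and substitute look identical."""
    decision, result = evaluate(policy, req)
    if decision == "deny":
        raise PermissionError("access denied")
    return result


# Constructed policy: alice reads for real, a contractor gets a plausible but different
# body for the roadmap, and a scanner has every read silently redirected to the public note.
POLICY = [
    Statement("allow", frozenset({"alice"}), frozenset({"read"}),
              frozenset({"doc/roadmap", "doc/readme"})),
    Statement("substitute", frozenset({"contractor"}), frozenset({"read"}), frozenset({"doc/roadmap"}),
              substitute_result="Q3: no changes planned"),
    Statement("substitute", frozenset({"scanner"}), frozenset({"read"}), frozenset({"*"}),
              substitute_request=Request("scanner", "read", "doc/readme")),
]
```

The point of `respond` is that the caller-facing API returns only the result, so a substituted response is indistinguishable from a successful one; the internal decision is kept separately for logging.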
Abstract:
A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
Abstract:
Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals, which may be external to the account, that are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals that are acting within the delegation profile. Once a delegation profile is created, it can be used to give external principals or services that present a user credential delegated access under the account, where that credential is issued by a trusted identity service. Access can be provided across accounts using the user credential.
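The two preceding abstracts (a policy condition on the services that played a role in submitting a request, and delegation profiles with a validation policy and an authorization policy) are close enough that one added example covers both. This is illustration code, not the patents' own: the profile, the account and principal names, and the call-chain condition are constructed, and an HMAC tag over the principal name stands in for the credential a trusted identity service would issue.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed stand-in for the trusted identity service's signing key. A real service would
# issue signed tokens; here an HMAC tag over the principal name plays that role.
IDENTITY_SERVICE_KEY = b"constructed-identity-service-key"


def issue_credential(principal):
    """Constructed: what the trusted identity service hands a principal."""
    tag = hmac.new(IDENTITY_SERVICE_KEY, principal.encode(), hashlib.sha256).hexdigest()
    return {"principal": principal, "tag": tag}


def credential_is_valid(cred):
    expected = hmac.new(IDENTITY_SERVICE_KEY, cred["principal"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["tag"])


@dataclass
class DelegationProfile:
    name: str
    account: str                  # the secured account the profile belongs to
    validation_policy: frozenset  # principals, possibly external, permitted to assume the profile
    authorization_policy: list    # (action, resource prefix, service required in the call chain or None)


# Constructed profile in account acct-111 that an external user and a provider service may assume.
PROFILE = DelegationProfile(
    name="backup-reader",
    account="acct-111",
    validation_policy=frozenset({"acct-222:bob", "service:backup"}),
    authorization_policy=[
        ("read", "acct-111:bucket/", None),
        # delete is only permitted when the backup service played a role in submitting the request
        ("delete", "acct-111:bucket/", "service:backup"),
    ],
)


def assume_profile(profile, cred):
    """Return a session bound to the profile, or None if the credential or principal is rejected."""
    if not credential_is_valid(cred):
        return None
    if cred["principal"] not in profile.validation_policy:
        return None
    return {"profile": profile.name, "account": profile.account, "principal": cred["principal"]}


def authorize(profile, session, action, resource, call_chain=()):
    """Evaluate the authorization policy for a request made within the profile.
    `call_chain` names the services that handled the request on its way here."""
    if session is None or session["profile"] != profile.name:
        return False
    for st_action, prefix, via in profile.authorization_policy:
        if st_action == action and resource.startswith(prefix) and (via is None or via in call_chain):
            return True
    return False
```

The validation policy and the authorization policy are evaluated at different moments: the first when the credential is presented to assume the profile, the second on every request made within it, which is why `authorize` re-checks that the session really belongs to this profile.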
Abstract:
Techniques for securely instantiating control plane components of provider services, at least a portion of which are instantiated within secure execution environments, are described herein. A request to instantiate the control plane of a service provided by a computing resource service provider is fulfilled by selecting a target computer system. The target computer system is selected based at least in part on the hardware capabilities of the target computer system. The control plane is then instantiated within a secure execution environment operating on the target computer system.
Abstract:
A new version of a structured collection of information, different from a previous version, of a cryptographic domain is created. The new version is created to be verifiable as a valid successor to the previous version and to specify a new set of quorum rules, with the new set of quorum rules defining one or more conditions to be fulfilled by a plurality of operators as conditions precedent to update the structured collection. The new version is provided to the plurality of operators. Digital signatures corresponding to the new version are obtained, and, as a result of the digital signatures received fulfilling the one or more conditions defined by a previous set of quorum rules specified by the previous version, the new version is caused to replace the previous version.
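The succession check described above, as an added example rather than the patent's own code: a versioned domain document carries an operator list and quorum rules, and a proposed successor is adopted only when enough operators named in the previous version have signed it, so the rules of the new version govern the version after it and never their own adoption. The operator names, the key material and the HMAC tags standing in for digital signatures are constructed assumptions; a real deployment would use asymmetric signatures verified against operators' public keys.

```python
import hashlib
import hmac
import json

# Constructed operator secrets. HMAC tags stand in for the operators' digital signatures
# (assumption: a real domain would use asymmetric signatures and verify with public keys).
OPERATOR_KEYS = {"op1": b"key-op1", "op2": b"key-op2", "op3": b"key-op3", "op4": b"key-op4"}


def canonical(domain):
    """Deterministic encoding so every operator signs the same bytes."""
    return json.dumps(domain, sort_keys=True, separators=(",", ":")).encode()


def digest(domain):
    return hashlib.sha256(canonical(domain)).hexdigest()


def sign(operator, domain):
    return hmac.new(OPERATOR_KEYS[operator], canonical(domain), hashlib.sha256).hexdigest()


def verify(operator, domain, signature):
    return hmac.compare_digest(sign(operator, domain), signature)


# Version 1 of the domain: three operators, any two of whom can authorise an update.
V1 = {
    "version": 1,
    "previous": None,
    "operators": ["op1", "op2", "op3"],
    "quorum": {"min_signatures": 2},
    "keys": ["key-a"],
}


def propose_successor(prev, operators, min_signatures, keys):
    """Build a new version chained to `prev` that carries its own, possibly different, quorum rules."""
    return {
        "version": prev["version"] + 1,
        "previous": digest(prev),
        "operators": operators,
        "quorum": {"min_signatures": min_signatures},
        "keys": keys,
    }


def accept_successor(prev, new, signatures):
    """True only if `new` chains to `prev` and the signatures satisfy the quorum rules
    of `prev`. The rules inside `new` apply to whatever version follows it."""
    if new["version"] != prev["version"] + 1 or new["previous"] != digest(prev):
        return False
    counted = {
        op for op, sig in signatures.items()
        if op in prev["operators"] and verify(op, new, sig)  # only the previous version's operators count
    }
    return len(counted) >= prev["quorum"]["min_signatures"]
```

The check that matters most is the membership test against `prev["operators"]`: without it, a proposer could list fresh operators in the new version and have them sign it into existence.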
Abstract:
Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
Abstract:
Policies are used to control access to resources. Requests to change a set of policies may be fulfillable, at least in some circumstances, only if the requests are submitted such that the requested changes would become effective at a time in the future that is in compliance with a requirement for delayed enforcement. The requirement for delayed enforcement may be encoded in a policy in the set of policies.
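A worked version of the delayed-enforcement rule, added here and not taken from the patent: the required delay lives in a "change-control" policy inside the policy set, every change request must name an effective time at least that far in the future, and changes are applied only once that time arrives. The policy names, the 48-hour figure and the fixed clock value are constructed; the specific encoding of the delay is an assumption, since the abstract says only that the requirement may be encoded in a policy.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock for the example, so the scenario is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def hours(n):
    return timedelta(hours=n)


def fresh_policy_set():
    """Constructed policy set. The 'change-control' policy encodes the delayed-enforcement
    requirement that governs changes to every policy in the set, itself included."""
    return {
        "change-control": {"min_delay_hours": 48},
        "data-access": {"allow": ["alice:read"]},
    }


def required_delay(policy_set):
    return hours(policy_set["change-control"]["min_delay_hours"])


def request_change(policy_set, pending, name, new_policy, effective_at, now):
    """Queue a replacement for policy `name`. Refused unless it becomes effective
    no earlier than `now` plus the delay the live set currently requires."""
    if effective_at < now + required_delay(policy_set):
        return False
    pending.append((effective_at, name, new_policy))
    return True


def apply_due_changes(policy_set, pending, now):
    """Move every pending change whose effective time has arrived into the live set.
    Returns how many were applied."""
    due = [change for change in pending if change[0] <= now]
    for change in sorted(due, key=lambda c: c[0]):
        effective_at, name, new_policy = change
        policy_set[name] = new_policy
        pending.remove(change)
    return len(due)
```

Because `required_delay` reads the live set, an attempt to shorten the delay is itself a policy change and has to wait out the current delay; removing that property would let a compromised administrator collapse the waiting period and change access policy in one step.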
Abstract:
A system and method are described for receiving requests to perform cryptographic operations with a virtual key that has a plurality of actual keys associated with it, determining which actual key of the plurality to use for the cryptographic operation, performing the cryptographic operation using that actual key, and providing the result of the cryptographic operation.
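The first abstract on this page (a service that holds keys on behalf of entities and answers encrypt and decrypt requests) and this one (a virtual key backed by several actual keys) fit one added example, written for this page and not taken from either patent. The selection rule shown is an assumption: new encryptions use the newest actual key behind the virtual key, and decryption uses the actual key recorded with the ciphertext, provided it belongs to the virtual key the caller named. The cipher is a constructed HMAC-SHA256 keystream with a separate HMAC tag, standing in for a real authenticated cipher such as AES-GCM; it exists so the block runs with the standard library only and is not meant for use.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || block counter) blocks.
    Constructed stand-in for a real AEAD such as AES-GCM; not for production use."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


class CryptographyService:
    """Keeps the actual key material; callers only ever name a virtual key."""

    def __init__(self):
        self.actual_keys = {}    # actual key id -> key bytes (never leaves the service)
        self.virtual_keys = {}   # virtual key name -> actual key ids, oldest first

    def create_virtual_key(self, name):
        self.virtual_keys[name] = []
        return self.rotate(name)

    def rotate(self, name):
        """Add a fresh actual key; it becomes the one used for new encryptions."""
        kid = f"{name}/v{len(self.virtual_keys[name]) + 1}"
        self.actual_keys[kid] = os.urandom(32)
        self.virtual_keys[name].append(kid)
        return kid

    def encrypt(self, name, plaintext):
        # Selection rule for encrypt (assumed): the newest actual key behind the virtual key.
        kid = self.virtual_keys[name][-1]
        key = self.actual_keys[kid]
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        return {"key_id": kid, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

    def decrypt(self, name, blob):
        # Selection rule for decrypt (assumed): the actual key recorded with the ciphertext,
        # accepted only if it belongs to the virtual key the caller is using.
        kid = blob["key_id"]
        if kid not in self.virtual_keys.get(name, []):
            raise PermissionError("ciphertext was not produced under this virtual key")
        key = self.actual_keys[kid]
        expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("integrity check failed")
        return _keystream_xor(key, blob["nonce"], blob["ciphertext"])
```

Older actual keys stay resident after rotation so existing ciphertexts remain readable; the `key_id` in the returned envelope is what lets the service pick the right one later, and the check against the caller's virtual key is what stops one tenant decrypting another tenant's data by presenting its envelope.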
Abstract:
A user interface is described, such as a graphical user interface (GUI), operable to receive a representation of a security policy expressed in a first policy language, where that security policy will be supported by policy evaluation engines (or other such components) that are configured to operate using security policies expressed using a second (different) policy language. The representation of the security policy is persisted in a data store in accordance with the first policy language. Subsequently, in response to receiving a request to access a resource, a second representation of the security policy is generated by translating the content of the security policy into a second policy language that is associated with the policy evaluation engine. The second representation of the security policy is then evaluated by the policy evaluation engine to grant or deny access to the resource.
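The translate-then-evaluate flow above, as an added example that is not the patent's code: a constructed line-oriented first policy language is persisted verbatim, and on each access request it is translated into a second language (statement dictionaries) that the evaluation engine understands. Both languages, the policy text and the deny-overrides evaluation rule are assumptions made for the example; the one design point worth keeping is that translation fails closed, refusing a line it cannot express rather than silently dropping it.

```python
import fnmatch
import re

# Constructed first policy language: one statement per line, persisted as written.
STORED_POLICY = """\
allow alice read on docs/*
allow bob read on docs/*
deny bob read on docs/secret-*
"""

STATEMENT = re.compile(r"^(allow|deny)\s+(\S+)\s+(\S+)\s+on\s+(\S+)$")


def translate(text):
    """Translate the stored text into the second (evaluation) language, a list of statement
    dicts. Fails closed: an untranslatable line aborts rather than being dropped."""
    statements = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = STATEMENT.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot translate {line!r}")
        effect, principal, action, resource = m.groups()
        statements.append({"Effect": effect.capitalize(), "Principal": principal,
                           "Action": action, "Resource": resource})
    return statements


def evaluate(statements, principal, action, resource):
    """Policy evaluation engine for the second language: deny overrides, default deny."""
    decision = "Deny"
    for s in statements:
        if (s["Principal"] == principal and s["Action"] == action
                and fnmatch.fnmatchcase(resource, s["Resource"])):
            if s["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def check_access(stored_text, principal, action, resource):
    """What happens on a request: translate the persisted policy, then evaluate the result."""
    return evaluate(translate(stored_text), principal, action, resource)
```

Translating at request time means the stored representation stays the source of truth; if the translation is cached for performance, the cache key should be the stored text itself so an edit in the first language can never be served from a stale second-language copy.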