公开(公告)号：US10121017B2

公开(公告)日：2018-11-06

申请号：US13765239

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F11/30 ,  G06F21/62 ,  H04L9/08 ,  H04L29/06 ,  G06F21/00

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

公开(公告)号：US10114668B2

公开(公告)日：2018-10-30

申请号：US14584808

申请日：2014-12-29

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  James Alfred Gordon Greenfield

IPC: G06F9/50 ,  G06F9/46 ,  G06Q20/08

Abstract: Techniques are described for managing execution of programs, including using excess program execution capacity of one or more computing systems. For example, a private pool of excess computing capacity may be maintained for a user based on unused dedicated program execution capacity allocated for that user, with the private pool of excess capacity being available for priority use by that user. Such private excess capacity pools may further in some embodiments be provided in addition to a general, non-private excess computing capacity pool that is available for use by multiple users, optionally including users who are associated with the private excess capacity pools. In some such situations, excess computing capacity may be made available to execute programs on a temporary basis, such that the programs executing using the excess capacity may be terminated at any time if other preferred use for the excess capacity arises.

公开(公告)号：US10104127B2

公开(公告)日：2018-10-16

申请号：US15479168

申请日：2017-04-04

Applicant: Amazon Technologies, Inc.

Inventor： Stephen E. Schmidt ,  Eric Jason Brandwine ,  Luis Felipe Cabrera

IPC: H04L29/06 ,  H04L12/24 ,  H04L9/32 ,  G06F21/53

Abstract: Systems and methods are provided for configuring and monitoring computing resources of an entity for compliance with one or more standards. In one implementation, a server receives one or more identifiers of one or more standards and determines a plurality of configuration settings for the computing resources of the entity, based on the received one or more identifiers. The plurality of configuration settings comply with the one or more standards. The computing resources of the entity are configured according to the plurality of configuration settings. The server detects an event related to the computing resources. The detected event and the plurality of configuration settings are evaluated for compliance with the one or more standards. A determination is made whether the entity is compliant with the one or more standards, based on the evaluation, and an action is taken, based on the determination.

公开(公告)号：US20180270051A1

公开(公告)日：2018-09-20

申请号：US15984198

申请日：2018-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Marc R. Barbour ,  Bradley Jeffrey Behm ,  Cristian M. Ilac ,  Eric Jason Brandwine

IPC: H04L9/08 ,  H04L9/14

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

公开(公告)号：US10079681B1

公开(公告)日：2018-09-18

申请号：US14476533

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L9/32 ,  H04L29/08 ,  H04L12/911 ,  H04L29/06

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

公开(公告)号：US20180262485A1

公开(公告)日：2018-09-13

申请号：US15977069

申请日：2018-05-11

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Bradley Jeffrey Behm

IPC: H04L29/06

CPC classification number: H04L63/0807 ,  H04L63/083

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

公开(公告)号：US10038718B2

公开(公告)日：2018-07-31

申请号：US13932872

申请日：2013-07-01

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Matthew James Wren

IPC: H04L29/06 ,  H04L9/32

Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.

公开(公告)号：US20180205738A1

公开(公告)日：2018-07-19

申请号：US15924038

申请日：2018-03-16

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  G06F21/33

CPC classification number: H04L63/102 ,  G06F21/335 ,  G06F2221/2137 ,  H04L9/083 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/32 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/06 ,  H04L63/08 ,  H04L2209/38

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

公开(公告)号：US20180183602A1

公开(公告)日：2018-06-28

申请号：US15390176

申请日：2016-12-23

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Gregory Alan Rubin ,  Nicholas Alexander Allen ,  Andrew Kyle Driggs ,  Eric Jason Brandwine

IPC: H04L9/32 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30

CPC classification number: H04L9/3247 ,  H04L9/0643 ,  H04L9/0861 ,  H04L9/14 ,  H04L9/30

Abstract: A signature authority generates a master seed value that is used as the root of a seed tree of subordinate nodes. Each subordinate node of the seed tree is generated from the value of its parent node using a cryptographic hash or one-way function. The signature authority selects subordinate seed values which are distributed to one or more key generators, each of which generates a set of one-time-use cryptographic keys. Each key generator generates a hash tree from its set of one-time-use cryptographic keys, and the root of its hash tree is returned to the signature authority. The signature authority integrates the hashes provided by the key generators into a comprehensive hash tree. The root of the comprehensive hash tree acts as a public key for the signature authority.

公开(公告)号：US09998335B2

公开(公告)日：2018-06-12

申请号：US14952519

申请日：2015-11-25

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Kevin Christopher Miller ,  Andrew J. Doane

IPC: H04L12/28 ,  H04L12/24 ,  H04L12/715 ,  H04L12/713 ,  H04L12/751 ,  G06F9/455 ,  H04L29/08 ,  H04J1/16

CPC classification number: H04L41/12 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L41/0816 ,  H04L41/5096 ,  H04L45/02 ,  H04L45/586 ,  H04L45/64 ,  H04L67/34

Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify a logical network topology for a managed computer network with multiple computing nodes that includes one or more virtual networking devices each associated with a specified group of the multiple computing nodes. Corresponding networking functionality may be provided for communications between the multiple computing nodes by emulating functionality that would be provided by the networking devices if they were physically present and configured to support the specified network topology. In some situations, the managed computer network is a virtual computer network overlaid on a substrate network, and the networking device functionality emulating includes receiving routing communications directed to the networking devices and using included routing information to update the specified network topology for the managed computer network.