公开(公告)号：US09984238B1

公开(公告)日：2018-05-29

申请号：US14673311

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: G06F21/00 ,  G06F21/60 ,  H04L29/08 ,  H04L29/06

CPC classification number: G06F21/602 ,  H04L63/0428 ,  H04L67/1097 ,  H04L67/2842

Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.

公开(公告)号：US09946869B1

公开(公告)日：2018-04-17

申请号：US14476593

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: G06F21/00 ,  G06F21/50 ,  H04L29/08 ,  H04L29/06 ,  G06F9/455

CPC classification number: G06F21/50 ,  G06F9/4401 ,  G06F9/45558 ,  G06F2009/45591 ,  H04L63/10 ,  H04L63/12 ,  H04L67/10

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

公开(公告)号：US09942041B1

公开(公告)日：2018-04-10

申请号：US14476533

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L9/32 ,  H04L29/08 ,  H04L12/911 ,  H04L29/06

CPC classification number: H04L9/32 ,  H04L9/3263 ,  H04L47/70 ,  H04L63/061 ,  H04L67/10

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

公开(公告)号：US20180069844A1

公开(公告)日：2018-03-08

申请号：US15645936

申请日：2017-07-10

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Andrew J. Doane ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald

IPC: H04L29/06 ,  G06F9/455 ,  H04L9/32

CPC classification number: H04L63/061 ,  G06F9/45533 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/0876

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during serialization operation, they may be deleted or destroyed enabling the destruction of data encrypted with the keys.

公开(公告)号：US09898618B1

公开(公告)日：2018-02-20

申请号：US15636466

申请日：2017-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Bradley Jeffery Behm ,  Patrick J. Ward ,  Graeme Baer ,  Eric Jason Brandwine

IPC: G06F21/62 ,  H04L9/32

CPC classification number: G06F21/6227 ,  G06F17/30389 ,  G06F17/30427 ,  G06F17/30477 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3247 ,  H04L9/3263

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.

公开(公告)号：US20180041480A1

公开(公告)日：2018-02-08

申请号：US15786322

申请日：2017-10-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: H04L29/06 ,  H04L9/32 ,  H04L29/08

CPC classification number: H04L63/0428 ,  H04L9/321 ,  H04L9/3247 ,  H04L63/10 ,  H04L63/102 ,  H04L63/108 ,  H04L63/123 ,  H04L63/168 ,  H04L67/02

Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.

公开(公告)号：US09888041B2

公开(公告)日：2018-02-06

申请号：US15261069

申请日：2016-09-09

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Graeme David Baer ,  Eric Jason Brandwine

IPC: H04L29/06

CPC classification number: H04L63/205 ,  G06F21/6218 ,  H04L63/0218 ,  H04L63/0272 ,  H04L63/08 ,  H04L63/083 ,  H04L63/0861 ,  H04L63/10 ,  H04L63/123 ,  H04L63/1458 ,  H04L63/168 ,  H04L67/10 ,  H04L67/1002

Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

公开(公告)号：US09882888B2

公开(公告)日：2018-01-30

申请号：US14754321

申请日：2015-06-29

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine

IPC: H04L9/08 ,  H04L29/06

CPC classification number: H04L63/0823 ,  H04L9/0822 ,  H04L9/0891 ,  H04L9/0894 ,  H04L63/06 ,  H04L63/061 ,  H04L2463/062

Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

公开(公告)号：US20180013552A1

公开(公告)日：2018-01-11

申请号：US15603317

申请日：2017-05-23

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  David R. Richardson ,  Matthew Shawn Wilson ,  Ian Paul Nowland ,  Anthony Nicholas Liguori ,  Brian William Barrett

IPC: H04L9/08 ,  H04L9/32

CPC classification number: H04L9/0819 ,  H04L9/0861 ,  H04L9/32 ,  H04L9/3247

Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.

公开(公告)号：US20170272417A1

公开(公告)日：2017-09-21

申请号：US15615727

申请日：2017-06-06

Applicant: Amazon Technologies, Inc.

Inventor： Todd Lawrence Cignetti ,  Eric Jason Brandwine ,  Robert Eric Fitzgerald ,  Andrew J. Doane

IPC: H04L29/06 ,  G06F21/62 ,  G06F21/60 ,  G06F9/455 ,  G06F9/48

CPC classification number: H04L63/061 ,  G06F9/45558 ,  G06F9/4812 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  G06F2221/2143

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations.