公开(公告)号：US09521140B2

公开(公告)日：2016-12-13

申请号：US15001175

申请日：2016-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/56 ,  G06F21/53 ,  G06F21/57

CPC classification number: H04L63/0823 ,  G06F21/53 ,  G06F21/56 ,  G06F21/575 ,  H04L9/3268 ,  H04L63/062 ,  H04L63/123

Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.

公开(公告)号：US09436508B1

公开(公告)日：2016-09-06

申请号：US14021793

申请日：2013-09-09

Applicant: Amazon Technologies, Inc.

Inventor： Marvin Michael Theimer ,  Eric Jason Brandwine

IPC: G06F9/46 ,  G06F9/455 ,  G06F9/50

CPC classification number: G06F9/50 ,  G06F9/45558 ,  G06F9/5005 ,  G06F9/5011 ,  G06F9/5027 ,  G06F9/5077 ,  G06F2009/45562 ,  G06F2009/45575 ,  G06F2209/5011 ,  G06F2209/502

Abstract: Virtual resource provisioning may be enhanced by coloring virtual resource instances and/or underlying implementation resources. Particular resource colors may be associated with particular treatments during allocation of implementation resources to virtual resources. There may be different types of colors corresponding to different types of allocation treatment. Exclusory colors may be utilized to reduce clustering of virtual resources with respect to implementation resources. Assignment of exclusory colors to virtual resources can help strike a balance between lower costs through efficient implementation resource utilization and higher fault tolerance through spreading across an available implementation resource pool. Inclusive colors may be utilized to require and/or prefer allocation of virtual resources to implementation resources painted with the inclusive color. Proximity colors may be utilized to enhance a computational performance of a set of virtual resources. Proximity colors may be associated with proximity specifications that define proximity in implementation resource networks.

Abstract translation: 可以通过着色虚拟资源实例和/或底层实现资源来增强虚拟资源配置。 在将实现资源分配给虚拟资源时，特定资源颜色可以与特定处理相关联。 可能有不同类型的颜色对应于不同类型的分配处理。 可以利用独特的颜色来减少虚拟资源相对于实现资源的聚类。 通过在可用的实施资源池中传播，通过有效的实施资源利用率和更高的容错能力，将独占颜色分配给虚拟资源可以帮助降低成本之间的平衡。 可以使用包含的颜色来要求和/或更喜欢将虚拟资源分配给用包含颜色绘制的实现资源。 近似颜色可用于增强一组虚拟资源的计算性能。 接近颜色可能与定义实现资源网络中的接近度的接近度规范相关联。

公开(公告)号：US09425966B1

公开(公告)日：2016-08-23

申请号：US13826888

申请日：2013-03-14

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Eric Jason Brandwine ,  Gregory Alan Rubin ,  Patrick James Ward ,  James Leon Irving, Jr. ,  Andrew Paul Mikulski ,  Donald Lee Bailey, Jr.

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/30

CPC classification number: H04L9/3263 ,  H04L9/302 ,  H04L9/3268 ,  H04L63/0823 ,  H04L63/1433

Abstract: Methods and apparatus for a security mechanism evaluation service are disclosed. A storage medium stores program instructions that when executed on a processor define a programmatic interface enabling a client to submit an evaluation request for a security mechanism. On receiving an evaluation request from a client indicating a particular security mechanism using public-key encryption, the instructions when executed, identify resources of a provider network to be used to respond. The instructions, when executed, provide to the client, one or more of: (a) a trustworthiness indicator for a certificate authority that issued a public-key certificate in accordance with the particular security mechanism; (b) a result of a syntax analysis of the public-key certificate; or (c) a vulnerability indicator for a key pair.

Abstract translation: 公开了用于安全机制评估服务的方法和装置。 存储介质存储当在处理器上执行时定义编程接口的程序指令，使得客户端能够提交对安全机制的评估请求。 在从客户端接收到指示使用公钥加密的特定安全机制的评估请求时，执行指令时，识别要用于响应的提供商网络的资源。 指令在执行时向客户提供以下一个或多个：（a）根据特定安全机制发布公钥证书的认证机构的可信赖性指示符; （b）公钥证书的语法分析结果; 或（c）密钥对的漏洞指示符。

公开(公告)号：US09398121B1

公开(公告)日：2016-07-19

申请号：US13925573

申请日：2013-06-24

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine

IPC: G06F15/16 ,  H04L29/06

CPC classification number: H04L69/24 ,  H04L67/10

Abstract: Techniques are disclosed for determining a virtual networking framework for computing nodes to use where they are part of a plurality of computing nodes that have heterogeneous virtual networking framework capabilities. Each node may report its capabilities to a mapping server, which serves as a centrally-managed selector of policy capabilities for the two computing nodes to use in communications with each other. The mapping server selects virtual networking framework capabilities for the two computing nodes to use in communicating with each other, instructs the nodes of these selected capabilities, and the two nodes then communicate according to these selected capabilities.

Abstract translation: 公开了用于确定虚拟网络框架的技术，用于计算节点以将它们作为具有异构虚拟网络框架能力的多个计算节点的一部分。 每个节点可以向映射服务器报告其能力，映射服务器用作两个计算节点在彼此通信中使用的策略能力的集中管理选择器。 映射服务器选择用于两个计算节点的虚拟网络框架能力以在彼此进行通信中指示这些所选能力的节点，然后两个节点根据这些所选择的能力进行通信。

公开(公告)号：US09331915B1

公开(公告)日：2016-05-03

申请号：US13750207

申请日：2013-01-25

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine

IPC: G06F15/177 ,  H04L12/26

CPC classification number: H04L43/04 ,  H04L43/028 ,  H04L43/12

Abstract: Data packets may be mirrored or replicated to network ports and/or listening stations. Additionally, the data packets may include characteristics. Based at least in part on the characteristics of the data packets, dynamic capture lengths may be determined. A portion of the data packets may be transmitted to the network ports and/or listening station based at least in part on determined capture lengths.

Abstract translation: 数据分组可以被镜像或复制到网络端口和/或监听站。 另外，数据分组可以包括特性。 至少部分地基于数据分组的特性，可以确定动态捕获长度。 至少部分地基于所确定的捕获长度，一部分数据分组可以被发送到网络端口和/或监听站。

公开(公告)号：US09305164B1

公开(公告)日：2016-04-05

申请号：US13964506

申请日：2013-08-12

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Swaminathan Sivasubramanian ,  Bradley E. Marshall ,  Tate Andrew Certain

IPC: G06F15/16 ,  G06F9/00 ,  G06F21/55 ,  H04L29/06 ,  G06F15/173

CPC classification number: G06F21/552 ,  G06F11/3006 ,  G06F11/3072 ,  H04L63/1416 ,  H04L63/1441

Abstract: The effects on networking systems of attacks on vulnerabilities, such as vulnerable modules in a webserver, SYN flooding, etc, can be devastating to a network environment. In various embodiments, a first, quick, or inexpensive analysis is performed on incoming network flows. If an intrusion issue or other problem is suspected based on the first, rapid, or an inexpensive analysis, then the flow can be flagged for redirection to another process, virtual machine, or physical computer module that will perform a deeper, more expensive analysis on the network flow. If there are no issues detected in the second, deeper analysis, then the network flow can be forwarded to its intended recipient. If an issue is detected in the second, deeper analysis, then the network flow can be throttled, quarantined, ignored, sent to an un-trusted portion of the system, sent for more analysis, or otherwise handled or flagged.

公开(公告)号：US20160080317A1

公开(公告)日：2016-03-17

申请号：US14936314

申请日：2015-11-09

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Don Johnson ,  Marvin M. Theimer

IPC: H04L29/12 ,  G06F9/455

CPC classification number: H04L61/2503 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L61/6068 ,  H04L67/18 ,  H04L67/28 ,  H04L67/2814 ,  H04L67/2823

Abstract: Systems and method are provided for using proxy addresses to manage communications sent between virtual machine networks hosted by a substrate network. In some embodiments, the substrate network may identify a communication addressed from an instantiated component of a first hosted virtual network to a first proxy component of the first hosted virtual network. The substrate network may cause the communication to be received by a second instantiated component of a second host virtual network. Specifically, the substrate network may alter a destination address of the communication from a proxy address of the first proxy component to a network address of the second instantiated component. The substrate network may also alter a source address of the communication from a network address of the first instantiated component to a proxy address of a second proxy component.

Abstract translation: 提供了系统和方法，用于使用代理地址来管理由基板网络托管的虚拟机网络之间发送的通信。 在一些实施例中，衬底网络可以识别从第一托管虚拟网络的实例化组件寻址到第一托管虚拟网络的第一代理组件的通信。 衬底网络可以使通信由第二主机虚拟网络的第二实例组件接收。 具体地，衬底网络可以将通信的目的地地址从第一代理组件的代理地址改变为第二实例化组件的网络地址。 衬底网络还可以将通信的源地址从第一实例化组件的网络地址改变为第二代理组件的代理地址。

公开(公告)号：US20160080213A1

公开(公告)日：2016-03-17

申请号：US14952519

申请日：2015-11-25

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Kevin Christopher Miller ,  Andrew J. Doane

IPC: H04L12/24 ,  H04L12/713

CPC classification number: H04L41/12 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L41/0816 ,  H04L41/5096 ,  H04L45/02 ,  H04L45/586 ,  H04L45/64 ,  H04L67/34

Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify a logical network topology for a managed computer network with multiple computing nodes that includes one or more virtual networking devices each associated with a specified group of the multiple computing nodes. Corresponding networking functionality may be provided for communications between the multiple computing nodes by emulating functionality that would be provided by the networking devices if they were physically present and configured to support the specified network topology. In some situations, the managed computer network is a virtual computer network overlaid on a substrate network, and the networking device functionality emulating includes receiving routing communications directed to the networking devices and using included routing information to update the specified network topology for the managed computer network.

Abstract translation: 描述了为被管理的计算机网络提供虚拟网络功能的技术。 在某些情况下，用户可以配置或以其他方式指定具有多个计算节点的被管理计算机网络的逻辑网络拓扑，所述多个计算节点包括每个与多个计算节点的指定组相关联的一个或多个虚拟网络设备。 可以通过模拟由网络设备提供的功能（如果它们物理存在并被配置为支持指定的网络拓扑）来为多个计算节点之间的通信提供相应的网络功能。 在一些情况下，被管理计算机网络是覆盖在基板网络上的虚拟计算机网络，并且模拟的网络设备功能包括接收定向到网络设备的路由通信，并使用包括的路由信息​​来更新被管理计算机网络的指定网络拓扑 。

公开(公告)号：US09276811B1

公开(公告)日：2016-03-01

申请号：US14145794

申请日：2013-12-31

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Peter J. Hill

IPC: H04L12/24

CPC classification number: H04L41/12 ,  G06F9/45558 ,  G06F9/5077 ,  G06F2009/45595 ,  H04L12/4641 ,  H04L12/4645 ,  H04L12/4666 ,  H04L41/0803 ,  H04L45/00 ,  H04L49/354

Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify one or more virtual local area networks (“VLANs”) for a managed computer network being provided for the user, such as with each VLAN including multiple computing nodes of the managed computer network. Networking functionality corresponding to the specified VLAN(s) may then be provided in various manners, such as if the managed computer network itself is a distinct virtual computer network overlaid on one or more other computer networks, and communications between computing nodes of the managed virtual computer network are handled in accordance with the specified VLAN(s) of the managed virtual computer network by emulating functionality that would be provided by networking devices of the managed virtual computer network if they were physically present and configured to support the specified VLAN(s).

Abstract translation: 描述了为被管理的计算机网络提供虚拟网络功能的技术。 在某些情况下，用户可以配置或以其他方式指定为用户提供的被管理计算机网络的一个或多个虚拟局域网（“VLAN”），例如每个VLAN包括被管理计算机网络的多个计算节点。 然后可以以各种方式提供对应于指定VLAN的网络功能，例如，如果被管理计算机网络本身是覆盖在一个或多个其他计算机网络上的不同虚拟计算机网络，以及被管理虚拟机的计算节点之间的通信 计算机网络根据受管虚拟计算机网络的指定VLAN进行处理，通过模拟被管理虚拟计算机网络的网络设备提供的功能（如果物理存在并配置为支持指定的VLAN） 。

公开(公告)号：US09231930B1

公开(公告)日：2016-01-05

申请号：US13682318

申请日：2012-11-20

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Graeme David Baer ,  Eric Jason Brandwine

IPC: H04L21/00 ,  H04L29/06

CPC classification number: H04L63/08 ,  H04L63/126

Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

Abstract translation: 客户可以利用多租户环境的资源来提供一个或多个可用于各种用户的服务。 为了简化这些客户的过程，多租户环境可以包括基础设施，其中一部分资源提供可由客户服务利用的认证和/或授权服务。 这些资源可以逻辑地坐在用于提供客户服务的资源之前，使得用户请求必须在被指示到客户服务之前通过授权和认证服务。 这样的资源也可以提供其他功能，例如负载平衡和计量。