-
Publication (Announcement) No.: US09912696B2
Publication (Announcement) Date: 2018-03-06
Application No.: US13932872
Filing Date: 2013-07-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Matthew James Wren
Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.
-
Publication (Announcement) No.: US09906552B1
Publication (Announcement) Date: 2018-02-27
Application No.: US13766350
Filing Date: 2013-02-13
Applicant: Amazon Technologies, Inc.
Inventor: Nicholas Howard Brown , Gregory Branchek Roth , Gregory Alan Rubin
IPC: H04L29/06
CPC classification number: H04L63/1458
Abstract: System load, such as load caused by a denial of service attack, is managed by requiring those requesting access to the system to provide proof of work. A system receives, from a requestor, a request for access to the system. Before the request can be processed, the system provides a challenge to the requestor. The requestor obtains a solution to the challenge and provides proof of having obtained the solution. The system verifies the correctness of the solution and, if the correct solution is verified, the system services the request.
-
Publication (Announcement) No.: US09887836B1
Publication (Announcement) Date: 2018-02-06
Application No.: US14498732
Filing Date: 2014-09-26
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth
CPC classification number: H04L9/0822 , H04L9/0861 , H04L9/088 , H04L9/0897 , H04L2209/24
Abstract: A cryptography service allows for management of cryptographic keys in multiple environments. The service allows for specification of policies applicable to cryptographic keys, such as what cryptographic algorithms should be used in which contexts. In some contexts, the cryptography service, upon receiving a request for a key, provides a referral to another system to obtain the key.
-
Publication (Announcement) No.: US09876815B2
Publication (Announcement) Date: 2018-01-23
Application No.: US15256381
Filing Date: 2016-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Hassan Sultan , John Schweitzer , Donald Lee Bailey, Jr. , Gregory Branchek Roth , Nachiketh Rao Potlapally
CPC classification number: H04L63/1433 , G06F21/53 , G06F21/554 , H04L63/1441 , H04L63/20
Abstract: A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, an expected value or expected range of values is determined. An assessment of a security state of the computing environment is generated based at least in part on a comparison between a measurement obtained at the point in the computing environment and the expected value or expected range of values, and responsive to a determination that the assessment indicates a rule violation in the computing environment, a security action is performed.
-
Publication (Announcement) No.: US09866392B1
Publication (Announcement) Date: 2018-01-09
Application No.: US14486741
Filing Date: 2014-09-15
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Branchek Roth
CPC classification number: H04L9/3247 , H04L9/0822 , H04L9/0825 , H04L9/0891 , H04L9/14 , H04L9/3234 , H04L9/3265 , H04L2209/38
Abstract: A web of trust in a distributed system is established. A root of trust for at least two components in the distributed system validates information for the distributed system. The validated information is then used to create additional information for the distributed system. Versions of the information are usable to validate subsequent versions of the information such that validation of a version of the information can be performed by using one or more previous versions to verify that the version is a valid successor of a previously validated previous version.
-
Publication (Announcement) No.: US09854001B1
Publication (Announcement) Date: 2017-12-26
Application No.: US14225300
Filing Date: 2014-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/20
Abstract: A system enforces policies in connection with requests to access resources. Users are provided the ability to obtain information about the policies the system enforces. Some of the users have associated restrictions such that, when those users request information about the policies, the information provided is incomplete. The information provided may lack information about one or more policies that apply to the users.
-
Publication (Announcement) No.: US09838430B1
Publication (Announcement) Date: 2017-12-05
Application No.: US14475314
Filing Date: 2014-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Jacques Daniel Thomas , Nicholas Andrew Gochenaur
CPC classification number: H04L63/20 , G06F9/45533 , G06Q30/0601 , H04L63/10
Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.
-
Publication (Announcement) No.: US20170346638A1
Publication (Announcement) Date: 2017-11-30
Application No.: US15656805
Filing Date: 2017-07-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Alan Rubin , Gregory Branchek Roth
CPC classification number: H04L9/3247 , G06F21/64 , H04L9/0819 , H04L2209/24 , H04L2209/72
Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.
-
Publication (Announcement) No.: US09832171B1
Publication (Announcement) Date: 2017-11-28
Application No.: US13916964
Filing Date: 2013-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0428 , H04L9/0822 , H04L9/0825 , H04L9/083 , H04L9/0891 , H04L9/0894 , H04L9/14 , H04L9/16 , H04L9/3213 , H04L9/3234 , H04L9/3247 , H04L63/0435 , H04L63/0807
Abstract: A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
-
Publication (Announcement) No.: US20170264602A1
Publication (Announcement) Date: 2017-09-14
Application No.: US15605739
Filing Date: 2017-05-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Cristian M. Ilac
CPC classification number: H04L63/08 , H04L9/0872 , H04L9/0891 , H04L63/061 , H04L63/0838 , H04W12/00502 , H04W12/04 , H04W12/06
Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.
-