公开(公告)号：US20150347763A1

公开(公告)日：2015-12-03

申请号：US14714982

申请日：2015-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Eric D. Crahen ,  Graeme D. Baer ,  Eric J. Brandwine ,  Nathan R. Fitch

IPC: G06F21/60 ,  G06F9/455 ,  G06F9/445

CPC classification number: G06F21/602 ,  G06F9/44505 ,  G06F9/45558 ,  G06F21/606 ,  G06F2009/45587 ,  G06Q30/06 ,  H04L63/0209 ,  H04L63/0428 ,  H04L63/0471 ,  H04L63/08 ,  H04L63/166

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

Abstract translation: 支持系统使用与guest虚拟机系统相关联的一组凭据代表多个客户系统协商安全连接。 安全连接的操作对客户系统可能是透明的，使得客系统可以发送和接收由诸如管理程序之类的支持系统加密或解密的消息。 由于支持系统在客户系统和目的地之间，支持系统可以充当安全连接的本地端点。 消息可以由支持系统改变以向客系统指示哪些通信被保护。 证书可以由支持系统管理，使得客户机系统不需要访问凭证。

公开(公告)号：US20150040117A1

公开(公告)日：2015-02-05

申请号：US14518768

申请日：2014-10-20

Applicant: AMAZON TECHNOLOGIES, INC.

Inventor： Joseph E. Fitzgerald, II ,  Marvin M. Theimer, II ,  Eric J. Brandwine ,  Benjamin W. Mercier

IPC: G06F9/445 ,  H04L29/08 ,  G06F9/455

CPC classification number: G06F8/65 ,  G06F9/45533 ,  H04L67/10

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract translation: 可以使用更新偏好来指定在应用程序的需求下降到特定阈值之前不应用应用程序的更新。 对应用程序的需求进行监控。 当应用程序的实际需求低于指定阈值时，应用对应用程序的更新。 可以设置阈值，使得在正常需求周期（例如昼夜，每月或每年周期）遇到的需求的非高峰期期间部署更新。

公开(公告)号：US20140047503A1

公开(公告)日：2014-02-13

申请号：US14057359

申请日：2013-10-18

Applicant: Amazon Technologies, Inc.

Inventor： Bradley E. Marshall ,  Charles D. Phillips ,  Eric J. Brandwine

IPC: G06F21/60 ,  H04L29/06

CPC classification number: G06F21/60 ,  H04L63/0227 ,  H04L63/20

Abstract: Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user's organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

Abstract translation: 网络计算系统可以实施数据丢失预防（DLP）技术，以减少或阻止未经授权的使用或传输机密信息或执行法规，法规或行业标准所规定的信息控制。 公开了可以使用DLP策略中的上下文信息来监视经由网络发送的数据的网络数据传输分析系统和方法的实现。 上下文信息可以包括基于网络用户的组织结构或服务或网络基础设施的信息。 一些实现可以在网络数据传输中检测银行卡信息。 一些系统和方法可以在覆盖在用作衬底网络的一个或多个中间物理网络上的虚拟网络上实现。

公开(公告)号：US10516655B1

公开(公告)日：2019-12-24

申请号：US15258743

申请日：2016-09-07

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine

IPC: H04L29/06 ,  G06F21/60 ,  G06F9/4401

Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.

公开(公告)号：US10237233B2

公开(公告)日：2019-03-19

申请号：US15466431

申请日：2017-03-22

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine

IPC: G06F15/16 ,  H04L29/12 ,  H04L12/911 ,  H04L12/26

Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.

公开(公告)号：US09846778B1

公开(公告)日：2017-12-19

申请号：US15396276

申请日：2016-12-30

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine

IPC: H04L29/06 ,  G06F21/00 ,  G06F21/57 ,  G06F9/44

CPC classification number: G06F21/575 ,  G06F9/4401 ,  G06F9/4416 ,  G06F21/335 ,  G06F2221/2107 ,  G06F2221/2149 ,  H04L9/083 ,  H04L9/3215 ,  H04L9/3234 ,  H04L63/0435 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/062 ,  H04L63/0807

Abstract: In an resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.

公开(公告)号：US20170353394A1

公开(公告)日：2017-12-07

申请号：US15583547

申请日：2017-05-01

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine ,  Marvin M. Theimer ,  Don Johnson ,  Swaminathan Sivasubramanian

IPC: H04L12/911 ,  H04L29/08

CPC classification number: H04L47/70 ,  G06F9/5077 ,  G06F21/53 ,  G06F2221/2149 ,  H04L67/10

Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware. For example, virtualization technologies can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing one or more virtual machines simulated in software by the single physical computing machine, with each virtual machine acting as a distinct logical computing system. In addition, as routing can be accomplished through software, additional network setup flexibility can be provided to the virtual network in comparison with hardware-based routing. In some implementations, virtual network setup can be abstracted through the use of resource placement templates, allowing users to create virtual networks compliant with a customer's networking policies without necessarily having knowledge of what those policies are.

公开(公告)号：US20170195283A1

公开(公告)日：2017-07-06

申请号：US15466431

申请日：2017-03-22

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine

IPC: H04L29/12

CPC classification number: H04L61/2007 ,  H04L43/0876 ,  H04L47/70 ,  H04L61/2061 ,  H04L61/6022 ,  H04L61/605 ,  H04L61/6095

Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.

公开(公告)号：US09607162B2

公开(公告)日：2017-03-28

申请号：US14714982

申请日：2015-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Eric D. Crahen ,  Graeme D. Baer ,  Eric J. Brandwine ,  Nathan R. Fitch

IPC: G06F21/00 ,  G06F21/60 ,  G06F9/445 ,  G06F9/455 ,  H04L29/06 ,  G06Q30/06

CPC classification number: G06F21/602 ,  G06F9/44505 ,  G06F9/45558 ,  G06F21/606 ,  G06F2009/45587 ,  G06Q30/06 ,  H04L63/0209 ,  H04L63/0428 ,  H04L63/0471 ,  H04L63/08 ,  H04L63/166

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

公开(公告)号：US20160110375A1

公开(公告)日：2016-04-21

申请号：US14981700

申请日：2015-12-28

Applicant: Amazon Technologies, Inc.

Inventor： Eric J. Brandwine

IPC: G06F17/30

CPC classification number: G06F16/162 ,  G06F3/0605 ,  G06F3/0608 ,  G06F3/0647 ,  G06F3/067 ,  G06F3/0689 ,  G06F12/0804 ,  G06F12/0868 ,  G06F16/128 ,  G06F16/174 ,  G06F16/2365 ,  G06F2212/463

Abstract: In certain embodiments, a system comprises a memory and a processor communicatively coupled to the memory. The memory includes executable instructions that upon execution cause the system to generate, at a first time, a first snapshot capturing data stored in storage units of a storage device. The executable instructions upon execution cause the system to receive an indication to delete at least a portion of the data in the storage units and captured by the first snapshot, and to mark, in response to receiving the indication, the one or more storage units that store the at least a first portion of the data as available. The executable instructions upon execution cause the system to generate, at a second time subsequent to the first time, a second snapshot that omits the one or more storage units marked as available.

Abstract translation: 在某些实施例中，系统包括通信地耦合到存储器的存储器和处理器。 存储器包括可执行指令，其在执行时导致系统在第一时间产生第一快照捕获存储在存储设备的存储单元中的数据。 执行时的可执行指令导致系统接收删除存储单元中的数据的至少一部分并由第一快照捕获的指示，并且响应于接收到指示而标记一个或多个存储单元， 将数据的至少第一部分存储为可用的。 在执行时的可执行指令导致系统在第一次之后的第二时间生成省略标记为可用的一个或多个存储单元的第二快照。