公开(公告)号：US10002247B2

公开(公告)日：2018-06-19

申请号：US14975627

申请日：2015-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: G06F21/00 ,  G06F21/53 ,  G06F9/455 ,  G06F9/445

CPC classification number: G06F21/53 ,  G06F8/60 ,  G06F9/45558 ,  G06F21/31 ,  G06F2009/4557 ,  G06F2221/033

Abstract: A software image associated with a first customer of a computing resource service provider and criteria for identifying an event is received, the software image comprising a set of layers. The set of layers is stored in a first data store to form a stored set of layers, the first data store being physically located in a first region. The set of layers is copied to a second data store to form a copied set of layers, the second data store being physically located in a second region different from the first region. The copied set of layers is launched as a container executing in an instance that is physically located in the second region, and, as a result of identifying an occurrence of the event, the container is caused to be unavailable to an entity associated with the instance.

公开(公告)号：US20170177877A1

公开(公告)日：2017-06-22

申请号：US14975637

申请日：2015-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: G06F21/57 ,  G06F21/60 ,  G06F17/30

CPC classification number: G06F21/577 ,  G06F8/63 ,  G06F8/71 ,  G06F9/44505 ,  G06F9/45558 ,  G06F17/30233 ,  G06F17/30477 ,  G06F21/562 ,  G06F21/602 ,  G06F21/6218 ,  G06F2009/45562 ,  G06F2221/033

Abstract: A request to a scan a software image for specified criteria is received, the software image comprising layers stored in a first data store. Metadata in a second data store, different from the first data store, is searched through to obtain information corresponding to the software image. A first set of the layers that matches the specified criteria is determined, based at least in part on the information. The first set of layers is marked as un-referenceable. Asynchronous to fulfillment of the request, a second set of layers of the layers to be deleted is determined, based at least in part on the metadata, the second set of layers including layers marked as un-referenceable, and the second set of layers is deleted.

公开(公告)号：US20170177860A1

公开(公告)日：2017-06-22

申请号：US14975627

申请日：2015-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: G06F21/53 ,  G06F9/445 ,  G06F9/455

CPC classification number: G06F21/53 ,  G06F8/60 ,  G06F9/45558 ,  G06F21/31 ,  G06F2009/4557 ,  G06F2221/033

Abstract: A software image associated with a first customer of a computing resource service provider and criteria for identifying an event is received, the software image comprising a set of layers. The set of layers is stored in a first data store to form a stored set of layers, the first data store being physically located in a first region. The set of layers is copied to a second data store to form a copied set of layers, the second data store being physically located in a second region different from the first region. The copied set of layers is launched as a container executing in an instance that is physically located in the second region, and, as a result of identifying an occurrence of the event, the container is caused to be unavailable to an entity associated with the instance.

公开(公告)号：US11487530B2

公开(公告)日：2022-11-01

申请号：US16940261

申请日：2020-07-27

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: G06F21/00 ,  G06F8/71 ,  G06F9/455 ,  G06F21/53 ,  G06F8/61 ,  G06F21/62

Abstract: A request to update a software container image within a container registry hosted by a computing resource service provider is received from an entity associated with a customer account with the computing resource service provider, where the container registry is a scalable distributed data storage service. The software container image is stored in the container registry in association with the customer account. A layer of the software container image stored in the container registry is scanned for a reference identifier associated with a security vulnerability as a result of said scan finding the reference identifier within the software container image, notice is provided to the entity indicating that the security vulnerability was found. Software within the software container image is updated based at least in part on the vulnerability scan; and the update software is deployed.

公开(公告)号：US10782990B1

公开(公告)日：2020-09-22

申请号：US14951334

申请日：2015-11-24

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Jia Bi Zhang ,  Christopher Brian Barclay ,  Anirudh Balachandra Aithal ,  Cornelle Christiaan Pretorius Janse Van Rensburg

IPC: G06F9/455 ,  G06F9/50

Abstract: At least one instance of an application is launched in a set of software containers that are distributed among a set of virtual machine instances. A set of measurements corresponding to resource utilization by a software container of the set of software containers is obtained and a timestamp is generated for the set of measurements. The set of measurements is aggregated, with other sets of measurements corresponding to the set of software containers for the application, into a set of aggregated measurements grouped in a time window group, based at least in part on the timestamp, and, as a result of fulfillment of a condition, the time window group is outputted.

公开(公告)号：US10725775B2

公开(公告)日：2020-07-28

申请号：US16383523

申请日：2019-04-12

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: G06F21/00 ,  G06F8/71 ,  G06F9/455 ,  G06F21/53 ,  G06F8/61 ,  G06F21/62

Abstract: A request to store a container image is received from a device associated with a customer of a computing resource service provider. Validity of a security token associated with the request is authenticated using a cryptographic key maintained as a secret by the computing resource service provider. One or more layers of the container image is built based at least in part on at least one build artifact to form a set of built layers. The software image including the set of built layers is stored in a repository associated with the customer. A manifest of metadata for the set of built layers is stored in a database of a structured data store. The container image is obtained in the form of an obtained container image. The obtained container image is deployed as the software container in at least one virtual machine instance associated with the customer.

公开(公告)号：US20190297096A1

公开(公告)日：2019-09-26

申请号：US16435396

申请日：2019-06-07

Applicant: Amazon Technologies, Inc.

Inventor： Khaja Ehteshamuddin Ahmed ,  Anthony Joseph Suarez ,  Dmitry Petrovich Andreychuk

IPC: H04L29/06 ,  G06N20/00

Abstract: A service provider may deploy a security threat detection and mitigation platform in a multi-tenant virtualization environment that includes pluggable data collection, data analysis, and response components. The data analysis components may apply machine learning techniques to generate (based on training data sets) and refine (based on subsequently received data sets and feedback about the resulting classifications) predictors configured to detect particular types of security threats, such as denial of service attacks, botnets, scans, or remote desktop attacks. A data collection layer may collect, filter, organize, and curate network packet traffic data, network packet header data, or other information emitted by computing instances or applications executing on them, and provide the curated data as streams to the analysis layer. A response layer may automatically take action in response to threat detections (which may be overridden by an administrator) and may store classification data for subsequent analysis, feedback, and predictor refinement.

公开(公告)号：US10261782B2

公开(公告)日：2019-04-16

申请号：US14975631

申请日：2015-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Joseph Suarez ,  Scott Kerns Windsor ,  Nare Hayrapetyan ,  Daniel Robert Gerdesmeier ,  Pooja Kalpana Prakash

IPC: H04L29/06 ,  G06F8/71 ,  G06F9/455 ,  G06F21/53 ,  G06F8/61 ,  G06F21/62

Abstract: A request to store, in first data store associated with a customer of a computing resource service provider, a software image is received, the request including a set of layers of the software image to be stored. As a result of successful authentication of the request, based at least in part on a security token included with the request, a subset of layers of the software image that have not previously been stored in the first data store are determined, based at least in part on first metadata obtained from a second data store, the subset of layers in the first data store are stored, second metadata about the subset of layers are stored in the second data store, and the software image is caused to be launched in a software container of an instance based at least in part on the subset of layers.

公开(公告)号：US20190108049A1

公开(公告)日：2019-04-11

申请号：US16004050

申请日：2018-06-08

Applicant: Amazon Technologies, Inc.

Inventor： Deepak Singh ,  Anthony Joseph Suarez ,  William Andrew Thurston ,  Anirudh Balachandra Aithal ,  Daniel Robert Gerdesmeier ,  Euan Skyler Kemp ,  Kiran Kumar Meduri ,  Muhammad Umer Azad

IPC: G06F9/455 ,  G06F9/50

Abstract: A task definition is received. The task definition indicates at least a location from which one or more software image can be obtained and information usable to determine an amount of resources to allocate to one or more software containers for the one or more software image. A set of virtual machine instances in which to launch the one or more software containers is determined, the one or more software image is obtained from the location included in the task definition and is launched as the one or more of software containers within the set of virtual machine instances.

公开(公告)号：US20160162320A1

公开(公告)日：2016-06-09

申请号：US15007113

申请日：2016-01-26

Applicant: Amazon Technologies, Inc.

Inventor： Deepak Singh ,  Anthony Joseph Suarez ,  William Andrew Thurston ,  Anirudh Balachandra Aithal ,  Daniel Robert Gerdesmeier ,  Euan Skyler Kemp ,  Kiran Kumar Meduri ,  Muhammad Umer Azad

IPC: G06F9/455 ,  G06F9/50

CPC classification number: G06F9/45558 ,  G06F9/45533 ,  G06F9/5005 ,  G06F9/5055 ,  G06F9/5077 ,  G06F2009/4557 ,  G06F2009/45595

Abstract: A task definition is received. The task definition indicates at least a location from which one or more software image can be obtained and information usable to determine an amount of resources to allocate to one or more software containers for the one or more software image. A set of virtual machine instances in which to launch the one or more software containers is determined, the one or more software image is obtained from the location included in the task definition and is launched as the one or more of software containers within the set of virtual machine instances.

Abstract translation: 接收到任务定义。 任务定义至少指示可以从其获得一个或多个软件映像的位置，以及可用于确定要分配给一个或多个软件映像的一个或多个软件容器的资源量的信息。 确定在其中启动一个或多个软件容器的一组虚拟机实例，从包括在任务定义中的位置获得一个或多个软件映像，并作为该组内的一个或多个软件容器发起 虚拟机实例。