-
Publication number: US10972288B2
Publication date: 2021-04-06
Application number: US16726734
Filing date: 2019-12-24
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-
Publication number: US10691822B1
Publication date: 2020-06-23
Application number: US15840892
Filing date: 2017-12-13
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Conor Patrick Cahill
Abstract: Validated policies can be utilized where information regarding the validation travels with the policies. A policy validator can validate information about a policy, such as may relate to compliance with policy requirements and accuracy of the policy output. Information about the validation, such as one or more claims of validity and information about the validator, can be provided with the policy as metadata, such as in a signature block. The signatures, or other verification mechanisms, can be used to ensure that the policy is not modified after the validation. When attempting to utilize the policy, the signature block can be evaluated along with the policy to determine whether to grant the access. In some embodiments the signature block may not be evaluated with the policy, but may be used subsequently for auditing or compliance determinations.
-
Publication number: US20230283482A1
Publication date: 2023-09-07
Application number: US18196266
Filing date: 2023-05-11
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
CPC classification number: H04L9/3247, G06F12/1408, H04L63/061, H04L63/126, G06F2212/402
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-
Publication number: US20220400084A1
Publication date: 2022-12-15
Application number: US17870609
Filing date: 2022-07-21
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Daniel Stephen Popick
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or any child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US11411881B2
Publication date: 2022-08-09
Application number: US16866961
Filing date: 2020-05-05
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Daniel Stephen Popick
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or any child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US20210211304A1
Publication date: 2021-07-08
Application number: US17212915
Filing date: 2021-03-25
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-
Publication number: US11005853B1
Publication date: 2021-05-11
Application number: US15912982
Filing date: 2018-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Ankur Agarwal, Praveen Akinapally, Conor Patrick Cahill, Dmitry Frenkel, Rachit Jain, Lennart Christopher Leon Kats, Julian Eric Naydichev
Abstract: Transitive restrictions can be applied to requests received on a session. A session token can be issued for an active session, and a transitivity setting specified to indicate the types of requests for which the transitive restriction is to be enforced. This can include enforcing the restriction on requests received from outside a trusted environment, requests within a scope of enforcement, or enforcing the restriction at request authentication. Any request received from an untrusted source that fails to satisfy the transitive restriction will be denied. Requests from inside the trusted environment may not have the transitive restriction enforced, such as where a new token is issued. This enables services within the environment to make calls on behalf of the customer, while ensuring that third parties obtaining the session token cannot successfully initiate such calls.
-
Publication number: US10044695B1
Publication date: 2018-08-07
Application number: US14475382
Filing date: 2014-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Gregory Branchek Roth
Abstract: A computer-implemented system and method for receiving a request to associate one or more application instance definitions with an application identity of an application configured with a set of permissions to access computer resources in an environment of a computing resource service provider. The system and method cause a computer system to store the one or more application instance definitions in association with the application identity of the application. The system and method also cause the computer system to evaluate a request originating from an application corresponding to the application identity and the application instance definition to determine if fulfillment of the request complies with the permissions.