-
Publication No.: US20170180389A1
Publication date: 2017-06-22
Application No.: US15454986
Application date: 2017-03-09
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
IPC: H04L29/06
CPC classification number: H04L63/105, H04L63/06, H04L63/08, H04L63/10, H04L63/1408, H04L63/20
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication No.: US10986081B1
Publication date: 2021-04-20
Application No.: US15719379
Application date: 2017-09-28
Applicant: Amazon Technologies, Inc.
Inventor: Darin Keith McAdams, Dick Clarence Hardt
Abstract: A managed directory service receives a request from a first service to link a directory of a contractor service to the first service's directory. The managed directory service identifies a group within the directory of the contractor service and links the directories using this group. Through the link, the managed directory service enables users in the group to authenticate to the first service's directory using credentials for the directory of the contractor service.
-
Publication No.: US20190356495A1
Publication date: 2019-11-21
Application No.: US16525174
Application date: 2019-07-29
Applicant: Amazon Technologies, Inc.
Inventor: Arjun Dasarakothapalli, Morgan Akers, David Alan Blunt, Darin Keith McAdams
Abstract: A client obtains, in response to a request to a server, a response that includes data for fulfillment of the request, a digital signature that can be verified using a digital certificate, and location information that specifies a location where the digital certificate can be obtained. The client uses the location information to access the location and obtains the digital certificate. Using the digital certificate, the client evaluates the digital signature provided in the response to determine whether the digital signature is valid. If the digital signature is valid, the client accepts the data included in the response for fulfillment of the request.
-
Publication No.: US20180316657A1
Publication date: 2018-11-01
Application No.: US15677930
Application date: 2017-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Dick Clarence Hardt, Darin Keith McAdams
CPC classification number: H04L63/0815
Abstract: An identity provider receives a request to configure authentication for enabling single sign-on to a service provider. The identity provider identifies the authentication protocols supported by the service provider and determines whether it is compatible with these authentication protocols. As a result of the identity provider being compatible with at least some of the authentication protocols, the identity provider generates configuration information that is usable by the service provider to configure the authentication. The identity provider transmits, to a computer system, a response that causes the computer system to be redirected to the service provider in order to provide information usable by the service provider to obtain the configuration information.
-
Publication No.: US20180278621A1
Publication date: 2018-09-27
Application No.: US15990389
Application date: 2018-05-25
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
IPC: H04L29/06
CPC classification number: H04L63/105, H04L63/06, H04L63/08, H04L63/10, H04L63/1408, H04L63/20
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication No.: US09985974B2
Publication date: 2018-05-29
Application No.: US15454986
Application date: 2017-03-09
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
IPC: H04L29/06
CPC classification number: H04L63/105, H04L63/06, H04L63/08, H04L63/10, H04L63/1408, H04L63/20
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication No.: US09756023B2
Publication date: 2017-09-05
Application No.: US15235687
Application date: 2016-08-12
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
CPC classification number: H04L9/3213, H04L9/3239, H04L29/06, H04L63/0428, H04L63/102, H04L67/1097
Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, access policies define authorizations regarding which entities are able to resolve a token to access the actual sensitive data.
-
Publication No.: US20160352695A1
Publication date: 2016-12-01
Application No.: US15235687
Application date: 2016-08-12
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
CPC classification number: H04L9/3213, H04L9/3239, H04L29/06, H04L63/0428, H04L63/102, H04L67/1097
Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, access policies define authorizations regarding which entities are able to resolve a token to access the actual sensitive data.
-
Publication No.: US11018874B2
Publication date: 2021-05-25
Application No.: US16525174
Application date: 2019-07-29
Applicant: Amazon Technologies, Inc.
Inventor: Arjun Dasarakothapalli, Morgan Akers, David Alan Blunt, Darin Keith McAdams
Abstract: A client obtains, in response to a request to a server, a response that includes data for fulfillment of the request, a digital signature that can be verified using a digital certificate, and location information that specifies a location where the digital certificate can be obtained. The client uses the location information to access the location and obtains the digital certificate. Using the digital certificate, the client evaluates the digital signature provided in the response to determine whether the digital signature is valid. If the digital signature is valid, the client accepts the data included in the response for fulfillment of the request.
-
Publication No.: US20200220854A1
Publication date: 2020-07-09
Application No.: US16817562
Application date: 2020-03-12
Applicant: Amazon Technologies, Inc.
Inventor: Dick Clarence Hardt, Darin Keith McAdams
Abstract: An identity provider receives a request to configure authentication for enabling single sign-on to a service provider. The identity provider identifies the authentication protocols supported by the service provider and determines whether it is compatible with these authentication protocols. As a result of the identity provider being compatible with at least some of the authentication protocols, the identity provider generates configuration information that is usable by the service provider to configure the authentication. The identity provider transmits, to a computer system, a response that causes the computer system to be redirected to the service provider in order to provide information usable by the service provider to obtain the configuration information.