-
Publication (Announcement) No.: US11616800B2
Publication (Announcement) Date: 2023-03-28
Application No.: US16985954
Filing Date: 2020-08-05
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
IPC: H04L9/40, H04L41/0869, H04L41/22, G06F21/55, G06F21/57, G06F21/60, H04L41/0893
Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security policy is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine that two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.
-
Publication (Announcement) No.: US11245701B1
Publication (Announcement) Date: 2022-02-08
Application No.: US15993455
Filing Date: 2018-05-30
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, John Cook
Abstract: At an authorization manager, an indication is obtained that a request pre-processing tool has been designated as a validator for a category of requests directed to a network-accessible service. The authorization manager determines, based at least in part on a validation result set indicated in a request of the category, that the request pre-processing tool has verified that the request meets an authorization requirement. The authorization manager approves one or more operations indicated in the request.
-
Publication (Announcement) No.: US11200144B1
Publication (Announcement) Date: 2021-12-14
Application No.: US15696056
Filing Date: 2017-09-05
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Kalpana Gondi, Michael Tautschnig
IPC: G06F11/36
Abstract: Methods, systems, and computer-readable media for refinement of static analysis of program code are disclosed. A report is received. The report was generated using initial static analysis of program code. The report indicates a plurality of warnings regarding the program code, at least some of which represent potential flaws, and the warnings are associated with a plurality of segments of the program code. Additional analysis of the segments of program code is performed. The additional analysis differs at least in part from the initial static analysis. Based at least in part on the additional analysis, at least some of the warnings are determined to represent false positives.
-
Publication (Announcement) No.: US11017107B2
Publication (Announcement) Date: 2021-05-25
Application No.: US15913741
Filing Date: 2018-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Neha Rungta, Pauline Virginie Bolignano, Catherine Dodge, Carsten Varming, John Cook, Rajesh Viswanathan, Daryl Stephen Cooke, Santosh Kalyankrishnan
Abstract: A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be sent to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.
-
Publication (Announcement) No.: US10769250B1
Publication (Announcement) Date: 2020-09-08
Application No.: US15794757
Filing Date: 2017-10-26
Applicant: Amazon Technologies, Inc.
Inventor: Michael Tautschnig, John Cook
Abstract: Techniques for targeted security monitoring using semantic behavioral change analysis are described. A mutation monitor can use a code repository to generate a build of a software project prior to a code commit and another build after the code commit. An instruction-difference between the builds can be generated and used to perform a change impact analysis to identify control-flow and data dependencies changed as a result of the code commit. A semantic difference can be generated by annotating a syntactic difference for the code commit based on the identified control-flow and data dependency changes to allow for the behavioral changes to be easily shown to a user. Security impact analysis can be performed on parts of the software impacted by the code commit to quickly determine the security impacts introduced by the code commit.
-
Publication (Announcement) No.: US11863563B1
Publication (Announcement) Date: 2024-01-02
Application No.: US15923832
Filing Date: 2018-03-16
Applicant: Amazon Technologies, Inc.
Inventor: Neha Rungta, Tyler Stuart Bray, Kasper Søe Luckow, Alexander Watson, Jeff Puchalski, John Cook, Michael Gough
IPC: H04L9/40
CPC classification number: H04L63/105, H04L63/20
Abstract: The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.
-
Publication (Announcement) No.: US20230370473A1
Publication (Announcement) Date: 2023-11-16
Application No.: US18359456
Filing Date: 2023-07-26
Applicant: Amazon Technologies, Inc.
Inventor: Neha Rungta, Tyler Stuart Bray, Kasper Søe Luckow, Alexander Watson, Jeff Puchalski, John Cook, Michael Gough
IPC: H04L9/40
CPC classification number: H04L63/105, H04L63/20
Abstract: The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.
-
Publication (Announcement) No.: US11418532B1
Publication (Announcement) Date: 2022-08-16
Application No.: US16842496
Filing Date: 2020-04-07
Applicant: Amazon Technologies, Inc.
Inventor: Michael Tautschnig, Neha Rungta, John Cook, Pauline Virginie Bolignano, Todd Granger MacDermid, Oksana Tkachuk
Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations of the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.
-
Publication (Announcement) No.: US20200067785A1
Publication (Announcement) Date: 2020-02-27
Application No.: US16672120
Filing Date: 2019-11-01
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication (Announcement) No.: US10469324B2
Publication (Announcement) Date: 2019-11-05
Application No.: US15359500
Filing Date: 2016-11-22
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-