公开(公告)号：US20220191206A1

公开(公告)日：2022-06-16

申请号：US17119868

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L29/06 ,  H04L12/24

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

公开(公告)号：US11301357B1

公开(公告)日：2022-04-12

申请号：US16584611

申请日：2019-09-26

Applicant: Amazon Technologies, Inc.

Inventor： Andrew Jude Gacek ,  Neha Rungta ,  Lee Pike

IPC: G06F11/36 ,  G06F11/32

Abstract: Techniques for performing compile-time checks of source code using static analysis are described herein. One or more application programming interface calls to a remote computing service provider are detected in a set of source code listings using static analysis, and properties of each call are checked against a user-defined model containing rules defining incorrect behavior. If incorrect behavior is detected, a visualization is presented containing information about the incorrect behavior.

公开(公告)号：US11861409B2

公开(公告)日：2024-01-02

申请号：US17218541

申请日：2021-03-31

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Andres Philipp Noetzli ,  Neha Rungta ,  Jingmei Hu

IPC: G06F9/46 ,  G06F9/50 ,  G06F9/54

CPC classification number: G06F9/505 ,  G06F9/5038 ,  G06F9/5072 ,  G06F9/541

Abstract: Techniques are described for efficiently distributing across multiple computing resources satisfiability modulo theories (SMT) queries expressed in propositional logic with string variables. As part of the computing-related services provided by a cloud provider network, many cloud providers also offer identity and access management services, which generally help users to control access and permissions to the services and resources (e.g., compute instances, storage resources, etc.) obtained by users via a cloud provider network. By using resource policies, for example, users can granularly control which identities are able to access specific resources associated with the users' accounts and how those identities can use the resources. The ability to efficiently distribute the analysis of SMT queries expressed in propositional logic with string variables among any number of separate computing resources (e.g., among separate processes, compute instances, containers, etc.) enables the efficient analysis of such policies.

公开(公告)号：US11483317B1

公开(公告)日：2022-10-25

申请号：US16206859

申请日：2018-11-30

Applicant: Amazon Technologies, Inc.

Inventor： Pauline Virginie Bolignano ,  John Byron Cook ,  Andrew Jude Gacek ,  Kasper Luckow ,  Neha Rungta ,  Cole Schlesinger ,  Ian Sweet ,  Carsten Varming

IPC: H04L9/40 ,  G06F16/901 ,  G06F9/54

Abstract: A policy auditing service can be implemented, in accordance with at least one embodiment that obtains a set of parameters that indicates a snapshot of a policy configuration for an account, a query, and a security policy. The security policy may encode a security requirement or invariant. The policy auditing system may determine states that can be reached via mutative operations (e.g., role assumption) and use a policy analyzer service to determine whether assuming a role results in a grant of access that is at least as permissive as the security policy of the set of parameters.

公开(公告)号：US11128653B1

公开(公告)日：2021-09-21

申请号：US16219622

申请日：2018-12-13

Applicant: Amazon Technologies, Inc.

Inventor： Oksana Tkachuk ,  Claudia Cauli ,  Neha Rungta ,  Pauline Virginie Bolignano ,  Juan Rodriguez Hortala ,  Sean Maher

IPC: H04L29/06 ,  H04L12/26 ,  H04L12/24 ,  G06F16/901 ,  G06F9/50 ,  G06F16/36 ,  G06F16/335

Abstract: In some embodiments, a system is provided, and computer-executable instructions cause the system to: obtain a file with instructions for provisioning resources of a service by referencing types of compute resources and including instructions for generating a customized resource of a first type; determine that the file references a first type of compute resources; retrieve threat modeling information associated with the first type of resource, including information identifying a first potential threat; generate a graph with nodes representing the first type of resource, the customized resource, and the first potential threat, and an edge connecting the first node and the second node with a predicate indicative of the relationship them; generate an ontology statement that relate the customized resource and first type of resource; and provide a plurality of ontology statements representing the graph to a reasoner to perform at least a portion of a security review without user intervention.

公开(公告)号：US10922423B1

公开(公告)日：2021-02-16

申请号：US16015114

申请日：2018-06-21

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Kasper Søe Luckow ,  Andrew Jude Gacek ,  Carsten Varming ,  John Cook

IPC: G06F21/60 ,  G06F21/44

Abstract: A security policy analyzer service of a computing resource service provider performs evaluations of security policies provided by the service provider's users, to determine whether the security policies are valid, satisfiable, accurate, and/or sufficiently secure. The service may compare the user-provided policy to a stored or best-practices policy to begin the evaluation, translating encoded security permissions into propositional logic formulae that can be compared to determine which policy is more permissive. The service determines values of the parameters in a request for access to a computing resource based on the policy comparison, and generates request contexts using the values. The service uses the request contexts to generate one or more comparative policies that are then used iteratively as the second policy in the comparison to the user-provided policy, in order to produce additional request contexts that represent allow/deny “edge cases” along the borders of policy permission statements.

公开(公告)号：US20200073783A1

公开(公告)日：2020-03-05

申请号：US16122676

申请日：2018-09-05

Applicant: Amazon Technologies, Inc.

Inventor： Juan Rodriguez Hortala ,  Neha Rungta ,  Mark R. Tuttle ,  Serdar Tasiran ,  Michael Tautschnig ,  Andrea Nedic ,  Carsten Varming ,  John Byron Cook ,  Sean McLaughlin

IPC: G06F11/36 ,  G06F9/50 ,  G06F8/65 ,  G06F9/54

Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.

公开(公告)号：US20190007443A1

公开(公告)日：2019-01-03

申请号：US15637227

申请日：2017-06-29

Applicant: Amazon Technologies, Inc.

Inventor： John Cook ,  Neha Rungta ,  Catherine Dodge ,  Jeff Puchalski ,  Carsten Varming

IPC: H04L29/06 ,  H04L12/24 ,  G06F21/55

Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.

公开(公告)号：US11863563B1

公开(公告)日：2024-01-02

申请号：US15923832

申请日：2018-03-16

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Tyler Stuart Bray ,  Kasper Søe Luckow ,  Alexander Watson ,  Jeff Puchalski ,  John Cook ,  Michael Gough

IPC: H04L9/40

CPC classification number: H04L63/105 ,  H04L63/20

Abstract: The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.

公开(公告)号：US20230370473A1

公开(公告)日：2023-11-16

申请号：US18359456

申请日：2023-07-26

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Tyler Stuart Bray ,  Kasper Søe Luckow ,  Alexander Watson ,  Jeff Puchalski ,  John Cook ,  Michael Gough

IPC: H04L9/40

CPC classification number: H04L63/105 ,  H04L63/20

Abstract: The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.