DYNAMIC RESPONSE SIGNING CAPABILITY IN A DISTRIBUTED SYSTEM

    Publication (announcement) number: US20190296917A1

    Publication (announcement) date: 2019-09-26

    Application number: US16440899

    Application date: 2019-06-13

    Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

    Permissions decisions in a service provider environment

    Publication (announcement) number: US10382449B2

    Publication (announcement) date: 2019-08-13

    Application number: US15652198

    Application date: 2017-07-17

    Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Accordingly, approaches for delegating security rights and privileges for services and resources in an electronic and/or multi-tenant environment are provided. In particular, various embodiments provide approaches for dynamically determining and authorizing delegation of permissions to perform actions in, on, or against one or more secured accounts, where those accounts may be associated with a number of different entities and/or resource providers.

    Managing use of alternative intermediate destination computing nodes for provided computer networks

    Publication (announcement) number: US10361911B2

    Publication (announcement) date: 2019-07-23

    Application number: US15061851

    Application date: 2016-03-04

    Abstract: Techniques are described for managing communications for a managed computer network by using a defined pool of alternative computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select a particular alternative intermediate destination computing node from a defined pool to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network and/or on one or more other selection criteria (e.g., to enable load balancing between the alternative computing nodes). The manager module then forwards those communications to the selected intermediate destination computing node for further handling.

    Forced data transformation policy
    215.
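    Granted invention patent

    Publication (announcement) number: US10331895B1

    Publication (announcement) date: 2019-06-25

    Application number: US14149725

    Application date: 2014-01-07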

    Abstract: Logical data containers of a data storage system are associated with policies that require data transformation of data to be stored in the logical data containers. When a data object is received to be stored in a logical data container, the data object is transformed in accordance with a policy on the logical data container. Transformation of the data object may include encryption. The logical data container may also be associated with a cryptographic key used to perform a required transformation.

    Block chain based authentication
    216.
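    Granted invention patent

    Publication (announcement) number: US10318747B1

    Publication (announcement) date: 2019-06-11

    Application number: US14984069

    Application date: 2015-12-30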

    Abstract: A computing system includes a programming interface of a control interface of a distributed computing environment, a service layer of the control interface, and a manager of the control interface. The programming interface is configured to receive a block of a block chain database. The block includes a ledger that includes a plurality of transactional data records. The service layer is configured to analyze the plurality of records to determine that one of the plurality of records is an indication of a request by a client for a service provided by a data interface of the distributed computing environment. The manager is configured to allocate access to execute the request in response to receiving the indication of the request.

    CHAINED SECURITY SYSTEMS
    217.
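    Invention patent application

    Publication (announcement) number: US20190138736A1

    Publication (announcement) date: 2019-05-09

    Application number: US16237703

    Application date: 2019-01-01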

    Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.

    TECHNIQUES FOR CREDENTIAL GENERATION
    218.
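    Invention patent application

    Publication (announcement) number: US20190036901A1

    Publication (announcement) date: 2019-01-31

    Application number: US16152132

    Application date: 2018-10-04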

    Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.

    SERVICE MANIFESTS
    219.
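    Invention patent application
    SERVICE MANIFESTS (under examination, published)

    Publication (announcement) number: US20190012196A1

    Publication (announcement) date: 2019-01-10

    Application number: US16118264

    Application date: 2018-08-30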

    Abstract: Generally described, aspects of the present disclosure relate to managing the configuration and security policies of hosted virtual machine networks. Hosted virtual machine networks are configured in a manner such that a virtual machine manager component can establish service manifests that correspond to information required by the virtual machine network from a user/customer. The virtual machine manager component can also publish in the service manifests contractual information, such as security risk assessments, that are deemed to have been provided and accepted by the user/customer in instantiating virtual machine networks. If the processed service manifest information remains valid, a substrate network process requests or independently instantiate services or components in accordance with the configuration information and security risk information included in the processed service manifest.
