公开(公告)号：US09973488B1

公开(公告)日：2018-05-15

申请号：US14097130

申请日：2013-12-04

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Bradley Jeffrey Behm

IPC: H04L29/06

CPC classification number: H04L63/0807 ,  H04L63/083

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

公开(公告)号：US09959132B2

公开(公告)日：2018-05-01

申请号：US14821560

申请日：2015-08-07

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Stephen E. Schmidt

IPC: G06F9/46 ,  G06F9/455 ,  G06F9/50 ,  H04L12/24 ,  G06F9/48

CPC classification number: G06F9/45558 ,  G06F9/4856 ,  G06F9/5077 ,  G06F9/5088 ,  G06F2009/4557 ,  H04L41/0896

Abstract: Systems and method for the management of virtual machine instances are provided. A network data transmission analysis system can use contextual information in the execution of virtual machine instances to isolate and migrate virtual machine instances onto physical computing devices. The contextual information may include information obtained in observing the execution of virtual machines instances, information obtained from requests submitted by users, such as system administrators. Still further, the network data transmission analysis system can also include information collection and retention for identified virtual machine instances.

公开(公告)号：US20180115587A1

公开(公告)日：2018-04-26

申请号：US15849351

申请日：2017-12-20

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine

IPC: H04L29/06

CPC classification number: H04L63/20

Abstract: A request to access one or more computing resources is received by a system. The system performs one or more operations in response to the request according to one or more security polices, the one or more operations selected according to a substantially random selection process. A response to the request is caused based at least in part on the one or more operations.

公开(公告)号：US09954866B2

公开(公告)日：2018-04-24

申请号：US14866673

申请日：2015-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L9/08 ,  H04L29/06 ,  G06F21/33 ,  H04L9/32

CPC classification number: H04L63/102 ,  G06F21/335 ,  G06F2221/2137 ,  H04L9/083 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/32 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/06 ,  H04L63/08 ,  H04L2209/38

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

公开(公告)号：US09900214B2

公开(公告)日：2018-02-20

申请号：US14954734

申请日：2015-11-30

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Christopher Miller ,  Eric Jason Brandwine ,  Andrew J. Doane

IPC: G06F15/173 ,  H04L12/24 ,  H04L12/701 ,  H04L12/751 ,  H04L12/46

CPC classification number: H04L41/0813 ,  H04L12/4641 ,  H04L41/12 ,  H04L45/00 ,  H04L45/02

Abstract: Techniques are described for providing managed virtual computer networks that may have a configured logical network topology with one or more virtual networking devices, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the networking devices if they were physically present. In some situations, the emulating of networking device functionality includes receiving routing communications directed to the networking devices and using included routing information to update the configured network topology for the managed computer network. In addition, the techniques may further include supporting interactions with devices that are external to the virtual computer network, including remote physical networking devices that are part of a remote computer network configured to interoperate with the virtual computer network, and/or specialized network devices that are accessible via a substrate network on which the virtual computer network is overlaid.

公开(公告)号：US09882773B2

公开(公告)日：2018-01-30

申请号：US14195379

申请日：2014-03-03

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Marvin M. Theimer

IPC: G06F9/455 ,  G06F9/46 ,  G06F15/173 ,  H04L12/24 ,  G06F9/50

CPC classification number: H04L41/0806 ,  G06F9/5061 ,  H04L41/5054 ,  H04L41/5096

Abstract: Control planes of virtual resource providers may be customized in a secure, stable and efficient manner with virtual control planes. Control planes may be modularized. Control plane modules may be supplied with data from standardized sensors, and required to generate standardized resource configuration requests responsive to solicitations with specified response latencies. Custom control plane modules may be selected to replace or complement default control plane modules. Financial and computational costs associated with control plane modules may be tracked. Competing resource configurations may be mediated by a control plane supervisor. Such mediation may be based on control plane module reputation scores. Reputation scores may be based on customer feedback ratings and/or measured performance with respect to module goals. Mediated configuration parameter values may be based on a combination of competing configuration parameter values weighted according to reputation. Contribution of individual modules to goal achievement may be tracked and rewarded accordingly.

公开(公告)号：US09872067B2

公开(公告)日：2018-01-16

申请号：US15063331

申请日：2016-03-07

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Marc R. Barbour ,  Bradley Jeffery Behm ,  Cristian M. Ilac ,  Eric Jason Brandwine

IPC: G06F21/00 ,  H04N21/4405 ,  G06F21/60 ,  G06F21/62 ,  G06F21/64 ,  H04L9/08 ,  H04L9/32 ,  H04N21/4627

CPC classification number: H04N21/44055 ,  G06F21/60 ,  G06F21/602 ,  G06F21/6218 ,  G06F21/64 ,  H04L9/0819 ,  H04L9/088 ,  H04L9/3242 ,  H04L2209/24 ,  H04L2209/38 ,  H04N21/4627

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

公开(公告)号：US20180013624A1

公开(公告)日：2018-01-11

申请号：US15702589

申请日：2017-09-12

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Christopher Miller ,  Eric Jason Brandwine ,  Andrew J. Doane

IPC: H04L12/24 ,  H04L12/701 ,  H04L12/26

CPC classification number: H04L41/0826 ,  H04L43/50 ,  H04L45/00 ,  H04L45/121 ,  H04L45/14 ,  H04L45/22

Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present. In some situations, the networking functionality provided for a managed computer network of a client includes receiving routing communications directed to the virtual networking devices and using included routing cost information to update the configuration of the managed computer network, and/or includes determining actual cost information corresponding to use of an underlying substrate network and providing routing cost information to the client that reflects the determined actual cost information, so as to enable the client to modify the configuration of the managed computer network accordingly.

公开(公告)号：US09853949B1

公开(公告)日：2017-12-26

申请号：US13866768

申请日：2013-04-19

Applicant: Amazon Technologies, Inc.

Inventor： Thomas Charles Stickle ,  Eric Jason Brandwine

IPC: H04L29/06 ,  G06F1/12 ,  H04L9/32

CPC classification number: H04L63/0428 ,  G06F1/12 ,  G06F21/606 ,  G06F2221/2115 ,  G06F2221/2151 ,  H04L9/3297 ,  H04L2463/121

Abstract: Methods and apparatus for a secure time service are disclosed. A time server including a time source, a cryptographic key and a cryptographic engine is instantiated within a provider network. A time service endpoint receives a timestamp request from a client. The endpoint transmits a representation of the request to the time server, and receives, from the time server, an encryption of at least a timestamp generated using the time source. A response comprising the encryption of at least the timestamp is transmitted to the requesting client.

公开(公告)号：US20170366551A1

公开(公告)日：2017-12-21

申请号：US15694697

申请日：2017-09-01

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine

IPC: H04L29/06 ,  H04L12/911

CPC classification number: H04L47/70 ,  H04L63/102

Abstract: Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable cause state information to be maintained for a customer.