-
Publication No.: US20170359356A1
Publication Date: 2017-12-14
Application No.: US15652198
Filing Date: 2017-07-17
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
CPC classification number: H04L63/108 , G06F21/604 , G06F2221/0791 , H04L41/50 , H04L63/08 , H04L67/10
Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Accordingly, approaches for delegating security rights and privileges for services and resources in an electronic and/or multi-tenant environment are provided. In particular, various embodiments provide approaches for dynamically determining and authorizing delegation of permissions to perform actions in, on, or against one or more secured accounts, where those accounts may be associated with a number of different entities and/or resource providers.
-
242.
Publication No.: US20170346689A1
Publication Date: 2017-11-30
Application No.: US15663592
Filing Date: 2017-07-28
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller , Eric Jason Brandwine , Andrew J. Doane
IPC: H04L12/24 , H04L12/715 , H04L12/751 , H04L12/713
CPC classification number: H04L41/0816 , H04L41/12 , H04L45/02 , H04L45/04 , H04L45/586
Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present. In some situations, the networking functionality provided for a managed computer network of a client includes receiving routing communications directed to the virtual networking devices and using included routing information to update the configuration of the managed computer network, such as to allow at least some computing nodes of a managed computer network to dynamically signal particular types of uses of one or more indicated target network addresses and/or to dynamically signal use of particular external public network addresses based on such routing information.
-
Publication No.: US09792143B1
Publication Date: 2017-10-17
Application No.: US14921555
Filing Date: 2015-10-23
Applicant: Amazon Technologies, Inc.
Inventor: Nachiketh Rao Potlapally , Derek Del Miller , Mark Bradley Davis , Matthew Shawn Wilson , Eric Jason Brandwine , Anthony Nicholas Liguori , Rahul Gautam Patel
CPC classification number: G06F9/45558 , G06F21/53 , G06F21/6218 , G06F21/72 , G06F21/74 , G06F2009/45587
Abstract: The performing of virtual machine (VM)-based secure operations is enabled using a trusted co-processor that is able to operate in a secure mode to perform operations in a multi-tenant environment that are protected from other VMs and DOM-0, among other domains and components. A customer VM can contact a VM manager (VMM) to perform an operation with respect to sensitive data. The VMM can trigger secure mode operation, whereby memory pages are marked and access blocked to entities outside a trusted enclave. The trusted co-processor can measure the VMM and compare the result against an earlier result to ensure that the VMM has not been compromised. Once the operations are performed, the trusted co-processor can return the results, and the VMM can exit the secure mode such that access to the marked pages and customer data is restored.
-
Publication No.: US09767445B1
Publication Date: 2017-09-19
Application No.: US14109852
Filing Date: 2013-12-17
Applicant: Amazon Technologies, Inc.
Inventor: Marc J. Brooker , David Brown , Eric Jason Brandwine , Marvin M. Theimer , Abhinav Agrawal
CPC classification number: G06Q20/145 , G06Q20/14 , G06Q30/04 , H04M15/58
Abstract: Techniques, including systems and methods, for virtual resource cost tracking account for unused capacity of implementation resources that are dedicated to particular customers and, as a result, are unusable for maintaining virtual resources for other customers. Customers requesting dedicated use of implementation resources are charged in a manner that compensates the virtual resource provider for the lost ability to use unused capacity of implementation resources to serve other customers. Customer charges may be determined by a pricing function that is calculated such that, for a base of customers, expected revenue from the base of customers approximates a revenue goal. The revenue goal may be determined based on revenue that would have been expected had the unused capacity of the dedicated implementation resources been available for serving other customers.
-
Publication No.: US09754297B1
Publication Date: 2017-09-05
Application No.: US14052511
Filing Date: 2013-10-11
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Swaminathan Sivasubramanian , Bradley E. Marshall , Tate Andrew Certain
IPC: G06Q30/04 , H04L12/14 , H04M15/00 , H04L12/715
CPC classification number: G06Q30/04 , H04L12/14 , H04L12/1432 , H04L12/1485 , H04L45/02 , H04L45/64 , H04M15/43 , H04M15/80 , H04M15/8022 , H04M15/8044
Abstract: Systems, methods, and computer-readable media for network routing metering are disclosed. In some embodiments, various changes to the routes, and other actions requested by a computer system, physical or virtual, can be metered. Those actions may be performed and later rated in order to determine what amount, if any, to charge an account associated with the requesting network participant system. The network participant system can be billed based on the activities performed on its behalf. Therefore, even if a network is performing poorly and requires more resources than would normally be allowed by a neighboring router, if the network owner pays to have these requests performed, then the embodiments herein can allocate more resources to supporting that rapidly changing network.
-
Publication No.: US09754116B1
Publication Date: 2017-09-05
Application No.: US14476600
Filing Date: 2014-09-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Aaron Douglas Dokey , Eric Jason Brandwine , Nathan Bartholomew Thomas
CPC classification number: G06F21/602 , G06F21/57 , G06F21/6218
Abstract: Techniques for operating web services within secure execution environments running within computing resource service provider environments are described herein. A web service provides an application that can be instantiated within a secure execution environment associated with a customer computer system that is hosted by a computing resource service provider and programmatically managed by the customer, and the customer computer system provides validation of the secure execution environment. Web service requests from the customer computer system are received by the web service application hosted within the secure execution environment. As the one or more web service requests are received by the web service within the secure execution environment, the requests are fulfilled by executing instructions associated with the web service within the secure execution environment.
-
Publication No.: US09729517B2
Publication Date: 2017-08-08
Application No.: US13746702
Filing Date: 2013-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Matthew Shawn Wilson
CPC classification number: H04L63/0428 , G06F3/0647 , G06F9/45558 , G06F9/4856 , G06F21/57 , G06F2009/45562 , G06F2009/4557 , G06F2009/45587 , H04L9/0844 , H04L63/0869
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to enable secure migration of virtual machine instances between multiple host computing devices. The migration is performed by receiving a request to migrate a virtual machine, where the request includes public keys for the source host computing device and the destination host computing device. The source and destination hosts use the public keys to establish an encrypted session and then use the encrypted session to migrate the virtual machine.
-
Publication No.: US09727743B1
Publication Date: 2017-08-08
Application No.: US15012639
Filing Date: 2016-02-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Nathan R. Fitch , Bradley Jeffery Behm , Patrick J. Ward , Graeme D. Baer , Eric Jason Brandwine
CPC classification number: G06F21/6227 , G06F17/30389 , G06F17/30427 , G06F17/30477 , G06F21/602 , G06F21/6218 , H04L9/3247 , H04L9/3263
Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.
-
Publication No.: US09703976B1
Publication Date: 2017-07-11
Application No.: US14742240
Filing Date: 2015-06-17
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
CPC classification number: G06F21/6218 , G06F21/602 , G06F21/606 , H04L63/0435
Abstract: Large volumes of data can be securely imported to, and exported from, a data storage service or other such location without a customer having to manage keys or encryption. A data management component can execute on a client device that can identify data to be stored and obtain the appropriate key for encrypting the data. Once the data is encrypted, the data can be written to a portable storage device, which can be shipped to the data storage service. When the device is received at the data storage service, an ingestion station reads the encrypted data and causes the encrypted data to be stored to the data storage service. The data remains encrypted from the client device through being stored to the data storage service. When a request for the data is received, the data can be decrypted and returned in response to the request.
-
Publication No.: US20170195119A1
Publication Date: 2017-07-06
Application No.: US15462604
Filing Date: 2017-03-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0428 , H04L9/0822 , H04L9/0825 , H04L9/083 , H04L9/0891 , H04L9/0894 , H04L9/14 , H04L9/16 , H04L9/3213 , H04L9/3234 , H04L9/3247 , H04L63/0435 , H04L63/0807
Abstract: A plurality of devices, having common access to a first key under which a set of data objects used by the plurality of devices are encrypted, is caused to replace the first key with a second key by at least causing a device of the plurality of devices to encrypt a subset of the set of data objects that are not selected for electronic shredding, and to allow access to a data object of the subset regardless of whether the data object is encrypted using the first key or the second key. At a time after the data object becomes accessible by using the second key, each of the plurality of devices is verified to have common access to the second key, and the plurality of devices is caused to lose access to the first key.