-
公开(公告)号:US20170161505A1
公开(公告)日:2017-06-08
申请号:US14960553
申请日:2015-12-07
Applicant: Amazon Technologies, Inc.
Inventor: Matthew John Campagna , Gregory Alan Rubin , Eric Jason Brandwine , Matthew Shawn Wilson , Cristian M. Ilac
CPC classification number: G06F21/602 , G06F9/45558 , G06F21/57 , G06F2009/4557 , G06F2009/45587 , G06F2221/2153
Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
-
公开(公告)号:US09626512B1
公开(公告)日:2017-04-18
申请号:US14673713
申请日:2015-03-30
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , David R. Richardson , Matthew Shawn Wilson , Ian Paul Nowland , Anthony Nicholas Liguori , Brian William Barrett
CPC classification number: G06F21/57 , G06F9/45533 , G06F9/45541 , G06F9/45558 , G06F21/575 , G06F21/72 , G06F2009/45587 , G06F2221/034 , H04L9/0897 , H04L9/14 , H04L9/3247
Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.
-
公开(公告)号:US09614873B1
公开(公告)日:2017-04-04
申请号:US14683460
申请日:2015-04-10
Applicant: Amazon Technologies, Inc.
Inventor: Marvin M. Theimer , Eric Jason Brandwine , Marc J. Brooker , David Everard Brown , Christopher Richard Jacques de Kadt
IPC: G06F15/173 , H04L29/06 , G06F9/445
CPC classification number: H04L63/20 , G06F9/44505
Abstract: Users intending to launch instances or otherwise access virtual resources in a multi-tenant environment can specify a launch configuration. For each type of instance or each type of user, at least one launch configuration is created that includes parameters and values to be used in instantiating an instance of that type, the values being optimized for the current environment and type of instance. Launch configurations can be optimized for different types of users, such as to account for security credentials and access levels. Such an approach enables users to launch instances by contacting the resource provider directly without need for a proxy, which can function as a choke point under heavy load. The use of an appropriate launch configuration can be enforced for any type of user at any level, such as at the sub-net level, by modifying a request that does not specify an appropriate launch configuration.
-
254.发明授权Using virtual networking devices to manage routing communications between connected computer networks 有权使用虚拟网络设备管理连接的计算机网络之间的路由通信公开(公告)号:US09577876B2
公开(公告)日:2017-02-21
申请号:US14825006
申请日:2015-08-12
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Christopher Miller , Eric Jason Brandwine , Andrew J. Doane
CPC classification number: H04L41/0803 , H04L12/6418 , H04L29/06 , H04L29/08072 , H04L41/5054 , H04L67/141 , H04L67/16
Abstract: Techniques are described for providing managed virtual computer networks whose configured logical network topology may have one or more virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of a virtual computer network by emulating functionality that would be provided by the networking devices if they were physically present. The networking functionality provided for a managed computer network may include supporting a connection between that managed computer network and one or more other managed computer networks, such as via a provided virtual peering router to which each of the managed computer networks may connect, with the functionality of the virtual peering router being emulated by modules of the configurable network service without physically providing the virtual peering router, including to manage routing communications between the inter-connected managed computer networks in accordance with client-specified configuration information.
Abstract translation: 描述了用于提供被管理的虚拟计算机网络的技术,其被配置的逻辑网络拓扑可以具有一个或多个虚拟网络设备,诸如通过网络可访问的可配置网络服务,具有为虚拟计算机网络的多个计算节点之间的通信提供的相应的网络功能 通过模拟由网络设备提供的功能,如果它们是物理存在的。 为被管理的计算机网络提供的联网功能可以包括支持该被管理计算机网络与一个或多个其他被管理的计算机网络之间的连接,诸如经由所提供的虚拟对等路由器,每个被管理的计算机网络可以连接到该虚拟对等路由器与功能 虚拟对等路由器被可配置网络服务的模块仿真,而不物理地提供虚拟对等路由器,包括根据客户端指定的配置信息来管理连接在一起的被管理计算机网络之间的路由通信。
-
公开(公告)号:US09519696B1
公开(公告)日:2016-12-13
申请号:US14149702
申请日:2014-01-07
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
CPC classification number: G06F17/30569
Abstract: Data transformation policies specify conditions based at least in part on request features. When a request is received, features of the received request are used to determine any data transformation policies applicable to the request. When a data transformation policy applies to the request, a corresponding data transformation is applied to data responsive to the request. A response to the request comprising transformed data is provided.
Abstract translation: 数据转换策略至少部分地根据请求功能指定条件。 当接收到请求时,接收到的请求的特征被用于确定适用于请求的任何数据转换策略。 当数据转换策略适用于该请求时,相应的数据变换被应用于响应该请求的数据。 提供对包括变换数据的请求的响应。
-
Patent Agency Ranking
公开(公告)号:US09503268B2
公开(公告)日:2016-11-22
申请号:US13746780
申请日:2013-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Matthew Shawn Wilson
CPC classification number: H04L9/3263 , G06F9/45558 , G06F21/33 , G06F21/44 , G06F21/53 , G06F21/606 , G06F21/629 , G06F2221/2107
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.
Abstract translation: 描述了一组形式化的接口(例如,应用程序编程接口(API)),其使用诸如不对称(或对称)密码学的安全方案,以便保护诸如操作系统的系统上的特权操作的结果 OS)内核和/或管理程序。 该接口允许将公钥包括在对管理程序和/或内核执行特权操作的请求中。 内核和/或管理程序使用请求中包含的密钥加密特权操作的结果。 在一些实施例中,请求本身也可被加密,使得任何中间方不能读取请求的参数和其他信息。
-
公开(公告)号:US09443074B1
公开(公告)日:2016-09-13
申请号:US14099785
申请日:2013-12-06
Applicant: Amazon Technologies, Inc.
Inventor: Cornelle Christiaan Pretorius Janse Van Rensburg , Mark Joseph Cavage , Marc John Brooker , David Everard Brown , Abhinav Agrawal , Matthew S. Garman , Kevin Ross O'Neill , Eric Jason Brandwine , Christopher Richard Jacques de Kadt
CPC classification number: G06F21/45 , H04L63/0823 , H04L63/20 , H04L67/1002
Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
-
公开(公告)号:US20160255144A1
公开(公告)日:2016-09-01
申请号:US15154818
申请日:2016-05-13
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Kevin Christopher Miller , Andrew J. Doane
CPC classification number: H04L67/1029 , G06F9/45533 , G06F9/45558 , G06F11/1484 , G06F11/2007 , G06F11/2038 , G06F11/2048 , G06F11/2097 , G06F2009/45562 , G06F2201/85 , H04L61/2007 , H04L61/2503 , H04L61/6068 , H04L67/1097
Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.
-
公开(公告)号:US09432374B1
公开(公告)日:2016-08-30
申请号:US13974407
申请日:2013-08-23
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/10 , H04L29/02 , H04L41/069 , H04L41/28
Abstract: Disclosed are various embodiments for disabling administrative access to computing resources. A customer request is obtained to disable administrative access of a provider to one or more computing devices. The provider supplies computing resources of the at least one computing device to the customer. The administrative access of the provider to the computing devices is disabled in response to the request. The administrative access of the provider remains disabled until a reset of the computing devices is performed.
-
公开(公告)号:US20160217290A1
公开(公告)日:2016-07-28
申请号:US15090315
申请日:2016-04-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
CPC classification number: G06F21/602 , G06F21/6209 , H04L9/0819 , H04L9/0822 , H04L9/3226 , H04L9/3242 , H04L9/3247 , H04L63/0428 , H04L63/06 , H04L2209/76
Abstract: Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that to be/is stored, in encrypted form, by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.
-
-
-
-
-
-
-
-
-
Search Results
510
records
(took 0.034 seconds)
