Packet authentication and encryption in virtual networks
    271.
    Granted patent
    Packet authentication and encryption in virtual networks (in force)

    Publication number: US09197610B1

    Publication date: 2015-11-24

    Application number: US14060396

    Filing date: 2013-10-22

    Abstract: Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.
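
    As an added example (not code from the patent or its assignee), the key-distribution scheme described above in Python with the standard library only: a mapping service pushes the current key and its version id to a physical node when it learns the node's virtual-to-physical address mapping, and nodes authenticate encapsulated packets with an HMAC keyed by the version named in the packet header. The class and field names, the 4-byte version header, the HMAC-SHA256 tag and the one-version grace window are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct


class MappingService:
    """Holds the virtual->physical address map and the current key version
    (constructed stand-in for the mapping service in the abstract)."""

    def __init__(self):
        self.mappings = {}                  # virtual address -> physical address
        self.nodes = {}                     # physical address -> PhysicalNode
        self.key_version = 1
        self.keys = {1: secrets.token_bytes(32)}

    def register(self, node, virtual_addr):
        # Receiving a mapping triggers the push of the current key plus version id.
        self.mappings[virtual_addr] = node.physical_addr
        self.nodes[node.physical_addr] = node
        node.receive_key(self.key_version, self.keys[self.key_version])

    def rotate(self):
        # Issue a new key version and push it to every registered physical node.
        self.key_version += 1
        self.keys[self.key_version] = secrets.token_bytes(32)
        for node in self.nodes.values():
            node.receive_key(self.key_version, self.keys[self.key_version])


class PhysicalNode:
    GRACE_VERSIONS = 1   # keep one prior version so packets in flight survive rotation

    def __init__(self, physical_addr):
        self.physical_addr = physical_addr
        self.keys = {}                      # version id -> key material
        self.current = None

    def receive_key(self, version, key):
        self.keys[version] = key
        self.current = version
        for old in [v for v in self.keys if v < version - self.GRACE_VERSIONS]:
            del self.keys[old]              # expired versions are no longer accepted

    def encapsulate(self, payload: bytes) -> bytes:
        # wire format (assumed): version (4 bytes, big endian) || payload || HMAC-SHA256 tag
        header = struct.pack(">I", self.current)
        tag = hmac.new(self.keys[self.current], header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def decapsulate(self, packet: bytes):
        """Return the payload, or None if the version is unknown or the tag is wrong."""
        if len(packet) < 4 + 32:
            return None
        version = struct.unpack(">I", packet[:4])[0]
        key = self.keys.get(version)
        if key is None:
            return None                     # unknown or expired version: drop, never fall back
        body, tag = packet[:-32], packet[-32:]
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None
        return body[4:]


def demo():
    svc = MappingService()
    a, b = PhysicalNode("10.0.0.1"), PhysicalNode("10.0.0.2")
    svc.register(a, "192.168.1.10")
    svc.register(b, "192.168.1.20")
    pkt_v1 = a.encapsulate(b"hello")
    ok_v1 = b.decapsulate(pkt_v1)
    svc.rotate()                            # version 2 pushed to both nodes
    ok_v1_after = b.decapsulate(pkt_v1)     # still accepted inside the grace window
    pkt_v2 = a.encapsulate(b"hello again")
    ok_v2 = b.decapsulate(pkt_v2)
    tampered = pkt_v2[:4] + b"HELLO again" + pkt_v2[4 + len(b"hello again"):]
    bad_tag = b.decapsulate(tampered)       # payload altered, tag no longer verifies
    svc.rotate()                            # version 3: version 1 now outside the window
    expired = b.decapsulate(pkt_v1)
    return ok_v1, ok_v1_after, ok_v2, bad_tag, expired


if __name__ == "__main__":
    print(demo())
```

    Two details matter in practice: the receiver selects the key by the version carried in the packet rather than by "latest known", so a rotation does not drop packets that were already in flight, and a packet naming a version the node no longer holds is dropped outright rather than verified against some fallback key.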

    REVOCABLE SHREDDING OF SECURITY CREDENTIALS
    272.
    Patent application
    REVOCABLE SHREDDING OF SECURITY CREDENTIALS (pending, published)

    Publication number: US20150304310A1

    Publication date: 2015-10-22

    Application number: US14754321

    Filing date: 2015-06-29

    Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.
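
    As an added example (not code from the application or its assignee), a minimal multi-tenant cryptographic service in Python that honours only requests bound to the tenant owning the key: "use" hands back a data key derived inside the service instead of the master material, "export" returns the material wrapped under a customer-supplied key, and "destroy" is deferred so that it can be revoked within a window. The deferred destroy window, the XOR wrap and all names here are assumptions of the example; the revocable window is suggested by the title, not stated in the abstract.

```python
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    pass


class CryptoService:
    """Multi-tenant key service: master key material never leaves unwrapped and
    every operation is authorised against the tenant that owns the key."""

    SHRED_DELAY = 7 * 24 * 3600     # assumed: seconds a destroy stays revocable

    def __init__(self):
        self._keys = {}             # key_id -> {"tenant", "material", "destroy_at"}

    def create_key(self, tenant):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = {"tenant": tenant, "material": secrets.token_bytes(32),
                              "destroy_at": None}
        return key_id

    def _authorize(self, tenant, key_id, now):
        entry = self._keys.get(key_id)
        # One error for "no such key" and "not your key": tenants cannot probe each other's ids.
        if entry is None or entry["tenant"] != tenant:
            raise AccessDenied("request is not associated with this tenant's key")
        if entry["destroy_at"] is not None and now >= entry["destroy_at"]:
            del self._keys[key_id]  # window elapsed: the material is shredded for good
            raise AccessDenied("key material has been destroyed")
        return entry

    def derive_data_key(self, tenant, key_id, context: bytes, now=0):
        """'Use' the key: return a per-object data key derived with HMAC inside the
        service (envelope encryption), so the master material is never exposed."""
        entry = self._authorize(tenant, key_id, now)
        return hmac.new(entry["material"], b"data-key|" + context, hashlib.sha256).digest()

    def export_key(self, tenant, key_id, wrapping_key: bytes, now=0):
        """Export the material wrapped under a 32-byte customer key: toy one-time
        XOR plus an HMAC tag, standing in for a real key-wrap algorithm."""
        if len(wrapping_key) != 32:
            raise ValueError("wrapping key must be 32 bytes")
        entry = self._authorize(tenant, key_id, now)
        wrapped = bytes(m ^ w for m, w in zip(entry["material"], wrapping_key))
        tag = hmac.new(wrapping_key, wrapped, hashlib.sha256).digest()
        return wrapped + tag

    def schedule_destroy(self, tenant, key_id, now=0):
        entry = self._authorize(tenant, key_id, now)
        entry["destroy_at"] = now + self.SHRED_DELAY
        return entry["destroy_at"]

    def cancel_destroy(self, tenant, key_id, now=0):
        entry = self._authorize(tenant, key_id, now)
        entry["destroy_at"] = None


def demo():
    svc = CryptoService()
    kid = svc.create_key("tenant-a")
    dk1 = svc.derive_data_key("tenant-a", kid, b"object-1")
    dk2 = svc.derive_data_key("tenant-a", kid, b"object-2")
    try:
        svc.derive_data_key("tenant-b", kid, b"object-1")
        cross_tenant = "allowed"
    except AccessDenied:
        cross_tenant = "denied"
    svc.schedule_destroy("tenant-a", kid, now=0)
    svc.cancel_destroy("tenant-a", kid, now=100)            # revoked inside the window
    still_usable = svc.derive_data_key("tenant-a", kid, b"object-1", now=200) == dk1
    svc.schedule_destroy("tenant-a", kid, now=200)
    try:
        svc.derive_data_key("tenant-a", kid, b"object-1", now=200 + CryptoService.SHRED_DELAY)
        after_window = "usable"
    except AccessDenied:
        after_window = "destroyed"
    return dk1 != dk2, cross_tenant, still_usable, after_window


if __name__ == "__main__":
    print(demo())
```

    The check a practitioner wants is that the tenant binding is enforced on every path, including destroy and export, and that the error returned to a foreign tenant is indistinguishable from "no such key"; otherwise the key id space itself leaks information across tenants.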

    Managing use of intermediate destination computing nodes for provided computer networks
    273.
    Granted patent
    Managing use of intermediate destination computing nodes for provided computer networks (in force)

    Publication number: US09037691B1

    Publication date: 2015-05-19

    Application number: US13942530

    Filing date: 2013-07-15

    Abstract: Techniques are described for providing managed computer networks. In some situations, the techniques include managing communications for computing nodes of a managed computer network by using one or more particular computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select one or more particular intermediate destination computing nodes to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network. The manager module then forwards those communications to a first of the selected intermediate destination computing nodes for further handling.

    Custom routing decisions
    274.
    Granted patent
    Custom routing decisions (in force)

    Publication number: US09025468B1

    Publication date: 2015-05-05

    Application number: US14301255

    Filing date: 2014-06-10

    CPC classification number: H04L45/14 H04L12/4641 H04L45/02

    Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware rather than actual routers. For example, virtualization technologies such as those provided by VMWare, XEN, or User-Mode Linux can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing each virtual network user with one or more virtual machines hosted by the single physical computing machine, with each such virtual machine being a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource. In addition, routing can be accomplished through software, providing additional routing flexibility to the virtual network in comparison with traditional routing. As a result, in some implementations, supplemental information other than packet information can be used to determine network routing.

    Performing identified repeatable computations in a changing computing environment
    275.
    Granted patent
    Performing identified repeatable computations in a changing computing environment (in force)

    Publication number: US09003412B1

    Publication date: 2015-04-07

    Application number: US14064860

    Filing date: 2013-10-28

    Abstract: A physical computer system includes a processor and a memory configured to store instructions executable by the processor to implement a virtualization module, which in turn implements virtual machine(s) that execute an operating system distinct from any underlying operating system executed by the physical computer system. In response to a client request to initially perform a repeatable computation, the virtualization module instructs that the virtual machine(s) archive an original initial state of the repeatable computation, initially perform the repeatable computation, and archive an original terminal state of the repeatable computation. In response to a client request to repeat the repeatable computation, the virtualization module instructs that the virtual machine(s) be initialized according to configuration information indicated by the archived original initial state of the repeatable computation, and that the one or more virtual machines perform the repeatable computation to generate a new terminal state of the repeatable computation.
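
    As an added example (not code from the patent or its assignee), the archive-run-archive-replay cycle above reduced to a toy virtualization module in Python: the initial state is archived before the first run, the terminal state after it, and a repeat initialises a fresh virtual machine from the archived initial state only and compares the new terminal state against the archived one. The toy VM whose state is a dictionary, the JSON-over-SHA-256 state digest and the workloads are assumptions of the example.

```python
import hashlib
import json
import random


class VirtualMachine:
    """Toy VM: its entire state is a JSON-serialisable dict (assumed model)."""

    def __init__(self, config):
        self.state = dict(config)

    def run(self, workload):
        workload(self.state)
        return self.state


def state_digest(state):
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


class Archive:
    """Stores immutable copies of states, keyed by label."""

    def __init__(self):
        self.store = {}

    def put(self, label, state):
        self.store[label] = json.loads(json.dumps(state, sort_keys=True))
        return state_digest(state)

    def get(self, label):
        return json.loads(json.dumps(self.store[label]))


class VirtualizationModule:
    def __init__(self):
        self.archive = Archive()

    def initial_run(self, job, config, workload):
        """Archive the original initial state, run once, archive the terminal state."""
        self.archive.put(f"{job}/initial", config)
        terminal = VirtualMachine(config).run(workload)
        return self.archive.put(f"{job}/terminal", terminal)

    def repeat(self, job, workload):
        """Re-initialise strictly from the archived initial state and run again."""
        new_terminal = VirtualMachine(self.archive.get(f"{job}/initial")).run(workload)
        return state_digest(new_terminal), state_digest(self.archive.get(f"{job}/terminal"))


def monte_carlo(state):
    # Deterministic given the archived config: the RNG is seeded from it.
    rng = random.Random(state["seed"])
    hits = sum(1 for _ in range(state["samples"])
               if rng.random() ** 2 + rng.random() ** 2 <= 1.0)
    state["pi_estimate"] = 4 * hits / state["samples"]


def ambient_randomness(state):
    # Draws from host entropy the archive does not capture: replay cannot match.
    state["value"] = random.random()


def demo():
    vmm = VirtualizationModule()
    original = vmm.initial_run("pi-estimate", {"seed": 42, "samples": 10000}, monte_carlo)
    new, archived = vmm.repeat("pi-estimate", monte_carlo)
    repeatable = new == archived == original
    vmm.initial_run("entropy", {"seed": 42}, ambient_randomness)
    new2, archived2 = vmm.repeat("entropy", ambient_randomness)
    return repeatable, new2 == archived2


if __name__ == "__main__":
    print(demo())
```

    The second workload is the failure mode worth testing for: anything the computation reads from the changing environment (clock, entropy, network, host-specific files) but not from the archived initial state makes the replayed terminal state diverge, so a mismatch on replay is evidence of exactly such a dependency.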

    DETECTING ANOMALOUS BEHAVIOR PATTERNS IN AN ELECTRONIC ENVIRONMENT
    276.
    Patent application
    DETECTING ANOMALOUS BEHAVIOR PATTERNS IN AN ELECTRONIC ENVIRONMENT (pending, published)

    Publication number: US20150082428A1

    Publication date: 2015-03-19

    Application number: US14551819

    Filing date: 2014-11-24

    CPC classification number: H04L63/1408 G06F21/50 G06F21/554

    Abstract: The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources.

    Detecting anomalous behavior patterns in an electronic environment
    277.
    Granted patent
    Detecting anomalous behavior patterns in an electronic environment (in force)

    Publication number: US08959633B1

    Publication date: 2015-02-17

    Application number: US13828265

    Filing date: 2013-03-14

    CPC classification number: H04L63/1408 G06F21/50 G06F21/554

    Abstract: The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources.
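
    As an added example serving both this abstract and the identical abstract of the published application above (not code from either filing or their assignee), the baseline logic in Python run over a constructed fleet log: a baseline of (process, destination port) behaviours per resource group is learned from a training period; a behaviour outside the baseline is tracked by how many distinct resources of the same group show it within a window, and once that fraction crosses a threshold the baseline updates itself, while a behaviour confined to one host stays anomalous. The log format, the 75 percent adoption threshold, the ten-minute window and all names are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: <timestamp> <host> <group> <process> <destination port>
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 web-01 web nginx 443
2024-05-01T10:00:01 web-02 web nginx 443
2024-05-01T10:00:02 web-03 web nginx 443
2024-05-01T10:00:03 web-04 web nginx 443
2024-05-01T10:05:00 web-01 web otel-agent 4317
2024-05-01T10:05:10 web-02 web otel-agent 4317
2024-05-01T10:05:20 web-03 web otel-agent 4317
2024-05-01T10:05:30 web-04 web otel-agent 4317
2024-05-01T10:07:00 web-02 web bash 4444
2024-05-01T10:08:00 web-02 web bash 4444
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


class FleetBaseline:
    """Per-group baseline of acceptable behaviours that updates itself when a new
    behaviour appears on enough distinct resources of the same group."""

    def __init__(self, fleet_sizes, adopt_fraction=0.75, window=timedelta(minutes=10)):
        self.fleet_sizes = fleet_sizes              # group -> number of resources in it
        self.adopt_fraction = adopt_fraction
        self.window = window
        self.baseline = defaultdict(set)            # group -> {behaviour}
        self.sightings = defaultdict(dict)          # (group, behaviour) -> {host: last seen}

    def train(self, events):
        for _ts, _host, group, behavior in events:
            self.baseline[group].add(behavior)

    def evaluate(self, ts, host, group, behavior):
        if behavior in self.baseline[group]:
            return "accepted"
        seen = self.sightings[(group, behavior)]
        seen[host] = ts
        # Rate of spread: distinct resources showing the behaviour inside the window.
        recent = [h for h, t in seen.items() if ts - t <= self.window]
        if len(recent) / self.fleet_sizes[group] >= self.adopt_fraction:
            self.baseline[group].add(behavior)      # fleet-wide change: adopt into baseline
            del self.sightings[(group, behavior)]
            return "learned"
        return "anomalous"


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # skip malformed lines rather than crash
        ts, host, group, proc, port = m.groups()
        events.append((datetime.fromisoformat(ts), host, group, (proc, int(port))))
    return events


def run(text=SAMPLE_EVENTS, train_before="2024-05-01T10:05:00"):
    cutoff = datetime.fromisoformat(train_before)
    events = parse(text)
    fleet = FleetBaseline(fleet_sizes={"web": 4})
    fleet.train(e for e in events if e[0] < cutoff)
    return [(host, behavior, fleet.evaluate(ts, host, group, behavior))
            for ts, host, group, behavior in events if ts >= cutoff]


if __name__ == "__main__":
    for host, behavior, verdict in run():
        print(f"{host:8} {behavior[0]}:{behavior[1]:<6} {verdict}")
```

    The caveat that goes with this design: the adoption threshold is also the poisoning threshold. An attacker who can make three of the four hosts perform the same new behaviour inside the window gets it written into the baseline, so the fraction and window have to be chosen against how fast a real rollout moves versus how fast an intrusion could spread, and "learned" verdicts deserve a review trail of their own.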

    DATA LOSS PREVENTION TECHNIQUES
    278.
    Patent application
    DATA LOSS PREVENTION TECHNIQUES (pending, published)

    Publication number: US20150019858A1

    Publication date: 2015-01-15

    Application number: US13932872

    Filing date: 2013-07-01

    CPC classification number: H04L63/20 H04L63/0471 H04L63/06

    Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.

    VIRTUAL SERVICE PROVIDER ZONES
    279.
    Patent application
    VIRTUAL SERVICE PROVIDER ZONES (in force)

    Publication number: US20150006890A1

    Publication date: 2015-01-01

    Application number: US13932824

    Filing date: 2013-07-01

    CPC classification number: G06F21/602 G06F21/6218 G06F21/6254

    Abstract: A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
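
    As an added example serving both this abstract and the DATA LOSS PREVENTION TECHNIQUES abstract above (not code from either filing or their assignee), a Python API proxy that checks each field of a stored record against data policies and encrypts the matching values before they reach the service, under a key that lives only on the proxy; on retrieval the proxy decrypts them again. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) for a real AEAD, and the policies, record layout and names are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
import struct


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a toy replacement for AES-GCM, not for production.
    out = b""
    for i in range(0, n, 32):
        out += hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Assumed data policies: a value matching one of these is manipulated (encrypted) at the proxy.
DLP_POLICIES = {
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}


class StorageService:
    """The remote service: it sees only what the proxy sends and never the key."""

    def __init__(self):
        self.objects = {}

    def put(self, name, record):
        self.objects[name] = record

    def get(self, name):
        return self.objects[name]


class ServiceProxy:
    """API proxy between client and service: applies the policies field by field."""

    def __init__(self, service):
        self.service = service
        self.key = secrets.token_bytes(32)           # kept on the proxy side only

    def put(self, name, record: dict):
        stored, hits = {}, []
        for field, value in record.items():
            policy = next((p for p, rx in DLP_POLICIES.items()
                           if isinstance(value, str) and rx.match(value)), None)
            if policy:
                hits.append((field, policy))
                stored[field] = {"enc": encrypt(self.key, value.encode()).hex()}
            else:
                stored[field] = value
        self.service.put(name, stored)
        return hits                                  # what the policy engine flagged

    def get(self, name):
        record = self.service.get(name)
        return {f: decrypt(self.key, bytes.fromhex(v["enc"])).decode()
                if isinstance(v, dict) and "enc" in v else v
                for f, v in record.items()}


def demo():
    service = StorageService()
    proxy = ServiceProxy(service)
    record = {"name": "Ada", "ssn": "123-45-6789",
              "card": "4111 1111 1111 1111", "city": "Austin"}
    hits = proxy.put("customer/1", record)
    at_service = service.get("customer/1")           # what an operator of the service sees
    return hits, at_service["ssn"], proxy.get("customer/1") == record


if __name__ == "__main__":
    print(demo())
```

    Field-level rather than whole-record encryption is what keeps the service usable for the fields the policy does not cover; the price is that field names and the set of encrypted fields remain visible to the service, which is itself information a policy may need to address.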

    FEDERATED KEY MANAGEMENT
    280.
    Patent application
    FEDERATED KEY MANAGEMENT (in force)

    Publication number: US20140229737A1

    Publication date: 2014-08-14

    Application number: US13765209

    Filing date: 2013-02-12

    Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
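
    As an added example (not code from the application or its assignee), the request flow above in Python: a requester signs a request that names the holder of the key needed to process it, the service verifies the signature against the requester's registered key and rejects replays and stale requests, routes the work to the local or the third-party holder, and releases the result of an unwrap only after a delay during which the request can be cancelled. The symmetric HMAC signature, the XOR key wrap standing in for a real key-wrap algorithm, the five-minute delay and all names are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


class Rejected(Exception):
    pass


def canonical(request: dict) -> bytes:
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(signing_key: bytes, request: dict) -> str:
    return hmac.new(signing_key, canonical(request), hashlib.sha256).hexdigest()


class KeyHolder:
    """A system holding key-encryption keys: the local service or a third party.
    Toy XOR wrap under a 32-byte KEK stands in for a real key-wrap algorithm."""

    def __init__(self, name):
        self.name = name
        self.keks = {}

    def create_kek(self, key_id):
        self.keks[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id, data_key: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data_key, self.keks[key_id]))

    unwrap = wrap       # XOR is its own inverse


class FederatedKeyService:
    def __init__(self, local_holder, delay_seconds=300, max_skew=60):
        self.holders = {local_holder.name: local_holder}   # local and federated holders
        self.requesters = {}                               # requester id -> signing key
        self.seen = set()                                  # signatures already accepted
        self.delay = delay_seconds
        self.max_skew = max_skew
        self.pending = {}                                  # request id -> [request, release_at, cancelled]

    def register_holder(self, holder):
        self.holders[holder.name] = holder

    def register_requester(self, requester_id, signing_key):
        self.requesters[requester_id] = signing_key

    def submit(self, request, signature, now):
        key = self.requesters.get(request.get("requester"))
        if key is None or not hmac.compare_digest(sign(key, request), signature):
            raise Rejected("signature does not verify against the requester's key")
        if abs(now - request["timestamp"]) > self.max_skew:
            raise Rejected("stale request")
        if signature in self.seen:
            raise Rejected("replayed request")
        if request["key_holder"] not in self.holders:
            raise Rejected("unknown key holder")
        if request["op"] != "unwrap":
            raise Rejected("unsupported operation")
        self.seen.add(signature)
        rid = secrets.token_hex(8)
        self.pending[rid] = [request, now + self.delay, False]
        return rid

    def cancel(self, rid):
        self.pending[rid][2] = True

    def collect(self, rid, now):
        request, release_at, cancelled = self.pending[rid]
        if cancelled:
            return ("cancelled", None)
        if now < release_at:
            return ("pending", release_at - now)        # still inside the waiting period
        holder = self.holders[request["key_holder"]]
        return ("released", holder.unwrap(request["key_id"], bytes.fromhex(request["wrapped"])))


def demo():
    local, partner = KeyHolder("local-kms"), KeyHolder("partner-hsm")
    local.create_kek("k1")
    partner.create_kek("k2")
    svc = FederatedKeyService(local, delay_seconds=300)
    svc.register_holder(partner)
    alice_key = secrets.token_bytes(32)
    svc.register_requester("alice", alice_key)
    data_key = secrets.token_bytes(32)
    wrapped = partner.wrap("k2", data_key)               # key held by the third party
    req = {"requester": "alice", "op": "unwrap", "key_holder": "partner-hsm",
           "key_id": "k2", "wrapped": wrapped.hex(), "timestamp": 1000}
    sig = sign(alice_key, req)
    rid = svc.submit(req, sig, now=1000)
    early = svc.collect(rid, now=1100)[0]
    late = svc.collect(rid, now=1400)
    try:
        svc.submit(req, sig, now=1010)                   # same signed request again
        replay = "accepted"
    except Rejected:
        replay = "rejected"
    forged = dict(req, key_holder="local-kms", timestamp=1001)
    try:
        svc.submit(forged, sig, now=1001)                # holder changed, old signature
        forged_result = "accepted"
    except Rejected:
        forged_result = "rejected"
    req2 = dict(req, timestamp=2000)
    rid2 = svc.submit(req2, sign(alice_key, req2), now=2000)
    svc.cancel(rid2)                                     # withdrawn during the waiting period
    return early, late == ("released", data_key), replay, forged_result, svc.collect(rid2, now=3000)[0]


if __name__ == "__main__":
    print(demo())
```

    The delay is only a mitigation if someone is positioned to act on it: the pending request has to be visible to the customer (an alert, an audit entry) before the release time, and the cancel path must be authorised at least as strictly as the submit path, otherwise the window gives an attacker with the requester's key nothing to fear.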
