公开(公告)号：US20170134348A1

公开(公告)日：2017-05-11

申请号：US15410450

申请日：2017-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/62 ,  H04L29/08 ,  G06F21/60

CPC classification number: H04L63/0471 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  H04L9/0894 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/045 ,  H04L63/08 ,  H04L67/1097 ,  H04L2209/76

Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

公开(公告)号：US09600664B1

公开(公告)日：2017-03-21

申请号：US14475940

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Peter Zachary Bowen

IPC: G06F21/00 ,  G06F21/55 ,  G06F9/455

CPC classification number: G06F21/53 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/55 ,  G06F21/554 ,  G06F21/604 ,  G06F2009/45575 ,  G06F2009/45587 ,  G06F2009/45591 ,  G06F2221/034

Abstract: Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or performing other types of functionality.

公开(公告)号：US20170070492A1

公开(公告)日：2017-03-09

申请号：US14849488

申请日：2015-09-09

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Alan Rubin ,  Gregory Branchek Roth

IPC: H04L29/06 ,  G06F21/64 ,  G06F17/30

CPC classification number: G06F21/64 ,  G06F17/30312 ,  G06F17/30371 ,  G06F21/645 ,  H04L63/126

Abstract: A computer system encodes a plurality of components of a data set into a probabilistic data structure and digitally signs the probabilistic data structure. The computer system provides the digital signature for the probabilistic data structure and the probabilistic data structure to various entities. An entity can verify an individual component of the data set within the probabilistic data structure by verifying the individual component against the probabilistic data structure and the digital signature of the probabilistic data structure.

Abstract translation: 计算机系统将数据集合的多个组件编码为概率数据结构，并对概率数据结构进行数字签名。 计算机系统为各种实体提供概率数据结构和概率数据结构的数字签名。 实体可以通过根据概率数据结构和概率数据结构的数字签名验证各个组件来验证概率数据结构内的数据集的单个组件。

公开(公告)号：US20160379012A1

公开(公告)日：2016-12-29

申请号：US15261759

申请日：2016-09-09

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth

IPC: G06F21/64 ,  G06F21/60

CPC classification number: G06F21/64 ,  G06F21/604

Abstract: A request to cancel a change to a policy is received. Based at least in part on delay information for the change, determine that the change is currently delayed, where the delay information is associated with a condition precedent for the change to become effective under a policy change policy. A determination is made regarding whether cancellation is allowed by a set of conditions for the changes, and the proposed policy change is caused to be cancelled prior to a time indicated by the delay information.

Abstract translation: 收到取消政策更改的请求。 至少部分地基于变更的延迟信息，确定变更当前被延迟，其中延迟信息与在变更政策下变更生效的先决条件相关联。 确定关于改变的一组条件是否允许取消，并且在由延迟信息指示的时间之前导致所提出的策略更改被取消。

公开(公告)号：US20160373481A1

公开(公告)日：2016-12-22

申请号：US15256381

申请日：2016-09-02

Applicant: Amazon Technologies, Inc.

Inventor： Hassan Sultan ,  John Schweitzer ,  Donald Lee Bailey, JR. ,  Gregory Branchek Roth ,  Nachiketh Rao Potlapally

IPC: H04L29/06

CPC classification number: H04L63/1433 ,  G06F21/53 ,  G06F21/554 ,  H04L63/1441 ,  H04L63/20

Abstract: A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, an expected value or expected range of values is determined. An assessment of a security state of the computing environment is generated based at least in part on a comparison between a measurement obtained at the point in the computing environment and the expected value or expected range of values, and responsive to a determination that the assessment indicates a rule violation in the computing environment, a security action is performed.

Abstract translation: 生成计算环境中的多个资源的图形，其中该图将多个的第一资源与多个的第二资源相关联。 至少部分地基于在与计算环境中的点对应的测试计算环境中的点处获得的测量值，确定值的期望值或预期范围。 至少部分地基于在计算环境中的点获得的测量值与期望值或期望值之间的比较来生成对计算环境的安全状态的评估，并且响应于评估指示的确定 在计算环境中的规则违规，执行安全措施。

公开(公告)号：US09521140B2

公开(公告)日：2016-12-13

申请号：US15001175

申请日：2016-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/56 ,  G06F21/53 ,  G06F21/57

CPC classification number: H04L63/0823 ,  G06F21/53 ,  G06F21/56 ,  G06F21/575 ,  H04L9/3268 ,  H04L63/062 ,  H04L63/123

Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.

公开(公告)号：US09521000B1

公开(公告)日：2016-12-13

申请号：US13944579

申请日：2013-07-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Graeme David Baer

IPC: H04L9/32

CPC classification number: H04L9/3247 ,  H04L9/14 ,  H04L9/3213 ,  H04L63/0807 ,  H04L2463/062

Abstract: A service provider manages access control to multiple services through an authentication system. One or more services are able to fulfill requests at least in part by submitting requests to other services of the service provider. Such a service is able to obtain, from the authentication system, information that can be passed on to one or more other services to enable the one or more other services to determine request validity without having to contact the authentication system. The information may include, for example, one or more responses that the one or more other services would have received had the one or more services contacted the authentication system themselves.

Abstract translation: 服务提供商通过身份验证系统管理对多个服务的访问控制。 一个或多个服务能够至少部分地通过向服务提供商的其他服务提交请求来满足请求。 这样的服务能够从认证系统获得可以传递到一个或多个其他服务的信息，以使一个或多个其他服务能够确定请求的有效性，而不必联系认证系统。 该信息可以包括例如一个或多个其他服务将一旦接收到认证系统本身就接收到的一个或多个响应。

公开(公告)号：US20160330214A1

公开(公告)日：2016-11-10

申请号：US15217624

申请日：2016-07-22

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Gregory Alan Rubin ,  Matthew John Campagna ,  Petr Praus

IPC: H04L29/06

CPC classification number: H04L63/123 ,  G06F21/602 ,  G06F21/604 ,  G06F21/64 ,  G06F21/645 ,  H04L63/061

Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.

Abstract translation: 系统利用可用于验证明文有效性的信息来执行加密操作。 为了通过提供可用于验证明文有效性的信息来防止提供关于明文的信息，在实体被授权访问明文的条件下，系统提供可用于验证明文的有效性的信息给实体。 可用于验证明文有效性的信息可以与明文一起保持密文，以便在解密时能够验证明文。

公开(公告)号：US20160301682A1

公开(公告)日：2016-10-13

申请号：US15187699

申请日：2016-06-20

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Gregory Alan Rubin

IPC: H04L29/06

CPC classification number: H04L63/083 ,  H04L63/0846 ,  H04L63/10 ,  H04L63/123

Abstract: A distributed passcode verification system includes devices that each have a secret and that are each able to perform a limited number of verifications using their secrets. Passcode verifiers receive passcode information from a passcode information manager. The passcode information provides information usable, with a secret, to verify passcodes provided to a verifier.

Abstract translation: 分布式密码验证系统包括每个具有秘密的设备，并且每个设备能够使用其秘密来执行有限数量的验证。 密码验证器从密码信息管理器接收密码信息。 密码信息提供可用于秘密的信息，以验证提供给验证者的密码。

公开(公告)号：US09466051B1

公开(公告)日：2016-10-11

申请号：US13760769

申请日：2013-02-06

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Daniel Stephen Popick ,  Bradley Jeffery Behm

IPC: G06Q20/02 ,  G06Q30/02 ,  H04L29/06 ,  G06F21/31

CPC classification number: G06Q20/02 ,  G06F21/31 ,  G06F21/6218 ,  G06Q20/3578 ,  G06Q20/405 ,  G06Q30/0277 ,  H04L63/08 ,  H04L63/0823 ,  H04L63/102

Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.

Abstract translation: 可以委派权限来访问与一个或多个不同帐户相关联的资源，这些帐户可能与一个或多个不同的实体相关联。 建立与至少一个客户的至少一个安全帐户相关联的授权配置文件。 每个委托简档都包括信息，例如一个名称，一个验证策略，它指定可能在该帐户外部的主体，以及哪些被允许承担该委托简档的授权策略，以及一个授权策略，指示帐户中允许的行为， 在代理简介中行事。 一旦创建了一个授权配置文件，该配置文件可用于在该帐户下提供用户凭据委派访问的外部主体或服务，该凭证由受信任的身份服务提供。 可以使用用户凭据在各个帐户之间提供访问。