-
Publication No.: US10924482B1
Publication Date: 2021-02-16
Application No.: US14576141
Application Date: 2014-12-18
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Graeme David Baer
Abstract: A computing resource service provides flexible configuration of authorization rules. A set of authorization rules which define whether fulfillment of requests. The set of authorization rules are applied to a request of a first type which is mapped to a request of a second type. The request of the second type is used for fulfillment of the request of the first type when the authorization rules so allow.
-
Publication No.: US10904268B2
Publication Date: 2021-01-26
Application No.: US15713004
Application Date: 2017-09-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Donald L. Bailey, Jr.
IPC: H04L29/06, H04L12/717, H04L29/08, H04L12/26, H04L12/741
Abstract: Systems, methods, and interfaces for the management of virtual machine networks and other programmatically controlled networks are provided. Hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. A security assessment may be performed before, after, or simultaneous to the execution of the activity associated with the security assessment event. The execution of an activity may further be synchronous with the results of the security assessment. The timing of the assessment may correspond to the type of assessment or type of activity that is requested or detected.
-
Publication No.: US10771255B1
Publication Date: 2020-09-08
Application No.: US14225264
Application Date: 2014-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a data storage node may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage node. The data storage node uses its copy of the cryptographic key to verify a digital signature of a command before fulfilling the command. The command may include a log of database transactions to process.
-
Publication No.: US10666684B2
Publication Date: 2020-05-26
Application No.: US15849351
Application Date: 2017-12-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
IPC: H04L29/06
Abstract: A request to access one or more computing resources is received by a system. The system performs one or more operations in response to the request according to one or more security policies, the one or more operations selected according to a substantially random selection process. A response to the request is caused based at least in part on the one or more operations.
-
Publication No.: US10474829B2
Publication Date: 2019-11-12
Application No.: US15712043
Application Date: 2017-09-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine, Matthew James Wren
Abstract: A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
-
Publication No.: US20190342212A1
Publication Date: 2019-11-07
Application No.: US16510739
Application Date: 2019-07-12
Applicant: Amazon Technologies, Inc.
Inventor: Swaminathan Sivasubramanian, Eric Jason Brandwine, Tate Andrew Certain, Bradley E. Marshall
IPC: H04L12/741, H04L29/08, H04L12/715, H04L12/24
Abstract: Techniques are described for managing communications for a managed virtual computer network overlaid on a distinct substrate computer network, including for communications involving computing nodes of the managed virtual computer network that use an alternative addressing scheme to direct network packets and other network communications to intended destination locations by using textual network node monikers instead of numeric IP addresses to represent computing nodes at a layer 3 or “network layer” of a corresponding computer networking stack in use by the computing nodes. The techniques are provided without modifying or configuring the network devices of the substrate computer network, by using configured modules to manage and modify communications from the logical edge of the substrate network.
-
Publication No.: US10425223B2
Publication Date: 2019-09-24
Application No.: US15984198
Application Date: 2018-05-18
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Marc R. Barbour, Bradley Jeffrey Behm, Cristian M. Ilac, Eric Jason Brandwine
Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
-
Publication No.: US10367791B2
Publication Date: 2019-07-30
Application No.: US15786322
Application Date: 2017-10-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Eric Jason Brandwine
Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.
-
Publication No.: US10341281B2
Publication Date: 2019-07-02
Application No.: US13747261
Application Date: 2013-01-22
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine, Peter Nicholas DeSantis, Léon Thrane
IPC: H04L12/58
Abstract: Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
-
Publication No.: US10275282B1
Publication Date: 2019-04-30
Application No.: US14938428
Application Date: 2015-11-11
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
Abstract: A customer having a deployment in a resource provider environment can request one or more changes to the deployment using one or more application programming interface (API) requests. Along with the one or more changes, the customer can specify one or more metrics or behaviors, or a function thereof, to be monitored for the deployment for at least a period of time after the change is implemented. The customer can also specify acceptable or unacceptable values or ranges for the metrics. If the value of a specified metric is determined during the monitoring to have an unacceptable value, the change can be automatically rolled back or undone. The roll back in some embodiments takes the form of a change in state to yet another state that will cause the deployment to operate similar to a state before the change was implemented.