-
Publication (Announcement) No.: US10075557B2
Publication (Announcement) date: 2018-09-11
Application No.: US14984957
Filing date: 2015-12-30
Applicant: Amazon Technologies, Inc.
Inventor: Edward Bradford Smith, II , Graeme David Baer , Manivannan Sundaram
CPC classification number: H04L67/327 , H04L63/06 , H04L63/061 , H04L63/08 , H04L63/10 , H04L63/102 , H04L63/123 , H04L63/166
Abstract: The present document describes systems and methods that authorize client resources such as computers, servers, computing appliances, and virtual machines to access online services provided by an online service provider. To authorize a client resource, a client submits a registration request on behalf of the client resource to an authorization service provided by the service provider. The authorization service returns an activation code to the client. The activation code may expire after an amount of time, or upon first use. The client provides the activation code to an agent running on the client resource. The agent establishes communication with the authorization service, and upon providing the activation code to the authorization service, receives an authorization token that can be used by the client resource to access online services in accordance with security roles or permissions specified with the registration request.
-
Publication (Announcement) No.: US20180241742A1
Publication (Announcement) date: 2018-08-23
Application No.: US15958655
Filing date: 2018-04-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-
Publication (Announcement) No.: US09838430B1
Publication (Announcement) date: 2017-12-05
Application No.: US14475314
Filing date: 2014-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Jacques Daniel Thomas , Nicholas Andrew Gochenaur
CPC classification number: H04L63/20 , G06F9/45533 , G06Q30/0601 , H04L63/10
Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.
-
Publication (Announcement) No.: US09288208B1
Publication (Announcement) date: 2016-03-15
Application No.: US14020494
Filing date: 2013-09-06
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Gregory Branchek Roth , Graeme David Baer
CPC classification number: H04L9/3271 , G06F9/45533 , G06F21/31 , G06F21/335 , H04L9/08 , H04L9/0816 , H04L9/0894 , H04L9/14 , H04L9/302 , H04L9/3242 , H04L9/3247 , H04L9/3249 , H04L63/0807 , H04L63/0876 , H04L63/0884 , H04L63/126 , H04L63/20 , H04L67/02 , H04L2209/56 , H04L2209/76
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
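The challenge/response exchange the abstract describes, written out as an added example. This is not Amazon's code and not the claimed implementation: it uses a deliberately tiny textbook-RSA keypair (two fixed Mersenne primes, insecure, chosen only so the example runs with the standard library), and the names EscrowPlatform, TargetPlatform, enroll, sign, issue_challenge, verify and client_login are all assumed. The point it shows is the separation of roles: the target holds only the public key, the escrow holds the private key and an access list, and the client relays challenges and signatures without ever seeing key material.

```python
"""Escrow-signed challenge/response: added illustration of US09288208B1.

Toy RSA (fixed, tiny primes) is used so the example runs offline with only
the standard library; it is not secure and not the patent's construction.
"""
import hashlib
import os

# Assumed toy parameters: Mersenne primes 2^61-1 and 2^31-1. Far too small for real use.
_P = (1 << 61) - 1
_Q = (1 << 31) - 1
_E = 65537


def make_keypair():
    """Return (public, private) as ((n, e), (n, d)). gcd(e, phi) == 1 for these primes."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)
    return (n, _E), (n, d)


def _digest(msg: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class EscrowPlatform:
    """Holds private keys and signs challenges for authorised clients only.

    The private key never leaves this object; clients get signatures, not secrets.
    """

    def __init__(self):
        self._keys = {}  # key_id -> (n, d)
        self._acl = {}   # key_id -> set of client ids allowed to request signatures

    def enroll(self, key_id: str, private_key, allowed_clients) -> None:
        self._keys[key_id] = private_key
        self._acl[key_id] = set(allowed_clients)

    def sign(self, client_id: str, key_id: str, challenge: bytes) -> int:
        if client_id not in self._acl.get(key_id, set()):
            raise PermissionError(f"{client_id} may not use key {key_id}")
        n, d = self._keys[key_id]
        return pow(_digest(challenge, n), d, n)


class TargetPlatform:
    """Stores only the public key; issues fresh challenges and verifies signatures."""

    def __init__(self, public_key):
        self.public_key = public_key
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: int) -> bool:
        # Reject unknown or already-consumed challenges: each one is answered once.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        n, e = self.public_key
        return pow(signature, e, n) == _digest(challenge, n)


def client_login(client_id: str, key_id: str, escrow: EscrowPlatform,
                 target: TargetPlatform) -> bool:
    """The client's part: relay the target's challenge to the escrow, relay the signature back."""
    challenge = target.issue_challenge()
    signature = escrow.sign(client_id, key_id, challenge)
    return target.verify(challenge, signature)
```

Two checks a practitioner would want are built in: the escrow enforces its own access list before signing (an unauthorised client gets an exception, not a signature), and the target consumes each challenge on first verification so a captured signature cannot be replayed.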
-
Publication (Announcement) No.: US11849037B1
Publication (Announcement) date: 2023-12-19
Application No.: US17301341
Filing date: 2021-03-31
Applicant: Amazon Technologies, Inc.
Inventor: William Tong , Joseph Baro , Parimal Shirish Deshmukh , Kylan Joseph Kempster , Yan Wu , Graeme David Baer , Steven K. Emelander , Divya Sridhar
IPC: H04L9/08 , H04L67/1095 , G06F9/54 , H04L9/40 , G06F3/0482
CPC classification number: H04L9/0891 , G06F3/0482 , G06F9/541 , H04L9/0861 , H04L63/0428 , H04L67/1095
Abstract: This disclosure describes techniques for managing the replication of a secret across different regions. A secrets management system (SMS) may be used to manage replication of secrets across different regions of the cloud that are in different geographic locations. Different input mechanisms, such as an API, a UI, or a CLI may be utilized to manage the replication of secrets. In some examples, upon detection of a replication message, the SMS reads the message, identifies the secret, and performs an action involving the secret. For instance, a secret identified within the replication message is accessed from the current region, and the secret is re-encrypted using a customer specified KMS key using customer credentials. The secret is then packaged into a secret replication message. An SRS in the replicated region reads this new secret replication message, accesses the secret that was replicated, and saves the secret in the replicated region.
-
Publication (Announcement) No.: US11621954B2
Publication (Announcement) date: 2023-04-04
Application No.: US16921172
Filing date: 2020-07-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-
Publication (Announcement) No.: US20200336479A1
Publication (Announcement) date: 2020-10-22
Application No.: US16921172
Filing date: 2020-07-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
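The pre-generated OTP scheme shared by US20180241742A1, US11621954B2 and US20200336479A1, as an added example (not Amazon's code and not the claimed implementation). It assumes SHA-256 as the encoding, a 30-second slot as the "predetermined interval", a one-slot clock skew allowance, and the names pregenerate, encode and Verifier; all of these are choices made here. The verifier holds only the hashed codes, so a leaked table does not yield usable codes, and each hash is consumed on first use.

```python
"""Pre-generated, time-bound OTP codes: added illustration, not the patent's code.

Provider side mints a batch of codes per time slot and hands the verifier only
H(slot || code). Verifier side checks membership, tolerates small skew, and
rejects replays.
"""
import hashlib
import secrets

INTERVAL = 30  # assumed slot length in seconds


def encode(code: str, slot: int) -> str:
    """Hash each code together with its time value, as the abstract describes."""
    return hashlib.sha256(f"{slot}:{code}".encode()).hexdigest()


def pregenerate(slot: int, count: int, digits: int = 6):
    """Provider: mint `count` random codes valid for `slot`.

    Returns (plaintext codes for issuing to tokens, encoded set for the verifier).
    """
    codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
    encoded = {encode(c, slot) for c in codes}
    return codes, encoded


class Verifier:
    """Verification system holding only the encoded table: slot -> set of hashes."""

    def __init__(self, table):
        self.table = table
        self.used = set()  # hashes already accepted; blocks replay within validity

    def verify(self, code: str, now: int, skew: int = 1) -> bool:
        slot = now // INTERVAL
        for s in range(slot - skew, slot + skew + 1):
            h = encode(code, s)
            if h in self.table.get(s, set()):
                if h in self.used:
                    return False  # replay of a code already spent
                self.used.add(h)
                return True
        return False
```

Note the guessing budget: with `count` codes per slot and 6 digits, a blind guess succeeds with probability about count / 10^6 per attempt per slot, so the verifier still needs rate limiting in front of it.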
-
Publication (Announcement) No.: US10440151B2
Publication (Announcement) date: 2019-10-08
Application No.: US16127140
Filing date: 2018-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Edward Bradford Smith, II , Graeme David Baer , Manivannan Sundaram
Abstract: The present document describes systems and methods that authorize client resources such as computers, servers, computing appliances, and virtual machines to access online services provided by an online service provider. To authorize a client resource, a client submits a registration request on behalf of the client resource to an authorization service provided by the service provider. The authorization service returns an activation code to the client. The activation code may expire after an amount of time, or upon first use. The client provides the activation code to an agent running on the client resource. The agent establishes communication with the authorization service, and upon providing the activation code to the authorization service, receives an authorization token that can be used by the client resource to access online services in accordance with security roles or permissions specified with the registration request.
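The three-step activation flow described in US10075557B2 and US10440151B2 above, as an added example. This is not Amazon's code: the class AuthorizationService, its methods register, activate and authorize, the 10-minute default expiry and the injectable clock are all assumptions made here so the flow can be exercised offline. It shows the two properties the abstract calls out, expiry after an amount of time and expiry on first use, plus the binding of the issued token to the role named at registration.

```python
"""Activation-code registration flow: added illustration, not the patent's code."""
import hmac
import secrets
import time


class AuthorizationService:
    def __init__(self, ttl_seconds: float = 600.0, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # activation code -> {"role", "issued_at", "used"}
        self._tokens = {}           # authorization token -> role

    def register(self, role: str) -> str:
        """Step 1: the client registers a resource and receives a short-lived activation code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = {"role": role, "issued_at": self.clock(), "used": False}
        return code

    def activate(self, code: str):
        """Step 2: the agent on the resource presents the code and gets a token, or None.

        The code is single-use and dies after ttl_seconds.
        """
        reg = self._pending.get(code)
        if reg is None or reg["used"]:
            return None
        if self.clock() - reg["issued_at"] > self.ttl_seconds:
            del self._pending[code]
            return None
        reg["used"] = True  # first use consumes the code
        token = secrets.token_urlsafe(32)
        self._tokens[token] = reg["role"]
        return token

    def authorize(self, token: str, required_role: str) -> bool:
        """Step 3: an online service checks the token against the role fixed at registration."""
        role = self._tokens.get(token)
        return role is not None and hmac.compare_digest(role, required_role)


def demo_flow() -> dict:
    """Run the flow against a fake clock and return the observed outcomes."""
    now = [1_000.0]
    svc = AuthorizationService(ttl_seconds=60, clock=lambda: now[0])
    code = svc.register("managed-instance")
    token = svc.activate(code)
    results = {
        "first_activation_ok": token is not None,
        "second_activation_blocked": svc.activate(code) is None,
        "role_matches": svc.authorize(token, "managed-instance"),
        "other_role_rejected": not svc.authorize(token, "admin"),
    }
    stale = svc.register("managed-instance")
    now[0] += 61  # past the TTL
    results["expired_code_blocked"] = svc.activate(stale) is None
    return results
```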
-
Publication (Announcement) No.: US20190268245A1
Publication (Announcement) date: 2019-08-29
Application No.: US16406758
Filing date: 2019-05-08
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Derek Avery Lyon , John Michael Morkel , Graeme David Baer , Ajith Harshana Ranabahu , Khaled Salah Sedky
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
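The evaluation order the abstract relies on, an explicit deny overriding an otherwise-authorised action, written out as an added example with a small offline simulator. This is not Amazon's code or the AWS IAM evaluator: the JSON-like policy shape and the shell-style wildcard matching are assumptions chosen to look familiar, and the functions evaluate and simulate plus the sample policy are constructed here.

```python
"""Access-policy evaluation with explicit deny: added illustration, not the patent's code."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # Assumed simplification: '*' and '?' wildcards, case-sensitive
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return "Allow" or "Deny".

    Precedence: an explicit Deny wins over any Allow; with no matching
    statement at all the request is implicitly denied.
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy.get("Statement", []):
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # short-circuit: the request is rejected even if an Allow matched
        decision = "Allow"
    return decision


def simulate(policy: dict, requests) -> dict:
    """Independent simulation: evaluate (action, resource) pairs without calling any service."""
    return {(a, r): evaluate(policy, a, r) for a, r in requests}


# Constructed sample: broad Allow on a bucket, explicit Deny on deletes under prod/
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::app-bucket/prod/*"},
    ]
}
```

Because the deny check returns immediately, statement order does not matter: the same result comes out whether the Deny statement precedes or follows the Allow, which is exactly what a policy test should assert before the policy goes live.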
-
Publication (Announcement) No.: US10320790B1
Publication (Announcement) date: 2019-06-11
Application No.: US14475306
Filing date: 2014-09-02
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Jacques Daniel Thomas , Nicholas Andrew Gochenaur
Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.