Peripheral device for configuring compute instances at client-selected servers

    Publication No.: US11520530B2

    Publication date: 2022-12-06

    Application No.: US16581619

    Application date: 2019-09-24

    Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement virtualization offloading components of a virtualized computing service, including a storage manager. The offloading components establish network connectivity with a control plane of the service. Based on detecting that a hardware server, in a separate enclosure, has been linked to the peripheral device, the hardware server is presented as a virtualization host of the service. The offloading components initiate compute instance configuration operations at the server in response to commands issued to the control plane, including at least one configuration operation initiated by the storage manager to enable access to a logical storage device from a compute instance.

    Local data classification based on a remote service interface

    Publication No.: US11500904B2

    Publication date: 2022-11-15

    Application No.: US16000612

    Application date: 2018-06-05

    Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.

    Processing requests at a remote service to implement local data classification

    Publication No.: US11443058B2

    Publication date: 2022-09-13

    Application No.: US16000598

    Application date: 2018-06-05

    Abstract: A client may send to a provider network a request to classify data at one or more data sources of the client network. The provider network receives the request and transmits the request to a local instance of a network-based data classification service at the client network. The local instance of the network-based data classification service classifies the data at the one or more data sources. The data is not exposed outside of a data isolation boundary associated with the client network during classification of the data by the local instance of the network-based data classification service. The provider network may initially provision the local instance of the network-based data classification service to run on the client network.

    MANAGING REPLICATION OF COMPUTING NODES FOR PROVIDED COMPUTER NETWORKS

    Publication No.: US20220279040A1

    Publication date: 2022-09-01

    Application No.: US17693186

    Application date: 2022-03-11

    Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.

    Automatic key rotation
    295.
    Granted patent

    Publication No.: US11372993B2

    Publication date: 2022-06-28

    Application No.: US16673753

    Application date: 2019-11-04

    Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.

    Managing replication of computing nodes for provided computer networks

    Publication No.: US11277471B2

    Publication date: 2022-03-15

    Application No.: US17163242

    Application date: 2021-01-29

    Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.

    VIRTUAL SERVICE AUTHORIZATION
    298.
    Patent application

    Publication No.: US20220029993A1

    Publication date: 2022-01-27

    Application No.: US17173584

    Application date: 2021-02-11

    Abstract: A computing resource service provides flexible configuration of authorization rules. A set of authorization rules which define whether fulfillment of requests. The set of authorization rules are applied to a request of a first type which is mapped to a request of a second type. The request of the second type is used for fulfillment of the request of the first type when the authorization rules so allow.

    HOST ATTESTATION
    300.
    Patent application

    Publication No.: US20210326442A1

    Publication date: 2021-10-21

    Application No.: US17321356

    Application date: 2021-05-14

    Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use cryptographic key issued to the host computer system that hosts the virtual computing environment.
