公开(公告)号：US10210341B2

公开(公告)日：2019-02-19

申请号：US13765239

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F11/30 ,  G06F21/62 ,  H04L29/06 ,  H04L9/08 ,  G06F21/00

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

公开(公告)号：US10121017B2

公开(公告)日：2018-11-06

申请号：US13765239

申请日：2013-02-12

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: G06F11/30 ,  G06F21/62 ,  H04L9/08 ,  H04L29/06 ,  G06F21/00

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.

公开(公告)号：US10110587B2

公开(公告)日：2018-10-23

申请号：US15610295

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US09906564B2

公开(公告)日：2018-02-27

申请号：US15638227

申请日：2017-06-29

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/60 ,  H04L9/32

CPC classification number: H04L63/205 ,  G06F21/60 ,  G06F21/602 ,  H04L9/3247 ,  H04L63/126 ,  H04L63/18 ,  H04L63/20 ,  H04L2463/062

Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

公开(公告)号：US20170134348A1

公开(公告)日：2017-05-11

申请号：US15410450

申请日：2017-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/62 ,  H04L29/08 ,  G06F21/60

CPC classification number: H04L63/0471 ,  G06F21/602 ,  G06F21/6218 ,  G06F2221/2101 ,  H04L9/0894 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/045 ,  H04L63/08 ,  H04L67/1097 ,  H04L2209/76

Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.

公开(公告)号：US20150304294A1

公开(公告)日：2015-10-22

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract translation: 描述了授权以启用帐户访问的系统和方法。 系统利用可以在至少一个用户的安全帐户内创建的委托简档。 授权简介包括一个名称，一个确认策略，指定可能在该帐户外部以及被允许承担该授权简档的主体，以及一个授权策略，指示在该帐户内为在 委托简介。 创建授权配置文件后，可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。

公开(公告)号：US09083749B1

公开(公告)日：2015-07-14

申请号：US13654111

申请日：2012-10-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Kevin Ross O'Neill ,  Brian Irl Pratt

IPC: G06F21/60 ,  H04L29/06

CPC classification number: H04L63/20 ,  H04L63/10

Abstract: Customers accessing resources or services in a distributed environment can obtain assurance that a provider of that environment will only allow requests to access those resources or services when those requests satisfy at least one security policy associated with the customer. A customer can provide a security policy update that might be written in a different representation (e.g., version) than is supported by all relevant policy evaluation engines across the distributed environment. A component or service such as an access management service can evaluate the representation of the policy, as well as the representations supported by the evaluation engines, and can determine if the features of the policy update are supported by the representations of the engines. If so, the policy update can be translated to express the policy document in the supported representation(s), such that the policy can be utilized without having to update the relevant engines.

Abstract translation: 在分布式环境中访问资源或服务的客户可以确保当这些请求满足与客户相关联的至少一个安全策略时，该环境的提供者只允许请求访问这些资源或服务。 客户可以提供可能以不同表示形式（例如，版本）编写的安全策略更新，而不是所有相关的策略评估引擎在分布式环境中所支持的更新。 诸如访问管理服务的组件或服务可以评估策略的表示以及评估引擎支持的表示，并且可以确定策略更新的特征是否由引擎的表示支持。 如果是这样，则可以转换策略更新以在支持的表示中表达策略文档，使得可以利用该策略而不必更新相关引擎。

公开(公告)号：US11695555B2

公开(公告)日：2023-07-04

申请号：US16869423

申请日：2020-05-07

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Eric Jason Brandwine ,  Brian Irl Pratt

IPC: H04L9/08 ,  H04L9/32 ,  H04L9/06 ,  H04L9/14 ,  H04L9/30

CPC classification number: H04L9/088 ,  H04L9/0618 ,  H04L9/0643 ,  H04L9/0891 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3247

Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system.

公开(公告)号：US11658971B1

公开(公告)日：2023-05-23

申请号：US16427099

申请日：2019-05-30

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Mark Joseph Cavage ,  Nathan R. Fitch ,  Anders Samuelsson ,  Brian Irl Pratt ,  Yunong Jeff Xiao ,  Bradley Jeffery Behm ,  James E. Scharf, Jr.

IPC: H04L9/40 ,  H04L41/28 ,  H04L67/00

CPC classification number: H04L63/10 ,  H04L41/28 ,  H04L63/0263 ,  H04L63/20 ,  H04L67/00 ,  H04L63/08 ,  H04L63/102

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

公开(公告)号：US11431757B2

公开(公告)日：2022-08-30

申请号：US16880886

申请日：2020-05-21

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Matthew James Wren ,  Brian Irl Pratt

IPC: H04L9/40 ,  H04L9/32 ,  G06F21/33 ,  G06F21/60

Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.