-
Publication number: US10511584B1
Publication date: 2019-12-17
Application number: US15280692
Application date: 2016-09-29
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer, Conor Patrick Cahill
Abstract: A secure shell (SSH) bastion service can proxy customer SSH traffic through SSH host resources before routing the traffic to the target resource instances in a customer allocation of a multi-tenant environment. The bastion service supports connections directly from a customer allocation management console, which enables the specification of a target instance and selection of an option to establish a secure connection to that instance. The bastion service handles authentication and authorization, ensuring that all security requirements are satisfied. An SSH server of the bastion service can route the traffic to the target instance using the appropriate port for SSH traffic. A second SSH connection is established from the bastion service to the SSH server executing on the target instance, providing end-to-end security of traffic from the client device to the target instance of the customer allocation.
-
Publication number: US10263792B2
Publication date: 2019-04-16
Application number: US15652161
Application date: 2017-07-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
IPC: G06F21/00, H04L9/32, H04L29/06, G06F21/33, G06F21/31, H04L9/08, G06F9/455, H04L9/14, H04L9/30, H04L29/08
Abstract: An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.
-
Publication number: US20190007525A1
Publication date: 2019-01-03
Application number: US16127140
Application date: 2018-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Edward Bradford Smith, II; Graeme David Baer; Manivannan Sundaram
CPC classification number: H04L67/327, H04L63/06, H04L63/061, H04L63/08, H04L63/10, H04L63/102, H04L63/123, H04L63/166
Abstract: The present document describes systems and methods that authorize client resources such as computers, servers, computing appliances, and virtual machines to access online services provided by an online service provider. To authorize a client resource, a client submits a registration request on behalf of the client resource to an authorization service provided by the service provider. The authorization service returns an activation code to the client. The activation code may expire after an amount of time, or upon first use. The client provides the activation code to an agent running on the client resource. The agent establishes communication with the authorization service, and upon providing the activation code to the authorization service, receives an authorization token that can be used by the client resource to access online services in accordance with security roles or permissions specified with the registration request.
-
Publication number: US09954856B2
Publication date: 2018-04-24
Application number: US14976398
Application date: 2015-12-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Brian Irl Pratt
CPC classification number: H04L63/0838, G06F21/34
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-
Publication number: US09847983B1
Publication date: 2017-12-19
Application number: US14264897
Application date: 2014-04-29
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Benjamin Tillman Farley, Graeme David Baer
IPC: H04L29/06
CPC classification number: H04L63/08, H04L63/0428, H04L63/068
Abstract: Technologies are disclosed herein for epoch-based expiration of temporary security credentials. A temporary security credential is issued that identifies one or more epochs and that specifies one or more versions of the identified epochs during which the temporary security credential is valid. The temporary security credential may then be utilized to request access to another system, service or component. In order to determine whether such a request may be granted, current epoch versions for the epochs identified in the temporary security credential are obtained. The current epoch versions for the identified epochs are then compared to epoch versions specified in the temporary security credential to determine if the request can be granted. The current epoch versions may be periodically modified in order to expire previously issued temporary security credentials. A temporary security credential might also specify an expiration time after which the temporary security credential is no longer valid.
-
Publication number: US20170126746A1
Publication date: 2017-05-04
Application number: US15261069
Application date: 2016-09-09
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer, Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/205, G06F21/6218, H04L63/0218, H04L63/0272, H04L63/08, H04L63/083, H04L63/0861, H04L63/10, H04L63/123, H04L63/1458, H04L63/168, H04L67/10, H04L67/1002
Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.
-
Publication number: US20160248593A1
Publication date: 2016-08-25
Application number: US15146836
Application date: 2016-05-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Graeme David Baer
CPC classification number: H04L9/3247, H04L9/14, H04L9/3213, H04L63/0807, H04L2463/062
Abstract: A system and method wherein an authentication system receives, from a first system, an authentication request to verify authentication information that was submitted to the first system in connection with a first request. The authentication system generates a response to the authentication request that includes information usable by a second system to determine, without communicating with the authentication system and based at least in part on that information and one or more cryptographic processes, whether fulfillment of a second request from the first system is allowable under the authority of the authentication system. That determination is based at least in part on policy information included in the response, which specifies one or more policies applicable to an identity associated with the first request. The generated response is provided to the first system.
-