-
Publication number: US11036869B2
Publication date: 2021-06-15
Application number: US15173523
Application date: 2016-06-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.
-
Publication number: US20200287942A1
Publication date: 2020-09-10
Application number: US16880886
Application date: 2020-05-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Brian Irl Pratt
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US10771586B1
Publication date: 2020-09-08
Application number: US13854669
Application date: 2013-04-01
Applicant: Amazon Technologies, Inc.
Inventor: Brian Irl Pratt , Kathryn Marie Shih , Patrick James Ward
Abstract: Methods and systems for implementing custom access controls are disclosed. A first task is added to a first workflow. A first role is generated for the first workflow. The first role comprises a first set of one or more permissions for using one or more computing resources. The one or more permissions in the first role are selected based on the first task. The first task is performed using the one or more computing resources in accordance with the first role.
-
Publication number: US10601789B2
Publication date: 2020-03-24
Application number: US15823450
Application date: 2017-11-27
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
Abstract: A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
-
Publication number: US10313346B1
Publication date: 2019-06-04
Application number: US14553915
Application date: 2014-11-25
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Ross O'Neill , Mark Joseph Cavage , Nathan R. Fitch , Anders Samuelsson , Brian Irl Pratt , Yunong Jeff Xiao , Bradley Jeffery Behm , James E. Scharf, Jr.
Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
-
Publication number: US20170324782A1
Publication date: 2017-11-09
Application number: US15638227
Application date: 2017-06-29
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Brian Irl Pratt
CPC classification number: H04L63/205 , G06F21/60 , G06F21/602 , H04L9/3247 , H04L63/126 , H04L63/18 , H04L63/20 , H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US20170272423A1
Publication date: 2017-09-21
Application number: US15610295
Application date: 2017-05-31
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth , Nathan R. Fitch , Kevin Ross O'Neill , Graeme D. Baer , Bradley Jeffery Behm , Brian Irl Pratt
CPC classification number: H04L63/08 , G06F21/62 , G06F2221/2141 , H04L63/10
Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
-
Publication number: US20170195119A1
Publication date: 2017-07-06
Application number: US15462604
Application date: 2017-03-17
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0428 , H04L9/0822 , H04L9/0825 , H04L9/083 , H04L9/0891 , H04L9/0894 , H04L9/14 , H04L9/16 , H04L9/3213 , H04L9/3234 , H04L9/3247 , H04L63/0435 , H04L63/0807
Abstract: A plurality of devices, having common access to a first key under which a set of data objects used by the plurality of devices are encrypted, is caused to replace the first key with a second key by at least causing a device of the plurality of devices to encrypt a subset of the set of data objects that are not selected for electronic shredding, and to allow access to a data object of the subset regardless of whether the data object is encrypted using the first key or the second key. At a time after the data object becomes accessible by using the second key, each of the plurality of devices is verified to have common access to the second key, and the plurality of devices is caused to lose access to the first key.
-
Publication number: US09300639B1
Publication date: 2016-03-29
Application number: US13916915
Application date: 2013-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0428 , H04L9/08 , H04L9/0822 , H04L9/0825 , H04L9/3213 , H04L63/062 , H04L63/0807 , H04L63/102 , H04L63/205 , H04L2209/603 , H04L2209/68
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The service may utilize multiple security modules. A coordinator may coordinate the security modules to ensure that the security modules operate with consistent operational parameters. A security module may propose a set of parameters for acceptance by the coordinator. If accepted, the coordinator may update the security modules in accordance with the proposal.
-
Publication number: US09218476B1
Publication date: 2015-12-22
Application number: US13671304
Application date: 2012-11-07
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
IPC: G06F21/34
CPC classification number: H04L63/0838 , G06F21/34
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
-