-
Publication number: US09832171B1
Publication date: 2017-11-28
Application number: US13916964
Application date: 2013-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0428 , H04L9/0822 , H04L9/0825 , H04L9/083 , H04L9/0891 , H04L9/0894 , H04L9/14 , H04L9/16 , H04L9/3213 , H04L9/3234 , H04L9/3247 , H04L63/0435 , H04L63/0807
Abstract: A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
-
Publication number: US09825911B1
Publication date: 2017-11-21
Application number: US14944943
Application date: 2015-11-18
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Eric Jason Brandwine
CPC classification number: H04L63/0236 , H04L61/2503 , H04L61/2514 , H04L63/10 , H04L63/164 , H04L63/20 , H04L65/1069 , H04L67/141
Abstract: Systems and methods are disclosed that make security policy decisions based on a packet of a communication establishment handshake. The packet is intercepted and provided to a policy manager. If a security check fails, the communication session is not permitted to be established. In one example, the system includes a network device (e.g., a network address translator) and a policy manager. The network address translator can receive Transmission Control Protocol (TCP) communication session establishment handshake packets and redirect each packet that is part of the TCP handshake to the policy manager rather than to the computing node targeted by the packet. The policy manager prevents the redirected packet from being forwarded to a targeted computing node in the provider network, thereby disallowing the communication session from being established, based on a comparison of at least information in a header of the packet to a set of security policies.
-
Publication number: US09794116B2
Publication date: 2017-10-17
Application number: US14715452
Application date: 2015-05-18
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Ian R. Searle , Aaron C. Thompson , Kevin Christopher Miller
CPC classification number: H04L41/0803 , H04L41/12 , H04L41/5051 , H04L41/5096 , H04L63/0227 , H04L63/104 , H04L67/16 , H04L67/288 , H04L67/38
Abstract: Techniques are described for providing managed computer networks. In some situations, the techniques include managing communications for computing nodes of a managed computer network by using one or more particular computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select one or more particular intermediate destination computing nodes to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network. The manager module then forwards those communications to a first of the selected intermediate destination computing nodes for further handling.
-
Publication number: US09736016B2
Publication date: 2017-08-15
Application number: US14631675
Application date: 2015-02-25
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L12/24 , H04L29/14 , H04L12/707 , H04L12/703
CPC classification number: H04L41/0681 , H04L41/064 , H04L41/0654 , H04L41/147 , H04L45/22 , H04L45/28 , H04L69/40
Abstract: Techniques are described for providing managed computer networks. In some situations, the techniques include managing communications for computing nodes of a managed computer network by using one or more particular computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. In addition, the techniques may include managing the communications in accordance with configured failure behavior specified for one or more computing nodes of the computer network, such as specified failure behavior for a computing node configured to operate as an intermediate destination that indicates how communications that would otherwise be routed via the intermediate destination computing node are to be handled if the intermediate destination computing node fails or is otherwise unavailable (e.g., to block or allow such communications).
-
Publication number: US09722932B1
Publication date: 2017-08-01
Application number: US14526410
Application date: 2014-10-28
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L12/851 , H04L12/741
CPC classification number: H04L47/2441 , H04L45/74 , H04L47/125
Abstract: A path selector device of a network receives a network packet. A packet flow category to which the packet belongs is identified. A candidate outbound link set corresponding to the packet flow category, comprising a subset of the available outbound links of the path selector device, is determined. The packet is transmitted on a particular outbound link of the candidate outbound link set. Subsequent packets of the packet flow category are distributed among the members of the candidate outbound link set.
-
Publication number: US20170208099A1
Publication date: 2017-07-20
Application number: US15479168
Application date: 2017-04-04
Applicant: Amazon Technologies, Inc.
Inventor: Stephen E. Schmidt , Eric Jason Brandwine , Luis Felipe Cabrera
CPC classification number: H04L63/20 , G06F21/50 , G06F21/53 , G06F21/57 , G06F21/577 , H04L9/3247 , H04L41/0803 , H04L63/0263 , H04L63/1408
Abstract: Systems and methods are provided for configuring and monitoring computing resources of an entity for compliance with one or more standards. In one implementation, a server receives one or more identifiers of one or more standards and determines a plurality of configuration settings for the computing resources of the entity, based on the received one or more identifiers. The plurality of configuration settings comply with the one or more standards. The computing resources of the entity are configured according to the plurality of configuration settings. The server detects an event related to the computing resources. The detected event and the plurality of configuration settings are evaluated for compliance with the one or more standards. A determination is made whether the entity is compliant with the one or more standards, based on the evaluation, and an action is taken, based on the determination.
-
Publication number: US09705855B2
Publication date: 2017-07-11
Application number: US14981804
Application date: 2015-12-28
Applicant: Amazon Technologies, Inc.
CPC classification number: H04L63/061 , G06F9/45533 , H04L9/3247 , H04L63/0428 , H04L63/06 , H04L63/0876
Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during a serialization operation, they may be deleted or destroyed, enabling the destruction of data encrypted with the keys.
-
Publication number: US09608813B1
Publication date: 2017-03-28
Application number: US13916999
Application date: 2013-06-13
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
IPC: H04L9/08
CPC classification number: H04L63/0428 , H04L9/0822 , H04L9/0825 , H04L9/083 , H04L9/0891 , H04L9/0894 , H04L9/14 , H04L9/16 , H04L9/3213 , H04L9/3234 , H04L9/3247 , H04L63/0435 , H04L63/0807
Abstract: A plurality of devices have common access to a cryptographic key. The cryptographic key is rotated by providing the devices simultaneous access to both the cryptographic key and a new cryptographic key and then revoking access to the cryptographic key. Keys stored externally and encrypted under the cryptographic key can be reencrypted under the new cryptographic key. Keys intended for electronic shredding can be left encrypted under the old cryptographic key.
-
Publication number: US20170070508A1
Publication date: 2017-03-09
Application number: US15093403
Application date: 2016-04-07
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/101 , H04L63/02 , H04L63/0227 , H04L63/0236 , H04L63/0272 , H04L63/0428 , H04L63/10 , H04L63/20 , H04L67/10
Abstract: Systems and methods for providing access to a remote network via an external endpoint are provided. A client establishes a secure connection between an external endpoint and a remote network. Transmissions from clients to the external endpoint are supplemented with additional information regarding handling within the remote network, and then transmitted to an internal endpoint within the remote network. The internal endpoint processes the transmission based on the supplemental information and returns a response to the external endpoint. A response is then returned to the client. Access policies may be created by authorized users to establish processing of client transmissions. These policies may be stored and enforced by the internal endpoint or the external endpoint.
-
Publication number: US09590959B2
Publication date: 2017-03-07
Application number: US13764963
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L63/0471 , G06F21/602 , G06F21/6218 , G06F2221/2101 , H04L9/0894 , H04L9/3242 , H04L9/3247 , H04L63/045 , H04L63/08 , H04L67/1097 , H04L2209/76
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
-