-
Publication number: US20140229737A1
Publication date: 2014-08-14
Application number: US13765209
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
IPC: H04L9/08
CPC classification number: H04L9/088, H04L9/0618, H04L9/0643, H04L9/0891, H04L9/14, H04L9/30, H04L9/321, H04L9/3247
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US20140229729A1
Publication date: 2014-08-14
Application number: US13764963
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
IPC: H04L29/06
CPC classification number: H04L63/0471, G06F21/602, G06F21/6218, G06F2221/2101, H04L9/0894, H04L9/3242, H04L9/3247, H04L63/045, H04L63/08, H04L67/1097, H04L2209/76
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
-
Publication number: US11372993B2
Publication date: 2022-06-28
Application number: US16673753
Application date: 2019-11-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: Requests submitted to a computer system are evaluated for compliance with policy to ensure data security. Plaintext and associated data are used as inputs into a cipher to produce ciphertext. Whether a result of decrypting the ciphertext can be provided in response to a request is determined based at least in part on evaluation of a policy that itself is based at least in part on the associated data. Other policies include automatic rotation of keys to prevent keys from being used in enough operations to enable cryptographic attacks intended to determine the keys.
-
Publication number: US20200266976A1
Publication date: 2020-08-20
Application number: US16869423
Application date: 2020-05-07
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system.
-
Publication number: US10346626B1
Publication date: 2019-07-09
Application number: US13854679
Application date: 2013-04-01
Applicant: Amazon Technologies, Inc.
Inventor: Brian Irl Pratt, Kathryn Marie Shih, Patrick James Ward
Abstract: Methods and systems for implementing versioned access controls are disclosed. A first task is added to a first workflow with a first version of a default role. A second version of the default role is generated after the first task is added. A second task is added to a second workflow with the second version of the default role. The first version and the second version each comprise one or more permissions for using one or more computing resources. The first task is performed using the permissions in the first version of the default role. The second task is performed using the permissions in the second version of the default role.
-
Publication number: US20180183837A1
Publication date: 2018-06-28
Application number: US15900465
Application date: 2018-02-20
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US09705674B2
Publication date: 2017-07-11
Application number: US13765209
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
CPC classification number: H04L9/088, H04L9/0618, H04L9/0643, H04L9/0891, H04L9/14, H04L9/30, H04L9/321, H04L9/3247
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US09699219B2
Publication date: 2017-07-04
Application number: US15237505
Application date: 2016-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Brian Irl Pratt
CPC classification number: H04L63/205, G06F21/60, G06F21/602, H04L9/3247, H04L63/126, H04L63/18, H04L63/20, H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US20170093581A1
Publication date: 2017-03-30
Application number: US15376451
Application date: 2016-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
-
Publication number: US09553854B2
Publication date: 2017-01-24
Application number: US13764963
Application date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
Abstract: A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.