-
Publication number: US20160359924A1
Publication date: 2016-12-08
Application number: US15237505
Filing date: 2016-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Brian Irl Pratt
CPC classification number: H04L63/205 , G06F21/60 , G06F21/602 , H04L9/3247 , H04L63/126 , H04L63/18 , H04L63/20 , H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
-
Publication number: US09420007B1
Publication date: 2016-08-16
Application number: US14096783
Filing date: 2013-12-04
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Brian Irl Pratt
CPC classification number: H04L63/205 , G06F21/60 , G06F21/602 , H04L9/3247 , H04L63/126 , H04L63/18 , H04L63/20 , H04L2463/062
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
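The two abstracts above (US20160359924A1 and its parent US09420007B1) describe a second service evaluating customer policy whose conditions refer to the services that took part in submitting a request. The following is an added example, not code from the patents or from Amazon: it models a request that carries the chain of intermediary services and a policy whose statements condition on that chain. The policy format, the condition names (via_service, direct_caller, max_chain_length), the service and customer names, and the default-deny / explicit-deny-wins evaluation order are all assumptions for illustration.

```python
"""Added example (not from the patents): a second service evaluating customer
policy conditions on the chain of services that submitted a request.
Policy format, field names, service names and the request fields are
illustrative assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    customer: str        # customer on whose behalf the request is submitted
    action: str          # e.g. "storage:GetObject"
    resource: str        # e.g. "bucket/cust-1/report.csv"
    # Services that played a role in submitting the request, outermost first.
    # Empty means the customer called the second service directly.
    service_chain: Tuple[str, ...] = ()


# Constructed policy for one customer. Conditions refer to the service chain:
#   via_service      - the named service must appear somewhere in the chain
#   direct_caller    - the named service must be the one that called us
#   max_chain_length - at most this many services may sit between customer and us
POLICIES_BY_CUSTOMER: Dict[str, List[dict]] = {
    "cust-1": [{
        "statements": [
            {"effect": "Allow", "actions": ["storage:GetObject"],
             "resources": ["bucket/cust-1/*"],
             "condition": {"via_service": "compute", "max_chain_length": 2}},
            {"effect": "Allow", "actions": ["storage:*"],
             "resources": ["bucket/cust-1/*"],
             "condition": {"max_chain_length": 0}},   # customer calling directly
            {"effect": "Deny", "actions": ["*"], "resources": ["*"],
             "condition": {"via_service": "legacy-gateway"}},
        ]
    }]
}


def condition_holds(cond: dict, req: Request) -> bool:
    chain = req.service_chain
    if "via_service" in cond and cond["via_service"] not in chain:
        return False
    if "direct_caller" in cond and (not chain or chain[-1] != cond["direct_caller"]):
        return False
    if "max_chain_length" in cond and len(chain) > cond["max_chain_length"]:
        return False
    return True


def statement_matches(stmt: dict, req: Request) -> bool:
    return (any(fnmatchcase(req.action, a) for a in stmt["actions"])
            and any(fnmatchcase(req.resource, r) for r in stmt["resources"])
            and condition_holds(stmt.get("condition", {}), req))


def is_allowed(req: Request) -> bool:
    """Default deny; an explicit Deny that matches overrides any Allow."""
    allowed = False
    for policy in POLICIES_BY_CUSTOMER.get(req.customer, []):
        for stmt in policy["statements"]:
            if not statement_matches(stmt, req):
                continue
            if stmt["effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(Request("cust-1", "storage:GetObject",
                             "bucket/cust-1/report.csv", ("compute",))))
```

The point of conditioning on the whole chain rather than only the immediate caller is visible in the Deny statement: a request that is otherwise allowed because it came through "compute" is still refused if "legacy-gateway" appears anywhere earlier in the chain, so the second service cannot be used to launder a request that originated through a path the customer has excluded.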
-
Publication number: US20160112412A1
Publication date: 2016-04-21
Application number: US14976398
Filing date: 2015-12-21
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Graeme David Baer , Brian Irl Pratt
IPC: H04L29/06
CPC classification number: H04L63/0838 , G06F21/34
Abstract: A one-time password (OTP) based security scheme is described, where a provider pre-generates a number of verification codes (e.g., OTP codes) which will be valid for a predetermined interval. The provider then encodes the verification codes (e.g., by hashing each code with a time value), and stores the verification codes into a data structure. The data structure can be provided to a verification system that can use the set of pre-generated OTP codes to authenticate requests received from users having personal security tokens.
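The scheme in the abstract above separates the provider, which knows the token secrets, from a verification system that only receives pre-generated codes hashed with their time values. The following is an added example, not code from the patent: the provider derives an HOTP-style code per 30-second interval, hashes each code together with the token id and interval, and ships the resulting set; the verifier checks membership within a small skew window and discards an entry once used. The step size, digit count, hash choices and the token secret are constructed assumptions.

```python
"""Added example (not from the patent): a provider pre-generates OTP codes for
a range of time intervals, stores each one hashed together with its time value,
and hands the table to a verifier that never sees the token secrets. Step size,
digit count, hash choice and the constructed secret are assumptions."""
import hashlib
import hmac
import struct
from typing import Dict, Set

STEP = 30    # seconds per interval (assumption)
DIGITS = 6


def interval_for(ts: int) -> int:
    return ts // STEP


def otp_code(secret: bytes, interval: int) -> str:
    """HOTP-style code for one interval (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def encode_entry(token_id: str, code: str, interval: int) -> bytes:
    """Hash the code with its time value; the table never holds raw codes."""
    return hashlib.sha256(f"{token_id}|{interval}|{code}".encode()).digest()


def pregenerate(tokens: Dict[str, bytes], start_interval: int, count: int) -> Set[bytes]:
    """Provider side: one entry per token per interval in the covered window."""
    table = set()
    for token_id, secret in tokens.items():
        for iv in range(start_interval, start_interval + count):
            table.add(encode_entry(token_id, otp_code(secret, iv), iv))
    return table


class Verifier:
    """Verification system: holds only the encoded table, no token secrets."""

    def __init__(self, table: Set[bytes], window: int = 1):
        self.table = set(table)
        self.window = window   # tolerated clock skew, in intervals

    def verify(self, token_id: str, code: str, now_ts: int) -> bool:
        current = interval_for(now_ts)
        for iv in range(current - self.window, current + self.window + 1):
            entry = encode_entry(token_id, code, iv)
            if entry in self.table:
                self.table.discard(entry)   # one-time use: a replay fails
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-secret-token-A"
    start = interval_for(1_700_000_000)
    verifier = Verifier(pregenerate({"token-A": secret}, start, 10))
    print(verifier.verify("token-A", otp_code(secret, start + 2), (start + 2) * STEP + 5))
```

Two properties matter operationally: the table bounds the verifier's validity period (a code for an interval the provider did not pre-generate can never verify, so table refresh is the expiry mechanism), and because entries are keyed by interval, a code captured in one interval is rejected outside the skew window and after its first use.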
-
Publication number: US20140310769A1
Publication date: 2014-10-16
Application number: US14316675
Filing date: 2014-06-26
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Ross O'Neill , Gregory B. Roth , Eric Jason Brandwine , Brian Irl Pratt , Bradley Jeffery Behm , Nathan R. Fitch
IPC: H04L29/06
Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
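The abstract above has session credentials carry their own metadata (permissions, claims) while a separate policy set decides whether a request made with them is fulfilled. The following is an added example, not code from the patent: an issuer signs a JSON payload with an HMAC, and a resource service verifies the signature and expiry, then requires both the credential's embedded permissions and a policy statement (which may demand a claim such as mfa) to allow the request. The token encoding, the policy format, the resource names and the signing key are constructed assumptions.

```python
"""Added example (not from the patent): session credentials carrying signed
metadata (permissions and claims), checked by a resource service against a
policy set before a request is fulfilled. The token format (HMAC-signed JSON),
the policy format and the constructed key are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
from fnmatch import fnmatchcase
from typing import Optional

SIGNING_KEY = b"constructed-session-signing-key"   # shared by issuer and resource services

# Constructed policy set: which actions a resource admits and which claims it requires.
POLICY = [
    {"resources": ["db/prod/*"], "actions": ["db:Read"], "require_claims": {"mfa": True}},
    {"resources": ["db/dev/*"], "actions": ["db:*"], "require_claims": {}},
]


def issue_session(user: str, permissions, claims: dict, ttl: int, now: int) -> str:
    payload = {"sub": user, "exp": now + ttl,
               "permissions": sorted(permissions), "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def parse_session(token: str, now: int) -> Optional[dict]:
    """Return the metadata only if the signature verifies and the session is live."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload["exp"] <= now:
        return None
    return payload


def authorize(token: str, action: str, resource: str, now: int) -> bool:
    """Both the credential's own permissions and the policy set must allow the request."""
    meta = parse_session(token, now)
    if meta is None:
        return False
    if not any(fnmatchcase(action, p) for p in meta["permissions"]):
        return False
    for stmt in POLICY:
        if (any(fnmatchcase(resource, r) for r in stmt["resources"])
                and any(fnmatchcase(action, a) for a in stmt["actions"])
                and all(meta["claims"].get(k) == v for k, v in stmt["require_claims"].items())):
            return True
    return False


if __name__ == "__main__":
    tok = issue_session("alice", ["db:Read"], {"mfa": True}, 3600, 1_700_000_000)
    print(authorize(tok, "db:Read", "db/prod/orders", 1_700_000_010))
```

The signature is checked before the payload is parsed, so a tampered body never reaches json.loads, and the permissions embedded in the credential act as an upper bound: a user whose policy would admit db:Write still cannot perform it with a session issued for db:Read only.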
-
Publication number: US20140229739A1
Publication date: 2014-08-14
Application number: US13765239
Filing date: 2013-02-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
IPC: G06F21/62
CPC classification number: G06F21/6218 , G06F2221/2137 , H04L9/088 , H04L63/0442 , H04L63/06
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
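The abstract above combines three mechanisms: the request information is signed by the requestor, it names the holder of the key needed to process it (the processing system itself or a third party), and decryption requests are held for a delay during which they can be cancelled. The following is an added example, not code from the patent: a decryption service verifies an HMAC over the request information with a per-requestor key, routes the request to the named key holder, and releases plaintext only once the delay has elapsed and no cancellation arrived. The signature scheme, the HMAC-counter-mode stream used to stand in for the data key, the delay, the holder names and all keys are constructed assumptions.

```python
"""Added example (not from the patent): a decryption service that verifies the
requestor's signature over the request information, routes the request to the
key holder that information names (the service itself or a third party), and
fulfills it only after a delay during which it may be cancelled. Signature scheme
(HMAC with a per-requestor verification key), the stream construction used for
the data key, delay length and all keys are constructed assumptions."""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Verification keys the service holds for known requestors (assumption).
REQUESTOR_KEYS: Dict[str, bytes] = {"alice": b"constructed-alice-request-key"}


class KeyHolder:
    """Holds one data key. Keystream is HMAC-SHA256 in counter mode: an
    illustrative PRF-based stream, not a substitute for a real AEAD."""

    def __init__(self, key: bytes):
        self._key = key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, nonce: bytes, data: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    decrypt = encrypt   # XOR stream: the same operation in both directions


def sign_request(requestor: str, info: dict) -> dict:
    body = json.dumps(info, sort_keys=True).encode()
    sig = hmac.new(REQUESTOR_KEYS[requestor], body, hashlib.sha256).hexdigest()
    return {"requestor": requestor, "info": info, "sig": sig}


def verify_request(req: dict) -> bool:
    """The signature binds the whole information block, including the key holder named in it."""
    key = REQUESTOR_KEYS.get(req.get("requestor"))
    if key is None:
        return False
    body = json.dumps(req["info"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), req["sig"])


@dataclass
class Pending:
    req: dict
    ready_at: int
    cancelled: bool = False


class DecryptService:
    def __init__(self, holders: Dict[str, KeyHolder], delay: int):
        self.holders = holders        # "self" plus any third-party holders we can reach
        self.delay = delay
        self.pending: Dict[str, Pending] = {}

    def submit(self, req: dict, now: int) -> Optional[str]:
        """Accept only authentic requests that name a reachable key holder."""
        if not verify_request(req) or req["info"].get("key_holder") not in self.holders:
            return None
        rid = hashlib.sha256(json.dumps([req, now], sort_keys=True).encode()).hexdigest()[:16]
        self.pending[rid] = Pending(req, now + self.delay)
        return rid

    def cancel(self, rid: str) -> bool:
        p = self.pending.get(rid)
        if p is None:
            return False
        p.cancelled = True
        return True

    def fulfill(self, rid: str, now: int) -> Optional[bytes]:
        """Plaintext is released only once the delay has elapsed and no cancel arrived."""
        p = self.pending.get(rid)
        if p is None or p.cancelled or now < p.ready_at:
            return None
        info = p.req["info"]
        holder = self.holders[info["key_holder"]]
        plaintext = holder.decrypt(bytes.fromhex(info["nonce"]), bytes.fromhex(info["ciphertext"]))
        del self.pending[rid]
        return plaintext
```

Because the key holder identity is inside the signed information, an intermediary cannot redirect a request from the third-party holder to the local one (or vice versa) without invalidating the signature; and because the delay is enforced on fulfill rather than on submit, an operator who notices a suspicious pending request still has the window to cancel it.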
-