Revocable shredding of security credentials
    81.
    Granted invention patent
    Revocable shredding of security credentials (in force)

    Publication number: US09071429B1

    Publication date: 2015-06-30

    Application number: US13873083

    Filing date: 2013-04-29

    Abstract: Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment.

    MANAGING REPLICATION OF COMPUTING NODES FOR PROVIDED COMPUTER NETWORKS
    82.
    Invention application
    MANAGING REPLICATION OF COMPUTING NODES FOR PROVIDED COMPUTER NETWORKS (under examination, published)

    Publication number: US20150169417A1

    Publication date: 2015-06-18

    Application number: US14629234

    Filing date: 2015-02-23

    Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.

    MANAGING PRIVATE USE OF PROGRAM EXECUTION CAPACITY
    83.
    Invention application
    MANAGING PRIVATE USE OF PROGRAM EXECUTION CAPACITY (under examination, published)

    Publication number: US20150121400A1

    Publication date: 2015-04-30

    Application number: US14584808

    Filing date: 2014-12-29

    CPC classification number: G06F9/466 G06F9/5072 G06Q20/085

    Abstract: Techniques are described for managing execution of programs, including using excess program execution capacity of one or more computing systems. For example, a private pool of excess computing capacity may be maintained for a user based on unused dedicated program execution capacity allocated for that user, with the private pool of excess capacity being available for priority use by that user. Such private excess capacity pools may further in some embodiments be provided in addition to a general, non-private excess computing capacity pool that is available for use by multiple users, optionally including users who are associated with the private excess capacity pools. In some such situations, excess computing capacity may be made available to execute programs on a temporary basis, such that the programs executing using the excess capacity may be terminated at any time if other preferred use for the excess capacity arises.

    Managing encoded multi-part communications
    84.
    Granted invention patent
    Managing encoded multi-part communications (in force)

    Publication number: US08972603B1

    Publication date: 2015-03-03

    Application number: US14081980

    Filing date: 2013-11-15

    Abstract: Techniques are described for providing managed computer networks. In some situations, the techniques include managing communications for computing nodes of a managed computer network by automatically determining to separate a particular outgoing packet or other outgoing communication from a source computing node into multiple parts (e.g., multiple packets) to be independently sent using two or more alternative network paths between the sending computing node and the destination for the communication. For example, a manager module associated with the source computing node may automatically determine to encode the outgoing communication into a dynamically determined quantity of multiple parts (e.g., by using a configurable erasure code), such as based on current information about available alternative paths, and another manager module associated with the destination may receive at least some of the multiple parts and decode them into the original outgoing communication, which is then provided to the destination.

    Managing communications for modified computer networks
    85.
    Granted invention patent
    Managing communications for modified computer networks (in force)

    Publication number: US08937960B2

    Publication date: 2015-01-20

    Application number: US14265159

    Filing date: 2014-04-29

    Abstract: Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are part of a virtual computer network. In some situations, various types of modifications may be made to one or more computing nodes of an existing virtual computer network, and the described techniques include managing ongoing communications for those computing nodes so as to accommodate the modifications. Such modifications may include, for example, migrating or otherwise moving a particular computing node that is part of a virtual network to a new physical network location, or modifying other aspects of how the computing node participates in the virtual network (e.g., changing one or more virtual network addresses used by the computing node). In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

    CRYPTOGRAPHICALLY ATTESTED RESOURCES FOR HOSTING VIRTUAL MACHINES
    86.
    Invention application
    CRYPTOGRAPHICALLY ATTESTED RESOURCES FOR HOSTING VIRTUAL MACHINES (in force)

    Publication number: US20150007175A1

    Publication date: 2015-01-01

    Application number: US13932828

    Filing date: 2013-07-01

    Abstract: Approaches to enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.

    SOURCE IDENTIFICATION FOR UNAUTHORIZED COPIES OF CONTENT
    87.
    Invention application
    SOURCE IDENTIFICATION FOR UNAUTHORIZED COPIES OF CONTENT (in force)

    Publication number: US20140258732A1

    Publication date: 2014-09-11

    Application number: US14282386

    Filing date: 2014-05-20

    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
