-
Publication (Announcement) No.: US10346607B2
Publication (Announcement) Date: 2019-07-09
Application No.: US15238639
Filing Date: 2016-08-16
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse
Abstract: A system and method for a credentials agent that automatically rotates and stores security credentials to be used at least in part to authenticate calling applications with a computing resource service provider. Upon determining that a first set of credentials is due to be rotated, the credentials agent may obtain a second set of credentials and store the second set of credentials in a data store. The credentials agent may give notice to a calling application that the first set of credentials is due to be rotated, whereupon the calling application may obtain the second set of credentials and be authenticated to access a resource of the computing resource service provider at least in part by providing the second set of credentials. The authorization system provides visualizations and alerts to administrators of unexpected states that may be caused by misconfigured applications or malicious users.
-
Publication (Announcement) No.: US09544292B2
Publication (Announcement) Date: 2017-01-10
Application No.: US14963760
Filing Date: 2015-12-09
Applicant: Amazon Technologies, Inc.
Inventor: James Leon Irving, Jr., Andrew Paul Mikulski, Gregory Branchek Roth, William Frederick Kruse
CPC classification number: H04L63/08, H04L63/10, H04L63/102, H04L63/108, H04L63/12
Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing the potential impact on the various systems that may depend on such credentials. The credentials may be disabled temporarily at first, and the availability of various resources is monitored for changes. If no significant drop in resource availability has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.
-
Publication (Announcement) No.: US09424419B1
Publication (Announcement) Date: 2016-08-23
Application No.: US14524321
Filing Date: 2014-10-27
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse
Abstract: A system and method for a credentials agent that automatically rotates and stores security credentials usable at least in part to authenticate calling applications with a computing resource service provider. Upon determining that a first set of credentials is due to be rotated, the credentials agent may obtain a second set of credentials and store the second set of credentials in a data store. The credentials agent may give notice to a calling application that the first set of credentials is due to be rotated, whereupon the calling application may obtain the second set of credentials and be authenticated to access a resource of the computing resource service provider at least in part by providing the second set of credentials. The authorization system provides visualizations and alerts to administrators of unexpected states that may be caused by misconfigured applications or malicious users.
-
Publication (Announcement) No.: US20200213362A1
Publication (Announcement) Date: 2020-07-02
Application No.: US16810331
Filing Date: 2020-03-05
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse, Nima Sharifi Mehr
Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies, and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by a user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.
-
Publication (Announcement) No.: US20160357955A1
Publication (Announcement) Date: 2016-12-08
Application No.: US15238639
Filing Date: 2016-08-16
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse
Abstract: A system and method for a credentials agent that automatically rotates and stores security credentials to be used at least in part to authenticate calling applications with a computing resource service provider. Upon determining that a first set of credentials is due to be rotated, the credentials agent may obtain a second set of credentials and store the second set of credentials in a data store. The credentials agent may give notice to a calling application that the first set of credentials is due to be rotated, whereupon the calling application may obtain the second set of credentials and be authenticated to access a resource of the computing resource service provider at least in part by providing the second set of credentials. The authorization system provides visualizations and alerts to administrators of unexpected states that may be caused by misconfigured applications or malicious users.
-
Publication (Announcement) No.: US09319392B1
Publication (Announcement) Date: 2016-04-19
Application No.: US14040373
Filing Date: 2013-09-27
Applicant: Amazon Technologies, Inc.
Inventor: James Leon Irving, Jr., Andrew Paul Mikulski, Gregory Branchek Roth, William Frederick Kruse
IPC: H04L29/06
CPC classification number: H04L63/08, H04L63/10, H04L63/102, H04L63/108, H04L63/12
Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing the potential impact on the various systems that may depend on such credentials. The credentials may be disabled temporarily at first, and the availability of various resources is monitored for changes. If no significant drop in resource availability has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.
-
Publication (Announcement) No.: US11588855B2
Publication (Announcement) Date: 2023-02-21
Application No.: US16810331
Filing Date: 2020-03-05
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse, Nima Sharifi Mehr
Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies, and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by a user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.
-
Publication (Announcement) No.: US11271949B1
Publication (Announcement) Date: 2022-03-08
Application No.: US16451926
Filing Date: 2019-06-25
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse, Ryan Pickren, Guifre Ruiz Utges, Zak Aaron Edwards
Abstract: The disclosure herein pertains to a security vulnerability scanner. The security vulnerability scanner parses a URL into a network portion and a fragment portion. The security vulnerability scanner then runs the URL on a network-side browser to generate processed results. Advantageously, the security vulnerability scanner is able to mimic a client-side browser by running various fragment portions in order to analyze security risks.
-
Publication (Announcement) No.: US09602482B1
Publication (Announcement) Date: 2017-03-21
Application No.: US14104986
Filing Date: 2013-12-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth, William Frederick Kruse
CPC classification number: H04L63/08, H04L63/0807, H04L63/107
Abstract: Technology for managing an API request is described. In an example implementation, an authentication service may receive a request to access a service. The authentication service may be configured to determine the proximity to the service of the client device from which the request originated. The authentication service may be further configured to grant the request based in part on the determined proximity of the client device to the service, with respect to a policy.
-
Publication (Announcement) No.: US09313230B1
Publication (Announcement) Date: 2016-04-12
Application No.: US14493212
Filing Date: 2014-09-22
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse, Nima Sharifi Mehr
CPC classification number: H04L63/20, G06F11/004, G06F11/1446, G06F2201/00, G06Q10/10
Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies, and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by a user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.