-
1.
Publication No.: US20240095338A1
Publication date: 2024-03-21
Application No.: US17810291
Application date: 2022-06-30
Applicant: Amazon Technologies, Inc.
Inventor: Joshua Benjamin Levinson, Colm MacCarthaigh, Alexander Graf, Iulia-Daniela Doras-Prodan, Petre Eftime
CPC classification number: G06F21/53, G06F9/455, H04L9/0891, G06F2221/2149
Abstract: An instance secrets management isolated runtime environment is launched at a virtualization server, and utilizes a subset of memory assigned to a compute instance. The subset of memory is inaccessible from entities external to the runtime environment. A secrets manager of the runtime environment provides a security artifact to an application, running at the compute instance, which has requested access to a resource. The artifact is generated by the secrets manager using a security secret associated with the compute instance; the secret is not accessible to programs external to the runtime environment. In response to a determination that the artifact is valid, the application obtains access to the resource.
-
2.
Publication No.: US20240004681A1
Publication date: 2024-01-04
Application No.: US17809859
Application date: 2022-06-29
Applicant: Amazon Technologies, Inc.
Inventor: Alexander Graf, Ioannis Aslanidis, Deepak Gupta, Jonathan Daniel Bean
CPC classification number: G06F9/45558, G06F21/44, G06F2009/45587, G06F2009/45579, G06F2009/45595
Abstract: A virtualized computing service provides a computing instance capable of requesting attestation of the authenticity of the hypervisor implementing the computing instances. An attestation device included in a virtualization host maintains a log of hash values representing hypervisor versions that have been implemented at the virtualization host. Also, an independent auditor (e.g., attestation service) is provided software configurations that are known to be authentic. The independent auditor generates hash values for the authentic hypervisor versions. The computing instance receives a response from the local attestation device indicating hash values of hypervisor versions currently and/or previously deployed on the virtualization host, and the computing instance forwards the hash values to the independent auditor to authenticate that they match the hash values of the known authentic hypervisor versions. In some embodiments, a similar process may also be used to attest to the authenticity of operating systems used by the computing instance.
-