-
Publication (Announcement) No.: US20250106256A1
Publication (Announcement) Date: 2025-03-27
Application No.: US18371034
Application Date: 2023-09-21
Applicant: Amazon Technologies, Inc.
Inventor: Amit GOEL, Chengpeng LI, Chungha SUNG, Loris D'ANTONI, Neha RUNGTA
Abstract: Techniques for analyzing access control policies across multiple provider networks. These techniques compile various policies into a unified policy language broad enough to include diverse policy features, yet specific enough for automated analysis. An automated differential testing method is employed to confirm the accuracy of this compilation by generating access requests, ensuring both original and translated policies consistently grant or deny access. Moreover, an abstraction technique is used to simplify and correlate the complex details of different policies, enabling easier user inquiries about them. For instance, users can determine if an account has write access in one network but not in another. This abstraction sometimes involves replacing actions in original policies, ensuring their compatibility in the target policy language.
-
Publication (Announcement) No.: US20240330709A1
Publication (Announcement) Date: 2024-10-03
Application No.: US18193546
Application Date: 2023-03-30
Applicant: Amazon Technologies, Inc.
Inventor: Alexandre DAVID, Jeremiah M. DUNHAM, Amit GOEL, Dejan JOVANOVIC, Rami Gokhan KICI
Abstract: Techniques are described for executing satisfiability modulo theories (SMT) solvers in a “shadow” system configuration where input queries are provided to a primary SMT solver system and additionally to one or more secondary SMT solver systems. SMT solver systems can be used by cloud providers and in other computing environments to analyze the implications of configured user account policies defining permissions with respect to users' computing resources and associated actions within a computing environment, to help ensure the security of computing resources and user data, etc. The results generated by a primary SMT solver system can be provided to one or more secondary SMT solver systems, where each of the secondary SMT systems can comprise different system components or different versions of system components, to assess the correctness of the primary SMT solver system, to compare performance metrics, among other possible types of analyses.
-
Publication (Announcement) No.: US20240202545A1
Publication (Announcement) Date: 2024-06-20
Application No.: US18066881
Application Date: 2022-12-15
Applicant: Amazon Technologies, Inc.
Inventor: Kevin LOTZ, Bruno DUTERTRE, John Byron COOK, Amit GOEL, Robert JONES, Benjamin KIESL-REITER, Soon Ho KONG, Rupak MAJUMDAR
Abstract: Techniques are described for providing a SAT-based solver for a quantifier-free theory of strings and bit vectors. The solver can be used by an automated reasoning service of a cloud provider network to analyze policies and the consequences of policies. The solver reduces an input formula to a Boolean satisfiability problem by encoding the input formula into an equisatisfiable propositional formula, where the satisfiability of the equisatisfiable propositional formula is determined by a SAT solver. Rather than using a traditional DPLL(T) style algorithm, the solver described herein bounds the length of variables in an input formula and reduces the problem to a single formula, which can then be solved using incremental SAT solving. The solver can be used independently or as part of a portfolio of solvers used to determine the satisfiability or unsatisfiability of certain formula corresponding, e.g., to questions about users' policies within a cloud provider network.
-
Publication (Announcement) No.: US20240114035A1
Publication (Announcement) Date: 2024-04-04
Application No.: US17957904
Application Date: 2022-09-30
Applicant: Amazon Technologies, Inc.
Inventor: Neha RUNGTA, Chungha SUNG, Amit GOEL, Zvonimir RAKAMARIC, Loris D'ANTONI
IPC: H04L9/40
CPC classification number: H04L63/107, H04L63/102
Abstract: Techniques are described for providing a policy refiner application used to analyze and recommend modifications to identity and access management policies created by users of a cloud provider network (e.g., to move the policies toward least-privilege permissions). A policy refiner application receives as input a policy to analyze, and a log of events related to activity associated with one or more accounts of a cloud provider network. The policy refiner application can identify, from the log of events, actions that were permitted based on particular statements contained in the policy. Based on field values contained in the corresponding events, the policy refiner application generates an abstraction of the field values, where the abstraction of the field values may represent a more restrictive version of the field from a policy perspective. These abstractions can be presented to users as recommendations for modifying their policy to reduce the privileges granted by the policy.