公开(公告)号：US11677789B2

公开(公告)日：2023-06-13

申请号：US17119663

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Daniel George Peebles ,  Andrew Jude Gacek ,  Marvin Theimer ,  Rebecca Claire Weiss ,  Brigid Ann Johnson

IPC: G06F15/16 ,  H04L9/40 ,  H04L41/5051 ,  H04L41/50

CPC classification number: H04L63/205 ,  H04L41/5051 ,  H04L41/5096 ,  H04L63/102

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

公开(公告)号：US11777991B2

公开(公告)日：2023-10-03

申请号：US17107082

申请日：2020-11-30

Applicant: Amazon Technologies, Inc.

Inventor： Homer Strong ,  Brigid Ann Johnson ,  Mathangi Ramesh

IPC: H04L9/40 ,  G06N7/01

CPC classification number: H04L63/20 ,  G06N7/01

Abstract: A first permission allocated to a first identity may be identified. Permission usage information may be analyzed. The permission usage information may include permission usage history information and permission usage pattern data. An estimated probability of a future usage of the first permission by the first identity may be forecasted based, at least in part, on the permission usage information. A first recommendation relating to allocation of the first permission to the first identity may be determined based, at least in part, on the estimated probability. The first recommendation may be a recommendation for the first identity to retain the first permission or a recommendation to deallocate the first permission from the first identity. An indication of the first recommendation may be provided to a user.

公开(公告)号：US11032287B1

公开(公告)日：2021-06-08

申请号：US16122192

申请日：2018-09-05

Applicant: Amazon Technologies, Inc.

Inventor： Mingkun Wang ,  Jasmeet Chhabra ,  Hang Li ,  Chenguang Yin ,  Dan Popick ,  Alazel Acheson ,  Apurv Awasthi ,  Brigid Ann Johnson ,  Conor P. Cahill

IPC: H04L29/06 ,  G06F21/62 ,  G06F17/00 ,  G06F21/60

Abstract: A method and system for generating permissions policies and permission boundary policies are described. The system receives a first request from a central administrator to create a delegated administrator, the first request specifying with one or more access permissions. The system generates a permission boundary policy that specifies the one or more access permissions and a first permissions policy that grants permissions to the delegated administrator to at least one of create an IAM principal with the permission boundary policy or attach a second permissions policy to the IAM principal. An effective permission given to the IAM principal is an intersection of access permissions specified in the first permissions policy and the one or more access permissions in the permission boundary policy. The system attaches the first permissions policy and the permission boundary policy to the delegated administrator.

公开(公告)号：US10944561B1

公开(公告)日：2021-03-09

申请号：US15979248

申请日：2018-05-14

Applicant: Amazon Technologies, Inc.

Inventor： Conor Patrick Cahill ,  Rachit Jain ,  Brigid Ann Johnson ,  Praveen Akinapally ,  Varun Jayant Oswal ,  Jasmeet Chhabra ,  Ritwick Dhar ,  Luke Edward Kennedy ,  Per Mikael Horal

IPC: H04L9/32 ,  H04L29/06 ,  G06F21/62 ,  G06F21/60

Abstract: A security token service receives a request for a token. The request indicates a set of access control policies that define a set of permissions for access to a resource. The security token service generates the token to comprise a set of identifiers of the set of access control policies. The security token service provides the token in response to the request to enable the token to be used to access the resource in accordance with the set of access control policies.

公开(公告)号：US20240223618A1

公开(公告)日：2024-07-04

申请号：US18604379

申请日：2024-03-13

Applicant: Amazon Technologies, Inc.

Inventor： Jacob A. Kjelstrup ,  Bharath Mukkati Prakash ,  Brigid Ann Johnson ,  Ujjwal Rajkumar Pugalia

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/205 ,  G06N20/00 ,  H04L63/105

Abstract: Methods, systems, and computer-readable media for auto-tuning permissions using a learning mode are disclosed. A plurality of access requests to a plurality of services and resources by an application are determined during execution of the application in a learning mode in a pre-production environment. The plurality of services and resources are hosted in a multi-tenant provider network. A subset of the services and resources that were used by the application during the learning mode are determined. An access control policy is generated that permits access to the subset of the services and resources used by the application during the learning mode. The access control policy is attached to a role associated with the application to permit access to the subset of the services and resources in a production environment.

公开(公告)号：US11968241B1

公开(公告)日：2024-04-23

申请号：US16453931

申请日：2019-06-26

Applicant: Amazon Technologies, Inc.

Inventor： Jacob A. Kjelstrup ,  Bharath Mukkati Prakash ,  Brigid Ann Johnson ,  Ujjwal Rajkumar Pugalia

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/205 ,  G06N20/00 ,  H04L63/105

Abstract: Methods, systems, and computer-readable media for auto-tuning permissions using a learning mode are disclosed. A plurality of access requests to a plurality of services and resources by an application are determined during execution of the application in a learning mode in a pre-production environment. The plurality of services and resources are hosted in a multi-tenant provider network. A subset of the services and resources that were used by the application during the learning mode are determined. An access control policy is generated that permits access to the subset of the services and resources used by the application during the learning mode. The access control policy is attached to a role associated with the application to permit access to the subset of the services and resources in a production environment.

公开(公告)号：US20230216887A1

公开(公告)日：2023-07-06

申请号：US17107082

申请日：2020-11-30

Applicant: Amazon Technologies, Inc.

Inventor： Homer Strong ,  Brigid Ann Johnson ,  Mathangi Ramesh

IPC: H04L29/06 ,  G06N7/00

CPC classification number: H04L63/20 ,  G06N7/005

Abstract: A first permission allocated to a first identity may be identified. Permission usage information may be analyzed. The permission usage information may include permission usage history information and permission usage pattern data. An estimated probability of a future usage of the first permission by the first identity may be forecasted based, at least in part, on the permission usage information. A first recommendation relating to allocation of the first permission to the first identity may be determined based, at least in part, on the estimated probability. The first recommendation may be a recommendation for the first identity to retain the first permission or a recommendation to deallocate the first permission from the first identity. An indication of the first recommendation may be provided to a user.