-
Publication number: US09319392B1
Publication date: 2016-04-19
Application number: US14040373
Filing date: 2013-09-27
Applicant: Amazon Technologies, Inc.
Inventor: James Leon Irving, Jr. , Andrew Paul Mikulski , Gregory Branchek Roth , William Frederick Kruse
IPC: H04L29/06
CPC classification number: H04L63/08 , H04L63/10 , H04L63/102 , H04L63/108 , H04L63/12
Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.
-
Publication number: US09425966B1
Publication date: 2016-08-23
Application number: US13826888
Filing date: 2013-03-14
Applicant: Amazon Technologies, Inc.
Inventor: Nachiketh Rao Potlapally , Eric Jason Brandwine , Gregory Alan Rubin , Patrick James Ward , James Leon Irving, Jr. , Andrew Paul Mikulski , Donald Lee Bailey, Jr.
CPC classification number: H04L9/3263 , H04L9/302 , H04L9/3268 , H04L63/0823 , H04L63/1433
Abstract: Methods and apparatus for a security mechanism evaluation service are disclosed. A storage medium stores program instructions that when executed on a processor define a programmatic interface enabling a client to submit an evaluation request for a security mechanism. On receiving an evaluation request from a client indicating a particular security mechanism using public-key encryption, the instructions when executed, identify resources of a provider network to be used to respond. The instructions, when executed, provide to the client, one or more of: (a) a trustworthiness indicator for a certificate authority that issued a public-key certificate in accordance with the particular security mechanism; (b) a result of a syntax analysis of the public-key certificate; or (c) a vulnerability indicator for a key pair.
-
Publication number: US10110629B1
Publication date: 2018-10-23
Application number: US15080504
Filing date: 2016-03-24
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse , Hassan Sultan , Nicholas Howard Brown , James Leon Irving, Jr. , Donald Lee Bailey, Jr.
IPC: H04L29/06
Abstract: A honeypot resource management service receives a request to provision one or more honeypot resources. In response to the request, the service identifies at least one computing resource service that is to be used to present the one or more honeypot resources. The service generates configuration information that is transmitted to the at least one computing resource service to cause the computing resource service to present the one or more honeypot resources to users in accordance with a set of parameters specified in the configuration information.
-
Publication number: US09544292B2
Publication date: 2017-01-10
Application number: US14963760
Filing date: 2015-12-09
Applicant: Amazon Technologies, Inc.
Inventor: James Leon Irving, Jr. , Andrew Paul Mikulski , Gregory Branchek Roth , William Frederick Kruse
CPC classification number: H04L63/08 , H04L63/10 , H04L63/102 , H04L63/108 , H04L63/12
Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.
-