公开(公告)号：US11108805B2

公开(公告)日：2021-08-31

申请号：US16020865

申请日：2018-06-27

Applicant: Amazon Technologies, Inc.

Inventor： Catherine Dodge ,  Nikhil Reddy Cheruku ,  John Byron Cook ,  Temesghen Kahsai Azene ,  William Jo Kocik ,  Sean McLaughlin ,  Mark Edward Stalzer ,  Blake Whaley ,  Yiwen Wu

IPC: G06F21/00 ,  H04L29/06 ,  G06F16/2455 ,  H04L12/24 ,  H04L12/26

Abstract: Methods, systems, and computer-readable media for automated packetless network reachability analysis are disclosed. An analysis is performed of network configuration data for a network comprising a host computer. Based at least in part on the analysis, one or more ports at the host computer that are reachable from another computer are determined. Based at least in part on the analysis, one or more routes to the one or more ports are determined. A report is generated that is descriptive of the one or more ports and the one or more routes.

公开(公告)号：US10664379B2

公开(公告)日：2020-05-26

申请号：US16122676

申请日：2018-09-05

Applicant: Amazon Technologies, Inc.

Inventor： Juan Rodriguez Hortala ,  Neha Rungta ,  Mark R. Tuttle ,  Serdar Tasiran ,  Michael Tautschnig ,  Andrea Nedic ,  Carsten Varming ,  John Byron Cook ,  Sean McLaughlin

IPC: G06F9/44 ,  G06F11/36 ,  G06F9/54 ,  G06F8/65 ,  G06F9/50

Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.

公开(公告)号：US20230262087A1

公开(公告)日：2023-08-17

申请号：US18306947

申请日：2023-04-25

Applicant: Amazon Technologies, Inc.

Inventor： Catherine Dodge ,  Nikhil Reddy Cheruku ,  John Byron Cook ,  Temesghen Kahsai Azene ,  William Jo Kocik ,  Sean McLaughlin ,  Mark Edward Stalzer ,  Blake Whaley ,  Yiwen Wu

IPC: H04L9/40 ,  H04L41/0866 ,  H04L41/12 ,  H04L41/22 ,  H04L43/06

CPC classification number: H04L63/1433 ,  H04L41/0866 ,  H04L41/12 ,  H04L41/22 ,  H04L43/06 ,  H04L63/0272 ,  H04L63/1441

Abstract: Methods, systems, and computer-readable media for automated packetless network reachability analysis are disclosed. An analysis is performed of network configuration data for a network comprising a host computer. Based at least in part on the analysis, one or more ports at the host computer that are reachable from another computer are determined. Based at least in part on the analysis, one or more routes to the one or more ports are determined. A report is generated that is descriptive of the one or more ports and the one or more routes.

公开(公告)号：US20220191206A1

公开(公告)日：2022-06-16

申请号：US17119868

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L29/06 ,  H04L12/24

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

公开(公告)号：US11757886B2

公开(公告)日：2023-09-12

申请号：US17119868

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L9/40 ,  H04L41/0604 ,  H04L41/22 ,  G06F21/62 ,  G06F16/901

CPC classification number: H04L63/101 ,  G06F21/62 ,  H04L41/0627 ,  H04L41/22 ,  H04L63/0435 ,  H04L63/10 ,  H04L63/105 ,  H04L63/20 ,  G06F16/9024

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

公开(公告)号：US11483350B2

公开(公告)日：2022-10-25

申请号：US16369215

申请日：2019-03-29

Applicant: Amazon Technologies, Inc.

Inventor： Pauline Virginie Bolignano ,  Tyler Bray ,  John Byron Cook ,  Andrew Jude Gacek ,  Kasper Søe Luckow ,  Andrea Nedic ,  Neha Rungta ,  Cole Schlesinger ,  Carsten Varming

IPC: H04L9/40 ,  G06F8/41 ,  G06F9/54

Abstract: Techniques for intent-based governance are described. For example, in some instances a method of receiving an indication of a change involving of one or more of code, a policy, a network configuration, or a governance requirement rule impacting a resource in a provider network for an account that is to be analyzed using one or more governance requirement rules; determining one or more governance requirement rules to evaluate for compliance after the update; evaluating the determined one or more governance requirement rules for compliance using one or more reasoning engines according to one or more policies; and making a result of the evaluating available to a user provides such governance.

公开(公告)号：US20200007569A1

公开(公告)日：2020-01-02

申请号：US16020865

申请日：2018-06-27

Applicant: Amazon Technologies, Inc.

Inventor： Catherine Dodge ,  Nikhil Reddy Cheruku ,  John Byron Cook ,  Temesghen Kahsai Azene ,  William Jo Kocik ,  Sean McLaughlin ,  Mark Edward Stalzer ,  Blake Whaley ,  Yiwen Wu

IPC: H04L29/06 ,  H04L12/24 ,  H04L12/26 ,  G06F17/30

Abstract: Methods, systems, and computer-readable media for automated packetless network reachability analysis are disclosed. An analysis is performed of network configuration data for a network comprising a host computer. Based at least in part on the analysis, one or more ports at the host computer that are reachable from another computer are determined. Based at least in part on the analysis, one or more routes to the one or more ports are determined. A report is generated that is descriptive of the one or more ports and the one or more routes.

公开(公告)号：US11861409B2

公开(公告)日：2024-01-02

申请号：US17218541

申请日：2021-03-31

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Andres Philipp Noetzli ,  Neha Rungta ,  Jingmei Hu

IPC: G06F9/46 ,  G06F9/50 ,  G06F9/54

CPC classification number: G06F9/505 ,  G06F9/5038 ,  G06F9/5072 ,  G06F9/541

Abstract: Techniques are described for efficiently distributing across multiple computing resources satisfiability modulo theories (SMT) queries expressed in propositional logic with string variables. As part of the computing-related services provided by a cloud provider network, many cloud providers also offer identity and access management services, which generally help users to control access and permissions to the services and resources (e.g., compute instances, storage resources, etc.) obtained by users via a cloud provider network. By using resource policies, for example, users can granularly control which identities are able to access specific resources associated with the users' accounts and how those identities can use the resources. The ability to efficiently distribute the analysis of SMT queries expressed in propositional logic with string variables among any number of separate computing resources (e.g., among separate processes, compute instances, containers, etc.) enables the efficient analysis of such policies.

公开(公告)号：US11671442B2

公开(公告)日：2023-06-06

申请号：US17459908

申请日：2021-08-27

Applicant: Amazon Technologies, Inc.

Inventor： Catherine Dodge ,  Nikhil Reddy Cheruku ,  John Byron Cook ,  Temesghen Kahsai Azene ,  William Jo Kocik ,  Sean McLaughlin ,  Mark Edward Stalzer ,  Blake Whaley ,  Yiwen Wu

IPC: H04L9/40 ,  H04L41/0866 ,  H04L41/12 ,  H04L41/22 ,  H04L43/06

CPC classification number: H04L63/1433 ,  H04L41/0866 ,  H04L41/12 ,  H04L41/22 ,  H04L43/06 ,  H04L63/0272 ,  H04L63/1441

Abstract: Methods, systems, and computer-readable media for automated packetless network reachability analysis are disclosed. An analysis is performed of network configuration data for a network comprising a host computer. Based at least in part on the analysis, one or more ports at the host computer that are reachable from another computer are determined. Based at least in part on the analysis, one or more routes to the one or more ports are determined. A report is generated that is descriptive of the one or more ports and the one or more routes.

公开(公告)号：US11483317B1

公开(公告)日：2022-10-25

申请号：US16206859

申请日：2018-11-30

Applicant: Amazon Technologies, Inc.

Inventor： Pauline Virginie Bolignano ,  John Byron Cook ,  Andrew Jude Gacek ,  Kasper Luckow ,  Neha Rungta ,  Cole Schlesinger ,  Ian Sweet ,  Carsten Varming

IPC: H04L9/40 ,  G06F16/901 ,  G06F9/54

Abstract: A policy auditing service can be implemented, in accordance with at least one embodiment that obtains a set of parameters that indicates a snapshot of a policy configuration for an account, a query, and a security policy. The security policy may encode a security requirement or invariant. The policy auditing system may determine states that can be reached via mutative operations (e.g., role assumption) and use a policy analyzer service to determine whether assuming a role results in a grant of access that is at least as permissive as the security policy of the set of parameters.