公开(公告)号：US10110587B2

公开(公告)日：2018-10-23

申请号：US15610295

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US20150304294A1

公开(公告)日：2015-10-22

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract translation: 描述了授权以启用帐户访问的系统和方法。 系统利用可以在至少一个用户的安全帐户内创建的委托简档。 授权简介包括一个名称，一个确认策略，指定可能在该帐户外部以及被允许承担该授权简档的主体，以及一个授权策略，指示在该帐户内为在 委托简介。 创建授权配置文件后，可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。

公开(公告)号：US09083749B1

公开(公告)日：2015-07-14

申请号：US13654111

申请日：2012-10-17

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Kevin Ross O'Neill ,  Brian Irl Pratt

IPC: G06F21/60 ,  H04L29/06

CPC classification number: H04L63/20 ,  H04L63/10

Abstract: Customers accessing resources or services in a distributed environment can obtain assurance that a provider of that environment will only allow requests to access those resources or services when those requests satisfy at least one security policy associated with the customer. A customer can provide a security policy update that might be written in a different representation (e.g., version) than is supported by all relevant policy evaluation engines across the distributed environment. A component or service such as an access management service can evaluate the representation of the policy, as well as the representations supported by the evaluation engines, and can determine if the features of the policy update are supported by the representations of the engines. If so, the policy update can be translated to express the policy document in the supported representation(s), such that the policy can be utilized without having to update the relevant engines.

Abstract translation: 在分布式环境中访问资源或服务的客户可以确保当这些请求满足与客户相关联的至少一个安全策略时，该环境的提供者只允许请求访问这些资源或服务。 客户可以提供可能以不同表示形式（例如，版本）编写的安全策略更新，而不是所有相关的策略评估引擎在分布式环境中所支持的更新。 诸如访问管理服务的组件或服务可以评估策略的表示以及评估引擎支持的表示，并且可以确定策略更新的特征是否由引擎的表示支持。 如果是这样，则可以转换策略更新以在支持的表示中表达策略文档，使得可以利用该策略而不必更新相关引擎。

公开(公告)号：US11102189B2

公开(公告)日：2021-08-24

申请号：US14316675

申请日：2014-06-26

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Gregory B. Roth ,  Eric Jason Brandwine ,  Brian Irl Pratt ,  Bradley Jeffery Behm ,  Nathan R. Fitch

IPC: H04L29/06 ,  H04L9/32

Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

公开(公告)号：US10216921B1

公开(公告)日：2019-02-26

申请号：US15258980

申请日：2016-09-07

Applicant: Amazon Technologies, Inc.

Inventor： Cornelle Christiaan Pretorius Janse Van Rensburg ,  Mark Joseph Cavage ,  Marc John Brooker ,  David Everard Brown ,  Abhinav Agrawal ,  Matthew S. Garman ,  Kevin Ross O'Neill ,  Eric Jason Brandwine ,  Christopher Richard Jacques de Kadt

IPC: H04L29/06 ,  G06F21/45 ,  H04L29/08

Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.

公开(公告)号：US09756031B1

公开(公告)日：2017-09-05

申请号：US14513147

申请日：2014-10-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Cristian M. Ilac ,  James E. Scharf, Jr. ,  Nathan R. Fitch ,  Graeme D. Baer ,  Brian Irl Pratt ,  Kevin Ross O'Neill

IPC: H04L29/06 ,  G06F21/00 ,  H04L29/08

CPC classification number: H04L63/08 ,  G06F21/123 ,  G06Q20/3821 ,  H04L63/0428 ,  H04L67/22

Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.

公开(公告)号：US09686261B2

公开(公告)日：2017-06-20

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: G06F7/04 ,  H04L29/06 ,  G06F21/62

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US09479492B1

公开(公告)日：2016-10-25

申请号：US14145654

申请日：2013-12-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Kevin Ross O'Neill

IPC: H04L29/06 ,  G06F21/10 ,  G06F21/31

CPC classification number: H04L63/08 ,  G06F21/10 ,  G06F21/31 ,  H04L63/0807 ,  H04L63/10 ,  H04L63/20

Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.

Abstract translation: 描述了使主体能够将上下文信息注入凭证（例如会话凭证）中的技术。 证书颁发后，允许任意任意的主体将上下文信息注入到现有证书中。 注入的上下文作用于进行注射的主体。 随后，在验证时，当凭证被用于请求对特定资源的访问时，系统可以验证进行注入的主体是否被信任，并且如果主体被认为是可信的，则该上下文信息可以应用于 控制对一个或多个资源的访问，或者可以将其转换为驻留在不同命名空间中的某些上下文，然后可以将其应用于该策略。 此外，系统允许任意用户将额外的拒绝语句插入到现有凭证中，这进一步限制了凭据授予的权限范围。

公开(公告)号：US10911428B1

公开(公告)日：2021-02-02

申请号：US14634513

申请日：2015-02-27

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Kevin Ross O'Neill ,  Eric Jason Brandwine ,  Brian Irl Pratt ,  Bradley Jeffery Behm ,  Nathan R. Fitch

IPC: H04L29/06 ,  H04L9/32

Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

公开(公告)号：US09455975B2

公开(公告)日：2016-09-27

申请号：US14204124

申请日：2014-03-11

Applicant: Amazon Technologies, Inc.

Inventor： Marc J. Brooker ,  Mark Joseph Cavage ,  David Brown ,  Kevin Ross O'Neill ,  Eric Jason Brandwine ,  Christopher Richard Jacques de Kadt

IPC: H04L29/06 ,  G06F21/44 ,  H04L9/32

CPC classification number: H04L63/08 ,  G06F21/44 ,  H04L9/3247 ,  H04L63/10 ,  H04L63/20

Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.

Abstract translation: 用于管理凭据的系统和方法将凭证分发到一组共同管理的计算资源的子集。 共同管理的计算资源可以包括一个或多个虚拟机实例。 分配给计算资源的证书可以被计算资源用于执行一个或多个动作。 操作可以包括执行与一个或多个资源的配置，管理和/或操作有关的一个或多个功能，和/或其他计算资源的访问。 至少部分地基于一个或多个事件的发生来改变使用凭证的能力。