Secure enclosure systems in a provider network

    Publication number: US10121026B1

    Publication date: 2018-11-06

    Application number: US14986051

    Filing date: 2015-12-31

    Inventor: Mark Ryland

    Abstract: A secure containment enclosure such as an equipment rack is disclosed that includes an electronic locking system. The electronic locking system locks and, upon receipt of a valid credential to a credential input device, unlocks an access door to the secure containment enclosure. The electronic locking system locks the access door during normal operation, and is prevented from unlocking the access door during normal operation and for a predetermined period of time after the secure containment enclosure is powered off to ensure that all data on electronic devices in the secure containment enclosure is erased. Other security features include storage encryption, network encryption, preventing administrative logon access to customers' compute nodes, and dedicated instances in which only virtual machines from specified customer accounts can be located on the same electronic device.

    Identity and access management-based access control in virtual networks

    Status: Granted invention patent, in force

    Publication number: US09438506B2

    Publication date: 2016-09-06

    Application number: US14103628

    Filing date: 2013-12-11

    Inventor: Mark Ryland

    Abstract: Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied.


    Distributed lock management using conditional updates to a distributed key value data store

    Publication number: US09817703B1

    Publication date: 2017-11-14

    Application number: US14096948

    Filing date: 2013-12-04

    CPC classification number: G06F9/52

    Abstract: A compute cluster including multiple compute nodes may implement distributed lock management using conditional updates to a distributed key value data store. It may be determined, at one or more compute nodes of a compute cluster, that a particular lock is available based on a respective lock entry for the particular lock maintained in a lock manager table at a key value data store. The key value data store may be configured to perform conditional write requests for updates to data stored in the key value data store, and may maintain data according to a distributed durability scheme. Compute nodes that determine that a lock is available may send a conditional write request to the key value data store in order to acquire the particular lock. The compute node that acquired the particular lock may be identified based on the successfully completed conditional write request to the respective lock entry.

    Controlling use of temporary credentials using network metadata

    Publication number: US12177185B1

    Publication date: 2024-12-24

    Application number: US17958057

    Filing date: 2022-09-30

    Abstract: Techniques are described for enabling users of a cloud provider network to create policies used to control the use of temporary security credentials by computing resources other than the computing resource to which the credentials were issued. An identity and access management service encodes, into temporary security credentials, information about the virtual private network to which the credentials are issued. When a computing resource subsequently issues requests to perform actions and uses the temporary security credentials to sign the request, the cloud provider network further adds, to the network traffic, information associated with the virtual private network from which the request originates. A user can then create a policy with a statement indicating that requests are to be permitted only if, e.g., the identity of the virtual private network as encoded in the temporary security credentials matches the identity of the virtual private network identified by the information included in the request.
