-
Publication number: US11947516B1
Publication date: 2024-04-02
Application number: US15902222
Filing date: 2018-02-22
Applicant: Amazon Technologies, Inc.
Inventor: Ankit Kumar , Alazel Acheson , Jasmeet Chhabra , Luke Edward Kennedy , Daniel Stephen Popick , Weixun Wang
IPC: G06F16/23 , G06F16/185 , G06F16/21 , G06F16/22 , G06F16/27
CPC classification number: G06F16/23 , G06F16/185 , G06F16/211 , G06F16/22 , G06F16/27
Abstract: The updating of a definition layer or schema for a large distributed database can be accomplished using a plurality of data store tiers. A distributed database can be made up of many individual data stores, and these data stores can be allocated across a set of tiers based on business logic or other allocation criteria. The update can be applied sequentially to the individual tiers, such that only data stores for a single tier are being updated at any given time. This can help to minimize downtime for the database as a whole, and can help to minimize problems that may result from an unsuccessful update. Such an approach can also allow for simplified error detection and rollback, as well as providing control over a rate at which the update is applied to the various data stores of the distributed database.
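The tier-by-tier rollout the abstract describes, as an added example that is not the patent's own implementation: stores are grouped into tiers by an allocation rule, the update is applied to one tier at a time, each tier is verified before the next is touched, and a failing tier is rolled back on its own. The tier names, the apply/verify callables and the store that fails are constructed assumptions.

```python
"""Tiered schema rollout: apply an update one tier at a time, verify the
tier, and roll only that tier back on failure so later tiers are never
touched.  Added illustration; the tier names, the apply/verify callables
and the failing store are constructed assumptions, not the patent's own
implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DataStore:
    name: str
    tier: str
    schema_version: int = 1


@dataclass
class RolloutResult:
    updated_tiers: List[str] = field(default_factory=list)
    failed_tier: Optional[str] = None
    rolled_back: List[str] = field(default_factory=list)


def allocate_tiers(stores: List[DataStore],
                   tier_of: Callable[[DataStore], str]) -> Dict[str, List[DataStore]]:
    """Group stores by the tier that the allocation criteria assign them."""
    tiers: Dict[str, List[DataStore]] = {}
    for store in stores:
        tiers.setdefault(tier_of(store), []).append(store)
    return tiers


def rollout(stores: List[DataStore], tier_order: List[str], target_version: int,
            apply: Callable[[DataStore, int], None],
            verify: Callable[[DataStore], bool]) -> RolloutResult:
    """Apply the schema update tier by tier.  Only one tier is in flight at
    any time; the rollout halts at the first tier whose verification fails
    and restores that tier's stores to their previous schema version.
    Tiers already completed stay at the new version; tiers after the
    failure are never modified."""
    tiers = allocate_tiers(stores, lambda s: s.tier)
    result = RolloutResult()
    for tier in tier_order:
        members = tiers.get(tier, [])
        previous = {s.name: s.schema_version for s in members}
        for store in members:
            apply(store, target_version)
        if all(verify(store) for store in members):
            result.updated_tiers.append(tier)
            continue
        for store in members:          # roll back this tier only
            store.schema_version = previous[store.name]
        result.failed_tier = tier
        result.rolled_back = [s.name for s in members]
        break
    return result


def demo():
    """Constructed scenario: four stores in three tiers; db-3 cannot be
    migrated to version 2, so the rollout must stop at the 'standard' tier."""
    stores = [DataStore("db-1", "canary"), DataStore("db-2", "standard"),
              DataStore("db-3", "standard"), DataStore("db-4", "critical")]

    def apply(store: DataStore, version: int) -> None:
        store.schema_version = version

    def verify(store: DataStore) -> bool:
        return not (store.name == "db-3" and store.schema_version == 2)

    result = rollout(stores, ["canary", "standard", "critical"], 2, apply, verify)
    return stores, result


if __name__ == "__main__":
    stores, result = demo()
    print(result)
    print([(s.name, s.schema_version) for s in stores])
```

Because the tier that fails is rolled back as a unit and the loop stops, the blast radius of a bad migration is bounded to one tier, and the rate of the rollout is set simply by the order and size of the tiers.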
-
Publication number: US20200267090A1
Publication date: 2020-08-20
Application number: US16866961
Filing date: 2020-05-05
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill , Jasmeet Chhabra , Daniel Stephen Popick
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity into any sub-account in the organization hierarchy. This can include any lower-level resource account, or any child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US09325739B1
Publication date: 2016-04-26
Application number: US13873055
Filing date: 2013-04-29
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Jonathan Weiss
CPC classification number: G06F21/6218 , G06F3/0482 , G06F3/04842 , G06F21/10 , G06F21/604 , G06F21/629 , H04L41/0893 , H04L63/0263 , H04L63/20
Abstract: A user interface is described, such as a graphical user interface (GUI), operable to receive a representation of a security policy expressed in a first policy language, where that security policy will be supported by policy evaluation engines (or other such components) that are configured to operate using security policies expressed using a second (different) policy language. The representation of the security policy is persisted in a data store in accordance with the first policy language. Subsequently, in response to receiving a request to access a resource, a second representation of the security policy is generated by translating the content of the security policy into a second policy language that is associated with the policy evaluation engine. The second representation of the security policy is then evaluated by the policy evaluation engine to grant or deny access to the resource.
-
Publication number: US11962511B2
Publication date: 2024-04-16
Application number: US17870609
Filing date: 2022-07-21
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill , Jasmeet Chhabra , Daniel Stephen Popick
CPC classification number: H04L47/70 , G06F21/31 , G06F21/45 , G06Q10/00 , H04L63/102 , H04L67/02 , H04L67/146
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity into any sub-account in the organization hierarchy. This can include any lower-level resource account, or any child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
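The identity projection described in this abstract and in US20200267090A1 above, as an added example that is not the patents' implementation: an organization account is attached at a node of the hierarchy, and a user may project into a resource account only if that account is the attachment node itself or lies beneath it. The hierarchy, the node names and the projected-identity format are constructed assumptions.

```python
"""Organization-level identities projected into resource accounts.  Added
illustration with a constructed hierarchy; node names, the attachment
model and the projected-identity format are assumptions, not the
patents' implementation."""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set


@dataclass
class OrgNode:
    node_id: str
    parent: Optional[str]
    is_resource_account: bool


class Organization:
    def __init__(self) -> None:
        self.nodes: Dict[str, OrgNode] = {}
        # user -> nodes at which that user's organization account is attached
        self.attachments: Dict[str, Set[str]] = {}

    def add_node(self, node_id: str, parent: Optional[str] = None,
                 is_resource_account: bool = False) -> None:
        if parent is not None and parent not in self.nodes:
            raise KeyError(f"unknown parent {parent!r}")
        self.nodes[node_id] = OrgNode(node_id, parent, is_resource_account)

    def attach_user(self, user: str, node_id: str) -> None:
        if node_id not in self.nodes:
            raise KeyError(f"unknown node {node_id!r}")
        self.attachments.setdefault(user, set()).add(node_id)

    def _lineage(self, node_id: str) -> Iterator[str]:
        """The node itself, then each ancestor up to the root."""
        current: Optional[str] = node_id
        while current is not None:
            yield current
            current = self.nodes[current].parent

    def can_project(self, user: str, account_id: str) -> bool:
        """A user may project into a resource account only if the org
        account is attached at that account or at one of its ancestors.
        Organizational units are not resource accounts and are never a
        projection target themselves."""
        node = self.nodes.get(account_id)
        if node is None or not node.is_resource_account:
            return False
        attached = self.attachments.get(user, set())
        return any(n in attached for n in self._lineage(account_id))

    def project(self, user: str, account_id: str) -> Dict[str, str]:
        """Return the identity as seen inside the target account."""
        if not self.can_project(user, account_id):
            raise PermissionError(f"{user} cannot project into {account_id}")
        return {"account": account_id,
                "principal": f"{account_id}:org-user/{user}",
                "source": user}

    def reachable_accounts(self, user: str) -> Set[str]:
        return {n for n in self.nodes if self.can_project(user, n)}


def build_demo() -> Organization:
    """Constructed organization: root -> {ou-eng -> {acct-dev, acct-prod},
    ou-fin -> {acct-billing}}; alice attached at ou-eng, bob at acct-billing."""
    org = Organization()
    org.add_node("root")
    org.add_node("ou-eng", "root")
    org.add_node("ou-fin", "root")
    org.add_node("acct-dev", "ou-eng", is_resource_account=True)
    org.add_node("acct-prod", "ou-eng", is_resource_account=True)
    org.add_node("acct-billing", "ou-fin", is_resource_account=True)
    org.attach_user("alice", "ou-eng")
    org.attach_user("bob", "acct-billing")
    return org


if __name__ == "__main__":
    org = build_demo()
    for user in ("alice", "bob"):
        print(user, sorted(org.reachable_accounts(user)))
```

The check walks up from the target account rather than down from the attachment point, so the cost of a decision is the depth of the hierarchy and a user attached at an organizational unit automatically covers accounts added under it later.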
-
Publication number: US11847241B1
Publication date: 2023-12-19
Application number: US15958520
Filing date: 2018-04-20
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill , Jasmeet Chhabra , Travis William Hickey , Ahmad Kayed Kamel Aljolani , Daniel Stephen Popick , Akshay Mohan Sumant
CPC classification number: G06F21/6218 , G06F21/604 , H04L63/102 , H04L63/20 , G06F2221/2141 , H04L67/10
Abstract: A request to modify a set of permissions (e.g., delete the permissions, or replace the set of permissions with a different set of permissions) is received at a computing device. A set of services is prevented from using the set of permissions to access resources. The set of permissions is changed while the set of services is prevented from using the set of permissions to access resources.
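One way to realise "change the permissions while services cannot use them", as an added example rather than the patent's implementation: services act inside a short use window, a modification first blocks new windows from opening, waits for in-flight windows to drain, and only then replaces or deletes the set. The class, its API and the scenario are constructed assumptions.

```python
"""Changing a permission set only while no service can use it.  Services
enter a short 'use' window; a modification first blocks new entries, waits
for in-flight uses to drain, then swaps or deletes the set.  Added
illustration with a constructed scenario; the class and its API are
assumptions, not the patent's implementation."""
import threading
from contextlib import contextmanager
from typing import FrozenSet, Iterable, Iterator, List, Optional


class GuardedPermissionSet:
    def __init__(self, permissions: Iterable[str]) -> None:
        self._perms: Optional[FrozenSet[str]] = frozenset(permissions)  # None once deleted
        self._cv = threading.Condition()
        self._in_use = 0
        self._changing = False

    @contextmanager
    def use(self) -> Iterator[FrozenSet[str]]:
        """Service side: yields a consistent snapshot; blocks while a change
        is pending so the service never acts on a half-changed set."""
        with self._cv:
            while self._changing:
                self._cv.wait()
            if self._perms is None:
                raise PermissionError("permission set has been deleted")
            self._in_use += 1
            snapshot = self._perms
        try:
            yield snapshot
        finally:
            with self._cv:
                self._in_use -= 1
                self._cv.notify_all()

    def _modify(self, new_perms: Optional[FrozenSet[str]]) -> None:
        with self._cv:
            self._changing = True            # stop new uses from starting
            while self._in_use > 0:          # drain in-flight uses
                self._cv.wait()
            self._perms = new_perms
            self._changing = False
            self._cv.notify_all()

    def replace(self, permissions: Iterable[str]) -> None:
        self._modify(frozenset(permissions))

    def delete(self) -> None:
        self._modify(None)


def demo() -> List[str]:
    """Constructed scenario: a service holds a use window while a modifier
    tries to replace the set.  Records the order of events for checking."""
    events: List[str] = []
    perms = GuardedPermissionSet({"s3:GetObject", "s3:PutObject"})
    service_started = threading.Event()
    release_service = threading.Event()

    def service() -> None:
        with perms.use() as snapshot:
            events.append(f"service sees {sorted(snapshot)}")
            service_started.set()
            release_service.wait()      # hold the use window open
        events.append("service done")

    def modifier() -> None:
        perms.replace({"s3:GetObject"})
        events.append("replace done")

    s = threading.Thread(target=service)
    m = threading.Thread(target=modifier)
    s.start()
    service_started.wait()
    m.start()
    m.join(timeout=0.2)                 # must still be blocked on the in-flight use
    events.append("modifier blocked" if m.is_alive() else "modifier ran early")
    release_service.set()
    s.join()
    m.join()
    with perms.use() as snapshot:
        events.append(f"after replace {sorted(snapshot)}")
    perms.delete()
    try:
        with perms.use():
            pass
    except PermissionError:
        events.append("use after delete refused")
    return events


if __name__ == "__main__":
    print("\n".join(demo()))
```

The ordering matters: setting the changing flag before draining prevents a steady stream of new uses from starving the modification, and a deleted set is refused to all later users instead of silently reading as empty.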
-
Publication number: US20200334374A1
Publication date: 2020-10-22
Application number: US16919305
Filing date: 2020-07-02
Applicant: Amazon Technologies, Inc.
Inventor: Srikanth Mandadi , Mahendra Manshi Chheda , Alazel Acheson , Daniel Stephen Popick , James Robert Englert
Abstract: A schema for a hierarchical data structure may include application-specific extensions to the schema applied to the hierarchical data structure. Classes may be added to the schema by individual applications granted access to the hierarchical data structure. When an access request for an object of the hierarchical data structure is received, the class may be identified in the schema and applied to process the access request to the object. Different classes may be added by different applications without disrupting other applications' use of the schema for accessing the hierarchical data structure.
-
Publication number: US20190268245A1
Publication date: 2019-08-29
Application number: US16406758
Filing date: 2019-05-08
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Derek Avery Lyon , John Michael Morkel , Graeme David Baer , Ajith Harshana Ranabahu , Khaled Salah Sedky
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
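An added example, not the patents' own formats, that serves both this abstract and US09325739B1 above: a policy is authored and persisted in a compact user-facing language, translated at request time into the statement form a policy engine consumes, and evaluated with the rule that an explicit deny rejects a request even when another statement authorizes the action. The simulator decides a list of requests without touching any resource. Both languages, the sample policy and the sample requests are constructed assumptions.

```python
"""Policy authored in a compact, user-facing language, persisted as-is, and
translated at request time into the statement form a policy engine
evaluates, with an isolated simulator for testing decisions.  Added
illustration; both languages and the sample policy are constructed
assumptions, not the patents' actual formats."""
import fnmatch
import re
from typing import Dict, List, Tuple

# First language (what the UI persists): one rule per line, e.g.
#   allow s3:Get*,s3:List* on data/*
#   deny  s3:*             on data/secrets/*
RULE_RE = re.compile(r"^(allow|deny)\s+([\w:*?,-]+)\s+on\s+(\S+)$", re.IGNORECASE)


def parse_rules(text: str) -> List[Dict]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse rule {line!r}")
        effect, actions, resource = match.groups()
        rules.append({"effect": effect.lower(), "actions": actions.split(","),
                      "resource": resource})
    return rules


def translate(rules: List[Dict]) -> List[Dict]:
    """Second language: the statement form the evaluation engine consumes."""
    return [{"Effect": "Allow" if r["effect"] == "allow" else "Deny",
             "Action": r["actions"], "Resource": r["resource"]} for r in rules]


def _matches(stmt: Dict, action: str, resource: str) -> bool:
    return (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
            and fnmatch.fnmatchcase(resource, stmt["Resource"]))


def evaluate(statements: List[Dict], action: str, resource: str) -> Tuple[str, str]:
    """Default deny; an explicit Deny statement wins over any Allow, so a
    request for an otherwise authorized action is still rejected."""
    decision, reason = "deny", "implicit deny: no matching statement"
    for stmt in statements:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny", f"explicit deny by {stmt}"
        decision, reason = "allow", f"allowed by {stmt}"
    return decision, reason


def simulate(policy_text: str,
             requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Dry run: decide each (action, resource) pair against the policy
    without touching any real resource."""
    statements = translate(parse_rules(policy_text))
    return [(action, resource, *evaluate(statements, action, resource))
            for action, resource in requests]


SAMPLE_POLICY = """
# constructed sample policy
allow s3:Get*,s3:List* on data/*
deny  s3:*             on data/secrets/*
"""

SAMPLE_REQUESTS = [
    ("s3:GetObject", "data/public/report.csv"),   # allow
    ("s3:GetObject", "data/secrets/key.pem"),     # explicit deny overrides allow
    ("s3:PutObject", "data/public/report.csv"),   # implicit deny
]

if __name__ == "__main__":
    for row in simulate(SAMPLE_POLICY, SAMPLE_REQUESTS):
        print(*row)
```

Translating at evaluation time, as the earlier abstract describes, means the stored representation stays in the language the author chose while the engine's language can change independently; the simulator returns the matching statement with each decision so a test that fails explains which rule fired.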
-
Publication number: US10097558B2
Publication date: 2018-10-09
Application number: US15237352
Filing date: 2016-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Bradley Jeffery Behm
Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies the principals, which may be external to the account, that are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be made available to external principals or services, which are given delegated access under the account upon presenting a user credential issued by a trusted identity service. Access can be provided across accounts using the user credential.
-
Publication number: US09466051B1
Publication date: 2016-10-11
Application number: US13760769
Filing date: 2013-02-06
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Daniel Stephen Popick , Bradley Jeffery Behm
CPC classification number: G06Q20/02 , G06F21/31 , G06F21/6218 , G06Q20/3578 , G06Q20/405 , G06Q30/0277 , H04L63/08 , H04L63/0823 , H04L63/102
Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies the principals, which may be external to the account, that are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be made available to external principals or services, which are given delegated access under the account upon presenting a user credential issued by a trusted identity service. Access can be provided across accounts using the user credential.
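The two policies of a delegation profile in working form, as an added example for this abstract and for US10097558B2 above, not the patents' implementation: the validation policy is checked against the principal asserted by the identity service's credential, and the authorization policy is checked against each action performed with the delegated credential that the profile issues. The user credential is modelled as an HMAC-signed token; the keys, the principal format, the profile contents and the token layout are constructed assumptions.

```python
"""Delegation profiles: a validation (trust) policy naming which principals,
including ones outside the account, may assume the profile, and an
authorization policy bounding what they may do once inside.  The user
credential is modelled as an HMAC-signed token from a trusted identity
service; keys, principal format and profile contents are constructed
assumptions for this added example, not the patents' implementation."""
import fnmatch
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DelegationProfile:
    name: str
    account: str                   # secured account that owns the profile
    trusted_principals: List[str]  # validation policy (glob patterns)
    allowed_actions: List[str]     # authorization policy (glob patterns)


def sign(key: bytes, claims: Dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify(key: bytes, token: str, now: Optional[float] = None) -> Dict:
    body_hex, _, tag = token.partition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("credential signature invalid")
    claims = json.loads(body)
    if claims["exp"] <= (now if now is not None else time.time()):
        raise PermissionError("credential expired")
    return claims


def assume_profile(profile: DelegationProfile, user_credential: str,
                   idp_key: bytes, issuer_key: bytes,
                   now: Optional[float] = None, ttl: float = 900) -> str:
    """Validation step: the identity asserted by the identity service must
    match the profile's trust policy.  Returns a delegated credential bound
    to the profile and its account, not to the caller's home account."""
    now = now if now is not None else time.time()
    principal = verify(idp_key, user_credential, now)["sub"]
    if not any(fnmatch.fnmatchcase(principal, p) for p in profile.trusted_principals):
        raise PermissionError(f"{principal} may not assume {profile.name}")
    return sign(issuer_key, {"sub": principal, "profile": profile.name,
                             "account": profile.account, "exp": now + ttl})


def authorize(profile: DelegationProfile, delegated_credential: str,
              issuer_key: bytes, action: str, now: Optional[float] = None) -> bool:
    """Authorization step: the delegated credential must belong to this
    profile and the action must be permitted by its authorization policy."""
    claims = verify(issuer_key, delegated_credential, now)
    if claims["profile"] != profile.name or claims["account"] != profile.account:
        return False
    return any(fnmatch.fnmatchcase(action, a) for a in profile.allowed_actions)


# Constructed keys and data for the demo
IDP_KEY = b"constructed-identity-service-key"
ISSUER_KEY = b"constructed-delegation-service-key"
PROFILE = DelegationProfile(
    name="ReadOnlyAuditor", account="999988887777",
    trusted_principals=["111122223333:user/*"],   # an external account's users
    allowed_actions=["db:Read*", "db:Describe*"])


def user_credential(principal: str, now: float) -> str:
    """What the trusted identity service would issue to a logged-in user."""
    return sign(IDP_KEY, {"sub": principal, "exp": now + 3600})


if __name__ == "__main__":
    t = time.time()
    cred = assume_profile(PROFILE, user_credential("111122223333:user/alice", t),
                          IDP_KEY, ISSUER_KEY, t)
    print(authorize(PROFILE, cred, ISSUER_KEY, "db:ReadItem", t))    # True
    print(authorize(PROFILE, cred, ISSUER_KEY, "db:DeleteItem", t))  # False
```

Two separate keys keep the two trust boundaries distinct: a credential from the identity service proves who the caller is but is useless as a delegated credential, and the delegated credential carries the profile and account it was issued for so it cannot be replayed against another profile.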
-
Publication number: US11516193B1
Publication date: 2022-11-29
Application number: US16947881
Filing date: 2020-08-21
Applicant: Amazon Technologies, Inc.
Inventor: Jasmeet Chhabra , Daniel Stephen Popick , Luke Edward Kennedy
Abstract: A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.