-
Publication number: US12164652B1
Publication date: 2024-12-10
Application number: US17546494
Filing date: 2021-12-09
Applicant: Amazon Technologies, Inc.
Inventor: Meng Li, Vishal Gori, Zhixing Xu, Niloofar Razavi, Oksana Tkachuk
Abstract: Techniques are described for analyzing privilege escalation risks within the accounts, roles, and policies that comprise an organization's cloud provider environment. Privilege escalation refers broadly to scenarios in which a principal (e.g., a person or application) is able to gain access to resources or actions in a cloud provider environment that exceed a level intended for that principal. In the context of cloud provider environments, for example, such privilege escalation risks can result from the misconfiguration of policies and permissions attached to identities (e.g., users, groups of users, or roles) within an organization's environment. A multi-layer reasoning framework is used to build an ontology model of an organization's identities and relations among the identities, including defined access relationships, permission mutation relationships, and credential mutation relationships. The framework is further used to query the ontology model to identify particular identities associated with one or more specific types of privilege escalation risks.
-
Publication number: US12132735B1
Publication date: 2024-10-29
Application number: US17855302
Filing date: 2022-06-30
Applicant: Amazon Technologies, Inc.
Inventor: Niloofar Razavi, Oksana Tkachuk, Zhixing Xu, Saeed Nejati, Meng Li
CPC classification number: H04L63/10, G06F16/334, G06F16/367, H04L63/1433, H04L63/20
Abstract: Techniques are described for a domain-specific language and associated framework for implementing analyses of security, operational, or functional properties involving computing resources. The specification language enables users to readily define the semantics of a set of cross-resource relations of interest using a human-readable language. For example, the language enables users to express properties over computing resources based on a user-defined set of cross-resource relations. The specification language is human-readable, allowing users to easily add new cross-resource relations or to modify existing relations and properties, thereby enabling users to readily modify existing analyses or to create new ones entirely. The specification language is also machine-readable such that a compiler and other tools can automatically generate an ontology model based on local resource configurations, augment the graph with the cross-resource relations defined in the specifications, and perform graph reachability analyses based on defined properties of interest.
-