公开(公告)号：US11620194B1

公开(公告)日：2023-04-04

申请号：US17362463

申请日：2021-06-29

Applicant: Amazon Technologies, Inc.

Inventor： Sharad Sridhar ,  Sandesh Sanjeev ,  Ankit Kumar ,  Munjal Doshi ,  Rachit Jain

IPC: G06F11/07 ,  G06F11/20 ,  G06F9/54

Abstract: Features are disclosed for managing multiple hosts that stream sequential data to nodes for propagation. The hosts can include a primary host and a failover host that each store a replica of the sequential data. A computing device can monitor the hosts and identify the occurrence of a failover event for the primary host. For example, the computing device may determine the schema has been modified. The computing device can further determine to failover to the failover host based on the failover event. The computing device can insert a flip task into the stream of sequential data for the primary host. The insertion of the flip task may be automatic. Further, each node reading from the stream of sequential data for the primary host may encounter the flip task and failover to the failover host at the same logical position but a different absolute position.

公开(公告)号：US11582221B1

公开(公告)日：2023-02-14

申请号：US16582708

申请日：2019-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Rohit Raj ,  Rachit Jain ,  Dan Popick

IPC: H04L29/06 ,  H04L9/40 ,  H04L9/00 ,  H04L9/08 ,  H04L9/32

Abstract: The present disclosure relates to generating a passphrase for an encrypted volume by at least cryptographically combing the first cryptographic key and the shared secret. Where the shared secret is split into a plurality of shares and a first number of the plurality of shares is greater than a second number of the plurality of shares and the second number of the plurality of shares is required to reconstruct the shared secret.

公开(公告)号：US10659371B1

公开(公告)日：2020-05-19

申请号：US15838290

申请日：2017-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Rachit Jain ,  Andrew Oppenlander ,  Yijia Lu

IPC: G06F15/173 ,  H04L12/851 ,  H04L29/08

Abstract: Systems and methods for manage throttling limits in a distributed system are disclosed herein, according to some embodiments. A system includes a plurality of server nodes to perform a service. The system includes one or more processors a memory. The memory stores instructions that, when executed by the one or more processors, cause the one or more processors to perform operations. The operations include receiving a request for the service. The operations also include calculating whether accepting the request would exceed a service throttling limit for the plurality of server nodes for the service and whether accepting the request would exceed a node throttling limit for a server node of the plurality of server nodes. The operations also include accepting the request for processing at the server node responsive to calculating that the service throttling limit and the node throttling limit would not be exceeded.

公开(公告)号：US20230281294A1

公开(公告)日：2023-09-07

申请号：US18314076

申请日：2023-05-08

Applicant: Amazon Technologies, Inc.

Inventor： Varun Jayant Oswal ,  Liam Simon Hewitt ,  Rachit Jain

IPC: G06F21/45 ,  H04L9/40

CPC classification number: G06F21/45 ,  H04L63/101

Abstract: Managed lifecycle roles are disclosed. Managed lifecycle roles may be used for secure credential vending or otherwise. For instance, an entity (e.g., administrator or other entity) requests, via an interface of a role manager, creation of a role associated with a lifecycle definition (e.g., an expression of an enforceable expiration of the role or similar characteristic). The role manager stores the role and role lifecycle definition to a data store. Another entity requests to use the role to perform some operation with respect to a resource. A credential service validates the request against a lifecycle definition for the role (and against an access control list, in some examples) and responds to valid requests with credentials useable to perform the operation with respect to the resource. The other entity uses the credentials to perform the operation with respect to the resource. A sweep process manages attributes of the roles.

公开(公告)号：US11005853B1

公开(公告)日：2021-05-11

申请号：US15912982

申请日：2018-03-06

Applicant: Amazon Technologies, Inc.

Inventor： Ankur Agarwal ,  Praveen Akinapally ,  Conor Patrick Cahill ,  Dmitry Frenkel ,  Rachit Jain ,  Lennart Christopher Leon Kats ,  Julian Eric Naydichev

IPC: H04L29/00 ,  H04L29/06

Abstract: Transitive restrictions can be applied to requests received on a session. A session token can be issued for an active session, and a transitivity setting specified to indicate the types of requests for which the transitive restriction is to be enforced. This can include enforcing the restriction on requests received from outside a trusted environment, requests within a scope of enforcement, or enforcing the restriction at request authentication. Any request received from an untrusted source that fails to satisfy the transitive restriction will be denied. Requests from inside the trusted environment may not have the transitive restriction enforced, such as where a new token is issued. This enables services within the environment to make calls on behalf of the customer, while ensuring that third parties obtaining the session token cannot successfully initiate such calls.

公开(公告)号：US20220271993A1

公开(公告)日：2022-08-25

申请号：US17717962

申请日：2022-04-11

Applicant: Amazon Technologies, Inc.

Inventor： Ian Man Hin Leung ,  Rachit Jain

IPC: H04L41/0803 ,  H04L41/06 ,  H04L47/70 ,  H04L43/10

Abstract: A recovery workflow is part of an automated management service for bare metal hosts allocated for single-tenant operation in a multi-tenant environment. The health of the hosts is monitored using a set of health criteria. If it is detected that one of the host machines fails a health check then a host recovery workflow can be initiated. As part of the workflow, the failed host can be repurposed or retired. A spare host class can be used to obtain a new host to take over for the failed host. Once deployed, the operation of the new host can be tested. Upon passing the test, the new host can take over for the failed host. A new host resource can be automatically requested to be added to the spare host class in order to ensure that there are sufficient resources available in case of an additional failure.

公开(公告)号：US20240248979A1

公开(公告)日：2024-07-25

申请号：US18595317

申请日：2024-03-04

Applicant: Amazon Technologies, Inc.

Inventor： Rachit Jain ,  Douglas Spencer Hewitt ,  Conor P. Cahill ,  Ogbeide Derrick Oigiagbe

IPC: G06F21/45 ,  H04L9/40

CPC classification number: G06F21/45 ,  H04L63/0884 ,  H04L63/102 ,  H04L63/20

Abstract: An Identity and Access Management Service implements persistent source values PSVs) for assumed identities. A source value (e.g., an original identifier of an entity) is persisted across assumed identities, facilitating identification of entities (users or applications) responsible for actions taken by the assumed (e.g., alternative) identities. The Manager receives a request to assume an identity. The request includes the entities current credentials and a PSV. The current credentials are authenticated and a persistent source value policy may be relied on to determine whether and/or how to grant the assumed identity. The PSV may be copied from credentials in the request in order to be included in the credentials for the requested identity that the Manager provides in response to the request. Use of the requested credentials, including the PSV, to access services or resources may be logged, the logs including the PSV from the request to assume the identity.

公开(公告)号：US11947657B2

公开(公告)日：2024-04-02

申请号：US17108854

申请日：2020-12-01

Applicant: Amazon Technologies, Inc.

Inventor： Rachit Jain ,  Douglas Spencer Hewitt ,  Conor P Cahill ,  Ogbeide Derrick Oigiagbe

IPC: G06F21/45 ,  H04L9/40

CPC classification number: G06F21/45 ,  H04L63/0884 ,  H04L63/102 ,  H04L63/20

Abstract: An Identity and Access Management Service implements persistent source values PSVs) for assumed identities. A source value (e.g., an original identifier of an entity) is persisted across assumed identities, facilitating identification of entities (users or applications) responsible for actions taken by the assumed (e.g., alternative) identities. The Manager receives a request to assume an identity. The request includes the entities current credentials and a PSV. The current credentials are authenticated and a persistent source value policy may be relied on to determine whether and/or how to grant the assumed identity. The PSV may be copied from credentials in the request in order to be included in the credentials for the requested identity that the Manager provides in response to the request. Use of the requested credentials, including the PSV, to access services or resources may be logged, the logs including the PSV from the request to assume the identity.

公开(公告)号：US11790075B1

公开(公告)日：2023-10-17

申请号：US16915753

申请日：2020-06-29

Applicant: Amazon Technologies, Inc.

Inventor： Varun Jayant Oswal ,  Liam Simon Hewitt ,  Rachit Jain

IPC: G06F21/45 ,  H04L9/40 ,  G06F21/00 ,  H04L29/06

CPC classification number: G06F21/45 ,  H04L63/101

Abstract: Managed lifecycle roles are disclosed. Managed lifecycle roles may be used for secure credential vending or otherwise. For instance, an entity (e.g., administrator or other entity) requests, via an interface of a role manager, creation of a role associated with a lifecycle definition (e.g., an expression of an enforceable expiration of the role or similar characteristic). The role manager stores the role and role lifecycle definition to a data store. Another entity requests to use the role to perform some operation with respect to a resource. A credential service validates the request against a lifecycle definition for the role (and against an access control list, in some examples) and responds to valid requests with credentials useable to perform the operation with respect to the resource. The other entity uses the credentials to perform the operation with respect to the resource. A sweep process manages attributes of the roles.

公开(公告)号：US11546335B2

公开(公告)日：2023-01-03

申请号：US16586742

申请日：2019-09-27

Applicant: Amazon Technologies, Inc.

Inventor： Rachit Jain ,  Sulay Shah ,  Conor Cahill ,  Praveen Akinapally ,  Ian Leung ,  Rohit Raj ,  Brigid Johnson

IPC: H04L29/06 ,  H04L9/40 ,  G06F16/182

Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.