Abstract:
Devices and techniques for secure transmission of content over third-party networks are provided. Keys are established for secure transport of content between a source and recipient via a third party. The source generates a content package that includes an encrypted payload, and a payload handler. In some instances, the content package may also include user interface code for obtaining a secret from the recipient. The content package may be signed (e.g., the message content hashed and the result of the hash added to the content package). The content package is transmitted over a connection to a content delivery service for delivery to recipient(s) via another connection. The content delivery service receives the package and forwards the package to recipient(s) without decrypting the payload. A recipient receives the package from the content delivery service, validates the package and decrypts the payload. The payload may be presented to a display application.
Abstract:
Versions of a schema may be maintained for application to hierarchical data structures. Updates to include in a new version of a schema may be received. The updates may be evaluated for compatibility with a current version of the schema. Compatible updates may be included in the new version of the schema. Incompatible updates may not be included in the new version of the schema. The new version of the schema may be made available for application to hierarchical data structures inclusive of the compatible updates to the schema.
Abstract:
A user interface is described, such as a graphical user interface (GUI), operable to receive a representation of a security policy expressed in a first policy language, where that security policy will be supported by policy evaluation engines (or other such components) that are configured to operate using security policies expressed using a second (different) policy language. The representation of the security policy is persisted in a data store in accordance with the first policy language. Subsequently, in response to receiving a request to access a resource, a second representation of the security policy is generated by translating the content of the security policy into a second policy language that is associated with the policy evaluation engine. The second representation of the security policy is then evaluated by the policy evaluation engine to grant or deny access to the resource.
Abstract:
Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Delegation profiles are established that are associated with at least one secured account of at least one customer. Each delegation profile includes information such as a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once a delegation profile is created, the profile can be available for external principals or services that provide a user credential delegated access under the account, where that credential is provided by a trusted identity service. Access can be provided across accounts using the user credential.
Abstract:
A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Abstract:
A schema for a hierarchical data structure may include application specific extensions to the schema applied to a hierarchical data structure. A class may be added to the schema by individual applications granted access to a hierarchical data structure. When an access request for an object of the hierarchical data structure is received, the class may be identified in the schema and applied to process the access request to the object. Different classes may be added by different applications without disrupting the utilization of the schema for accessing the hierarchical data structure of other applications.
Abstract:
User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.