-
Publication No.: US10097531B2
Publication Date: 2018-10-09
Application No.: US15276691
Filing Date: 2016-09-26
Applicant: Amazon Technologies, Inc.
Inventor: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.
-
Publication No.: US20170012958A1
Publication Date: 2017-01-12
Application No.: US15276691
Filing Date: 2016-09-26
Applicant: Amazon Technologies, Inc.
Inventor: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
CPC classification number: H04L63/08, G06F21/44, H04L9/3247, H04L63/10, H04L63/20
Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.
-
Publication No.: US20140310769A1
Publication Date: 2014-10-16
Application No.: US14316675
Filing Date: 2014-06-26
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
IPC: H04L29/06
Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies, and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
-
Publication No.: US20140196130A1
Publication Date: 2014-07-10
Application No.: US14204124
Filing Date: 2014-03-11
Applicant: Amazon Technologies, Inc.
Inventor: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
IPC: H04L29/06
CPC classification number: H04L63/08, G06F21/44, H04L9/3247, H04L63/10, H04L63/20
Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.
-
Publication No.: US11658971B1
Publication Date: 2023-05-23
Application No.: US16427099
Filing Date: 2019-05-30
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
CPC classification number: H04L63/10, H04L41/28, H04L63/0263, H04L63/20, H04L67/00, H04L63/08, H04L63/102
Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
-
Publication No.: US10313346B1
Publication Date: 2019-06-04
Application No.: US14553915
Filing Date: 2014-11-25
Applicant: Amazon Technologies, Inc.
Inventor: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
-
Publication No.: US20190036901A1
Publication Date: 2019-01-31
Application No.: US16152132
Filing Date: 2018-10-04
Applicant: Amazon Technologies, Inc.
Inventor: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.
-
Publication No.: US20170272423A1
Publication Date: 2017-09-21
Application No.: US15610295
Filing Date: 2017-05-31
Applicant: Amazon Technologies, Inc.
Inventor: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
CPC classification number: H04L63/08, G06F21/62, G06F2221/2141, H04L63/10
Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
-
Publication No.: US09443074B1
Publication Date: 2016-09-13
Application No.: US14099785
Filing Date: 2013-12-06
Applicant: Amazon Technologies, Inc.
Inventor: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
CPC classification number: G06F21/45, H04L63/0823, H04L63/20, H04L67/1002
Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.