公开(公告)号：US09898618B1

公开(公告)日：2018-02-20

申请号：US15636466

申请日：2017-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Bradley Jeffery Behm ,  Patrick J. Ward ,  Graeme Baer ,  Eric Jason Brandwine

IPC: G06F21/62 ,  H04L9/32

CPC classification number: G06F21/6227 ,  G06F17/30389 ,  G06F17/30427 ,  G06F17/30477 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3247 ,  H04L9/3263

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.

公开(公告)号：US20150341368A1

公开(公告)日：2015-11-26

申请号：US14817194

申请日：2015-08-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Bradley Jeffery Behm

IPC: H04L29/06

CPC classification number: H04L63/102 ,  G06F21/00 ,  G06F2221/2115 ,  G06Q50/01 ,  H04L9/3263 ,  H04L63/08 ,  H04L63/0884 ,  H04L67/20

Abstract: Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract translation: 描述的系统和方法用于委派权限来启用帐户访问与帐户无直接关联的实体。 系统确定与至少一个客户的安全帐户相关联的授权简档。 授权简介包括一个名称，一个确认策略，指定可能在该帐户外部以及被允许承担该授权简档的主体，以及一个授权策略，指示该帐户内允许的行为在这些主体内的主体 委托简介。 创建授权配置文件后，可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。

公开(公告)号：US20150304294A1

公开(公告)日：2015-10-22

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract translation: 描述了授权以启用帐户访问的系统和方法。 系统利用可以在至少一个用户的安全帐户内创建的委托简档。 授权简介包括一个名称，一个确认策略，指定可能在该帐户外部以及被允许承担该授权简档的主体，以及一个授权策略，指示在该帐户内为在 委托简介。 创建授权配置文件后，可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。

公开(公告)号：US11102189B2

公开(公告)日：2021-08-24

申请号：US14316675

申请日：2014-06-26

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Gregory B. Roth ,  Eric Jason Brandwine ,  Brian Irl Pratt ,  Bradley Jeffery Behm ,  Nathan R. Fitch

IPC: H04L29/06 ,  H04L9/32

Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

公开(公告)号：US10904233B2

公开(公告)日：2021-01-26

申请号：US15601914

申请日：2017-05-22

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Graeme D. Baer

IPC: H04L29/06 ,  G06F21/62 ,  H04L9/32 ,  H04L9/08 ,  G06F21/31 ,  G06F21/45

Abstract: A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.

公开(公告)号：US10652232B2

公开(公告)日：2020-05-12

申请号：US15409120

申请日：2017-01-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nicholas Alexander Allen ,  Cristian M. Ilac

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08

Abstract: Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

公开(公告)号：US10425223B2

公开(公告)日：2019-09-24

申请号：US15984198

申请日：2018-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Marc R. Barbour ,  Bradley Jeffrey Behm ,  Cristian M. Ilac ,  Eric Jason Brandwine

IPC: H04L9/08 ,  G06F21/60 ,  H04L29/06 ,  H04L9/14

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

公开(公告)号：US20190036973A1

公开(公告)日：2019-01-31

申请号：US16140393

申请日：2018-09-24

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Graeme D. Baer ,  Eric Jason Brandwine

IPC: H04L29/06 ,  G06F15/173

Abstract: Techniques for processing data according to customer-defined rules are disclosed. In particular, methods and systems for implementing a data alteration service using one or resources of a distributed computing system are described. The data alteration service is flexibly configurable by entities using the distributed computing system, and may be used to augment, compress, filter or otherwise modify data crossing a customer boundary.

公开(公告)号：US09928469B1

公开(公告)日：2018-03-27

申请号：US13633748

申请日：2012-10-02

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Adam K. Loghry ,  David John Ward, Jr.

IPC: G06Q10/00 ,  G06Q40/06

CPC classification number: G06Q10/00 ,  G06Q40/06

Abstract: Techniques for administrating computing resources include identifying, dynamically and/or based at least in part on historical data, a set of server computer systems expected to have availability for at least a portion of a future time period. A pricing scheme for implementing computer system instances for the future time period based at least in part on the availability of the server computer systems is generated. Accounting records in accordance with a price, determined based at least in part on the pricing scheme, for fulfilling requests to implement computer system instances for a predetermined finite amount of time are generated.

公开(公告)号：US20170373840A9

公开(公告)日：2017-12-28

申请号：US14980033

申请日：2015-12-28

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: H04L9/08

CPC classification number: H04L9/085 ,  H04L9/0825 ,  H04L9/3226 ,  H04L9/3234 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/06 ,  H04L67/02

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.