公开(公告)号：US20150347763A1

公开(公告)日：2015-12-03

申请号：US14714982

申请日：2015-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Eric D. Crahen ,  Graeme D. Baer ,  Eric J. Brandwine ,  Nathan R. Fitch

IPC: G06F21/60 ,  G06F9/455 ,  G06F9/445

CPC classification number: G06F21/602 ,  G06F9/44505 ,  G06F9/45558 ,  G06F21/606 ,  G06F2009/45587 ,  G06Q30/06 ,  H04L63/0209 ,  H04L63/0428 ,  H04L63/0471 ,  H04L63/08 ,  H04L63/166

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

Abstract translation: 支持系统使用与guest虚拟机系统相关联的一组凭据代表多个客户系统协商安全连接。 安全连接的操作对客户系统可能是透明的，使得客系统可以发送和接收由诸如管理程序之类的支持系统加密或解密的消息。 由于支持系统在客户系统和目的地之间，支持系统可以充当安全连接的本地端点。 消息可以由支持系统改变以向客系统指示哪些通信被保护。 证书可以由支持系统管理，使得客户机系统不需要访问凭证。

公开(公告)号：US11658971B1

公开(公告)日：2023-05-23

申请号：US16427099

申请日：2019-05-30

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Mark Joseph Cavage ,  Nathan R. Fitch ,  Anders Samuelsson ,  Brian Irl Pratt ,  Yunong Jeff Xiao ,  Bradley Jeffery Behm ,  James E. Scharf, Jr.

IPC: H04L9/40 ,  H04L41/28 ,  H04L67/00

CPC classification number: H04L63/10 ,  H04L41/28 ,  H04L63/0263 ,  H04L63/20 ,  H04L67/00 ,  H04L63/08 ,  H04L63/102

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

公开(公告)号：US10313346B1

公开(公告)日：2019-06-04

申请号：US14553915

申请日：2014-11-25

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Mark Joseph Cavage ,  Nathan R. Fitch ,  Anders Samuelsson ,  Brian Irl Pratt ,  Yunong Jeff Xiao ,  Bradley Jeffery Behm ,  James E. Scharf, Jr.

IPC: H04L29/06 ,  H04L12/24

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

公开(公告)号：US10313112B2

公开(公告)日：2019-06-04

申请号：US14980033

申请日：2015-12-28

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  H04L29/08

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

公开(公告)号：US10110579B2

公开(公告)日：2018-10-23

申请号：US14834218

申请日：2015-08-24

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: G06F21/30 ,  H04L9/32 ,  H04L29/06 ,  H04L9/08 ,  G06F21/31

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

公开(公告)号：US09985969B1

公开(公告)日：2018-05-29

申请号：US13853926

申请日：2013-03-29

Applicant: Amazon Technologies, Inc.

Inventor： Mark Joseph Cavage ,  John Cormie ,  Nathan R. Fitch ,  Don Johnson ,  Peter Sirota

IPC: H04L29/06 ,  G06F21/62 ,  G06F21/60

CPC classification number: H04L63/10 ,  G06F21/604 ,  G06F21/6218 ,  G06F2221/2141 ,  H04L63/0227 ,  H04L63/102 ,  H04L63/20

Abstract: Techniques are described for managing access to computing-related resources that, for example, may enable multiple distinct parties to independently control access to the resources (e.g., such that a request to access a resource succeeds only if all of multiple associated parties approve that access). For example, an executing software application may, on behalf of an end user, make use of computing-related resources of one or more types that are provided by one or more remote third-party network services (e.g., data storage services provided by an online storage service)—in such a situation, both the developer user who created the software application and the end user may be allowed to independently specify access rights for one or more particular such computing-related resources (e.g., stored data files), such that neither the end user nor the software application developer user may later access those resources without the approval of the other party.

公开(公告)号：US09954866B2

公开(公告)日：2018-04-24

申请号：US14866673

申请日：2015-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L9/08 ,  H04L29/06 ,  G06F21/33 ,  H04L9/32

CPC classification number: H04L63/102 ,  G06F21/335 ,  G06F2221/2137 ,  H04L9/083 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/32 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/06 ,  H04L63/08 ,  H04L2209/38

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

公开(公告)号：US20170272423A1

公开(公告)日：2017-09-21

申请号：US15610295

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06 ,  G06F21/62

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US09727743B1

公开(公告)日：2017-08-08

申请号：US15012639

申请日：2016-02-01

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Bradley Jeffery Behm ,  Patrick J. Ward ,  Graeme D. Baer ,  Eric Jason Brandwine

IPC: G06F21/62 ,  G06F21/60 ,  G06F17/30

CPC classification number: G06F21/6227 ,  G06F17/30389 ,  G06F17/30427 ,  G06F17/30477 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3247 ,  H04L9/3263

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.

公开(公告)号：US20160021118A1

公开(公告)日：2016-01-21

申请号：US14866673

申请日：2015-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L29/06

CPC classification number: H04L63/102 ,  G06F21/335 ,  G06F2221/2137 ,  H04L9/083 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/32 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/06 ,  H04L63/08 ,  H04L2209/38

Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

Abstract translation: 委托请求被提交给基于会话的认证服务，其实现涉及授予实体对计算资源的访问权限。 从基于会话的认证服务接收会话密钥。 所述会话密钥至少部分地基于与所述基于会话的认证服务共享的限制和秘密凭证而生成，并且至少部分地可用于证明对所述计算资源拥有所述访问特权。 会话密钥提供给实体，而不提供共享的秘密凭证。