-
Publication number: US10853350B1
Publication date: 2020-12-01
Application number: US14838042
Application date: 2015-08-27
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Nima Sharifi Mehr
Abstract: Described are techniques for determining a data policy suitable for association with a data object based on the data access pattern for the data object. Correspondence between the data access pattern of the data object and pattern data, indicative of data access patterns stored in association with data policies, may be determined. Based on the correspondence between the data access pattern of the data object and a particular data access pattern of the pattern data, the data policy associated with the particular data access pattern may be suitable for use with the data object. A set of suitable data policies may be refined based on the content or metadata associated with the data object and the code or deployment status of services that access the data object. Once the access pattern for a data object is known, subsequent interactions with the data object may be analyzed to identify anomalous traffic.
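The matching step in the abstract above, written out as an added Go example (this is not Amazon's code, and the patent does not specify how patterns are represented or compared). It assumes an access pattern is a small feature vector (reads and writes per hour, distinct principals per day, fraction of external requests), compares patterns by Euclidean distance over log-scaled counts, picks the policy attached to the nearest stored pattern, and later flags traffic whose distance from that baseline exceeds a threshold. All pattern data and thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// AccessPattern is a constructed summary of how one data object is accessed.
// The four features are assumptions for this example, not the patent's.
type AccessPattern struct {
	ReadsPerHour       float64
	WritesPerHour      float64
	DistinctPrincipals float64 // per day
	ExternalFraction   float64 // share of requests from outside the owning account, 0..1
}

// externalWeight scales the 0..1 fraction so it carries about as much weight
// as a log-scaled count feature (assumed tuning constant).
const externalWeight = 4.0

// features maps counts through log1p so a 10x change in volume counts the
// same whether it happens at 10 or 10,000 requests per hour.
func (p AccessPattern) features() [4]float64 {
	return [4]float64{
		math.Log1p(p.ReadsPerHour),
		math.Log1p(p.WritesPerHour),
		math.Log1p(p.DistinctPrincipals),
		p.ExternalFraction * externalWeight,
	}
}

// Distance is the Euclidean distance between two patterns' feature vectors.
func Distance(a, b AccessPattern) float64 {
	fa, fb := a.features(), b.features()
	var sum float64
	for i := range fa {
		d := fa[i] - fb[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// StoredPattern is pattern data kept in association with a data policy.
type StoredPattern struct {
	Name    string
	Pattern AccessPattern
	Policy  string
}

// KnownPatterns is constructed sample pattern data.
var KnownPatterns = []StoredPattern{
	{"hot-public-read", AccessPattern{5000, 10, 800, 0.9}, "public-read-only"},
	{"internal-config", AccessPattern{20, 2, 3, 0}, "private-service-only"},
	{"cold-archive", AccessPattern{0.5, 0, 1, 0}, "cold-restricted"},
}

// SelectPolicy returns the policy attached to the stored pattern nearest to
// the observed one, plus that distance so the caller can judge the fit.
func SelectPolicy(stored []StoredPattern, observed AccessPattern) (string, float64) {
	best, bestDist := "", math.Inf(1)
	for _, s := range stored {
		if d := Distance(s.Pattern, observed); d < bestDist {
			best, bestDist = s.Policy, d
		}
	}
	return best, bestDist
}

// Anomalous reports whether a later observation has drifted from the
// baseline pattern by more than threshold (an assumed 1.0 in main).
func Anomalous(baseline, observed AccessPattern, threshold float64) bool {
	return Distance(baseline, observed) > threshold
}

func main() {
	observed := AccessPattern{25, 3, 4, 0} // constructed: a quiet internal object
	policy, dist := SelectPolicy(KnownPatterns, observed)
	fmt.Printf("policy=%s distance=%.2f\n", policy, dist)

	// Later traffic: similar volume, but many external principals appear.
	later := AccessPattern{30, 2, 60, 0.7}
	fmt.Println("anomalous:", Anomalous(observed, later, 1.0))
}
```

The distance is deliberately computed on the same features for selection and for anomaly detection, so the baseline used for alerting is exactly the pattern that justified the policy; a practitioner would still refine the candidate set with object metadata and the deployment status of the accessing services, as the abstract describes, before applying the policy.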
-
Publication number: US10776498B2
Publication date: 2020-09-15
Application number: US16548733
Application date: 2019-08-22
Applicant: Amazon Technologies, Inc.
Inventor: Muhammad Wasiq , Nima Sharifi Mehr
Abstract: An end-to-end request path associated with an application frontend is determined. A change to a service in the end-to-end request path is identified. A weight value to associate with the change is determined based at least in part on the characteristics of the change. The weight value is aggregated with the weight values of other code changes to produce a collective weight of the code changes. A security review is triggered based at least in part on the collective weight reaching a threshold.
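The weighting and aggregation described above, as an added Go example rather than Amazon's implementation. The change characteristics (touches authentication, touches input handling, adds a dependency, externally facing, lines changed), the per-characteristic weights and the threshold are all assumptions; the patent abstract names none of them. Changes to services that are not on the tracked request path do not count toward that path's review.

```go
package main

import "fmt"

// Change describes one code change to a service on an end-to-end request
// path. The characteristics are assumptions chosen for this example.
type Change struct {
	Service        string
	TouchesAuth    bool // authentication or authorization logic
	TouchesInput   bool // request parsing, deserialization, validation
	NewDependency  bool // introduces a new third-party library
	ExternalFacing bool // service is the frontend or reachable from it unauthenticated
	LinesChanged   int
}

// Weight scores a change from its characteristics. The constants are assumed
// tuning values, not taken from the patent.
func Weight(c Change) float64 {
	w := float64(c.LinesChanged) / 100.0 // size alone is a weak signal
	if c.TouchesAuth {
		w += 5
	}
	if c.TouchesInput {
		w += 3
	}
	if c.NewDependency {
		w += 2
	}
	if c.ExternalFacing {
		w *= 1.5 // the same change matters more where attacker input arrives first
	}
	return w
}

// ReviewTracker aggregates weights for changes on one request path since the
// last security review of that path.
type ReviewTracker struct {
	Path       []string // services on the end-to-end path, frontend first
	Threshold  float64
	Collective float64
	Pending    []Change
}

func (r *ReviewTracker) onPath(service string) bool {
	for _, s := range r.Path {
		if s == service {
			return true
		}
	}
	return false
}

// Record adds a change and reports whether the collective weight has reached
// the threshold, i.e. whether a security review should be triggered now.
func (r *ReviewTracker) Record(c Change) bool {
	if !r.onPath(c.Service) {
		return false
	}
	r.Pending = append(r.Pending, c)
	r.Collective += Weight(c)
	return r.Collective >= r.Threshold
}

// Reset clears the accumulator once a review has been performed.
func (r *ReviewTracker) Reset() {
	r.Collective, r.Pending = 0, nil
}

func main() {
	tr := &ReviewTracker{Path: []string{"api-gateway", "orders", "inventory"}, Threshold: 10}
	changes := []Change{ // constructed sample changes
		{Service: "api-gateway", TouchesInput: true, ExternalFacing: true, LinesChanged: 40},
		{Service: "billing", TouchesAuth: true, LinesChanged: 500}, // not on this path
		{Service: "inventory", NewDependency: true, LinesChanged: 300},
	}
	for _, c := range changes {
		due := tr.Record(c)
		fmt.Printf("%-12s weight=%.1f collective=%.1f review_due=%v\n", c.Service, Weight(c), tr.Collective, due)
	}
}
```

One design point worth keeping: a single large change to authentication code trips the threshold on its own, while many small changes accumulate toward it, which is the property the abstract is after: the review is triggered by the collective weight, not by any one commit.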
-
Publication number: US10764294B1
Publication date: 2020-09-01
Application number: US15067042
Application date: 2016-03-10
Applicant: Amazon Technologies, Inc.
Inventor: Muhammad Wasiq , Nima Sharifi Mehr
Abstract: A service request and a credential are sent from a customer environment to a service provider. The service provider maintains information, such as a credential whitelist, that identifies which credentials may be used with each customer environment. The service provider identifies the particular customer environment from which the service request was submitted using the IP address of the requester (or other environment-identifying information), and retrieves information that restricts the use of the credentials. A request may be approved or rejected based on the presence of the associated credential in a whitelist notwithstanding whether the credential otherwise authorizes the service request. In some examples, the system is used to limit data exfiltration from a customer environment.
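The whitelist check described above, as an added Go example; it is not Amazon's code and the data layout is assumed. The environment is identified by matching the requester's address against registered CIDR ranges, the credential is then required to be on that environment's whitelist, and only afterwards is the credential's own policy consulted. The sample environments, ranges and credential IDs are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Environment is one customer environment: the address ranges its requests
// arrive from and the credential IDs whitelisted for use from it.
type Environment struct {
	Name               string
	Ranges             []*net.IPNet
	AllowedCredentials map[string]bool
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleEnvironments is constructed data: production and development
// environments with disjoint egress ranges and disjoint credentials.
var SampleEnvironments = []Environment{
	{"prod", []*net.IPNet{mustCIDR("10.1.0.0/16")}, map[string]bool{"cred-prod-01": true}},
	{"dev", []*net.IPNet{mustCIDR("10.2.0.0/16")}, map[string]bool{"cred-dev-01": true}},
}

// Request is what the service provider sees: the credential's identifier
// (the secret is verified elsewhere), the requester's address and the action.
type Request struct {
	CredentialID string
	SourceIP     string
	Action       string
}

type Decision struct {
	Allowed bool
	Reason  string
}

// identifyEnvironment maps the requester address to a registered environment.
func identifyEnvironment(envs []Environment, ip net.IP) *Environment {
	for i := range envs {
		for _, n := range envs[i].Ranges {
			if n.Contains(ip) {
				return &envs[i]
			}
		}
	}
	return nil
}

// Authorize applies the environment whitelist before the credential's own
// permissions. A credential that is valid but not whitelisted for the
// environment it is used from is rejected: that is what stops an attacker
// inside prod from pushing data out with a credential of their own, and what
// stops a prod credential copied elsewhere from being used there.
// credentialAllows stands in for the provider's normal policy evaluation
// (an assumed callback).
func Authorize(envs []Environment, credentialAllows func(credID, action string) bool, r Request) Decision {
	ip := net.ParseIP(r.SourceIP)
	if ip == nil {
		return Decision{false, "unparseable source address"}
	}
	env := identifyEnvironment(envs, ip)
	if env == nil {
		return Decision{false, "source not in any registered environment"}
	}
	if !env.AllowedCredentials[r.CredentialID] {
		return Decision{false, fmt.Sprintf("credential %s not whitelisted for environment %s", r.CredentialID, env.Name)}
	}
	if !credentialAllows(r.CredentialID, r.Action) {
		return Decision{false, "credential policy denies " + r.Action}
	}
	return Decision{true, "allowed from environment " + env.Name}
}

func main() {
	allowAll := func(string, string) bool { return true } // the credentials themselves permit everything
	for _, r := range []Request{
		{"cred-prod-01", "10.1.2.3", "PutObject"},     // legitimate
		{"cred-attacker", "10.1.2.3", "PutObject"},    // exfiltration attempt from inside prod
		{"cred-prod-01", "10.2.0.9", "GetObject"},     // prod credential used from dev
		{"cred-prod-01", "203.0.113.7", "GetObject"},  // from an unregistered network
	} {
		d := Authorize(SampleEnvironments, allowAll, r)
		fmt.Printf("%-13s from %-12s -> %v (%s)\n", r.CredentialID, r.SourceIP, d.Allowed, d.Reason)
	}
}
```

A caveat the abstract hints at with "or other environment-identifying information": a source address is a weak identifier when environments share NAT egress or when the provider is reached through a proxy, so in practice the address should be corroborated by something the environment cannot forge, such as the identity of the private endpoint the request arrived through.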
-
Publication number: US20200228572A1
Publication date: 2020-07-16
Application number: US16832265
Application date: 2020-03-27
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
IPC: H04L29/06
Abstract: A customer of a resource allocation service can register a function to be executed using virtual resources, where the function includes customer code to be executed. Customer events are defined as triggers for a registered function, and a resource instance is allocated to execute the registered function when a triggering event is detected. An identity role associated with the triggered function is used to obtain access credentials for any data source that a triggering event might require for processing. An event-specific access credential is generated that provides a subset of these access privileges, using a template policy for the registered function that is filled with values specific to the triggering event. The filled template policy and the base credential are used to generate an event-specific credential valid only for the access needed for the event. This event-specific credential can be passed with the event data for processing by an allocated instance.
-
Publication number: US20200213362A1
Publication date: 2020-07-02
Application number: US16810331
Application date: 2020-03-05
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Kruse , Nima Sharifi Mehr
Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies, and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by a user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.
-
Publication number: US10581919B2
Publication date: 2020-03-03
Application number: US15953262
Application date: 2018-04-13
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse , Bharath Mukkati Prakash , Ashish Rangole , Nima Sharifi Mehr , Jeffrey John Wierer , Kunal Chadha , Chenxi Zhang , Hardik Nagda , Kai Zhao
Abstract: A computing resource service receives a request to access the service and perform various actions. In response to the request, the computing resource service obtains a set of active policies that are applicable to the request. As a result of the service determining that the set of active policies fails to provide sufficient permissions for fulfillment of the request, the service determines whether an enforcement policy is available that is applicable to the request. The service evaluates the request using the enforcement policy such that, if the enforcement policy includes permissions sufficient for fulfillment of the request, the request is fulfilled.
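Two of the abstracts above work on the same object, a policy: US20200228572A1 fills a template policy with event values and derives a credential that is a subset of the role's permissions, and US10581919B2 falls back to an enforcement policy when the active policies grant nothing. The added Go example below serves both with one minimal allow-only policy model; it is not Amazon's code, neither abstract fixes a policy format, and only a trailing `*` wildcard is supported. The role policy, template and enforcement policy are constructed. The one check a practitioner would insist on is also there: values taken from the event are refused if they contain a wildcard, so attacker-controlled event data cannot widen the derived credential, and the filled policy is verified to be within the base policy before any credential is minted from it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Minimal allow-only policy model assumed for this example (neither abstract
// specifies a format); patterns support only a trailing '*' wildcard.
type Statement struct{ Actions, Resources []string }
type Policy struct {
	Name       string
	Statements []Statement
}

func anyMatch(patterns []string, s string) bool {
	for _, p := range patterns {
		if p == s || strings.HasSuffix(p, "*") && strings.HasPrefix(s, p[:len(p)-1]) {
			return true
		}
	}
	return false
}

// Allows reports whether some statement of the policy covers the request.
func (p Policy) Allows(action, resource string) bool {
	for _, st := range p.Statements {
		if anyMatch(st.Actions, action) && anyMatch(st.Resources, resource) {
			return true
		}
	}
	return false
}

// substitute replaces {name} placeholders with the event's values.
func substitute(patterns []string, values map[string]string) (out []string) {
	for _, s := range patterns {
		for k, v := range values {
			s = strings.ReplaceAll(s, "{"+k+"}", v)
		}
		out = append(out, s)
	}
	return out
}

// FillTemplate instantiates a registered function's template policy with one
// event's values; values containing '*' are refused so attacker-chosen event
// fields cannot widen the scope of the derived credential.
func FillTemplate(tmpl Policy, values map[string]string) (Policy, error) {
	for k, v := range values {
		if strings.Contains(v, "*") {
			return Policy{}, errors.New("wildcard in event value " + k)
		}
	}
	out := Policy{Name: tmpl.Name + ":event"}
	for _, st := range tmpl.Statements {
		out.Statements = append(out.Statements,
			Statement{substitute(st.Actions, values), substitute(st.Resources, values)})
	}
	return out, nil
}

// WithinBase checks that every concrete grant in the event policy is also
// allowed by the role's base policy, so the event credential is a subset.
func WithinBase(event, base Policy) bool {
	for _, st := range event.Statements {
		for _, a := range st.Actions {
			for _, r := range st.Resources {
				if !base.Allows(a, r) {
					return false
				}
			}
		}
	}
	return true
}

// Authorize: the active policies decide first; the enforcement policy is
// consulted only when none of them grants the request.
func Authorize(active []Policy, enforcement *Policy, action, resource string) (bool, string) {
	for _, p := range active {
		if p.Allows(action, resource) {
			return true, "allowed by active policy " + p.Name
		}
	}
	if enforcement != nil && enforcement.Allows(action, resource) {
		return true, "allowed by enforcement policy " + enforcement.Name
	}
	return false, "no applicable allow"
}

// Constructed sample policies for a thumbnail-generating function.
var (
	RoleBasePolicy = Policy{"thumbnailer-role", []Statement{
		{[]string{"s3:GetObject"}, []string{"arn:aws:s3:::uploads/*"}},
		{[]string{"s3:PutObject"}, []string{"arn:aws:s3:::thumbnails/*"}}}}
	ThumbnailTemplate = Policy{"thumbnailer", []Statement{
		{[]string{"s3:GetObject"}, []string{"arn:aws:s3:::uploads/{key}"}},
		{[]string{"s3:PutObject"}, []string{"arn:aws:s3:::thumbnails/{key}"}}}}
	EnforcementPolicy = Policy{"org-logging", []Statement{{[]string{"logs:PutLogEvents"}, []string{"*"}}}}
)

func main() {
	ev, err := FillTemplate(ThumbnailTemplate, map[string]string{"key": "cat.jpg"})
	fmt.Println("filled:", err == nil, "within base:", WithinBase(ev, RoleBasePolicy),
		"can read dog.jpg:", ev.Allows("s3:GetObject", "arn:aws:s3:::uploads/dog.jpg"))
	fmt.Println(Authorize(nil, &EnforcementPolicy, "logs:PutLogEvents", "arn:aws:logs:::group/app"))
}
```

WithinBase treats a wildcard in the event policy literally, which is safe only because wildcards can reach the event policy from the trusted template and never from event values; the event-specific credential that would be minted from the filled policy (session token, expiry) is outside this example.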
-
Publication number: US10567434B1
Publication date: 2020-02-18
Application number: US14483071
Application date: 2014-09-10
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
IPC: H04L29/06
Abstract: A secure channel is generated using a third party to the channel. A first secure channel between two computer systems is established. The first secure channel is used to relay information about a third party. The third party provides security parameters for a second secure channel to enable the two computer systems to communicate over a second secure channel.
-
Publication number: US10530887B1
Publication date: 2020-01-07
Application number: US15371107
Application date: 2016-12-06
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
Abstract: Systems for processing requests to execute a user's program code use a message queue service to store requests when there are not enough resources to process them. The message queue service determines whether a request to be queued is associated with data that the program code needs in order to process the request. If so, the message queue service locates and retrieves the data and stores it in a cache storage that gives the program code faster access to the pre-fetched data. This provides faster execution of asynchronous instances of the program code.
-
Publication number: US10523434B1
Publication date: 2019-12-31
Application number: US15061937
Application date: 2016-03-04
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
Abstract: The present document describes a data storage system that includes a sandboxed execution environment. The execution environment is made available to clients of the data storage system. Clients are able to upload executable instructions to the execution environment, which can be used to manipulate data stored on the data storage system. In various examples, clients use the execution environment to perform key rotation operations on encrypted data stored on the data storage system. Clients transfer executable instructions and cryptographic keys to the execution environment, where the encrypted data stored on the data storage system can be read into the execution environment, decrypted with an old key, re-encrypted with a new key, and returned to the data storage system.
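The key rotation pass the abstract describes, as an added Go example of what a client's uploaded code would do inside the execution environment; it is not Amazon's code and the blob layout is assumed. Each stored object carries the identifier of the key that sealed it, encryption is AES-256-GCM with the key identifier bound as associated data, and the rotation routine decrypts with the old key and re-encrypts with the new one, passing through objects already under the new key and refusing objects under any other key. Keys and plaintexts are generated in the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob is one encrypted object as the storage system holds it. KeyID records
// which key sealed it, so a rotation pass can tell what still needs work.
type Blob struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, tag included
}

// RandomKey returns a fresh 256-bit AES key.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key. The key ID is bound as associated data,
// so a blob whose KeyID label is tampered with fails to authenticate.
func Encrypt(keyID string, key, plaintext []byte) (Blob, error) {
	g, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Blob{}, err
	}
	return Blob{KeyID: keyID, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Decrypt opens a blob; it fails if the key, nonce, ciphertext or KeyID label
// do not match what was sealed.
func Decrypt(key []byte, b Blob) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, b.Nonce, b.Ciphertext, []byte(b.KeyID))
}

// Rotate is the operation the client's uploaded code performs inside the
// sandbox: decrypt with the old key, re-encrypt with the new one. Blobs
// already under the new key pass through; blobs under any other key are an
// error rather than silently skipped.
func Rotate(b Blob, oldID string, oldKey []byte, newID string, newKey []byte) (Blob, error) {
	switch b.KeyID {
	case newID:
		return b, nil
	case oldID:
		pt, err := Decrypt(oldKey, b)
		if err != nil {
			return Blob{}, fmt.Errorf("blob under %s: %w", oldID, err)
		}
		return Encrypt(newID, newKey, pt)
	default:
		return Blob{}, errors.New("blob sealed under unexpected key " + b.KeyID)
	}
}

// RotateAll rewrites every blob in place and returns how many were re-encrypted.
func RotateAll(store []Blob, oldID string, oldKey []byte, newID string, newKey []byte) (int, error) {
	n := 0
	for i := range store {
		r, err := Rotate(store[i], oldID, oldKey, newID, newKey)
		if err != nil {
			return n, err
		}
		if r.KeyID != store[i].KeyID {
			n++
		}
		store[i] = r
	}
	return n, nil
}

func main() {
	oldKey, newKey := RandomKey(), RandomKey()
	store := make([]Blob, 0, 3)
	for _, s := range []string{"alpha", "beta", "gamma"} { // constructed sample data
		b, _ := Encrypt("key-2015", oldKey, []byte(s))
		store = append(store, b)
	}
	n, err := RotateAll(store, "key-2015", oldKey, "key-2016", newKey)
	pt, _ := Decrypt(newKey, store[0])
	fmt.Println("rotated:", n, "err:", err, "first plaintext:", string(pt))
}
```

Because the pass is idempotent (a second run re-encrypts nothing) it can be resumed after an interruption, which matters when rotation runs over a large store in batches; binding the key identifier as associated data is what lets the routine trust the KeyID label it switches on.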
-
Publication number: US10454689B1
Publication date: 2019-10-22
Application number: US14838165
Application date: 2015-08-27
Applicant: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
Abstract: A client maintains a pinned collection of trusted digital certificates. An original digital certificate in the collection may be updated by sending a request to the certificate authority that issued the original digital certificate. The certificate authority generates an updated certificate, signs the updated certificate with the private key corresponding to the updated certificate, and also signs the updated certificate with the private key corresponding to the original digital certificate. The server provides the updated certificate to the client. The client can validate the signature created with the updated private key using the updated public key of the certificate authority, and the signature created with the original private key can be validated using the original public key of the certificate authority. If both signatures are valid, continuity of trust is established and the updated certificate is added to the collection of trusted digital certificates.
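The double-signature update above, as an added Go example using Ed25519 from the standard library; it is not Amazon's code. The abstract does not fix an encoding, so a minimal certificate structure (subject, public key, expiry) stands in for X.509, and the two signatures cover that structure's serialized fields. The client side accepts a successor only if the self signature verifies under the new key and the second signature verifies under the key it currently pins; after a successful update the pin moves to the new key, so a successor signed by the now-retired original key is rejected. Key pairs and the subject name are generated or constructed in the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert is a deliberately minimal stand-in for an X.509 certificate; the
// abstract does not fix an encoding, so this one is assumed.
type Cert struct {
	Subject   string
	PublicKey ed25519.PublicKey
	NotAfter  int64  // Unix seconds
	SelfSig   []byte // over tbs(), by the private key matching PublicKey
	PrevSig   []byte // over tbs(), by the private key of the certificate being replaced
}

// tbs is the "to be signed" encoding: every field the signatures cover.
func (c Cert) tbs() []byte {
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(c.NotAfter))
	out := append([]byte(c.Subject), 0)
	out = append(out, c.PublicKey...)
	return append(out, exp[:]...)
}

// SelfSigned makes the original certificate the client pins out of band.
func SelfSigned(subject string, priv ed25519.PrivateKey, notAfter int64) Cert {
	c := Cert{Subject: subject, PublicKey: priv.Public().(ed25519.PublicKey), NotAfter: notAfter}
	c.SelfSig = ed25519.Sign(priv, c.tbs())
	return c
}

// IssueUpdated is the certificate authority's side: the successor certificate
// carries a signature by its own new key and one by the original key.
func IssueUpdated(subject string, originalPriv, updatedPriv ed25519.PrivateKey, notAfter int64) Cert {
	c := Cert{Subject: subject, PublicKey: updatedPriv.Public().(ed25519.PublicKey), NotAfter: notAfter}
	tbs := c.tbs()
	c.SelfSig = ed25519.Sign(updatedPriv, tbs)
	c.PrevSig = ed25519.Sign(originalPriv, tbs)
	return c
}

// PinStore is the client's pinned collection, keyed by subject.
type PinStore map[string]Cert

// Update replaces the pin for updated.Subject only if both signatures hold:
// the self signature proves possession of the new key, and the signature by
// the currently pinned key proves continuity from the trusted original.
func (ps PinStore) Update(updated Cert, now int64) error {
	pinned, ok := ps[updated.Subject]
	if !ok {
		return errors.New("no pinned certificate for " + updated.Subject)
	}
	if updated.NotAfter <= now {
		return errors.New("updated certificate is already expired")
	}
	tbs := updated.tbs()
	if !ed25519.Verify(updated.PublicKey, tbs, updated.SelfSig) {
		return errors.New("self signature does not verify under the new key")
	}
	if !ed25519.Verify(pinned.PublicKey, tbs, updated.PrevSig) {
		return errors.New("not signed by the currently pinned key; no continuity of trust")
	}
	ps[updated.Subject] = updated
	return nil
}

func main() {
	_, origPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	const subject, now = "Example Root CA", 1700000000 // constructed

	pins := PinStore{subject: SelfSigned(subject, origPriv, now+86400*365)}
	fmt.Println("legitimate update:", pins.Update(IssueUpdated(subject, origPriv, newPriv, now+86400*730), now))
	// An attacker with a fresh key pair cannot produce PrevSig under the pinned key.
	fmt.Println("rogue update:", pins.Update(IssueUpdated(subject, roguePriv, roguePriv, now+86400*730), now))
}
```

The continuity check only proves that whoever holds the currently pinned private key endorsed the successor; it does not help if that key has already been compromised, so rotation has to happen before compromise and the client still needs expiry (checked here) and a revocation path (not shown) for the pinned set.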
-