-
Publication number: US20180288059A1
Publication date: 2018-10-04
Application number: US15997330
Application date: 2018-06-04
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
CPC classification number: H04L63/101 , H04L63/02 , H04L63/0227 , H04L63/0236 , H04L63/0272 , H04L63/0428 , H04L63/10 , H04L63/20 , H04L67/10
Abstract: Systems and methods for providing access to a remote network via an external endpoint are provided. A client establishes a secure connection between an external endpoint and a remote network. Transmissions from clients to the external endpoint are supplemented with additional information regarding handling within the remote network, and then transmitted to an internal endpoint within the remote network. The internal endpoint processes the transmission based on the supplemental information and returns a response to the external endpoint. A response is then returned to the client. Access policies may be created by authorized users to establish processing of client transmissions. These policies may be stored and enforced by the internal endpoint or the external endpoint.
-
Publication number: US10078754B1
Publication date: 2018-09-18
Application number: US14035735
Application date: 2013-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Gregory Branchek Roth , Jamie Hunter
IPC: G06F21/60
CPC classification number: G06F21/602 , G06F21/78 , G06F2221/2107 , H04L9/088
Abstract: Techniques for providing cryptographic keys for encrypted system volumes on machine instances in virtualized and/or distributed systems are described herein. At a time after detecting the requirement for a cryptographic key by a virtual machine instance, one or more computer system entities within a computer system invoke one or more computer system capabilities at least to create one or more virtual hardware devices capable of representing or providing appropriate cryptographic keys. The virtual hardware devices are connected to the machine instance under the control of the computer system so that the encrypted system volumes may be used. After the cryptographic key is no longer needed, it is detached from the machine instance.
-
Publication number: US10067781B2
Publication date: 2018-09-04
Application number: US14887088
Application date: 2015-10-19
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Don Johnson , Marvin M. Theimer
Abstract: Generally described, aspects of the present disclosure relate to managing the configuration and security policies of hosted virtual machine networks. Hosted virtual machine networks are configured in a manner such that a virtual machine manager component can establish service manifests that correspond to information required by the virtual machine network from a user/customer. The virtual machine manager component can also publish in the service manifests contractual information, such as security risk assessments, that are deemed to have been provided and accepted by the user/customer in instantiating virtual machine networks. If the processed service manifest information remains valid, a substrate network process requests or independently instantiates services or components in accordance with the configuration information and security risk information included in the processed service manifest.
-
Publication number: US10061915B1
Publication date: 2018-08-28
Application number: US14476593
Application date: 2014-09-03
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Aaron Douglas Dokey , Eric Jason Brandwine , Nathan Bartholomew Thomas
Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.
-
Publication number: US09992203B2
Publication date: 2018-06-05
Application number: US15093403
Application date: 2016-04-07
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
CPC classification number: H04L63/101 , H04L63/02 , H04L63/0227 , H04L63/0236 , H04L63/0272 , H04L63/0428 , H04L63/10 , H04L63/20 , H04L67/10
Abstract: Systems and methods for providing access to a remote network via an external endpoint are provided. A client establishes a secure connection between an external endpoint and a remote network. Transmissions from clients to the external endpoint are supplemented with additional information regarding handling within the remote network, and then transmitted to an internal endpoint within the remote network. The internal endpoint processes the transmission based on the supplemental information and returns a response to the external endpoint. A response is then returned to the client. Access policies may be created by authorized users to establish processing of client transmissions. These policies may be stored and enforced by the internal endpoint or the external endpoint.
-
Publication number: US09979694B2
Publication date: 2018-05-22
Application number: US14936314
Application date: 2015-11-09
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Don Johnson , Marvin M. Theimer
CPC classification number: H04L61/2503 , G06F9/45558 , G06F2009/45595 , H04L61/6068 , H04L67/18 , H04L67/28 , H04L67/2814 , H04L67/2823
Abstract: Systems and methods are provided for using proxy addresses to manage communications sent between virtual machine networks hosted by a substrate network. In some embodiments, the substrate network may identify a communication addressed from an instantiated component of a first hosted virtual network to a first proxy component of the first hosted virtual network. The substrate network may cause the communication to be received by a second instantiated component of a second host virtual network. Specifically, the substrate network may alter a destination address of the communication from a proxy address of the first proxy component to a network address of the second instantiated component. The substrate network may also alter a source address of the communication from a network address of the first instantiated component to a proxy address of a second proxy component.
-
Publication number: US09912696B2
Publication date: 2018-03-06
Application number: US13932872
Application date: 2013-07-01
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine , Matthew James Wren
Abstract: Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption.
-
Publication number: US09876773B1
Publication date: 2018-01-23
Application number: US14949225
Application date: 2015-11-23
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Ian R. Searle
IPC: H04L29/06
CPC classification number: H04L63/06 , H04L61/103 , H04L61/15 , H04L63/0428 , H04L63/123
Abstract: Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.
-
Publication number: US09871850B1
Publication date: 2018-01-16
Application number: US14311167
Application date: 2014-06-20
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Bradley Eugene Marshall
IPC: H04L29/08
CPC classification number: H04L67/10 , H04L45/306 , H04L67/1002 , H04L67/1008 , H04L67/1019 , H04L67/327
Abstract: An edge node of a content delivery network (CDN) service receives a representation of a browsing request from a client-side component of a split-browser service (SBS). The SBS includes a browsing engine implemented at a provider network. The edge node determines whether content retrieval analysis of the browsing request is to be performed at the edge node. In response to a determination that content retrieval analysis of the browsing request is not to be performed at the edge node, the edge node uses a routing knowledge base of the CDN service to identify a network route to the SBS browsing engine and transmits the representation of the browsing request via the identified network route to the SBS browsing engine for content retrieval and related processing.
-
Publication number: US09854001B1
Publication date: 2017-12-26
Application number: US14225300
Application date: 2014-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Eric Jason Brandwine
IPC: H04L29/06
CPC classification number: H04L63/20
Abstract: A system enforces policies in connection with requests to access resources. Users are provided the ability to obtain information about the policies the system enforces. Some of the users have associated restrictions such that, when those users request information about the policies, the information provided is incomplete. The information provided may lack information about one or more policies that apply to the users.