Key rotation with external workflows
    1.
    Granted invention patent
    Status: in force

    Publication No.: US09276754B1

    Publication date: 2016-03-01

    Application No.: US14563891

    Filing date: 2014-12-08

    Abstract: A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.


    Credential management in a multi-tenant environment
    2.
    Granted invention patent
    Status: in force

    Publication No.: US09148414B1

    Publication date: 2015-09-29

    Application No.: US13676811

    Filing date: 2012-11-14

    Abstract: Customers accessing resources or services in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer and will reject any requests that might have been tampered with or otherwise falsely generated. Various endpoints or interfaces can be used, which can be located in the multi-tenant environment, in a customer environment, or in a separate location. These endpoints or interfaces can sign unsigned requests, or otherwise increase the credentials of a signed request, on behalf of a customer. In some embodiments, additional metadata can be added that can increase the authentication level of the requests. Such an approach can enable a customer to provide or delegate access to the resources without exposing the credentials outside a secure environment.

