-
Publication number: US10944561B1
Publication date: 2021-03-09
Application number: US15979248
Filing date: 2018-05-14
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Rachit Jain, Brigid Ann Johnson, Praveen Akinapally, Varun Jayant Oswal, Jasmeet Chhabra, Ritwick Dhar, Luke Edward Kennedy, Per Mikael Horal
Abstract: A security token service receives a request for a token. The request indicates a set of access control policies that define a set of permissions for access to a resource. The security token service generates the token to comprise a set of identifiers of the set of access control policies. The security token service provides the token in response to the request to enable the token to be used to access the resource in accordance with the set of access control policies.
-
Publication number: US10715458B1
Publication date: 2020-07-14
Application number: US15836565
Filing date: 2017-12-08
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Daniel Stephen Popick
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US20200267090A1
Publication date: 2020-08-20
Application number: US16866961
Filing date: 2020-05-05
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Daniel Stephen Popick
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US10511584B1
Publication date: 2019-12-17
Application number: US15280692
Filing date: 2016-09-29
Applicant: Amazon Technologies, Inc.
Inventor: Graeme David Baer, Conor Patrick Cahill
Abstract: A secure shell (SSH) bastion service can proxy customer SSH traffic through SSH host resources before routing the traffic to the target resource instances in a customer allocation of a multi-tenant environment. The bastion service supports connections directly from a customer allocation management console, which enables the specification of a target instance and selection of an option to establish a secure connection to that instance. The bastion service handles authentication and authorization, ensuring that all security requirements are satisfied. An SSH server of the bastion service can route the traffic to the target instance using the appropriate port for SSH traffic. A second SSH connection is established from the bastion service to the SSH server executing on the target instance, providing end-to-end security of traffic from the client device to the target instance of the customer allocation.
-
Publication number: US12028461B2
Publication date: 2024-07-02
Application number: US18196266
Filing date: 2023-05-11
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
CPC classification number: H04L9/3247, G06F12/1408, H04L63/061, H04L63/126, G06F2212/402
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-
Publication number: US10819747B1
Publication date: 2020-10-27
Application number: US14498784
Filing date: 2014-09-26
Applicant: Amazon Technologies, Inc.
Inventor: Khaled Salah Sedky, Kai Zhao, Jacob Andreas Kjelstrup, Ajith Harshana Ranabahu, Conor Patrick Cahill
Abstract: A system and method for generating a policy entitlement map usable to provide a visualization of policies based at least in part on a set of resources of a service of a computing resource service provider, a set of actions that can be taken with the set of resources, or one or more identities. The policy entitlement map may be generated to reflect a set of actions performable by identities of the one or more identities, a set of resources accessible by the identities, or a set of actions that may be performed on the resources.
-
Publication number: US10536277B1
Publication date: 2020-01-14
Application number: US14979308
Filing date: 2015-12-22
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-
Publication number: US11962511B2
Publication date: 2024-04-16
Application number: US17870609
Filing date: 2022-07-21
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Daniel Stephen Popick
CPC classification number: H04L47/70, G06F21/31, G06F21/45, G06Q10/00, H04L63/102, H04L67/02, H04L67/146
Abstract: User identities can be managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.
-
Publication number: US11847241B1
Publication date: 2023-12-19
Application number: US15958520
Filing date: 2018-04-20
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Jasmeet Chhabra, Travis William Hickey, Ahmad Kayed Kamel Aljolani, Daniel Stephen Popick, Akshay Mohan Sumant
CPC classification number: G06F21/6218, G06F21/604, H04L63/102, H04L63/20, G06F2221/2141, H04L67/10
Abstract: A request to modify a set of permissions (e.g., delete the permissions, replace the set of permissions with a different set of permissions) is received at a computing device. A set of services are prevented from using the set of permissions to access resources. The set of permissions are changed while the set of services are prevented from using the set of permissions to access resources.
-
Publication number: US11695569B2
Publication date: 2023-07-04
Application number: US17212915
Filing date: 2021-03-25
Applicant: Amazon Technologies, Inc.
Inventor: William Frederick Hingle Kruse, Conor Patrick Cahill, Jeffrey Cicero Canton, Dmitry Frenkel, Harshad Vasant Kulkarni, Colin Watson, Andrew Paul Mikulski
CPC classification number: H04L9/3247, G06F12/1408, H04L63/061, H04L63/126, G06F2212/402
Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received at a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
-