公开(公告)号：US11777995B2

公开(公告)日：2023-10-03

申请号：US17567318

申请日：2022-01-03

Applicant: Amazon Technologies, Inc.

Inventor： Ujjwal Rajkumar Pugalia ,  Sean McLaughlin ,  Neha Rungta ,  Andrew Jude Gacek ,  Matthias Schlaipfer ,  John Michael Renner ,  Jihong Chen ,  Alex Li ,  Erin Westfall ,  Daniel George Peebles ,  Himanshu Gupta

IPC: G06F15/16 ,  H04L9/40

CPC classification number: H04L63/20 ,  H04L63/08 ,  H04L63/102 ,  H04L63/105

Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.

公开(公告)号：US11757886B2

公开(公告)日：2023-09-12

申请号：US17119868

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L9/40 ,  H04L41/0604 ,  H04L41/22 ,  G06F21/62 ,  G06F16/901

CPC classification number: H04L63/101 ,  G06F21/62 ,  H04L41/0627 ,  H04L41/22 ,  H04L63/0435 ,  H04L63/10 ,  H04L63/105 ,  H04L63/20 ,  G06F16/9024

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

公开(公告)号：US11736525B1

公开(公告)日：2023-08-22

申请号：US16904467

申请日：2020-06-17

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Willem Conradie Visser ,  Daniel George Peebles

IPC: H04L9/40 ,  G06F21/57 ,  G06F21/62 ,  H04L41/0893

CPC classification number: H04L63/20 ,  G06F21/577 ,  G06F21/6218 ,  H04L41/0893 ,  H04L63/10

Abstract: Methods, systems, and computer-readable media for generating access control policies using static analysis are disclosed. An access control policy generator performs static analysis of program code of a software product. The static analysis identifies one or more calls to one or more external components in the program code. The access control policy generator determines a mapping of the one or more calls to one or more actions. The one or more actions are selected from a plurality of known actions supported by an access control policy manager. The access control policy generator generates an access control policy associated with the software product. The access control policy comprises one or more permissions with respect to the one or more external components. The access control policy permits the software product to access the plurality of external components using the access control policy manager during execution of the software product.

公开(公告)号：US11677789B2

公开(公告)日：2023-06-13

申请号：US17119663

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Neha Rungta ,  Daniel George Peebles ,  Andrew Jude Gacek ,  Marvin Theimer ,  Rebecca Claire Weiss ,  Brigid Ann Johnson

IPC: G06F15/16 ,  H04L9/40 ,  H04L41/5051 ,  H04L41/50

CPC classification number: H04L63/205 ,  H04L41/5051 ,  H04L41/5096 ,  H04L63/102

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

公开(公告)号：US20220201043A1

公开(公告)日：2022-06-23

申请号：US17567318

申请日：2022-01-03

Applicant: Amazon Technologies, Inc.

Inventor： Ujjwal Rajkumar Pugalia ,  Sean McLaughlin ,  Neha Rungta ,  Andrew Jude Gacek ,  Matthias Schlaipfer ,  John Michael Renner ,  Jihong Chen ,  Alex Li ,  Erin Westfall ,  Daniel George Peebles ,  Himanshu Gupta

IPC: H04L9/40

Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.

公开(公告)号：US20220191206A1

公开(公告)日：2022-06-16

申请号：US17119868

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L29/06 ,  H04L12/24

Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

公开(公告)号：US20240314134A1

公开(公告)日：2024-09-19

申请号：US18674692

申请日：2024-05-24

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L9/40 ,  H04L41/0604 ,  H04L41/22

CPC classification number: H04L63/101 ,  H04L41/0627 ,  H04L41/22 ,  H04L63/0435 ,  H04L63/20 ,  H04L63/105

Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph including nodes and edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using role assumption steps for a particular state of the attributes. The attributes may include transitive attributes that persist during the role assumption steps.

公开(公告)号：US12034727B2

公开(公告)日：2024-07-09

申请号：US17119855

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： John Byron Cook ,  Neha Rungta ,  Carsten Varming ,  Daniel George Peebles ,  Daniel Kroening ,  Alejandro Naser Pastoriza

IPC: H04L9/40 ,  H04L41/0604 ,  H04L41/22

CPC classification number: H04L63/101 ,  H04L41/0627 ,  H04L41/22 ,  H04L63/0435 ,  H04L63/20 ,  H04L63/105

Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph including nodes and edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using role assumption steps for a particular state of the attributes. The attributes may include transitive attributes that persist during the role assumption steps.

公开(公告)号：US11509730B1

公开(公告)日：2022-11-22

申请号：US17119238

申请日：2020-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Daniel George Peebles ,  Carsten Varming ,  Neha Rungta ,  Zhen Zhang

IPC: H04L67/51 ,  H04L9/40 ,  H04L67/133

Abstract: Techniques are described for generating a specification of security-relevant behavior associated with web services of a cloud provider network. Source code or software development artifacts associated with an implementation of a web service is obtained, where the source code of software development artifacts include an implementation of a request handler for an action of the service. The request handler includes a request authorization component, e.g., which may involve interaction with an identity and access management service of the cloud provider network to authenticate and authorize requests and may further rely upon one or more authorization contexts included in the requests received by the request handler. An interprocedural data flow analyzer is used to analyze a model representation of the bytecode to identify and generate specifications of authorization patterns associated with the request handler.

公开(公告)号：US11483353B1

公开(公告)日：2022-10-25

申请号：US17112849

申请日：2020-12-04

Applicant: Amazon Technologies, Inc.

Inventor： Jiasi Shen ,  Homer Strong ,  Daniel George Peebles ,  Neha Rungta

IPC: G06F15/173 ,  H04L9/40

Abstract: Access management policies may be generated from example requests. An access management policy may be received. One or more example requests that have expected results when evaluated with respect to the access management policy may be received. Updates to the access management policy may be determined that cause the expected results to occur when a new version of the access management policy based on the updates is enforced. The new version of the access management policy may be generated based on the updates.