-
Publication No.: US12058176B1
Publication Date: 2024-08-06
Application No.: US17161491
Application Date: 2021-01-28
Applicant: Amazon Technologies, Inc.
Inventor: Gokul Ramanan Subramanian , Sayantan Chakravorty , Dennis Tighe , Carlos Alessandro Chiconato , Damian Wylie
CPC classification number: H04L63/20 , H04L63/0807 , H04L63/0876 , H04L63/1483
Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.
-
Publication No.: US11914696B1
Publication Date: 2024-02-27
Application No.: US17039864
Application Date: 2020-09-30
Applicant: Amazon Technologies, Inc.
Inventor: Dean H Saxe , Conor P Cahill , Dennis Tighe , Jonathan Robert Hurd , Brian Mead Tyler , Cristian Marius Ilac , Mark Ryland
CPC classification number: G06F21/40 , G06F9/4843 , G06F21/62 , G06F2221/2137 , G06F2221/2141
Abstract: Quorum-based access control management may be implemented. Quorum controls may be created for determining whether to perform or deny access control operations to perform privileged tasks. When an access control operation is received, approval of the operation may be requested from members for the quorum control. If a policy for the quorum control is satisfied by approval responses, then approval to perform the access control operation may be provided.
-
Publication No.: US11481397B1
Publication Date: 2022-10-25
Application No.: US16356335
Application Date: 2019-03-18
Applicant: Amazon Technologies, Inc.
Inventor: Timothy Michael Galvin , Shawn McCoy , David Charles Wein , Michael Hall , Khaled Sinno , Grant A. McAlister , Tanmoy Dutta , Dennis Tighe
IPC: H04L9/40 , G06F16/2455 , G06F9/54
Abstract: Techniques for aggregating and emitting database activity record batches are described. Database activity records can be written to a shared memory queue and emitted to a destination using a remote procedure call (RPC). Individual database connection server processes can write client activity records to the queue. An activity monitor plugin in the database engine can monitor the audit records and aggregate the audit records into batches. Batches of audit records can be sent via RPC to their final or intermediate destination. Each instance host in a database service can include a client backend process configured to define how to submit audit records to shared memory. The activity monitor plugin can batch audit records into messages, submit those messages via RPC to a security host manager, and relay responses back to each relevant client backend.
-
Publication No.: US20240356985A1
Publication Date: 2024-10-24
Application No.: US18762541
Application Date: 2024-07-02
Applicant: Amazon Technologies, Inc.
Inventor: Gokul Ramanan Subramanian , Sayantan Chakravorty , Dennis Tighe , Carlos Alessandro Chiconato , Damian Wylie
IPC: H04L9/40
CPC classification number: H04L63/20 , H04L63/0807 , H04L63/0876 , H04L63/1483
Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.
-
Publication No.: US10776174B2
Publication Date: 2020-09-15
Application No.: US15988826
Application Date: 2018-05-24
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Walters , Tanmoy Dutta , Barry B. Hunter, Jr. , Grant Alexander Macdonald McAlister , Daniel Myers , Rahul Nambiar , Bharath Subramanian Pichai , Mark Porter , Dennis Tighe
Abstract: Resources hosted in different virtualization platforms may be managed across the different virtualization platforms. Requests to perform types of actions with respect to a resource hosted in a type of virtualization platform may be received. Mapping information between types of actions and actions available via interfaces for different types of virtualization platforms may be evaluated to select actions for an interface of the type of virtualization platform that hosts the resource. The selected actions may then be performed via the interface to perform the action with regard to the resource.
-
Publication No.: US20190361748A1
Publication Date: 2019-11-28
Application No.: US15988826
Application Date: 2018-05-24
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Walters , Tanmoy Dutta , Barry B. Hunter, JR. , Grant Alexander MacDonald McAlister , Daniel Myers , Rahul Nambiar , Bharath Subramanian Pichai , Mark Porter , Dennis Tighe
Abstract: Resources hosted in different virtualization platforms may be managed across the different virtualization platforms. Requests to perform types of actions with respect to a resource hosted in a type of virtualization platform may be received. Mapping information between types of actions and actions available via interfaces for different types of virtualization platforms may be evaluated to select actions for an interface of the type of virtualization platform that hosts the resource. The selected actions may then be performed via the interface to perform the action with regard to the resource.
-
Publication No.: US11500824B1
Publication Date: 2022-11-15
Application No.: US15478017
Application Date: 2017-04-03
Applicant: Amazon Technologies, Inc.
Inventor: Dennis Tighe , Matthew Walters , Brian Welcker
IPC: G06F16/21 , G06F16/958
Abstract: A proxy server acts as an intermediary between a database client and a database server. The proxy server is configured with a set of user-defined rules. When a request is received from the database client, the proxy server may apply rules that modify, route, reject, log, or pass the request to the database server. Individual rules may be based on attributes of the client computer system, database server, or the request itself. In one embodiment, a rule may be used to translate a request from a format provided by the client into a format preferred by a destination database. In one embodiment, a rule may route a particular request to one of a number of databases based on the nature of the request.
-
Publication No.: US11182496B1
Publication Date: 2021-11-23
Application No.: US15478010
Application Date: 2017-04-03
Applicant: Amazon Technologies, Inc.
Inventor: Matthew Walters , Brian Welcker , Dennis Tighe
IPC: G06F16/24 , G06F21/62 , G06F21/60 , H04L29/06 , H04L29/08 , G06F16/2455 , G06F16/2457
Abstract: A proxy server acts as an intermediary between a database client and a database server. The proxy server establishes and maintains a set of logical connections to the database server. The proxy server receives a request from the database client, and generates a set of database commands that, when performed by the database server, are capable of fulfilling the request. The proxy server selects a particular logical connection from the set of logical connections based at least in part on a characteristic of the request, and submits the set of database commands to the database server via the selected particular logical connection. In various examples, the particular logical connection is selected so that various performance, efficiency, and security objectives are achieved.
-
Publication No.: US11106540B1
Publication Date: 2021-08-31
Application No.: US15477989
Application Date: 2017-04-03
Applicant: Amazon Technologies, Inc.
Inventor: Brian Welcker , Dennis Tighe , Matthew Walters
Abstract: A proxy server receives requests from a client computer system and generates corresponding sets of database commands that are capable of fulfilling the requests when submitted to a database server. The proxy server may repeat processing associated with a particular request more than once under different operational conditions in order to improve future performance. In some examples, the proxy server submits a particular database command sequence to the database server using various operational parameters, and measures the performance of each submission to identify a particular set of operational parameters to be applied to the database server with future submissions. In another example, the proxy server determines a number of alternative command sequences that fulfill a particular request, and measures the performance of each of the alternative command sequences to determine how command sequences are generated for future requests.