公开(公告)号：US11855757B1

公开(公告)日：2023-12-26

申请号：US17643785

申请日：2021-12-10

Applicant: Amazon Technologies, Inc.

Inventor： Julien Ridoux ,  Joshua Benjamin Levinson ,  Said Bshara ,  Erez Izenberg ,  Robert Klein ,  Alan Michael Judge

IPC: G06F1/10 ,  G06F1/12 ,  H04J3/06

CPC classification number: H04J3/0644 ,  G06F1/10 ,  G06F1/12

Abstract: Systems and methods are provided for highly accurate synchronization of machine instances in a distributed, hosted computing environment to a reference timekeeper. In addition to a general communication network accessible to machine instances, the distributed environment includes a second network dedicated to carrying time information, such as a pulse-per-second (PPS) signal to isolated timing hardware within host computing devices. The isolated timing hardware can use the PPS signal, along with a reference time, to set a hardware clock. The isolated timing hardware can further provide an interface to machine instances that enables the instances to read the time of the hardware clock. This configuration enables many instances can share access to a single reference timekeeper, thus synchronizing those instances to a much higher accuracy than in traditional network-based time protocols.

公开(公告)号：US20240073297A1

公开(公告)日：2024-02-29

申请号：US18462321

申请日：2023-09-06

Applicant: Amazon Technologies, Inc.

Inventor： Said Bshara ,  Alan Michael Judge ,  Erez Izenberg ,  Julien Ridoux ,  Joshua Benjamin Levinson ,  Anthony Nicholas Liguori ,  Nafea Bshara

IPC: H04L67/60 ,  G06F9/50 ,  H04L9/40 ,  H04L67/14

CPC classification number: H04L67/60 ,  G06F9/5038 ,  H04L63/0428 ,  H04L67/14

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

公开(公告)号：US12177185B1

公开(公告)日：2024-12-24

申请号：US17958057

申请日：2022-09-30

Applicant: Amazon Technologies, Inc.

Inventor： Mark Ryland ,  Joshua Benjamin Levinson

IPC: H04L9/40

Abstract: Techniques are described for enabling users of a cloud provider network to create policies used to control the use of temporary security credentials by computing resources other than a computing resource to which the credentials were issued. An identity and access management service encodes, into temporary security credentials, information about the virtual private network to which the credentials are issued. When a computing resource subsequently issues requests to perform actions and uses the temporary security credentials to sign the request, the cloud provider network further adds, to the network traffic, information associated with the virtual private network from which the request originates. A user can then create a policy with a statement indicating that request are to be permitted only if, e.g., the identity of the virtual private network as encoded in the temporary security credentials matches the identity of the virtual private network identified by the information included in the request.

公开(公告)号：US20240095338A1

公开(公告)日：2024-03-21

申请号：US17810291

申请日：2022-06-30

Applicant: Amazon Technologies, Inc.

Inventor： Joshua Benjamin Levinson ,  Colm MacCarthaigh ,  Alexander Graf ,  Iulia-Daniela Doras-Prodan ,  Petre Eftime

IPC: G06F21/53 ,  G06F9/455 ,  H04L9/08

CPC classification number: G06F21/53 ,  G06F9/455 ,  H04L9/0891 ,  G06F2221/2149

Abstract: An instance secrets management isolated runtime environment is launched at a virtualization server, and utilizes a subset of memory assigned to a compute instance. The subset of memory is inaccessible from entities external to the runtime environment. A secrets manager of the runtime environment provides a security artifact to an application, running at the compute instance, which has requested access to a resource. The artifact is generated by the secrets manager using a security secret associated with the compute instance; the secret is not accessible to programs external to the runtime environment. In response to a determination that the artifact is valid, the application obtains access to the resource.

公开(公告)号：US11853114B1

公开(公告)日：2023-12-26

申请号：US17643796

申请日：2021-12-10

Applicant: Amazon Technologies, Inc.

Inventor： Julien Ridoux ,  Joshua Benjamin Levinson ,  Alan Michael Judge ,  Colin Whittaker ,  James Paul Rivers

IPC: G06F1/10 ,  G06F1/08 ,  G06F1/12 ,  G06F1/14

CPC classification number: G06F1/12 ,  G06F1/10 ,  G06F1/14

Abstract: Systems and methods are provided for highly accurate synchronization of machine instances in a distributed, hosted computing environment to a reference timekeeper. In addition to a general communication network accessible to machine instances, the distributed environment includes a second network dedicated to carrying time information, such as a pulse-per-second (PPS) signal to isolated timing hardware within host computing devices. The isolated timing hardware can use the PPS signal, along with a reference time, to set a hardware clock. The isolated timing hardware can further provide an interface to machine instances that enables the instances to read the time of the hardware clock. This configuration enables many instances can share access to a single reference timekeeper, thus synchronizing those instances to a much higher accuracy than in traditional network-based time protocols.

公开(公告)号：US11792299B1

公开(公告)日：2023-10-17

申请号：US17806231

申请日：2022-06-09

Applicant: Amazon Technologies, Inc.

Inventor： Said Bshara ,  Alan Michael Judge ,  Erez Izenberg ,  Julien Ridoux ,  Joshua Benjamin Levinson ,  Anthony Nicholas Liguori ,  Nafea Bshara

IPC: H04L9/40 ,  H04L67/60 ,  H04L67/14 ,  G06F9/50

CPC classification number: H04L67/60 ,  G06F9/5038 ,  H04L63/0428 ,  H04L67/14

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

公开(公告)号：US20230308378A1

公开(公告)日：2023-09-28

申请号：US17705157

申请日：2022-03-25

Applicant: Amazon Technologies, Inc.

Inventor： Alan Michael Judge ,  Said Bshara ,  Julien Ridoux ,  Joshua Benjamin Levinson ,  David James Goodell ,  Erez Izenberg ,  Anthony Nicholas Liguori

IPC: H04L43/106 ,  H04L43/0852

CPC classification number: H04L43/106 ,  H04L43/0852 ,  H04L2212/00

Abstract: Various embodiments of apparatuses and methods for trusted and/or attested packet timestamping are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to host computing devices. The host computing devices host compute instances using a first set of computing resources, and also contain isolated timing hardware utilizing a different set of computing resources. The isolated timing hardware sets a hardware clock based on a signal corresponding to the reference clock from the reference timekeeper. The isolated timing hardware then receives a packet from a particular compute instance, creates a timestamp for the packet based at least in part on the hardware clock, where the timestamp is outside the control of the compute instances, and sends the packet and the timestamp through a data network to transmit to a packet destination.