ACCESS CONTROL POLICY ANALYSIS IN A MULTI-PROVIDER NETWORK ENVIRONMENT

    Publication No.: US20250106256A1

    Publication Date: 2025-03-27

    Application No.: US18371034

    Filing Date: 2023-09-21

    Abstract: Techniques for analyzing access control policies across multiple provider networks. These techniques compile various policies into a unified policy language broad enough to include diverse policy features, yet specific enough for automated analysis. An automated differential testing method is employed to confirm the accuracy of this compilation by generating access requests, ensuring both original and translated policies consistently grant or deny access. Moreover, an abstraction technique is used to simplify and correlate the complex details of different policies, enabling easier user inquiries about them. For instance, users can determine if an account has write access in one network but not in another. This abstraction sometimes involves replacing actions in original policies, ensuring their compatibility in the target policy language.

    AUTOMATED POLICY REFINER FOR CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT SYSTEMS

    Publication No.: US20240114035A1

    Publication Date: 2024-04-04

    Application No.: US17957904

    Filing Date: 2022-09-30

    CPC classification number: H04L63/107 H04L63/102

    Abstract: Techniques are described for providing a policy refiner application used to analyze and recommend modifications to identity and access management policies created by users of a cloud provider network (e.g., to move the policies toward least-privilege permissions). A policy refiner application receives as input a policy to analyze, and a log of events related to activity associated with one or more accounts of a cloud provider network. The policy refiner application can identify, from the log of events, actions that were permitted based on particular statements contained in the policy. Based on field values contained in the corresponding events, the policy refiner application generates an abstraction of the field values, where the abstraction of the field values may represent a more restrictive version of the field from a policy perspective. These abstractions can be presented to users as recommendations for modifying their policy to reduce the privileges granted by the policy.
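The following sketch of the log-driven refinement this abstract describes is an added example, not code from the patent or its assignee; the IAM-style statement shape, the event fields, and the choice of a common path prefix as the abstraction are all assumptions.

```python
# Added example (not from the patent): a minimal log-driven policy refiner.
# Given an allow statement with broad Action/Resource fields and a constructed
# event log, it finds the events the statement permitted and abstracts the
# observed field values into a tighter statement to recommend.
import fnmatch
from typing import List

# Constructed sample statement (assumed IAM-style shape, deliberately broad).
POLICY = {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}

# Constructed sample events: the action invoked and the resource touched.
EVENTS = [
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/2024/a.log"},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/2024/b.log"},
    {"action": "s3:PutObject", "resource": "arn:aws:s3:::app-logs/2024/c.log"},
    {"action": "ec2:RunInstances", "resource": "arn:aws:ec2:us-east-1:123:instance/*"},
]

def permitted_by(stmt, event) -> bool:
    """True if the statement's Action and Resource patterns both match the event."""
    return (stmt["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(event["action"], a) for a in stmt["Action"])
            and any(fnmatch.fnmatchcase(event["resource"], r) for r in stmt["Resource"]))

def abstract_values(values: List[str]) -> str:
    """Generalise observed values to their longest common '/'-separated prefix
    plus '*'. A single distinct value is kept exactly; no shared prefix yields '*'."""
    if len(set(values)) == 1:
        return values[0]
    common = []
    for segs in zip(*(v.split("/") for v in values)):
        if len(set(segs)) != 1:
            break
        common.append(segs[0])
    return "/".join(common) + "/*" if common else "*"

def refine(stmt, events):
    """Recommend a statement restricted to what the log shows was actually used."""
    used = [e for e in events if permitted_by(stmt, e)]
    if not used:
        return None  # statement never exercised: a candidate for removal
    actions = sorted({e["action"] for e in used})
    resource = abstract_values([e["resource"] for e in used])
    return {"Effect": "Allow", "Action": actions, "Resource": [resource]}
```

Because only events the original statement permitted are considered, the recommendation can only narrow the grant, never widen it.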
