公开(公告)号：US11290336B1

公开(公告)日：2022-03-29

申请号：US16989583

申请日：2020-08-10

Applicant: Amazon Technologies, Inc.

Inventor： Munindra N. Das ,  Patrick McFalls ,  Amjad Hussain ,  Anantharam Vaidyanathan

IPC: H04L41/0893 ,  H04L41/50 ,  H04L29/06 ,  G06F9/455 ,  H04L47/70

Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.

公开(公告)号：US11038847B1

公开(公告)日：2021-06-15

申请号：US16000070

申请日：2018-06-05

Applicant: Amazon Technologies, Inc.

Inventor： Munindra N. Das ,  Amjad Hussain ,  Sivaprasad Venkata Padisetty ,  Anantharam Vaidyanathan

IPC: H04L29/06

Abstract: This disclosure is directed to one or more computing services that provide users with secure access to a computing instance, which is auditable and accessible via a cross-platform browser-based shell or command-line interface (CLI). The computing service(s) forego any need to open up inbound ports, thereby improving security. The computing service(s) employ centralized authentication and auditing to ensure compliance with policies and to log activities for auditing, forensics, or other purposes. A message gateway service creates secure channels with a client device and the computing instance to establish a secure communication tunnel between the client device and computing instance. Once the tunnel is established, a user can send a command via the client device to the computing instance, via the message gateway service. The command output is uploaded to this tunnel and is sent back to the client device, via the message gateway service.

公开(公告)号：US10771337B1

公开(公告)日：2020-09-08

申请号：US15989836

申请日：2018-05-25

Applicant: Amazon Technologies, Inc.

Inventor： Munindra N. Das ,  Patrick McFalls ,  Amjad Hussain ,  Anantharam Vaidyanathan

IPC: G06F15/173 ,  H04L12/24 ,  H04L12/911 ,  H04L29/06 ,  G06F9/455

Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.