公开(公告)号：US11102189B2

公开(公告)日：2021-08-24

申请号：US14316675

申请日：2014-06-26

Applicant: Amazon Technologies, Inc.

Inventor： Kevin Ross O'Neill ,  Gregory B. Roth ,  Eric Jason Brandwine ,  Brian Irl Pratt ,  Bradley Jeffery Behm ,  Nathan R. Fitch

IPC: H04L29/06 ,  H04L9/32

Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

公开(公告)号：US20170373840A9

公开(公告)日：2017-12-28

申请号：US14980033

申请日：2015-12-28

Applicant: Amazon Technologies, Inc.

Inventor： Nathan R. Fitch ,  Gregory B. Roth ,  Graeme D. Baer

IPC: H04L9/08

CPC classification number: H04L9/085 ,  H04L9/0825 ,  H04L9/3226 ,  H04L9/3234 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/06 ,  H04L67/02

Abstract: Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process. A client device use a security credential such as a key to sign a request to be sent to a recipient. When the request is received, the recipient determines whether the request was signed using the correct key for the sender. In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request. The sender can store the secret information in a secure location, such as a browser security module, such that the secret information is not exposed to the browser or script executing on the client device.

公开(公告)号：US09756031B1

公开(公告)日：2017-09-05

申请号：US14513147

申请日：2014-10-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Cristian M. Ilac ,  James E. Scharf, Jr. ,  Nathan R. Fitch ,  Graeme D. Baer ,  Brian Irl Pratt ,  Kevin Ross O'Neill

IPC: H04L29/06 ,  G06F21/00 ,  H04L29/08

CPC classification number: H04L63/08 ,  G06F21/123 ,  G06Q20/3821 ,  H04L63/0428 ,  H04L67/22

Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.

公开(公告)号：US09686261B2

公开(公告)日：2017-06-20

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: G06F7/04 ,  H04L29/06 ,  G06F21/62

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US09607162B2

公开(公告)日：2017-03-28

申请号：US14714982

申请日：2015-05-18

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Eric D. Crahen ,  Graeme D. Baer ,  Eric J. Brandwine ,  Nathan R. Fitch

IPC: G06F21/00 ,  G06F21/60 ,  G06F9/445 ,  G06F9/455 ,  H04L29/06 ,  G06Q30/06

CPC classification number: G06F21/602 ,  G06F9/44505 ,  G06F9/45558 ,  G06F21/606 ,  G06F2009/45587 ,  G06Q30/06 ,  H04L63/0209 ,  H04L63/0428 ,  H04L63/0471 ,  H04L63/08 ,  H04L63/166

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

公开(公告)号：US20200296108A1

公开(公告)日：2020-09-17

申请号：US16892197

申请日：2020-06-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/08 ,  H04L9/32

Abstract: A delegation request is submitted to a session-based authentication service, fulfillment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

公开(公告)号：US10110587B2

公开(公告)日：2018-10-23

申请号：US15610295

申请日：2017-05-31

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

公开(公告)号：US20180205738A1

公开(公告)日：2018-07-19

申请号：US15924038

申请日：2018-03-16

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Eric Jason Brandwine ,  Nathan R. Fitch ,  Cristian M. Ilac ,  Eric D. Crahen

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  G06F21/33

CPC classification number: H04L63/102 ,  G06F21/335 ,  G06F2221/2137 ,  H04L9/083 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/32 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/06 ,  H04L63/08 ,  H04L2209/38

Abstract: A delegation request is submitted to a session-based authentication service, fulfilment of which involves granting an entity an access privilege to a computing resource. A session key is received from the session-based authentication service. The session key having been generated based at least in part on a restriction and a secret credential shared with the session-based authentication service and usable at least in part to prove possession of the access privilege to the computing resource. The session key is provided to the entity without providing the shared secret credential.

公开(公告)号：US09898618B1

公开(公告)日：2018-02-20

申请号：US15636466

申请日：2017-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Bradley Jeffery Behm ,  Patrick J. Ward ,  Graeme Baer ,  Eric Jason Brandwine

IPC: G06F21/62 ,  H04L9/32

CPC classification number: G06F21/6227 ,  G06F17/30389 ,  G06F17/30427 ,  G06F17/30477 ,  G06F21/602 ,  G06F21/6218 ,  H04L9/3247 ,  H04L9/3263

Abstract: A database access system may protect a field by storing the field as one or more underlying fields within a database. The database engine may not have access to keys used to protect the underlying fields within the database, such as by encryption, while the database access system may have access to the keys. Underlying fields may be used to store protected data and aid in the querying of protected data. The database access system may modify queries to use the underlying fields, which may include encrypting query terms and/or modifying query terms to fit the use of the underlying fields. The database access system may modify query results to match the format of the original query, which may include decrypting protected results and/or removing underlying fields.

公开(公告)号：US20150304294A1

公开(公告)日：2015-10-22

申请号：US14629332

申请日：2015-02-23

Applicant: Amazon Technologies, Inc.

Inventor： Gregory B. Roth ,  Nathan R. Fitch ,  Kevin Ross O'Neill ,  Graeme D. Baer ,  Bradley Jeffery Behm ,  Brian Irl Pratt

IPC: H04L29/06

CPC classification number: H04L63/08 ,  G06F21/62 ,  G06F2221/2141 ,  H04L63/10

Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.

Abstract translation: 描述了授权以启用帐户访问的系统和方法。 系统利用可以在至少一个用户的安全帐户内创建的委托简档。 授权简介包括一个名称，一个确认策略，指定可能在该帐户外部以及被允许承担该授权简档的主体，以及一个授权策略，指示在该帐户内为在 委托简介。 创建授权配置文件后，可以将其提供给外部主体或服务。 这些外部主体或服务可以使用委托简档来获取使用委托简档的凭据在帐户中执行各种操作的凭据。