-
Publication number: US20240179181A1
Publication date: 2024-05-30
Application number: US18070321
Filing date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Emina TORLAK , Darin MCADAMS , Neha RUNGTA , Michael W. HICKS , Craig Ryan DISSELKOEN , Aaron Joseph ELINE , John Holman KASTNER , Kyle HEADLEY , Anwar MAMAT , Richard Matthew MCCUTCHEN , Andrew Marshall WELLS , Kesha Hanne HIETALA , Shaobo HE , Mark Edward STALZER , Julian LOVELOCK
IPC: H04L9/40
CPC classification number: H04L63/20 , H04L63/104
Abstract: A system and method for authorization policy evaluation. Authorization policies are authored in a general-purpose authorization language. An evaluation engine is used in a provider network by application developers to manage access within their applications based on fine-grained permissions. The policy language combines elements of role-based and attribute-based access control within an intuitive syntax and efficient evaluation strategy. The policy syntax separates role-based expressions of a policy from attribute-based expressions of the policy.
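The split the abstract describes, a role-based scope (principal, action, resource) checked first and attribute-based `when`/`unless` conditions checked only for policies whose scope matched, can be shown in a few dozen lines. The evaluator below is an added illustration written for this page, not the patent's or any product's code; the `Type::id` entity naming, the `in <group>` and `Type::*` scope patterns, the sample users, tickets and policies are all constructed for the example. Decisions follow the usual default-deny, forbid-overrides-permit rule.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

Entity = str  # "Type::id", e.g. "User::alice" (naming convention assumed for this example)


@dataclass
class Policy:
    effect: str                                  # "permit" or "forbid"
    principal: Optional[str] = None              # role-based scope, see scope_matches()
    action: Optional[str] = None
    resource: Optional[str] = None
    when: list = field(default_factory=list)     # attribute-based conditions, all must hold
    unless: list = field(default_factory=list)   # attribute-based conditions, none may hold


@dataclass
class Request:
    principal: Entity
    action: Entity
    resource: Entity
    context: dict = field(default_factory=dict)


def ancestors(entity: Entity, parents: dict) -> set:
    """Transitive closure of the entity hierarchy (group membership)."""
    seen, todo = set(), [entity]
    while todo:
        for p in parents.get(todo.pop(), ()):
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return seen


def scope_matches(pattern: Optional[str], entity: Entity, parents: dict) -> bool:
    """Role-based part of a policy: exact entity, 'in <group>', 'Type::*', or None for any."""
    if pattern is None:
        return True
    if pattern.startswith("in "):
        return pattern[3:] in ancestors(entity, parents)
    if pattern.endswith("::*"):
        return entity.split("::", 1)[0] == pattern[:-3]
    return pattern == entity


def authorize(req: Request, policies: list, parents: dict, attrs: dict) -> tuple:
    """Return (decision, permitting policy indices, forbidding policy indices)."""
    permits, forbids = [], []
    for i, p in enumerate(policies):
        if not (scope_matches(p.principal, req.principal, parents)
                and scope_matches(p.action, req.action, parents)
                and scope_matches(p.resource, req.resource, parents)):
            continue  # ruled out by the role-based scope, no attribute lookups needed
        env = {"principal": attrs.get(req.principal, {}),
               "resource": attrs.get(req.resource, {}),
               "context": req.context}
        try:
            applies = all(c(env) for c in p.when) and not any(c(env) for c in p.unless)
        except (KeyError, TypeError):
            applies = False  # design choice here: a condition that errors (missing attribute) does not apply
        if applies:
            (forbids if p.effect == "forbid" else permits).append(i)
    decision = "Deny" if forbids or not permits else "Allow"
    return decision, permits, forbids


# Constructed sample data for the example (not taken from the patent).
PARENTS = {"User::alice": {"Group::support"}, "User::bob": {"Group::support"}}
ATTRS = {
    "User::alice": {"team": "billing"},
    "User::bob": {"team": "ops"},
    "User::carol": {"team": "billing"},
    "Ticket::1": {"owner_team": "billing"},
    "Ticket::2": {"owner_team": "ops"},
}
POLICIES = [
    # permit principal in Group::support, action viewTicket, resource Ticket::*
    #   when { resource.owner_team == principal.team }
    Policy("permit", "in Group::support", "Action::viewTicket", "Ticket::*",
           when=[lambda e: e["resource"]["owner_team"] == e["principal"]["team"]]),
    # forbid everything unless the request context carries an MFA claim
    Policy("forbid", unless=[lambda e: e["context"].get("mfa") is True]),
]


def decide(principal: Entity, action: Entity, resource: Entity, **context) -> str:
    return authorize(Request(principal, action, resource, context), POLICIES, PARENTS, ATTRS)[0]


if __name__ == "__main__":
    print(decide("User::alice", "Action::viewTicket", "Ticket::1", mfa=True))  # Allow
    print(decide("User::alice", "Action::viewTicket", "Ticket::2", mfa=True))  # Deny: other team's ticket
    print(decide("User::alice", "Action::viewTicket", "Ticket::1"))            # Deny: forbid fires without MFA
    print(decide("User::carol", "Action::viewTicket", "Ticket::1", mfa=True))  # Deny: not in Group::support
```

Two points worth noticing: the scope checks never touch attributes, so a request that is out of scope costs only a hierarchy lookup, and a condition that raises because an attribute is missing is treated here as "policy does not apply" rather than as a request-level error; a production engine has to pick one of those behaviours deliberately, since the choice decides whether a permit with a typo fails open or closed.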
-
Publication number: US20220318059A1
Publication date: 2022-10-06
Application number: US17218541
Filing date: 2021-03-31
Applicant: Amazon Technologies, Inc.
Inventor: John Byron COOK , Andres Philipp NOETZLI , Neha RUNGTA , Jingmei HU
Abstract: Techniques are described for efficiently distributing satisfiability modulo theories (SMT) queries expressed in propositional logic with string variables across multiple computing resources. As part of the computing-related services provided by a cloud provider network, many cloud providers also offer identity and access management services, which generally help users to control access and permissions to the services and resources (e.g., compute instances, storage resources, etc.) obtained by users via a cloud provider network. By using resource policies, for example, users can granularly control which identities are able to access specific resources associated with the users' accounts and how those identities can use the resources. The ability to efficiently distribute the analysis of SMT queries expressed in propositional logic with string variables among any number of separate computing resources (e.g., among separate processes, compute instances, containers, etc.) enables the efficient analysis of such policies.
-
Publication number: US20200314145A1
Publication date: 2020-10-01
Application number: US16369215
Filing date: 2019-03-29
Applicant: Amazon Technologies, Inc.
Inventor: Pauline Virginie BOLIGNANO , Tyler BRAY , John Byron COOK , Andrew Jude GACEK , Kasper Søe LUCKOW , Andrea NEDIC , Neha RUNGTA , Cole SCHLESINGER , Carsten VARMING
Abstract: Techniques for intent-based governance are described. For example, in some instances a method of receiving an indication of a change involving one or more of code, a policy, a network configuration, or a governance requirement rule impacting a resource in a provider network for an account that is to be analyzed using one or more governance requirement rules; determining one or more governance requirement rules to evaluate for compliance after the update; evaluating the determined one or more governance requirement rules for compliance using one or more reasoning engines according to one or more policies; and making a result of the evaluating available to a user provides such governance.
-
Publication number: US20190278928A1
Publication date: 2019-09-12
Application number: US15913741
Filing date: 2018-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Neha RUNGTA , Pauline Virginie BOLIGNANO , Catherine DODGE , Carsten VARMING , John COOK , Rajesh VISWANATHAN , Daryl Stephen COOKE , Santosh KALYANKRISHNAN
Abstract: A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be sent to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.
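A pre-deployment gate of the kind the abstract describes is essentially a set of administrator-selected invariants evaluated over a launch template before anything is provisioned. The checker below is an added example for this page, not the patent's implementation: the template is a constructed, CloudFormation-shaped dictionary, the three invariants (no SSH/RDP open to the world, no public bucket ACL, default bucket encryption present) are ones a practitioner would typically choose, and the check names in `CHECKS` are invented for the example.

```python
import ipaddress

# Constructed template in a CloudFormation-like shape; not a real deployment.
TEMPLATE = {
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ]}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "Data": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    }
}

ADMIN_PORTS = (22, 3389)


def check_admin_ports_from_internet(name, res):
    """Invariant: SSH/RDP must never be reachable from an unrestricted CIDR."""
    if res.get("Type") != "AWS::EC2::SecurityGroup":
        return []
    findings = []
    for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue  # not world-open
        if str(rule.get("IpProtocol")) == "-1":
            lo, hi = 0, 65535  # "all traffic" rule
        else:
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        findings += [f"{name}: port {p} open to {cidr}" for p in ADMIN_PORTS if lo <= p <= hi]
    return findings


def check_no_public_bucket_acl(name, res):
    """Invariant: canned ACLs must not grant access outside the account."""
    if res.get("Type") != "AWS::S3::Bucket":
        return []
    acl = res.get("Properties", {}).get("AccessControl", "Private")
    public = acl.startswith("Public") or acl == "AuthenticatedRead"
    return [f"{name}: AccessControl {acl} grants access beyond the account"] if public else []


def check_bucket_encryption(name, res):
    """Invariant: every bucket declares default server-side encryption."""
    if res.get("Type") != "AWS::S3::Bucket":
        return []
    return [] if "BucketEncryption" in res.get("Properties", {}) else [f"{name}: no default encryption"]


CHECKS = {  # the administrator selects which invariants apply to a deployment
    "admin_ports": check_admin_ports_from_internet,
    "public_acl": check_no_public_bucket_acl,
    "encryption": check_bucket_encryption,
}


def run_checks(template, selected):
    """Evaluate the selected invariants over every resource; returns human-readable findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for key in selected:
            findings += CHECKS[key](name, res)
    return findings


def deployment_allowed(template, selected):
    """Pre-deployment gate: any failing selected check denies the whole template."""
    return not run_checks(template, selected)


if __name__ == "__main__":
    for f in run_checks(TEMPLATE, list(CHECKS)):
        print("DENY:", f)
    print("allowed:", deployment_allowed(TEMPLATE, list(CHECKS)))
```

The findings list is what the notification to the administrator would carry. Note that this static pass only sees what is literal in the template; properties resolved at deployment time (parameters, intrinsic references) have to be substituted first or the check must be treated as inconclusive, which is the kind of pre-computed information the abstract's "optimized template" would hold.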
-
Publication number: US20240179188A1
Publication date: 2024-05-30
Application number: US18070371
Filing date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Emina TORLAK , Kyle HEADLEY , Michael W. HICKS , Neha RUNGTA , Andrew Marshall WELLS
IPC: H04L9/40
CPC classification number: H04L63/205 , H04L63/104
Abstract: A system and method for authorization policy analysis. A policy analyzer answers first-order questions about authorization policies by reducing the policies to satisfiability modulo theories (SMT). Input to the analyzer includes a policy to be analyzed and a schema for that policy. If the policy passes strict validation against the schema, then the analyzer symbolically evaluates the policy to encode its semantics as an SMT expression. The SMT expression is used to formulate a desired query about policy behavior such as, for example, whether there is any input on which two policies both evaluate to true. The reduction to SMT produces a quantifier-free formula in a combination of decidable theories to support large scale deployments. This reduction is achieved by focusing the analysis on policies that pass strict validation, rather than attempting to analyze arbitrary policies.
-
Publication number: US20240114035A1
Publication date: 2024-04-04
Application number: US17957904
Filing date: 2022-09-30
Applicant: Amazon Technologies, Inc.
Inventor: Neha RUNGTA , Chungha SUNG , Amit GOEL , Zvonimir RAKAMARIC , Loris D'ANTONI
IPC: H04L9/40
CPC classification number: H04L63/107 , H04L63/102
Abstract: Techniques are described for providing a policy refiner application used to analyze and recommend modifications to identity and access management policies created by users of a cloud provider network (e.g., to move the policies toward least-privilege permissions). A policy refiner application receives as input a policy to analyze, and a log of events related to activity associated with one or more accounts of a cloud provider network. The policy refiner application can identify, from the log of events, actions that were permitted based on particular statements contained in the policy. Based on field values contained in the corresponding events, the policy refiner application generates an abstraction of the field values, where the abstraction of the field values may represent a more restrictive version of the field from a policy perspective. These abstractions can be presented to users as recommendations for modifying their policy to reduce the privileges granted by the policy.
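The refinement loop in this abstract (match events to the statement that permitted them, then abstract the observed field values into a tighter pattern) is concrete enough to run. The code below is an added example for this page and not the patent's own implementation; the policy, the event records and their field names (`action`, `resource`, `sourceIp`) are constructed and simplified, and the two abstraction functions (`abstract_strings`, `abstract_cidr`) are one reasonable choice, not the patent's method. `aws:SourceIp` is the real IAM condition key for caller address.

```python
import fnmatch
import ipaddress
import os

# Constructed input: an over-broad policy and a handful of simplified log events.
POLICY = {"Statement": [
    {"Sid": "S3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "EC2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
]}
EVENTS = [
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/2024/01/a.gz", "sourceIp": "10.0.1.5"},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-logs/2024/02/b.gz", "sourceIp": "10.0.1.9"},
    {"action": "s3:PutObject", "resource": "arn:aws:s3:::app-logs/2024/02/c.gz", "sourceIp": "10.0.1.20"},
    {"action": "sts:GetCallerIdentity", "resource": "*", "sourceIp": "10.0.1.5"},  # matches neither statement
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_permits(stmt, event):
    """IAM-style wildcard match of the event's action and resource against one Allow statement."""
    return (stmt["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(event["action"], a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(event["resource"], r) for r in _as_list(stmt["Resource"])))


def abstract_strings(values):
    """Most specific wildcard pattern covering all observed values, cut at an ARN separator."""
    values = sorted(set(values))
    if len(values) == 1:
        return values[0]
    prefix = os.path.commonprefix(values)
    cut = max(prefix.rfind("/"), prefix.rfind(":"))
    return prefix[:cut + 1] + "*"


def abstract_cidr(ips):
    """Smallest single CIDR block containing every observed source address (IPv4 assumed)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


def refine(policy, events):
    """Per statement: the tighter statement the log supports, or None if it was never exercised."""
    out = {}
    for stmt in policy["Statement"]:
        used = [e for e in events if statement_permits(stmt, e)]
        if not used:
            out[stmt["Sid"]] = None  # candidate for removal
            continue
        out[stmt["Sid"]] = {
            "Sid": stmt["Sid"], "Effect": "Allow",
            "Action": sorted({e["action"] for e in used}),
            "Resource": abstract_strings(e["resource"] for e in used),
            "Condition": {"IpAddress": {"aws:SourceIp": abstract_cidr(e["sourceIp"] for e in used)}},
        }
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(refine(POLICY, EVENTS), indent=2))
```

On this input the `S3` statement shrinks from `s3:*` on `*` to two actions on `arn:aws:s3:::app-logs/2024/*` from `10.0.1.0/27`, and `EC2` comes back as unused. The caveat a practitioner will want: the log only proves what was needed during the observation window, so an action exercised rarely (a quarterly job, a break-glass path) is missing from the recommendation, which is why the abstract frames the output as recommendations to a user rather than an automatic rewrite.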
-
Publication number: US20220191253A1
Publication date: 2022-06-16
Application number: US17119663
Filing date: 2020-12-11
Applicant: Amazon Technologies, Inc.
Inventor: Neha RUNGTA , Daniel George PEEBLES , Andrew Jude GACEK , Marvin THEIMER , Rebecca Claire WEISS , Brigid Ann JOHNSON
Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.
-
Publication number: US20250106256A1
Publication date: 2025-03-27
Application number: US18371034
Filing date: 2023-09-21
Applicant: Amazon Technologies, Inc.
Inventor: Amit GOEL , Chengpeng LI , Chungha SUNG , Loris D'ANTONI , Neha RUNGTA
Abstract: Techniques for analyzing access control policies across multiple provider networks. These techniques compile various policies into a unified policy language broad enough to include diverse policy features, yet specific enough for automated analysis. An automated differential testing method is employed to confirm the accuracy of this compilation by generating access requests, ensuring both original and translated policies consistently grant or deny access. Moreover, an abstraction technique is used to simplify and correlate the complex details of different policies, enabling easier user inquiries about them. For instance, users can determine if an account has write access in one network but not in another. This abstraction sometimes involves replacing actions in original policies, ensuring their compatibility in the target policy language.
-
Publication number: US20240179182A1
Publication date: 2024-05-30
Application number: US18070349
Filing date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Michael W. HICKS , John Holman KASTNER , Emina TORLAK , Richard Matthew MCCUTCHEN , Darin MCADAMS , Neha RUNGTA , Aaron Joseph ELINE , Joseph Wallace CUTLER , Eleftherios IOANNIDIS
IPC: H04L9/40
CPC classification number: H04L63/20
Abstract: A system and method for authorization policy validation. A validator takes as input an authorization policy to be analyzed and a schema that specifies entity types and their attributes, types of entity parents in an entity hierarchy, and which entity types can be used with which actions. The validator checks that the policy conforms to the schema. If the check passes, then the policy is guaranteed to be free of both type errors and attribute access errors for any input that conforms to the schema.
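The validator in this abstract checks three things against a schema: that the action applies to the principal and resource types in the policy's scope, that any `in <parent>` constraint names a parent type the entity type may belong to, and that every attribute access and comparison in the condition is well-typed. The type checker below is an added example written for this page, not the patent's validator; the schema layout, the tuple-based condition syntax (`("attr", "principal", "team")`, `("==", a, b)`, `("lit", v)`) and the sample policies are constructed for the example.

```python
# Constructed schema: entity types with typed attributes and allowed parent types,
# and actions with the principal/resource types they apply to.
SCHEMA = {
    "entityTypes": {
        "User":   {"attributes": {"team": "String", "clearance": "Long"}, "memberOfTypes": ["Group"]},
        "Group":  {"attributes": {}, "memberOfTypes": []},
        "Ticket": {"attributes": {"owner_team": "String", "sensitivity": "Long"}, "memberOfTypes": []},
    },
    "actions": {
        "viewTicket": {"principalTypes": ["User"], "resourceTypes": ["Ticket"]},
    },
}


def _lit_type(v):
    if isinstance(v, bool):   # bool before int: True is an int in Python
        return "Bool"
    if isinstance(v, int):
        return "Long"
    if isinstance(v, str):
        return "String"
    return "Error"


def typecheck(expr, env, schema, errors):
    """Static type of expr ('String', 'Long', 'Bool'), or 'Error' after recording why."""
    op = expr[0]
    if op == "lit":
        return _lit_type(expr[1])
    if op == "attr":
        _, var, name = expr
        attrs = schema["entityTypes"][env[var]]["attributes"]
        if name not in attrs:
            errors.append(f"{var} (type {env[var]}) has no attribute '{name}'")
            return "Error"
        return attrs[name]
    if op in ("and", "or", "not"):
        for sub in expr[1:]:
            t = typecheck(sub, env, schema, errors)
            if t not in ("Bool", "Error"):
                errors.append(f"'{op}' expects Bool operands, got {t}")
        return "Bool"
    if op in ("==", "!=", "<", "<=", ">", ">="):
        lt = typecheck(expr[1], env, schema, errors)
        rt = typecheck(expr[2], env, schema, errors)
        if "Error" in (lt, rt):
            return "Bool"  # already reported below this node
        if op in ("==", "!=") and lt != rt:
            errors.append(f"'{op}' compares {lt} with {rt}")
        elif op not in ("==", "!=") and (lt, rt) != ("Long", "Long"):
            errors.append(f"'{op}' expects Long operands, got {lt} and {rt}")
        return "Bool"
    errors.append(f"unknown operator {op!r}")
    return "Error"


def validate(policy, schema):
    """Return the list of schema violations; an empty list means the policy passed."""
    errors = []
    action = schema["actions"].get(policy["action"])
    if action is None:
        return [f"unknown action {policy['action']!r}"]
    env = {}
    for var, allowed in (("principal", action["principalTypes"]), ("resource", action["resourceTypes"])):
        scope = policy[var]
        etype = scope["type"]
        if etype not in schema["entityTypes"]:
            return errors + [f"unknown entity type {etype!r} for {var}"]
        if etype not in allowed:
            errors.append(f"action {policy['action']} does not apply to {var} of type {etype}")
        parent = scope.get("in")
        if parent and parent not in schema["entityTypes"][etype]["memberOfTypes"]:
            errors.append(f"{etype} entities cannot be members of {parent}")
        env[var] = etype
    t = typecheck(policy.get("when", ("lit", True)), env, schema, errors)
    if t not in ("Bool", "Error"):
        errors.append(f"'when' condition must be Bool, got {t}")
    return errors


# Constructed policies: one that passes, one with condition errors, one with scope errors.
GOOD = {"effect": "permit", "action": "viewTicket",
        "principal": {"type": "User", "in": "Group"}, "resource": {"type": "Ticket"},
        "when": ("and", ("==", ("attr", "principal", "team"), ("attr", "resource", "owner_team")),
                        (">=", ("attr", "principal", "clearance"), ("attr", "resource", "sensitivity")))}
BAD_CONDITION = {"effect": "permit", "action": "viewTicket",
                 "principal": {"type": "User"}, "resource": {"type": "Ticket"},
                 "when": ("and", ("==", ("attr", "principal", "department"), ("lit", "billing")),
                                 (">=", ("attr", "principal", "team"), ("attr", "resource", "sensitivity")))}
BAD_SCOPE = {"effect": "permit", "action": "viewTicket",
             "principal": {"type": "Ticket", "in": "Group"}, "resource": {"type": "Ticket"}}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD_CONDITION", BAD_CONDITION), ("BAD_SCOPE", BAD_SCOPE)):
        print(name, validate(pol, SCHEMA) or "ok")
```

The guarantee in the abstract is conditional: a policy that passes is free of type and attribute-access errors only for inputs that conform to the schema. In practice that means the entity store feeding the evaluator must be validated against the same schema, or the static result says nothing about what happens at request time.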
-
Publication number: US20220094643A1
Publication date: 2022-03-24
Application number: US17029581
Filing date: 2020-09-23
Applicant: Amazon Technologies, Inc.
Inventor: John Byron COOK , Neha RUNGTA , Andrew Jude GACEK , Daniel George PEEBLES , Carsten VARMING
IPC: H04L12/911 , H04L12/923
Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of “roles” is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).
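The reachability question at the end of this abstract ("which roles are reachable from other roles") is a graph search once the per-hop admissibility rule is fixed. The code below is an added example for this page and not the patent's abstraction or model checker; the roles, trust statements and identity-policy permissions are constructed and simplified (a trust `Principal` is a single ARN string rather than the real `{"AWS": ...}` form, and conditions are plain key/value pairs). The hop rule it models, that the trust policy must admit the caller and the caller additionally needs `sts:AssumeRole` on the target unless the role is in the caller's own account and the trust statement names the caller explicitly rather than via the account root, is this example's reading of the documented IAM behaviour; treat it as an assumption to verify for your own environment.

```python
import fnmatch
from collections import deque

# Constructed data: role trust policies (who may assume the role, under what condition)
# and identity-policy Resource patterns for sts:AssumeRole per principal.
ROLES = {
    "arn:aws:iam::111:role/Dev": {"trust": [{"Principal": "arn:aws:iam::111:user/dev-alice"}]},
    "arn:aws:iam::111:role/CI": {"trust": [{"Principal": "arn:aws:iam::111:role/Dev"}]},
    "arn:aws:iam::222:role/Auditor": {"trust": [{"Principal": "arn:aws:iam::111:root"}]},
    "arn:aws:iam::222:role/ProdAdmin": {"trust": [{"Principal": "arn:aws:iam::111:role/CI",
                                                    "Condition": {"aws:MultiFactorAuthPresent": "true"}}]},
}
ASSUME_ROLE_PERMS = {
    "arn:aws:iam::111:user/dev-alice": ["arn:aws:iam::111:role/Dev", "arn:aws:iam::222:role/Auditor"],
    "arn:aws:iam::111:role/Dev": ["*"],
    "arn:aws:iam::111:role/CI": ["arn:aws:iam::222:role/ProdAdmin"],
}
ALICE = "arn:aws:iam::111:user/dev-alice"
MFA_CONTEXT = {"aws:MultiFactorAuthPresent": "true"}


def account_of(arn):
    return arn.split(":")[4]


def trust_allows(stmt, caller, context):
    """Does one trust statement admit `caller` given the request context the analysis assumes?"""
    p = stmt["Principal"]
    if p.endswith(":root"):
        ok = account_of(caller) == account_of(p)   # account-root trust: any principal of that account
    else:
        ok = fnmatch.fnmatchcase(caller, p)
    cond = stmt.get("Condition", {})
    return ok and all(context.get(k) == v for k, v in cond.items())


def permitted_by_identity_policy(caller, role):
    return any(fnmatch.fnmatchcase(role, pat) for pat in ASSUME_ROLE_PERMS.get(caller, []))


def can_assume(caller, role, context):
    """One hop in the graph, under the rule described in the lead-in (an assumption of this example)."""
    for stmt in ROLES[role]["trust"]:
        if not trust_allows(stmt, caller, context):
            continue
        explicit_same_account = (account_of(caller) == account_of(role)
                                 and not stmt["Principal"].endswith(":root"))
        if explicit_same_account or permitted_by_identity_policy(caller, role):
            return True
    return False


def reachable_roles(start, context):
    """BFS over role assumption; returns {role: shortest chain of assumptions from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for role in ROLES:
            if role not in paths and can_assume(cur, role, context):
                paths[role] = paths[cur] + [role]
                queue.append(role)
    del paths[start]
    return paths


if __name__ == "__main__":
    for ctx_name, ctx in (("with MFA", MFA_CONTEXT), ("without MFA", {})):
        print(ctx_name)
        for role, path in reachable_roles(ALICE, ctx).items():
            print("  ", role, "via", " -> ".join(path))
```

With MFA in the assumed context, `dev-alice` reaches `ProdAdmin` in account 222 through two same-account hops and one cross-account hop; without it the chain stops at `CI`. That sensitivity to the assumed context is the reason a reachability analysis has to state which condition keys it treats as satisfiable, and why the abstract pairs the abstraction with a model checker rather than a plain graph walk: the real question is reachability under every admissible context, not one.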
-