-
Publication (Announcement) No.: US10944561B1
Publication (Announcement) Date: 2021-03-09
Application No.: US15979248
Filing Date: 2018-05-14
Applicant: Amazon Technologies, Inc.
Inventor: Conor Patrick Cahill, Rachit Jain, Brigid Ann Johnson, Praveen Akinapally, Varun Jayant Oswal, Jasmeet Chhabra, Ritwick Dhar, Luke Edward Kennedy, Per Mikael Horal
Abstract: A security token service receives a request for a token. The request indicates a set of access control policies that define a set of permissions for access to a resource. The security token service generates the token to comprise a set of identifiers of the set of access control policies. The security token service provides the token in response to the request to enable the token to be used to access the resource in accordance with the set of access control policies.
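The abstract describes a token that carries only the identifiers of the access control policies, with the resource side resolving those identifiers and enforcing them. The following is an added example of that design and is not code from the patent or from Amazon: it assumes a hypothetical in-memory policy store (POLICY_STORE), an HMAC-signed token (a real token service would sign with a protected key), and the usual rule that a session policy can only narrow what the role policy grants, so an action is permitted only if the role policy and every session policy named in the token allow it.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical policy store (constructed for this example). The token carries
# the *identifiers* below, never the policy documents themselves.
POLICY_STORE = {
    "role:s3-admin": [("s3:GetObject", "bucket-a/*"),
                      ("s3:PutObject", "bucket-a/*"),
                      ("s3:DeleteObject", "bucket-a/*")],
    "scope:read-only": [("s3:GetObject", "*")],
    "scope:reports-prefix": [("s3:GetObject", "bucket-a/reports/*"),
                             ("s3:PutObject", "bucket-a/reports/*")],
}

STS_KEY = b"constructed-sts-signing-key"  # constructed; a real STS keeps this in an HSM


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(role_policy_id, session_policy_ids, ttl=3600, now=None):
    """Token service: embed the identifiers of the requested policies in a signed token."""
    for pid in [role_policy_id, *session_policy_ids]:
        if pid not in POLICY_STORE:
            raise ValueError(f"unknown policy {pid}")
    body = {"role": role_policy_id,
            "session_policies": sorted(session_policy_ids),
            "exp": int(now if now is not None else time.time()) + ttl}
    payload = b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(mac)


def parse_token(token, now=None):
    """Verify the MAC before trusting any identifier inside the token."""
    payload, mac = token.split(".")
    expected = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(mac)):
        raise ValueError("bad signature")
    body = json.loads(unb64(payload))
    if body["exp"] < (now if now is not None else time.time()):
        raise ValueError("expired")
    return body


def is_valid(token, now=None):
    try:
        parse_token(token, now)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def matches(pattern, resource):
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def policy_allows(pid, action, resource):
    return any(a == action and matches(r, resource) for a, r in POLICY_STORE[pid])


def authorize_with_policies(token, action, resource, now=None):
    """Resource service: effective permission = role policy AND every session policy."""
    body = parse_token(token, now)
    if not policy_allows(body["role"], action, resource):
        return False
    return all(policy_allows(pid, action, resource) for pid in body["session_policies"])


def strip_session_policies(token):
    """Attacker's attempt: re-encode the payload without the session policy ids, keeping the old MAC."""
    payload, mac = token.split(".")
    body = json.loads(unb64(payload))
    body["session_policies"] = []
    return b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode()) + "." + mac
```

Because the token names policies rather than containing them, a policy change in the store takes effect on the next request without re-issuing tokens; the MAC check is what keeps a holder from widening the set of identifiers.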
-
Publication (Announcement) No.: US11005853B1
Publication (Announcement) Date: 2021-05-11
Application No.: US15912982
Filing Date: 2018-03-06
Applicant: Amazon Technologies, Inc.
Inventor: Ankur Agarwal, Praveen Akinapally, Conor Patrick Cahill, Dmitry Frenkel, Rachit Jain, Lennart Christopher Leon Kats, Julian Eric Naydichev
Abstract: Transitive restrictions can be applied to requests received on a session. A session token can be issued for an active session, and a transitivity setting specified to indicate the types of requests for which the transitive restriction is to be enforced. This can include enforcing the restriction on requests received from outside a trusted environment, requests within a scope of enforcement, or enforcing the restriction at request authentication. Any request received from an untrusted source that fails to satisfy the transitive restriction will be denied. Requests from inside the trusted environment may not have the transitive restriction enforced, such as where a new token is issued. This enables services within the environment to make calls on behalf of the customer, while ensuring that third parties obtaining the session token cannot successfully initiate such calls.
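The abstract names three transitivity settings (enforce on requests from outside the trusted environment, enforce within a scope of enforcement, enforce at request authentication) and a trusted-service path that issues a new token so an internal service can act for the customer. The following is an added example of that enforcement logic and is not code from the patent or from Amazon; it assumes a hypothetical in-memory session store, a constructed set of trusted services and enforcement-scope services, and a restriction expressed as attribute/value pairs that the request must match (here a source network identifier).

```python
import secrets

# Constructed for the example: stands in for the provider's session store.
SESSIONS = {}
TRUSTED_SERVICES = {"lambda", "glue"}      # callers inside the trusted environment (assumption)
ENFORCEMENT_SCOPE = {"s3", "dynamodb"}     # "scope of enforcement" for transitivity="scope" (assumption)
TRANSITIVITY_SETTINGS = {"external", "scope", "authn"}


def issue_session(principal, restriction, transitivity):
    """Issue an opaque session token whose record carries the transitive restriction and its setting."""
    if transitivity not in TRANSITIVITY_SETTINGS:
        raise ValueError("unknown transitivity setting")
    token = secrets.token_hex(16)
    SESSIONS[token] = {"principal": principal,
                       "restriction": dict(restriction),
                       "transitivity": transitivity}
    return token


def restriction_satisfied(restriction, request):
    # Every attribute named by the restriction must be present on the request with the same value.
    return all(request.get(key) == value for key, value in restriction.items())


def must_enforce(session, request):
    setting = session["transitivity"]
    if setting == "authn":      # enforce on every request at authentication time
        return True
    if setting == "scope":      # enforce only for services inside the enforcement scope
        return request["service"] in ENFORCEMENT_SCOPE
    # "external": enforce only when the caller is outside the trusted environment
    return request["caller"] not in TRUSTED_SERVICES


def authorize_session_request(token, request):
    session = SESSIONS.get(token)
    if session is None:
        return "DENY: unknown session"
    if must_enforce(session, request) and not restriction_satisfied(session["restriction"], request):
        return "DENY: transitive restriction"
    return "ALLOW"


def call_on_behalf(token, trusted_service, request):
    """A service inside the trusted environment derives a new session from the customer's
    session and makes the downstream call with it. Derivation is refused to outside callers,
    so a third party holding the original token gains nothing from this path."""
    if trusted_service not in TRUSTED_SERVICES:
        return "DENY: caller is not a trusted service"
    parent = SESSIONS.get(token)
    if parent is None:
        return "DENY: unknown session"
    derived = issue_session(parent["principal"], parent["restriction"], parent["transitivity"])
    return authorize_session_request(derived, {**request, "caller": trusted_service})
```

The "authn" setting is the strict one: even the derived session used by a trusted service is checked, so an internal call that lacks the restricted attribute is denied. The "external" setting is what lets the internal service proceed while a stolen token presented from the wrong network is still refused.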
-
Publication (Announcement) No.: US11546335B2
Publication (Announcement) Date: 2023-01-03
Application No.: US16586742
Filing Date: 2019-09-27
Applicant: Amazon Technologies, Inc.
Inventor: Rachit Jain, Sulay Shah, Conor Cahill, Praveen Akinapally, Ian Leung, Rohit Raj, Brigid Johnson
IPC: H04L29/06, H04L9/40, G06F16/182
Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.
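The abstract describes two evaluations: a rule on the role that decides whether the assume-role request, with its user-specified attributes, may create the session, and a rule on the resource request that reads the attribute back out of the session data. The following is an added example of that two-step flow and is not code from the patent or from Amazon; it assumes a constructed role definition (which attribute keys a caller may set, and which values are acceptable), constructed tagged resources, and a `${PrincipalTag/key}` placeholder syntax for referring to a session attribute inside a rule.

```python
import re
import secrets

# Constructed for the example: stands in for the provider's session store.
SESSIONS = {}

# Hypothetical role (constructed). The assume rule bounds the attributes a caller may
# attach to the session; the permission rule compares a resource tag with a session attribute.
ROLE = {
    "name": "project-engineer",
    "assume_rule": {
        "allowed_tag_keys": {"project", "cost-center"},
        "required": {"cost-center": {"cc-100", "cc-200"}},
    },
    "permission_rule": {
        "action": "ec2:StopInstances",
        "condition": {"ResourceTag/project": "${PrincipalTag/project}"},
    },
}

# Resources hosted by the provider (constructed), keyed by id with their tags.
RESOURCES = {
    "i-blue": {"project": "blue"},
    "i-red": {"project": "red"},
    "i-untagged": {},
}

PLACEHOLDER = re.compile(r"\$\{PrincipalTag/([A-Za-z0-9_-]+)\}")


def assume_role(role, principal, session_tags):
    """First request: create a session only if the user-specified attributes pass the role's assume rule."""
    rule = role["assume_rule"]
    if not set(session_tags) <= rule["allowed_tag_keys"]:
        return None                      # caller tried to set an attribute the role does not allow
    for key, allowed in rule["required"].items():
        if session_tags.get(key) not in allowed:
            return None                  # required attribute missing or outside the allowed values
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"role": role["name"], "principal": principal, "tags": dict(session_tags)}
    return sid


def resolve(value, session):
    """Substitute ${PrincipalTag/key} with the attribute stored in the session data.
    A key the session never set resolves to a sentinel that cannot equal any real tag value."""
    return PLACEHOLDER.sub(lambda m: session["tags"].get(m.group(1), "\0unset"), value)


def authorize_tagged(sid, action, resource_id):
    """Second request: fetch the session data by id and evaluate the permission rule with the stored attribute."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    rule = ROLE["permission_rule"]
    if action != rule["action"]:
        return False
    resource_tags = RESOURCES[resource_id]
    for condition_key, expected in rule["condition"].items():
        tag_key = condition_key.split("/", 1)[1]
        if resource_tags.get(tag_key) != resolve(expected, session):
            return False
    return True
```

The attribute is read from server-side session data rather than from the second request, so a caller cannot change it between the assume-role check and the resource check; the sentinel in `resolve` makes a missing session attribute fail closed instead of matching an untagged resource.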
-