-
Publication No.: WO2022140072A1
Publication Date: 2022-06-30
Application No.: PCT/US2021/062697
Application Date: 2022-01-11
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: RUNGTA, Neha , PEEBLES, Daniel George , GACEK, Andrew Jude , THEIMER, Marvin , WEISS, Rebecca Claire , JOHNSON, Brigid Ann
IPC: H04L41/0803
Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.
-
Publication No.: WO2022066414A1
Publication Date: 2022-03-31
Application No.: PCT/US2021/049462
Application Date: 2021-09-08
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: COOK, John Byron , RUNGTA, Neha , GACEK, Andrew Jude , PEEBLES, Daniel George , VARMING, Carsten
IPC: G06F21/60
Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of "roles" is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).
-
Publication No.: WO2019005512A1
Publication Date: 2019-01-03
Application No.: PCT/US2018/037948
Application Date: 2018-06-15
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: COOK, John , RUNGTA, Neha , DODGE, Catherine , PUCHALSKI, Jeff , VARMING, Carsten
Abstract: Requests of a computing system may be monitored. A request associated with the application of a policy may be identified and a policy verification routine may be invoked. The policy verification routine may detect whether the policy of the request is more permissive than a reference policy and perform a mitigation routine in response to determining that the policy of the request is more permissive than the reference policy. Propositional logics may be utilized in the evaluation of policies.
-
Publication No.: WO2022125760A1
Publication Date: 2022-06-16
Application No.: PCT/US2021/062584
Application Date: 2021-12-09
Applicant: AMAZON TECHNOLOGIES, INC. [US]/[US]
Inventor: COOK, John Byron , RUNGTA, Neha , VARMING, Carsten , PEEBLES, Daniel George , KROENING, Daniel , PASTORIZA, Alejandro Naser
IPC: G06F21/62 , G06F16/13 , G06F16/901
Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph comprising a plurality of nodes and one or more edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on one or more key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using one or more role assumption steps for a particular state of the one or more attributes. The one or more attributes may comprise one or more transitive attributes that persist during the one or more role assumption steps.
-
Publication No.: WO2020205619A1
Publication Date: 2020-10-08
Application No.: PCT/US2020/025455
Application Date: 2020-03-27
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: BOLIGNANO, Pauline, Virginie , BRAY, Tyler , COOK, John, Byron , GACEK, Andrew, Jude , LUCKOW, Kasper, Søe , NEDIC, Andrea , RUNGTA, Neha , SCHLESINGER, Cole
Abstract: Techniques for intent-based governance are described. For example, in some instances a method of receiving an indication of a change involving one or more of code, a policy, a network configuration, or a governance requirement rule impacting a resource in a provider network for an account that is to be analyzed using one or more governance requirement rules; determining one or more governance requirement rules to evaluate for compliance after the update; evaluating the determined one or more governance requirement rules for compliance using one or more reasoning engines according to one or more policies; and making a result of the evaluating available to a user provides such governance.
-
Publication No.: WO2019005511A1
Publication Date: 2019-01-03
Application No.: PCT/US2018/037947
Application Date: 2018-06-15
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: COOK, John , RUNGTA, Neha , DODGE, Catherine , PUCHALSKI, Jeff , VARMING, Carsten
Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security policy is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine that two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.
-
Publication No.: WO2022212579A1
Publication Date: 2022-10-06
Application No.: PCT/US2022/022646
Application Date: 2022-03-30
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: COOK, John Byron , NOETZLI, Andres Philipp , RUNGTA, Neha , HU, Jingmei
IPC: G06F9/50 , G06N5/00 , G06N5/04 , G06F2209/5017 , G06F30/33 , G06F9/5027 , G06F9/5038 , G06F9/505 , G06F9/5072 , G06F9/541 , G06N5/006 , G06N5/043
Abstract: Techniques are described for efficiently distributing across multiple computing resources satisfiability modulo theories (SMT) queries expressed in propositional logic with string variables. As part of the computing-related services provided by a cloud provider network, many cloud providers also offer identity and access management services, which generally help users to control access and permissions to the services and resources (e.g., compute instances, storage resources, etc.) obtained by users via a cloud provider network. By using resource policies, for example, users can granularly control which identities are able to access specific resources associated with the users' accounts and how those identities can use the resources. The ability to efficiently distribute the analysis of SMT queries expressed in propositional logic with string variables among any number of separate computing resources (e.g., among separate processes, compute instances, containers, etc.) enables the efficient analysis of such policies.
-
Publication No.: WO2020046981A1
Publication Date: 2020-03-05
Application No.: PCT/US2019/048395
Application Date: 2019-08-27
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: RUNGTA, Neha , KAHSAI AZENE, Temesghen , BOLIGNANO, Pauline, Virginie , LUCKOW, Kasper, Soe , McLAUGHLIN, Sean , DODGE, Catherine , GACEK, Andrew Jude , VARMING, Carsten , COOK, John Byron , SCHWARTZ, Narbonnne , HORTALA, Juan Rogriguez , TUTTLE, Mark, R. , TASIRAN, Serdar , TAUTSCHNIG, Michael , NEDIC, Andrea
Abstract: A verification service of a computing resource service provider performs formal proofs and other verifications of program instruction sets, such as source code and data security policies, provided by the service provider's users and/or services by deploying a plurality of verification tools, such as constraint solvers, to concurrently evaluate the program instructions. The verification tools can be deployed with different configurations, characteristics and/or capabilities. Tools and validation tasks can be identified from a verification specification associated with the program instructions. The service may control execution of verification tools within virtual computing resources, such as a software container instance. The service receives verification results and delivers them according to a solution strategy such as "first received" to reduce latency or "check for agreement" to validate the solution. An interface allows the user to select and configure tools, issue commands and modifications during execution, select the solution strategy, and receive the solution.
-
Publication No.: WO2019173532A1
Publication Date: 2019-09-12
Application No.: PCT/US2019/021036
Application Date: 2019-03-06
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: RUNGTA, Neha , BOLIGNANO, Pauline, Virginie , DODGE, Catherine , VARMING, Carsten , COOK, John , VISWANATHAN, Rajesh , COOKE, Daryl, Stephen , KALYANKRISHNAN, Santosh
Abstract: A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be sent to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.
-