Access control policy evaluation and remediation
First Claim
1. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, when executed by one or more processors of a system, cause the system to:
- receive, from a requestor, a request to provide remediation guidance for a policy, the request indicating an access request;
- evaluate a set of statements of the policy based at least in part on the access request, the set of statements being at least in part responsible for causing the access request to be unfulfillable;
- generate one or more remediation sets of statements, each of the remediation sets of statements being based at least in part on the set of statements of the policy, the one or more remediation sets of statements being usable to cause the access request to be authorized by modifying or broadening a statement of the set of statements that is at least in part responsible for causing the access request to be unfulfillable;
- determine a value of a complexity metric associated with the one or more remediation sets of statements, the value of the complexity metric being based at least in part on a mapping between the policy and the one or more remediation sets of statements, and comprising at least one of: a difference in bits, bytes or characters between the policy and the one or more remediation sets of statements, or a difference between a number of actions permitted by the one or more remediation sets of statements and a number of actions permitted by the policy; and
- provide the one or more remediation sets of statements to the requestor.
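The claim above describes a procedure: evaluate which policy statements make a request unfulfillable, generate candidate remediations that modify or broaden those statements (or add a new one), score each candidate with a complexity metric (character difference, or difference in the number of permitted actions), and return the candidates. The following is an added example, not code from the patent or its assignee; it models a simplified, hypothetical IAM-style policy (statements with Effect, Action and Resource, trailing-`*` wildcards, deny overrides allow, no match is an implicit deny) and a constructed action universe over which permitted actions are counted. Sorting by action growth first keeps the least-privilege remediation at the top, which is the property a reviewer approving policy changes cares about.

```python
"""Toy policy evaluator with remediation guidance and complexity scoring.

Added example, not the patent's implementation. The policy format, the
ACTION_UNIVERSE and SAMPLE_POLICY are all constructed for illustration.
"""
import copy
import fnmatch
import json

# Constructed universe of actions; "number of actions permitted" is counted over it.
ACTION_UNIVERSE = [
    "storage:GetObject", "storage:PutObject", "storage:DeleteObject",
    "storage:ListBucket", "storage:GetObjectAcl", "storage:PutObjectAcl",
    "queue:SendMessage", "queue:ReceiveMessage",
]

# Constructed sample policy: read-only on a reports prefix, deletes denied everywhere.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["storage:GetObject", "storage:ListBucket"],
         "Resource": ["bucket:reports/*"]},
        {"Effect": "Deny", "Action": ["storage:Delete*"], "Resource": ["bucket:*"]},
    ]
}


def _match(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)


def _stmt_matches(stmt, action, resource):
    return (any(_match(a, action) for a in stmt["Action"])
            and any(_match(r, resource) for r in stmt["Resource"]))


def evaluate(policy, action, resource):
    """Return (decision, responsible_indexes).

    Deny wins over allow; no match is an implicit deny. responsible_indexes
    names the statements at fault: matching Deny statements, or, for an
    implicit deny, Allow statements that already cover the resource but not
    the action (natural candidates for broadening).
    """
    stmts = policy["Statement"]
    denies = [i for i, s in enumerate(stmts)
              if s["Effect"] == "Deny" and _stmt_matches(s, action, resource)]
    if denies:
        return "deny", denies
    if any(s["Effect"] == "Allow" and _stmt_matches(s, action, resource) for s in stmts):
        return "allow", []
    near = [i for i, s in enumerate(stmts)
            if s["Effect"] == "Allow" and any(_match(r, resource) for r in s["Resource"])]
    return "implicit_deny", near


def permitted_actions(policy, resource):
    return {a for a in ACTION_UNIVERSE if evaluate(policy, a, resource)[0] == "allow"}


def complexity(policy, candidate, resource):
    """Both metrics named in the claim: textual size change and growth in permitted actions."""
    before = json.dumps(policy, sort_keys=True)
    after = json.dumps(candidate, sort_keys=True)
    return {
        "char_delta": abs(len(after) - len(before)),
        "action_delta": len(permitted_actions(candidate, resource))
        - len(permitted_actions(policy, resource)),
    }


def _candidates(policy, action, resource):
    """Yield (description, candidate_policy) pairs; each set of edits is applied to a copy."""
    decision, responsible = evaluate(policy, action, resource)
    if decision == "allow":
        return []
    out = []
    if decision == "deny":
        for i in responsible:
            cand = copy.deepcopy(policy)
            stmt = cand["Statement"][i]
            # Modify the Deny: expand its wildcards over the universe and drop only the requested action.
            stmt["Action"] = [u for u in ACTION_UNIVERSE
                              if u != action and any(_match(a, u) for a in stmt["Action"])]
            if not stmt["Action"]:
                del cand["Statement"][i]
            desc = f"narrow Deny statement {i}"
            if evaluate(cand, action, resource)[0] == "allow":
                out.append((desc, cand))
            else:  # the request may still lack an Allow; combine with allow-side edits
                out.extend((f"{desc}; {d}", c) for d, c in _candidates(cand, action, resource))
        return out
    # Implicit deny: broaden a neighbouring Allow statement (explicitly or by wildcard) or add a new one.
    service_wildcard = action.split(":")[0] + ":*"
    for i in responsible:
        for extra in (action, service_wildcard):
            cand = copy.deepcopy(policy)
            cand["Statement"][i]["Action"].append(extra)
            out.append((f"broaden Allow statement {i} with {extra}", cand))
    cand = copy.deepcopy(policy)
    cand["Statement"].append({"Effect": "Allow", "Action": [action], "Resource": [resource]})
    out.append(("add new Allow statement scoped to the request", cand))
    return out


def remediate(policy, action, resource):
    """Remediation sets that make the request allowed, least-privilege first."""
    results = []
    for desc, cand in _candidates(policy, action, resource):
        if evaluate(cand, action, resource)[0] != "allow":
            continue  # only offer sets that actually fix the request
        results.append({"description": desc, "policy": cand,
                        "complexity": complexity(policy, cand, resource)})
    results.sort(key=lambda r: (r["complexity"]["action_delta"], r["complexity"]["char_delta"]))
    return results


if __name__ == "__main__":
    for r in remediate(SAMPLE_POLICY, "storage:PutObject", "bucket:reports/q3.csv"):
        print(r["complexity"], r["description"])
```

For the PutObject request the explicit broadening and the new scoped statement both grow the permitted set by one action, while the `storage:*` broadening is textually the smallest change yet grants three extra actions; the action-count metric is what exposes that difference. For the DeleteObject request the matching Deny must be narrowed first, and the remediation set combines that edit with an allow-side edit.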
Abstract
A method and apparatus for the evaluation and remediation of an access control policy is disclosed. In the method and apparatus, an intermediary service may make an access request, on behalf of a customer, to one or more computing resources, and the access control policy is evaluated to determine whether the request is authorized. Further, remediation options for the access control policy are offered so that the request can be authorized.
12 Claims
2. A system, comprising:
- one or more processors; and
- memory including instructions that, when executed by the one or more processors, cause the system to implement at least:
- an intermediary service configured to make one or more access requests on behalf of a customer;
- an access control enforcement engine configured to receive the one or more access requests and determine whether the one or more access requests are permitted according to an access control policy; and
- a remediation service configured to offer one or more remediation options for modifying the access control policy, the one or more remediation options being usable to cause the one or more access requests to be permitted by adding a new policy statement to the access control policy or modifying an existing policy statement of the access control policy, to yield a changed access control policy that will allow the one or more access requests to be permitted.

(Dependent claims 3 to 9 are not reproduced here.)
10. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- provide a user interface that causes one or more policies to be displayed to a user, the one or more policies including a policy remediation option that is usable for causing an access request to be granted by adding a new policy statement to the one or more policies or modifying an existing policy statement of the one or more policies, to yield one or more changed policies that will allow the access request to be granted;
- detect user interaction with the user interface that indicates selection of the policy remediation option; and
- as a result of detecting the user interaction, cause the policy remediation option to be used for access control for one or more computing resources.

(Dependent claims 11 and 12 are not reproduced here.)