Managing security groups for data instances
Abstract
Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.
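As an added illustration of the mechanism in the abstract (not code from the patent or from any product), the model below layers a control security group over a native security group: native-group changes recycle the instance, control-group changes go through the control plane without touching it, and the data-plane check consults both. The class names, the "none"/"read"/"write" level ordering, and the rule that a control group can only narrow what the native group grants are assumptions of this example.

```python
from dataclasses import dataclass, field

LEVELS = {"none": 0, "read": 1, "write": 2}   # assumed ordering of access levels

@dataclass
class SecurityGroup:
    name: str
    permissions: dict = field(default_factory=dict)   # member -> level; "*" = default

    def level(self, member):
        return LEVELS[self.permissions.get(member, self.permissions.get("*", "none"))]

@dataclass
class DataInstance:
    instance_id: str
    native_group: SecurityGroup                # default group of the data environment
    control_groups: dict = field(default_factory=dict)
    recycles: int = 0                          # times the instance was taken down

    def update_native_group(self, permissions):
        # Data-environment change: altering the native group forces a recycle,
        # which is exactly the downtime the layered control group avoids.
        self.native_group.permissions.update(permissions)
        self.recycles += 1

    def put_control_group(self, name, permissions):
        # Control-plane request: create or update a control group without
        # touching the native group, so no recycle is needed.
        group = self.control_groups.setdefault(name, SecurityGroup(name))
        group.permissions.update(permissions)
        return group

    def access_allowed(self, member, action):
        # Data-plane check: the native permission is required, and each control
        # group the member belongs to can only narrow the level it grants.
        levels = [self.native_group.level(member)]
        levels += [g.level(member) for g in self.control_groups.values()
                   if member in g.permissions]
        return min(levels) >= LEVELS[action]

def demo():
    # Constructed walk-through: raise alice's level through the control plane only.
    inst = DataInstance("db-1", SecurityGroup("native", {"*": "write"}))
    inst.put_control_group("analysts", {"alice": "read"})
    before = inst.access_allowed("alice", "write")     # False: capped at read
    inst.put_control_group("analysts", {"alice": "write"})
    after = inst.access_allowed("alice", "write")      # True, with no recycle
    return before, after, inst.recycles, dict(inst.native_group.permissions)
```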
20 Claims
1. A method, comprising:
receiving, via a control plane interface, a request to add or to update a control security group for a data instance in a data storage service that is associated with a native security group for the data instance, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
creating or updating the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance via the data plane interface in accordance with a permission in the native security group for the data instance;
storing the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
controlling access to the data instance via the data plane interface based, at least in part, on the control security group.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system, comprising:
a memory to store program instructions which, if performed by at least one processor, cause the at least one processor to perform a method to at least:
receive, via a control plane interface, a request to add or update a control security group for a data instance in a data storage service that is associated with a native security group for the data instance, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
create or update the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance with a permission in the native security group for the data instance;
store the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
control access to the data instance via the data plane interface based, at least in part, on the control security group.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory, computer-readable storage medium, storing program instructions that, when executed by at least one computing device, cause the at least one computing device to implement:
receiving, via a control plane interface, a request to add or update a control security group for a data instance in a data storage service that is associated with a native security group, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
creating or updating the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance via the data plane interface in accordance with a permission in the native security group for the data instance;
storing the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
controlling access to the data instance via the data plane interface based, at least in part, on the control security group.
Dependent claims: 16, 17, 18, 19, 20.