Managing security groups for data instances

US 10,225,262 B2
Filed: 07/10/2017
Issued: 03/05/2019
Est. Priority Date: 03/31/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, via a control plane interface, a request to add or to update a control security group for a data instance in a data storage service that is associated with a native security group for the data instance, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;

creating or updating the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance via the data plane interface in accordance with a permission in the native security group for the data instance;

storing the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and

controlling access to the data instance via the data plane interface based, at least in part, on the control security group.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.

Citations

20 Claims

1. A method, comprising:
- receiving, via a control plane interface, a request to add or to update a control security group for a data instance in a data storage service that is associated with a native security group for the data instance, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
  
  creating or updating the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance via the data plane interface in accordance with a permission in the native security group for the data instance;
  
  storing the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
  
  controlling access to the data instance via the data plane interface based, at least in part, on the control security group.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a plurality of control security groups are associated with the data instance, including the control security group, and wherein each of the control security groups have at least one of a different set of permissions and a different set of members.
  - 3. The computer-implemented method of claim 1, wherein updating the control security group includes at least one of deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, or modifying an access level of the control security group to the data instance in the data environment.
  - 4. The method of claim 1, wherein requests affecting the control security group are restricted to being processed by a control environment.
  - 5. The method of claim 1, wherein the control plane interface is for a control environment operable to perform at least one task selected from the control security group comprising authenticating users based on credentials, authorizing users, throttling user requests, or marshalling or unmarshalling requests and responses.
  - 6. The method of claim 1, further comprising:
    - in response to receiving the request, storing information for the request to a job queue; and
      
      in response to detecting the information stored in the job queue, assembling and executing a workflow to manage creating or updating the control security group.
  - 7. The method of claim 1, further comprising communicating information for the created or updated control security group to a host manager for the data instance in the data storage service.

8. A system, comprising:
- a memory to store program instructions which, if performed by at least one processor, cause the at least one processor to perform a method to at least;
  
  receive, via a control plane interface, a request to add or update a control security group for a data instance in a data storage service that is associated with a native security group for the data instance, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
  
  create or update the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance with a permission in the native security group for the data instance;
  
  store the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
  
  control access to the data instance via the data plane interface based, at least in part, on the control security group.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein requests affecting the control security group are restricted to being processed by a control environment.
  - 10. The system of claim 8, wherein to update the control security group includes at least one of deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, or modifying an access level of the control security group to the data instance in the data environment.
  - 11. The system of claim 8, wherein the program instructions further cause the at least one processor to perform the method to:
    - in response to the receipt of the request, store information for the request to a job queue.
  - 12. The system of claim 11, wherein the program instructions further cause the at least one processor to perform the method to:
    - in response to a detection of the information stored in the job queue, assemble and execute a workflow to manage creating or updating the control security group.
  - 13. The system of claim 8, wherein the program instructions further cause the at least one processor to perform the method to:
    - communicate information for the created or updated control security group to a host manager for the data instance in the data storage service.
  - 14. The system of claim 8, wherein a plurality of control security groups, including the control security group, are associated with the data instance, and wherein each of the control security groups has at least one of a different set of permissions and a different set of members.

15. A non-transitory, computer-readable storage medium, storing program instructions that, when executed by at least one computing device, cause the at least one computing device to implement:
- receiving, via a control plane interface, a request to add or update a control security group for a data instance in a data storage service that is associated with a native security group, wherein the control plane interface provides a management interface for managing the data instance separate from a data plane interface for accessing data of the data instance;
  
  creating or updating the control security group for the data instance with a permission in the control security group that determines an access level of each member of the control security group without modifying the native security group and while allowing client access to the data instance via the data plane interface in accordance with a permission in the native security group for the data instance;
  
  storing the permission in the control security group created or updated according to the request for use in determining subsequent access to the data instance by a member of the control security group; and
  
  controlling access to the data instance via the data plane interface based, at least in part, on the control security group.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory, computer-readable storage medium of claim 15, wherein a plurality of control security groups are associated with the data instance, including the control security group, and wherein each of the control security groups have at least one of a different set of permissions and a different set of members.
  - 17. The non-transitory, computer-readable storage medium of claim 15, wherein updating the control security group includes at least one of deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, or modifying an access level of the control security group to the data instance in the data environment.
  - 18. The non-transitory, computer-readable storage medium of claim 15, requests affecting the control security group are restricted to being processed by a control environment.
  - 19. The non-transitory, computer-readable storage medium of claim 15, wherein the control plane interface is for a control environment operable to perform at least one task selected from the control security group comprising authenticating users based on credentials, authorizing users, throttling user requests, or marshalling or unmarshalling requests and responses.
  - 20. The non-transitory, computer-readable storage medium of claim 15, wherein the program instructions cause the one or more computing devices to further implement communicating information for the currently or updated control security group to a host manager for the data instance in the data storage service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McAlister, Grant Alexander MacDonald
Primary Examiner(s)
Desrosiers, Evans

Application Number

US15/645,886
Publication Number

US 20170318025A1
Time in Patent Office

603 Days
Field of Search

726 6
US Class Current
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/104 Grouping of entities

Managing security groups for data instances

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing security groups for data instances

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links