Virtual firewalls for multi-tenant distributed services

US 10,313,346 B1
Filed: 11/25/2014
Issued: 06/04/2019
Est. Priority Date: 08/23/2010
Status: Active Grant

First Claim

Patent Images

1. A computerized system, comprising:

a resource server computer configured to at least;

maintain, in a supervisory layer of a multi-tenant distributed service, an authorization service configured to update a plurality of resource policy sets associated with a plurality of customer accounts of the multi-tenant distributed service; and

maintain, by a service, a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources provisioned on behalf of an individual customer account of the multi-tenant distributed service that is enabled to delegate authority to a plurality of users in the individual customer account to establish one or more resource policy sets with respect to the plurality of provisioned resources that are provisioned on behalf of the individual customer account, wherein a decision engine is configured to evaluate access requests for the service;

the decision engine configured to, at least;

receive, from the authorization service, a particular policy of the plurality of resource policy sets;

receive and evaluate requests with respect to the plurality of provisioned resources utilizing a local policy cache, the local policy cache updated utilizing the particular policy;

identify an individual policy in the local policy cache that is associated with a request of the received requests;

determine a decision data set from a decision data cache associated with the decision engine based at least in part on the identified individual policy, the decision data set including at least one of authentication data that indicates an authenticity of a resource policy included in the plurality of resource policy sets, resource name resolution data that maps resource names to a particular multi-tenant distributed service of the multi-tenant distributed service, or geographic location mapping data that indicates mappings of submitted requests to geographic locations referenced by one or more policies in the local policy cache;

evaluate the request with respect to the individual policy and the determined decision data set; and

allow or deny the request based at least in part on evaluating the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

57 Citations

View as Search Results

20 Claims

1. A computerized system, comprising:
- a resource server computer configured to at least;
  
  maintain, in a supervisory layer of a multi-tenant distributed service, an authorization service configured to update a plurality of resource policy sets associated with a plurality of customer accounts of the multi-tenant distributed service; and
  
  maintain, by a service, a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources provisioned on behalf of an individual customer account of the multi-tenant distributed service that is enabled to delegate authority to a plurality of users in the individual customer account to establish one or more resource policy sets with respect to the plurality of provisioned resources that are provisioned on behalf of the individual customer account, wherein a decision engine is configured to evaluate access requests for the service;
  
  the decision engine configured to, at least;
  
  receive, from the authorization service, a particular policy of the plurality of resource policy sets;
  
  receive and evaluate requests with respect to the plurality of provisioned resources utilizing a local policy cache, the local policy cache updated utilizing the particular policy;
  
  identify an individual policy in the local policy cache that is associated with a request of the received requests;
  
  determine a decision data set from a decision data cache associated with the decision engine based at least in part on the identified individual policy, the decision data set including at least one of authentication data that indicates an authenticity of a resource policy included in the plurality of resource policy sets, resource name resolution data that maps resource names to a particular multi-tenant distributed service of the multi-tenant distributed service, or geographic location mapping data that indicates mappings of submitted requests to geographic locations referenced by one or more policies in the local policy cache;
  
  evaluate the request with respect to the individual policy and the determined decision data set; and
  
  allow or deny the request based at least in part on evaluating the request.
- View Dependent Claims (2)
- - 2. The computerized system of claim 1, wherein the resource server computer includes at least one Web-based interface server computer, and the requests include requests in accordance with a Web-based protocol.

3. A computer-implemented method, comprising:
- a resource server computer configured to at least;
  
  maintain, in a supervisory layer of a multi-tenant distributed service, an authorization service configured to update a plurality of resource policy sets associated with a plurality of customer accounts of the multi-tenant distributed service; and
  
  maintain, by a service, a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources provisioned on behalf of an individual customer account of the multi-tenant distributed service that is enabled to delegate authority to a plurality of users in the individual customer account to establish one or more resource policy sets with respect to the plurality of provisioned resources that are provisioned on behalf of the individual customer account, wherein a decision engine is configured to evaluate access requests for the service;
  
  the decision engine configured to, at least;
  
  receive, from the authorization service, a particular policy of the plurality of resource policy sets;
  
  receive a request with respect to a provisioned resource of the plurality of provisioned resources;
  
  identify an individual policy in a local policy cache, the local policy cache updated utilizing the particular policy and associated with the request;
  
  determine a decision data set from a decision data cache associated with the decision engine based at least in part on the identified individual policy, the decision data set including at least one of authentication data that indicates an authenticity of a resource policy included in the plurality of resource policy sets, resource name resolution data that maps resource names to a particular multi-tenant distributed service of the multi-tenant distributed service, or geographic location mapping data that indicates mappings of submitted requests to geographic locations referenced by one or more policies in the local policy cache;
  
  evaluate the request based at least in part on the individual policy and the determined decision data set, the individual policy identifying conditions to be fulfilled before a set of actions are permitted with respect to the provisioned resource; and
  
  allow or deny the request based at least in part on evaluating the request.
- View Dependent Claims (4, 5)
- - 4. The computer-implemented method of claim 3, wherein:
    - the plurality of provisioned resources includes disjoint sets of provisioned resources corresponding to tenant boundaries, each tenant boundary corresponds to one of the plurality of resource policy sets including the one or more resource policy sets; and
      
      the one or more policy sets including a policy that conditions success of the request based at least in part on whether the request would cause data from the provisioned resource to cross the corresponding tenant boundary.
  - 5. The computer-implemented method of claim 3, wherein:
    - the plurality of provisioned resources includes sets of provisioned resources corresponding to geographic boundaries; and
      
      the one or more resource policy sets including a policy that conditions success of the request based at least in part on whether the request would cause data from the provisioned resource to cross one of the geographic boundaries.

6. A computer-implemented method for a multi-tenant distributed service, comprising:
- a resource server computer configured to at least;
  
  maintain, in a supervisory layer of a multi-tenant distributed service, an authorization service configured to update a plurality of resource policy sets associated with a plurality of customer accounts of the multi-tenant distributed service; and
  
  maintain, by a service, a resource policy set of the plurality of resource policy sets comprising at least a policy that identifies a condition to be fulfilled before an action is permitted with respect to a plurality of provisioned resources maintained by the multi-tenant distributed service and provisioned on behalf of an individual customer account of the multi-tenant distributed service, the resource policy set being associated with the plurality of provisioned resources and established by a user authorized by the individual customer account, wherein a decision engine is configured to evaluate access requests for the service;
  
  the decision engine configured to, at least;
  
  receive, from the authorization service, a particular policy of the plurality of resource policy sets;
  
  receive a request for a provisioned resource of the plurality of provisioned resources;
  
  update a local policy cache utilizing the particular policy, the local policy cache associated with the request;
  
  determine a decision data set from a decision data cache associated with the decision engine based at least in part on the particular policy, the decision data set including at least one of authentication data that indicates an authenticity of a resource policy included in the plurality of resource policy sets, resource name resolution data that maps resource names to a particular multi-tenant distributed service of the multi-tenant distributed service, or geographic location mapping data that indicates mappings of submitted requests to geographic locations referenced by one or more policies in the local policy cache;
  
  evaluate the request based at least in part on identifying an individual policy in the updated local policy cache and the determined decision data set, the individual policy indicating one or more conditions associated required to be fulfilled to permit one or more actions associated with the request; and
  
  allow or deny the request based at least in part on evaluating the request.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 7. The computer-implemented method of claim 6, wherein the individual policy conditions success of the request based at least in part on at least one of:
    - a physical layer communication parameter associated with the request, a data link layer communication parameter associated with the request, a network layer communication parameter associated with the request, a transport layer communication parameter associated with the request, a session layer communication parameter associated with the request, a presentation layer communication parameter associated with the request, or an application layer communication parameter associated with the request.
  - 8. The computer-implemented method of claim 6, wherein the individual policy conditions success of the request based at least in part on a geographical location associated with the request.
  - 9. The computer-implemented method of claim 6, wherein:
    - the plurality of provisioned resources of the multi-tenant distributed service includes a plurality of provisioned resource types; and
      
      the individual policy conditioning success of the request based at least in part on a set of the provisioned resource types associated with the request.
  - 10. The computer-implemented method of claim 6, wherein:
    - each customer account of the multi-tenant distributed service corresponds to a set of the plurality of provisioned resources; and
      
      the individual policy conditioning success of the request based at least in part on at least the individual customer account associated with the request.
  - 11. The computer-implemented method of claim 6, wherein the individual policy conditions success of the request based at least in part on an operating environment parameter.
  - 12. The computer-implemented method of claim 6, further comprising obtaining resource policies in the resource policy set from a plurality of network locations within the multi-tenant distributed service including at least one remote network location with respect to a resource policy management component.
  - 13. The computer-implemented method of claim 12, wherein the resource polices obtained from the at least one remote network location are cached locally with respect to the resource policy management component.
  - 14. The computer-implemented method of claim 12, wherein the resource policies in the resource policy set are selected based at least in part on the request.
  - 15. The computer-implemented method of claim 12, wherein obtaining the resource policies in the resource policy set comprises obtaining at least one resource policy from the request and cryptographically authenticating the at least one resource policy.
  - 16. The computer-implemented method of claim 6, wherein the resource policy set includes a policy set with respect to provisioning at least one of the plurality of provisioned resources of the multi-tenant distributed service.
  - 17. The computer-implemented method of claim 6 further comprising checking whether an update of the resource policy set is required based at least in part on information associated with the request, the information including a network protocol utilized with the request, time information associated with the request, an identity of an entity associated with the request, geographic location information associated with the request, authentication data utilized to authenticate the entity, or tenant-defined security boundaries.
  - 18. The computer-implemented method of claim 17 further comprising submitting a subsequent request targeting the provisioned resource, in the supervisory layer of the multi-tenant distributed service, to a resource policy management component to obtain enforcement of the resource policy set, the subsequent request based at least in part on the request.
  - 19. The computer-implemented method of claim 6, wherein the plurality of provisioned resources being maintained by the multi-tenant distributed service are maintained within the multi-tenant distributed service and the request targeting the provisioned resource originates from outside the multi-tenant distributed service.
  - 20. The computer-implemented method of claim 6, wherein the plurality of provisioned resources includes a plurality of types of provisioned computing resources, access to each type of provisioned resource is provided with a corresponding user interface maintained by a set of interface server computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
O'Neill, Kevin Ross, Cavage, Mark Joseph, Fitch, Nathan R., Samuelsson, Anders, Pratt, Brian Irl, Xiao, Yunong Jeff, Behm, Bradley Jeffery, Scharf, Jr., James E.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US14/553,915
Time in Patent Office

1,652 Days
Field of Search

726 1, 726 3, 726 11, 709225
US Class Current
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/00   Network arrangements or pro...

Virtual firewalls for multi-tenant distributed services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual firewalls for multi-tenant distributed services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links