Access control policy simulation and testing

US 10,320,624 B1
Filed: 09/30/2013
Issued: 06/11/2019
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying a computing resource associated with a first access request;

identifying an access control policy associated with the computing resource and the first access request;

generating a second access request that simulates access to the computing resource;

evaluating the second access request to determine whether one or more actions indicated by the first access request are granted per the access control policy;

generating debugging information regarding the evaluation of the second access request; and

providing the debugging information in response to the first access request,wherein the second access request includes an indication that the one or more actions indicated by the first access request are not to be performed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

40 Citations

View as Search Results

25 Claims

1. A computer-implemented method, comprising:
- identifying a computing resource associated with a first access request;
  
  identifying an access control policy associated with the computing resource and the first access request;
  
  generating a second access request that simulates access to the computing resource;
  
  evaluating the second access request to determine whether one or more actions indicated by the first access request are granted per the access control policy;
  
  generating debugging information regarding the evaluation of the second access request; and
  
  providing the debugging information in response to the first access request,wherein the second access request includes an indication that the one or more actions indicated by the first access request are not to be performed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the debugging information is encrypted so as to be accessible using a cryptographic key.
  - 3. The computer-implemented method of claim 1, wherein:
    - the second access request is evaluated by an access control enforcement service of a computing resource service provider; and
      
      the access control policy is an active access control policy that specifies actions associated with one or more computing resources that are hosted by the computing resource service provider.
  - 4. The computer-implemented method of claim 1, wherein the method further comprises storing the debugging information in a log file accessible to a customer.
  - 5. The computer-implemented method of claim 1, wherein the access request is implemented using security privileges provided by a substitute user interface.
  - 6. The computer-implemented method of claim 1, wherein:
    - the one or more actions include multiple actions; and
      
      evaluating the second access request includes evaluating each action of the multiple actions irrespective of whether the one or more access control policies prohibit performance of one of the multiple actions.
  - 7. The computer-implemented method of claim 1, further comprising:
    - on a condition that evaluation of the second access request indicates that one or more of the one or more actions indicated by the first access request are denied per the access control policy, providing one or more remediation options for the access control policy that each specify a manner of changing the access control policy to cause fulfillment of the first access request to be in compliance with the access control policy.

8. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, if executed by one or more processors of a system, cause the system to:
- identify a computing resource associated with a first access request;
  
  identify an access control policy associated with the computing resource and the first access request;
  
  generate a second access request that simulates access to the computing resource;
  
  process a result of the second access request and the access control policy to generate information associated with the access control policy; and
  
  provide the information in response to the first access request,wherein the information associated with the access control policy is debugging information associated with evaluating the request, andwherein the second access request includes an indication that one or more actions indicated by the first access request are not to be performed.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The one or more non-transitory computer-readable storage media of claim 8, wherein:
    - the debugging information is usable for obtaining detailed information regarding the evaluation of the first access request.
  - 10. The one or more non-transitory computer-readable storage media of claim 9, wherein the debugging information is encoded in a token or stored in a log file.
  - 11. The one or more non-transitory computer-readable storage media of claim 8, wherein the instructions further cause the system to receive context information and utilize the received context information in evaluating the second access request.
  - 12. The one or more non-transitory computer-readable storage media of claim 11, wherein the context information indicates that the second access request is to be evaluated in accordance with at least one of:
    - the request being received from a different network address than a network address from which the access determination request was received, or the request being received at a different time than a time when the access determination request was received.
  - 13. The one or more non-transitory computer-readable storage media of claim 11, wherein the received context information conflicts with actual context information associated with the first access request.
  - 14. The one or more non-transitory computer-readable storage media of claim 13, wherein:
    - the second access request is evaluated by a policy testing service of a computing resource service provider; and
      
      the policy testing service provides policy evaluation for policies that do not govern access to computing resources hosted by the computing resource service provider.
  - 15. The one or more non-transitory computer-readable storage media of claim 8, wherein the instructions further cause the system to, on a condition that the first access request is denied per the access control policy, provide remediation options for the access control policy.
  - 16. The one or more non-transitory computer-readable storage media of claim 8, wherein the identified access control policy does not govern access to the computing resource.
  - 17. The one or more non-transitory computer-readable storage media of claim 8, wherein:
    - the second access request is evaluated by an access control enforcement engine.

18. A system, comprising:
- one or more processors; and
  
  memory including instructions that, if executed by the one or more processors, cause the system to;
  
  identify a computing resource associated with a first access request;
  
  identify one or more access control policies associated with the computing resource and the first access request;
  
  generate a second access request that simulates access to the computing resource;
  
  evaluate a result of the second access request and the one or more access control policies; and
  
  generate information usable for debugging the evaluation of the first access request, the information indicating whether the first access request is authorized or denied and on a condition that the access request is denied, the information specifying one or more reasons the first access request is denied per the one or more access control policies,wherein the second access request includes an indication that one or more actions indicated by the first access request are not to be performed.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18, wherein:
    - the system further comprises a policy remediation service configured to generate one or more remediation options for the one or more access control policies; and
      
      the one or more remediation options, when used as an access control policy, cause the first access request to be authorized.
  - 20. The system of claim 18, wherein:
    - the first access request comprises a parameter, the parameter specifying the first access request to be evaluated in a simulation mode.
  - 21. The system of claim 20, wherein the first access request is implemented using security privileges provided by an interface that allows users to access the computing resource with the security privileges of another user.
  - 22. The system of claim 18, wherein the memory further includes instructions that, if executed by the one or more processors, cause the system to receive overriding context information associated with the first access request and utilize the overriding context information in evaluating the second access request in place of actual context information of the first access request.
  - 23. The system of claim 18, wherein:
    - the memory further includes instructions that, if executed by the one or more processors, cause the system to store the information in a log file; and
      
      the log file is accessible by a customer or a policy remediation service.
  - 24. The system of claim 18, wherein:
    - the one or more actions indicated by the first access request are associated with one or more computing resources provisioned by a computing resource service provider.
  - 25. The system of claim 18, wherein:
    - the system is operated by a computing resource service provider;
      
      the information usable for debugging the evaluation of the first access request is provided to a customer of the computing resource service provider; and
      
      one or more reasons that the first access request is denied are specified to the customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Popick, Daniel Stephen, Lyon, Derek Avery, Morkel, John Michael, Baer, Graeme David, Ranabahu, Ajith Harshana, Sedky, Khaled Salah
Primary Examiner(s)
Nguyen, Dustin

Application Number

US14/042,277
Time in Patent Office

2,080 Days
Field of Search

726 1, 726 3, 726 2, 726 12, 726 30, 703 21, 709217
US Class Current
CPC Class Codes

G06F 16/93   Document management systems

G06F 21/125   by manipulating the program...

G06F 21/31   User authentication

G06F 21/316   by observing the pattern of...

G06F 21/33   using certificates

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 3/0601   Interfaces specially adapte...

H04L 43/55   Testing of service level qu...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/1441   Countermeasures against mal...

H04L 63/164   at the network layer

Access control policy simulation and testing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Access control policy simulation and testing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others