Data security service
First Claim
Patent Images
1. A computer-implemented method for providing data storage services, comprising:
- obtaining, from a customer device associated with the computing resource service provider, information related to a policy associated with a cryptography service, the policy including a limitation on cryptographic information generated by a cryptography service of the computing resource service provider;
processing the policy to cause the cryptography service to impose the limitation on the cryptographic information;
causing the cryptography service to use, subject to the limitation, the cryptographic information to encrypt or decrypt the data such that the cryptographic information is only accessible to the cryptography service, the encrypting or decrypting the data including enabling the cryptography service, based at least in part on the limitation, to select the cryptographic information from a larger set of cryptographic information stored by the cryptography service; and
providing an outcome of the use of the cryptographic information.
1 Assignment
0 Petitions
Accused Products
Abstract
A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The cryptography service is configured to receive and respond to requests to perform cryptographic operations, such as encryption and decryption. The requests may originate from entities using the distributed computing environment and/or subsystems of the distributed computing environment.
-
Citations
19 Claims
-
1. A computer-implemented method for providing data storage services, comprising:
-
obtaining, from a customer device associated with the computing resource service provider, information related to a policy associated with a cryptography service, the policy including a limitation on cryptographic information generated by a cryptography service of the computing resource service provider; processing the policy to cause the cryptography service to impose the limitation on the cryptographic information; causing the cryptography service to use, subject to the limitation, the cryptographic information to encrypt or decrypt the data such that the cryptographic information is only accessible to the cryptography service, the encrypting or decrypting the data including enabling the cryptography service, based at least in part on the limitation, to select the cryptographic information from a larger set of cryptographic information stored by the cryptography service; and providing an outcome of the use of the cryptographic information. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer system, comprising:
-
one or more processors; and memory storing instructions executable by the one or more processors to cause the computer system to implement at least; a cryptography service configured to at least; process a policy related to a plurality of keys, the policy including one or more limitations on using the plurality of keys; store the plurality of keys such that the plurality of keys are inaccessible to a service different from the cryptography service; detect a pending request to process data; select, based at least in part on a key identifier provided by the service different from the cryptography service and provided subject to the one or more limitations, a key from the plurality of keys; process the data with the selected key to perform one or more cryptographic operations associated with the pending request; and provide, to a requestor associated with the request, an outcome associated with the use of the selected key. - View Dependent Claims (7, 8, 9, 10, 11, 12)
-
-
13. A non-transitory computer-readable storage medium comprising instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
-
process a policy related to operation of a cryptography service, the policy defining one or more limitations on cryptographic operations performed by the cryptography service; obtain a request to utilize a service separate from the cryptography service; cause the cryptography service to use a key to perform, subject to the one or more limitations, one or more cryptographic operations on information that, after the one or more cryptographic operations have been performed, is usable to fulfill the request, the key being inaccessible to the service, the one or more cryptographic operations including providing an identifier of the key to enable the cryptography service to select the key from a plurality of keys stored by the cryptography service, the identifier being provided based at least in part on the one or more limitations; and fulfill the request to utilize the service using the information. - View Dependent Claims (14, 15, 16, 17, 18, 19)
-
Specification