Using transient processing containers for security authorization
First Claim
1. A computer-implemented method, comprising:
receiving, from a user, a request for access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;
determining an authorization function corresponding to the request based on a policy corresponding to the request;
invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;
executing, on the compute instance, the authorization function;
receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource; and
enforcing the decision with respect to the access.
Abstract
Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The use of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable state information to be maintained for a customer.
Claims (20)
1. A computer-implemented method, comprising:
receiving, from a user, a request for access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;
determining an authorization function corresponding to the request based on a policy corresponding to the request;
invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;
executing, on the compute instance, the authorization function;
receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource; and
enforcing the decision with respect to the access.
(Dependent claims 2 to 7 are not reproduced here.)
8. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
receive, from a user, a request for access to at least one resource in an electronic environment, the at least one resource provided by a resource provider;
determine an authorization function corresponding to the request based on a policy associated with the request;
invoke an instance of compute capacity in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;
execute, on the instance of compute capacity, the authorization function;
receive, from the instance of compute capacity, a decision regarding authorization of the access to the at least one resource; and
enforce the decision with respect to the access.
(Dependent claims 9 to 16 are not reproduced here.)
17. A system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to:
receive a request for access to a resource in an electronic environment, the resource provided by a resource provider;
determine an authorization function corresponding to the request based at least in part on a policy associated with the request;
determine a compute instance in the electronic environment to be used in executing the authorization function;
execute the authorization function on the compute instance in the electronic environment, within an isolated container of the compute instance, using context information from the request, the context information based at least in part on the policy associated with the request and the container configured to execute the authorization function based at least in part on information of the request;
receive, from the compute instance in the electronic environment, an authorization decision regarding the request; and
enforce the authorization decision.
(Dependent claims 18 to 20 are not reproduced here.)
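The flow the independent claims describe (policy lookup, context derived from the policy, the authorization function run in a fresh isolated process, a decision returned and enforced fail-closed), as an added Python example that is not the patent's or any product's code; the resources, policy, function names and the use of a subprocess as the "transient container" are constructed assumptions.

```python
# Added example, not the patent's code: a minimal model of the claimed flow.
# Policy -> authorization function -> fresh isolated process given only the
# context the policy names -> decision -> fail-closed enforcement.
import json, subprocess, sys

# Constructed policy (hypothetical resources and function names): which
# authorization function applies and which request attributes it may see.
POLICY = {
    "s3://reports": {"function": "business_hours_only", "context": ["hour", "role"]},
    "db://customers": {"function": "role_is_admin", "context": ["role"]},
}
# Constructed customer-provided authorization functions, kept as source text
# so they are shipped unchanged into the transient container.
FUNCTIONS = {
    "business_hours_only": "def authorize(ctx):\n"
        "    return 9 <= ctx['hour'] < 17 and ctx['role'] in ('analyst', 'admin')\n",
    "role_is_admin": "def authorize(ctx):\n    return ctx['role'] == 'admin'\n",
}
# What runs inside the container: read source + context from stdin, answer in JSON.
RUNNER = ("import json, sys\nsrc, ctx = json.load(sys.stdin)\nns = {}\n"
          "exec(src, ns)\nprint(json.dumps(bool(ns['authorize'](ctx))))\n")

def build_context(request, policy_entry):
    """Context comes from the policy: the function sees only the attributes it names."""
    return {k: request.get(k) for k in policy_entry["context"]}

def run_in_transient_container(source, ctx, timeout=2.0):
    """Stand-in for the isolated container: a fresh interpreter per request
    (-I: no site, env or user paths), fed only the function source and context.
    A crash, timeout or malformed reply is a deny (fail closed)."""
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", RUNNER],
                              input=json.dumps([source, ctx]),
                              capture_output=True, text=True, timeout=timeout)
        return proc.returncode == 0 and json.loads(proc.stdout) is True
    except (subprocess.TimeoutExpired, ValueError):
        return False

def authorize_request(request):
    """Steps of claim 1: pick the function from policy, build context, run it."""
    entry = POLICY.get(request["resource"])
    if entry is None:
        return False  # no policy, so no authorization function: deny
    ctx = build_context(request, entry)
    return run_in_transient_container(FUNCTIONS[entry["function"]], ctx)

def enforce(request):
    """Enforcement point: hand back the resource only on an allow decision."""
    return request["resource"] if authorize_request(request) else None
```

Because each request gets its own interpreter and nothing but the policy-selected context, a customer function cannot see other requests' attributes or keep state between calls, and any failure of the function degrades to a deny rather than an allow.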
Specification