Using transient processing containers for security authorization

US 10,447,613 B2
Filed: 09/01/2017
Issued: 10/15/2019
Est. Priority Date: 03/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, from a user, a request for access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;

determining an authorization function corresponding to the request based on a policy corresponding to the request;

invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;

executing, on the compute instance, the authorization function;

receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource; and

enforcing the decision with respect to the access.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable cause state information to be maintained for a customer.

28 Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, from a user, a request for access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;
  
  determining an authorization function corresponding to the request based on a policy corresponding to the request;
  
  invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;
  
  executing, on the compute instance, the authorization function;
  
  receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource; and
  
  enforcing the decision with respect to the access.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - analyzing a first pool of active compute instances to determine compute capacity available to execute the authorization function; and
      
      selecting the compute instance from the first pool of active compute instances or a second pool of compute instances based at least in part upon available compute capacity, the second pool of compute instances being unassociated with a user of the electronic environment.
  - 3. The computer-implemented method of claim 2, further comprising:
    - identifying, in the second pool of compute instances, a compute instance capable of supporting execution of the authorization function.
  - 4. The computer-implemented method of claim 2, further comprising:
    - initializing one or more compute instances in the second pool of compute instances, the initializing including at least determining an operating system and software necessary to execute one or more authorization functions on behalf of one or more users in the electronic environment.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving the authorization function from the user or a third party.
  - 6. The computer-implemented method of claim 1, wherein enforcing the decision includes granting access for a decision that access is authorized, and denying access for a decision that access is not authorized.
  - 7. The computer-implemented method of claim 1, wherein enforcing the decision includes granting access and generating a notification regarding the access.

8. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- receive, from a user, a request for access to at least one resource in an electronic environment, the at least one resource provided by a resource provider;
  
  determine an authorization function corresponding to the request based on a policy associated with the request;
  
  invoke an instance of compute capacity in the electronic environment, the compute instance configured to execute the authorization function, within an isolated container of the compute instance, using context information for the request, the context information based at least in part on the policy corresponding to the request and the container configured to execute the authorization function based at least in part on information of the request;
  
  execute, on the instance of compute capacity, the authorization function;
  
  receive, from the instance of compute capacity, a decision regarding authorization of the access to the at least one resource; and
  
  enforce the decision with respect to the access.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the computer system to:
    - obtain the instance of compute capacity from a first pool of compute capacity instances associated with the user, or from a second pool of compute capacity instances that are not associated with the user.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein the instructions when executed further cause the computer system to:
    - initialize one or more instances of compute capacity in the second pool of compute capacity instances, the initializing including at least determining an operating system and software necessary to execute one or more authorization functions on behalf of one or more users of the electronic environment.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the computer system to:
    - determine a transient compute container in a virtual machine to be allocated as the compute instance.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the request is a call to an application programming interface (API).
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the computer system to:
    - obtain the authorization function from the user or a third party.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the computer system to:
    - grant access when the decision regarding authorization of the access indicates that the request is authorized, and generate a notification indicating the access has been granted.
  - 15. The non-transitory computer-readable storage medium of claim 8, wherein the instance of compute capacity is configured to execute the authorization function.
  - 16. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the computer system to:
    - obtain inbound state information for use in executing the authorization function;
      
      receive outbound state information from the instance of compute capacity after the instance of compute capacity executes the authorization function; and
      
      store the outbound state information to a data store.

17. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive a request for access to a resource in an electronic environment, the resource provided by a resource provider;
  
  determine an authorization function corresponding to the request based at least in part on a policy associated with the request;
  
  determine a compute instance in the electronic environment to be used in executing the authorization function;
  
  execute the authorization function on the compute instance in the electronic environment, within an isolated container of the compute instance, using context information from the request, the context information based at least in part on the policy associated with the request and the container configured to execute the authorization function based at least in part on information of the request;
  
  receive, from the compute instance in the electronic environment, an authorization decision regarding the request; and
  
  enforce the authorization decision.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the authorization function is received from a user of the electronic environment or a third party.
  - 19. The system of claim 17, wherein the instructions when executed further cause the system to:
    - obtain inbound state information for use by the compute instance in executing the authorization function;
      
      receive outbound state information from the compute instance after the compute instance executes the authorization function; and
      
      store the outbound state information to a data store.
  - 20. The system of claim 17, wherein the instructions when executed further cause the system to:
    - analyze a first pool of active compute instances to determine compute capacity available to execute the authorization function; and
      
      select the compute instance from the first pool of active compute instances or a second pool of compute instances based at least in part upon available compute capacity, the second pool of compute instances being unassociated with a user of the electronic environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason
Primary Examiner(s)
Shepperd, Eric W

Application Number

US15/694,697
Publication Number

US 20170366551A1
Time in Patent Office

774 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/70 Admission control; Resource...

H04L 63/102 Entity profiles

Using transient processing containers for security authorization

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using transient processing containers for security authorization

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links