Conditional computing resource policies
First Claim
1. A computer-implemented method, comprising:
- obtaining from a device utilized by a user, a first request to access a first computing resource managed by a first computing resource service;
- as a result of the first request being successfully authenticated, determining, based at least in part on a set of parameters of the request and by a policy management service, first computing resource policies associated with the first computing resource and applicable to the request;
- determining, by the policy management service, that the first computing resource policies include a conditional computing resource policy, the conditional computing resource policy specifying a dependency condition that conditions access to the first computing resource on authorization to access a second computing resource managed by a second computing resource service, where:
  - the conditional computing resource policy is generated via a computer interface in response to a second request to impose a set of conditions for enabling the user to access the first computing resource; and
  - the first computing resource service and the second computing resource service are distinct;
- obtaining, by the policy management service, second computing resource policies associated with the second computing resource and applicable to the first request;
- determining, based on evaluation of the second computing resource policies by the policy management service, that the user is authorized to access the second computing resource and satisfies the dependency condition;
- determining, based on evaluation of other computing resource policies of the first computing resource policies by the policy management service, that the user is authorized to access the first computing resource; and
- providing, via the device and to the user, access to the first computing resource in accordance with the first computing resource policies and the other computing resource policies.

Dependent claims: 2, 3, 4.
Abstract
A computing resource service receives a request from a user to access a first computing resource. In response to the request, the computing resource service obtains policies applicable to the request. If the policies include at least one conditional policy that defines a dependency condition that is based at least part on privileges for accessing a second computing resource, the service determines whether the dependency condition is satisfied. If the dependency condition is satisfied, the service evaluates the obtained policies to determine whether to fulfill the request.
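The abstract describes a two-stage evaluation: collect the policies applicable to the request, satisfy every dependency condition by evaluating the second resource's own policies (which may live on a different service), and only then let the remaining policies decide. The toy policy manager below is an added example written for this page; it is not the patent's or any assignee's code. All resource names, users and policies are constructed, and the guard against dependency conditions that loop back on themselves is an assumption the patent text does not mention.

```python
"""Toy policy-management service that evaluates conditional (dependency)
policies in the way the abstract above describes.  Every resource, user and
policy here is constructed for the example."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    resource: str            # resource the policy is attached to
    effect: str              # "allow" or "deny"
    principals: frozenset    # users it applies to ("*" = anyone)
    actions: frozenset       # actions it applies to ("*" = any action)
    # Dependency condition (makes this a conditional policy): the request is
    # only considered if the same user is authorized for (resource, action)
    # on another, possibly distinct, service.
    requires: Optional[Tuple[str, str]] = None

    def applies(self, user: str, action: str) -> bool:
        return bool({user, "*"} & self.principals) and bool({action, "*"} & self.actions)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyManager:
    def __init__(self, policies):
        self.by_resource = {}
        for p in policies:
            self.by_resource.setdefault(p.resource, []).append(p)

    def authorize(self, user: str, resource: str, action: str, _chain=()) -> Decision:
        # Cycle guard (assumption, not from the patent): a dependency chain that
        # loops back on itself can never be satisfied, so it is denied.
        if (resource, action) in _chain:
            return Decision(False, f"cyclic dependency on {resource}:{action}")
        chain = _chain + ((resource, action),)

        # Policies applicable to this request; no applicable policy means deny.
        applicable = [p for p in self.by_resource.get(resource, []) if p.applies(user, action)]
        if not applicable:
            return Decision(False, f"no policy grants {user} {action} on {resource}")

        # Stage 1: every dependency condition must hold.  The second resource's
        # own policies are evaluated for the same user, recursively.
        for p in applicable:
            if p.requires is None:
                continue
            dep_resource, dep_action = p.requires
            dep = self.authorize(user, dep_resource, dep_action, chain)
            if not dep.allowed:
                return Decision(False, f"dependency {dep_resource}:{dep_action} not satisfied ({dep.reason})")

        # Stage 2: evaluate the obtained policies; an explicit deny always wins.
        if any(p.effect == "deny" for p in applicable):
            return Decision(False, f"explicit deny on {resource}")
        if any(p.effect == "allow" for p in applicable):
            return Decision(True, f"allowed on {resource}")
        return Decision(False, f"no allow policy on {resource}")


# Constructed sample policies across two distinct services (storage and KMS).
POLICIES = [
    # Reading the reports bucket is conditional on being able to decrypt with
    # the key that protects it, which is managed by a different service.
    Policy("storage:bucket/reports", "allow", frozenset({"alice", "bob"}),
           frozenset({"read"}), requires=("kms:key/reports", "decrypt")),
    Policy("storage:bucket/reports", "deny", frozenset({"carol"}), frozenset({"*"})),
    # Only alice may decrypt with the key.
    Policy("kms:key/reports", "allow", frozenset({"alice"}), frozenset({"decrypt"})),
    # Two resources whose conditions depend on each other (never satisfiable).
    Policy("svc-a:thing", "allow", frozenset({"*"}), frozenset({"use"}), requires=("svc-b:thing", "use")),
    Policy("svc-b:thing", "allow", frozenset({"*"}), frozenset({"use"}), requires=("svc-a:thing", "use")),
]
PM = PolicyManager(POLICIES)


def evaluate(user: str, resource: str, action: str) -> Decision:
    """Evaluate a request against the constructed policy store."""
    return PM.authorize(user, resource, action)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, evaluate(user, "storage:bucket/reports", "read"))
    print("alice", evaluate("alice", "svc-a:thing", "use"))
```

Bob holds an allow on the bucket but not on the key, so the dependency condition fails and the bucket allow never gets a chance to apply; that ordering is the point of the design, and the decision's reason string makes the failing dependency visible for audit logging.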
20 Claims
5. A system, comprising:
- one or more processors; and
- memory including instructions that, as a result of being executed by the one or more processors, cause the system to:
  - obtain a first request to access a first computing resource managed by a first computing resource service;
  - as a result of the first request being successfully authenticated, obtain, based at least in part on parameters of the first request, a first set of policies applicable to the first request;
  - obtain, from the first set of policies, a conditional policy that specifies a dependency condition that is based at least in part on privileges for accessing a second computing resource managed by a second computing resource service, where:
    - the conditional policy is generated via a computer interface for defining a set of conditions to determine whether access to the first computing resource is to be granted; and
    - the first computing resource service and the second computing resource service are distinct;
  - transmit a second request to the second computing resource service to determine, based on a second set of policies associated with the second computing resource and applicable to the first request, whether the dependency condition is satisfied;
  - obtain a policy decision, the policy decision indicating whether the dependency condition is satisfied; and
  - determine, based on an evaluation of the policy decision and the first set of policies, whether to fulfill the first request.

Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium that stores executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain, in response to a request to access a first computing resource managed by a first computing resource service and as a result of the request being successfully authenticated, a first set of computing resource policies applicable to the request;
- determine, based on a first evaluation of the first set of computing resource policies, that the set of computing resource policies include a conditional policy that defines a dependency condition that is based at least in part on privileges for accessing a second computing resource managed by a second computing resource service, where:
  - the conditional policy is generated via a computer interface utilized to define the dependency condition usable to determine whether access to the first computing resource is to be granted; and
  - the first computing resource service and the second computing resource service are distinct;
- determine, based at least in part on the privileges for accessing the second computing resource, whether the dependency condition is satisfied; and
- determine whether to fulfill the request based at least in part on an evaluation as to whether the dependency condition is satisfied and on other privileges defined through the set of computing resource policies.

Dependent claims: 14, 15, 16, 17, 18, 19, 20.