Conditional comptuing resource policies

US 10,454,975 B1
Filed: 06/17/2016
Issued: 10/22/2019
Est. Priority Date: 06/17/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining from a device utilized by a user, a first request to access a first computing resource managed by a first computing resource service;

as a result of the first request being successfully authenticated, determining, based at least in part on a set of parameters of the request and by a policy management service, first computing resource policies associated with the first computing resource and applicable to the request;

determining, by the policy management service, that the first computing resource policies include a conditional computing resource policy, the conditional computing resource policy specifying a dependency condition that conditions access to the first computing resource on authorization to access a second computing resource managed by a second computing resource service, where;

the conditional computing resource policy is generated via a computer interface in response to a second request to impose a set of conditions for enabling the user to access the first computing resource; and

the first computing resource service and the second computing resource service are distinct;

obtaining, by the policy management service, second computing resource policies associated with the second computing resource and applicable to the first request;

determining, based on evaluation of the second computing resource policies by the policy management service, that the user is authorized to access the second computing resource and satisfies the dependency condition;

determining, based on evaluation of other computing resource policies of the first computing resource policies by the policy management service, that the user is authorized to access the first computing resource; and

providing, via the device and to the user, access to the first computing resource in accordance with the first computing resource policies and the other computing resource policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing resource service receives a request from a user to access a first computing resource. In response to the request, the computing resource service obtains policies applicable to the request. If the policies include at least one conditional policy that defines a dependency condition that is based at least part on privileges for accessing a second computing resource, the service determines whether the dependency condition is satisfied. If the dependency condition is satisfied, the service evaluates the obtained policies to determine whether to fulfill the request.

34 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- obtaining from a device utilized by a user, a first request to access a first computing resource managed by a first computing resource service;
  
  as a result of the first request being successfully authenticated, determining, based at least in part on a set of parameters of the request and by a policy management service, first computing resource policies associated with the first computing resource and applicable to the request;
  
  determining, by the policy management service, that the first computing resource policies include a conditional computing resource policy, the conditional computing resource policy specifying a dependency condition that conditions access to the first computing resource on authorization to access a second computing resource managed by a second computing resource service, where;
  
  the conditional computing resource policy is generated via a computer interface in response to a second request to impose a set of conditions for enabling the user to access the first computing resource; and
  
  the first computing resource service and the second computing resource service are distinct;
  
  obtaining, by the policy management service, second computing resource policies associated with the second computing resource and applicable to the first request;
  
  determining, based on evaluation of the second computing resource policies by the policy management service, that the user is authorized to access the second computing resource and satisfies the dependency condition;
  
  determining, based on evaluation of other computing resource policies of the first computing resource policies by the policy management service, that the user is authorized to access the first computing resource; and
  
  providing, via the device and to the user, access to the first computing resource in accordance with the first computing resource policies and the other computing resource policies.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - obtaining another request to access the first computing resource;
      
      determining a set of computing resource policies applicable to the other request;
      
      obtaining a mapping of dependencies between the first computing resource and other computing resources managed by other computing resource services;
      
      using the mapping of dependencies to identify one or more dependency conditions;
      
      determining that the other request fulfills the one or more dependency conditions;
      
      as a result of a determination that the other request fulfills the one or more dependency conditions, evaluating the set of computing resource policies;
      
      determining, based on the set of computing resource policies, that the other request to access the first computing resource can be fulfilled; and
      
      causing access to the first computing resource in accordance with the set of computing resource policies.
  - 3. The computer-implemented method of claim 1, wherein further comprising:
    - obtaining another request to access the first computing resource;
      
      obtaining, based on parameters of the other request, a first set of computing resource policies applicable to the other request, the first computing resource policies including the conditional computing resource policy;
      
      determining a second set of computing resource policies associated with the second computing resource and applicable to the other request;
      
      determining, based on the second set of computing resource policies, that the other request does not satisfy the dependency condition of the conditional computing resource policy; and
      
      denying the other request.
  - 4. The computer-implemented method of claim 1, further comprising transmitting a another request to the second computing resource service to obtain the second computing resource policies associated with the second computing resource and applicable to the first request.

5. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of being executed by the one or more processors, cause the system to;
  
  obtain a first request to access a first computing resource managed by a first computing resource service;
  
  as a result of the first request being successfully authenticated, obtain, based at least in part on parameters of the first request, a first set of policies applicable to the first request;
  
  obtain, from the first set of policies, a conditional policy that specifies a dependency condition that is based at least in part on privileges for accessing a second computing resource managed by a second computing resource service, where;
  
  the conditional policy is generated via a computer interface for defining a set of conditions to determine whether access to the first computing resource is to be granted; and
  
  the first computing resource service and the second computing resource service are distinct;
  
  transmit a second request to the second computing resource service to determine, based on a second set of policies associated with the second computing resource and applicable to the first request, whether the dependency condition is satisfied;
  
  obtain a policy decision, the policy decision indicating whether the dependency condition is satisfied; and
  
  determine, based on an evaluation of the policy decision and the first set of policies, whether to fulfill the first request.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein:
    - the policy decision specifies that the dependency condition has been satisfied; and
      
      the instructions further cause the system to fulfill the first request according to the first set of policies.
  - 7. The system of claim 5, wherein:
    - the policy decision specifies that the dependency condition has not been satisfied; and
      
      the instructions further cause the system to deny the first request.
  - 8. The system of claim 5, wherein the instructions further cause the computer system to deny the first request if at least one of the first set of policies do not provide privileges necessary for fulfillment of the first request.
  - 9. The system of claim 5, wherein the instructions further cause the system to:
    - obtain, in response to the first request, a mapping of dependencies between the first computing resource and other computing resources;
      
      identify, based at least in part on the mapping of dependencies, a dependency condition for a third computing resource; and
      
      determine whether the dependency condition for the third computing resource is satisfied to determine whether to fulfill the first request.
  - 10. The system of claim 5, wherein:
    - the second computing resource service is maintained through a remote service provider external to the system; and
      
      the instructions further cause the system to access the remote service provider to transmit the second request to the second computing resource service.
  - 11. The system of claim 5, wherein:
    - the policy decision specifies the second set of policies; and
      
      the instructions further cause the system to;
      
      obtain the second set of policies; and
      
      evaluate the second set of policies to determine whether the dependency condition is satisfied.
  - 12. The system of claim 5, wherein:
    - the second request to the second computing resource service identifies a principal that submitted the first request to access the first computing resource; and
      
      the second computing resource service determines whether the principal has been whitelisted to access the second computing resource to generate the policy decision.

13. A non-transitory computer-readable storage medium that stores executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain, in response to a request to access a first computing resource managed by a first computing resource service and as a result of the request being successfully authenticated, a first set of computing resource policies applicable to the request;
  
  determine, based on a first evaluation of the first set of computing resource policies, that the set of computing resource policies include a conditional policy that defines a dependency condition that is based at least in part on privileges for accessing a second computing resource managed by a second computing resource service, where;
  
  the conditional policy is generated via a computer interface utilized to define the dependency condition usable to determine whether access to the first computing resource is to be granted; and
  
  the first computing resource service and the second computing resource service are distinct;
  
  determine, based at least in part on the privileges for accessing the second computing resource, whether the dependency condition is satisfied; and
  
  determine whether to fulfill the request based at least in part on an evaluation as to whether the dependency condition is satisfied and on other privileges defined through the set of computing resource policies.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to transmit a request to the second computing resource service to obtain a policy decision that can be used to determine whether the dependency condition is satisfied.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein:
    - the policy decision specifies a set of policies usable to determine whether a principal that submitted the request to access the first computing resource is authorized, based on the privileges, to access the second computing resource; and
      
      the instructions further cause the computer system to evaluate the set of policies to determine whether the dependency condition is satisfied.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the request to the second computing resource service causes the second computing resource service to evaluate one or more computing resource policies applicable to the second computing resource to generate the policy decision.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to fulfill the request according to the set computing resource policies as a result of the dependency condition being satisfied.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to:
    - obtain, in response to the request, a mapping of dependencies between the first computing resource and other computing resources, the mapping of dependencies defining a dependency condition for a third computing resource; and
      
      determine whether the dependency condition for the third computing resource is satisfied to determine whether to fulfill the request.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to:
    - obtain a third request to generate a conditional policy for the first computing resource, the third request specifying a dependency condition that is based at least in part on privileges for accessing a third computing resource;
      
      generate the conditional policy; and
      
      associate the conditional policy with the first computing resource such that, in response to requests to access the first computing resource, the conditional policy is used to determine whether to allow access to the first computing resource.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to determine that the dependency condition is satisfied as a result of a determination that a principal that submitted the request to access the first computing resource has been whitelisted for accessing the second computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Zhao, Don G

Application Number

US15/186,310
Time in Patent Office

1,222 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Conditional comptuing resource policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional comptuing resource policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links