Hidden compartments
First Claim
Patent Images
1. A computer-implemented method, comprising:
- obtaining, at a first service of a computing resource service provider, a first application programming interface request to provision a first computing resource for an account of the first service;
creating a compartment within the account to be utilized by the first service, wherein creating the compartment comprises creating a role such that the role is assumable by the first service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access the first computing resources provisioned in the compartment;
associating the compartment with a set of permissions that grant access to provision a second computing resource of a second service in the compartment, wherein the administrator of the account lacks an ability to obtain the grant of access to provision the second computing resource in the compartment;
associating the compartment with the role usable to perform at least one operation within the compartment;
associating the first service with the role; and
transmitting, by the first service in association with the role, a second application programming interface request to the second service, thereby causing the second service to provision the second computing resource in the compartment as part of fulfillment of the first application programming interface request.
1 Assignment
0 Petitions
Accused Products
Abstract
A service of a service provider can cause a compartment to be created in an account of a customer of the service provider. Computing resources are provisioned in the compartment and the service has administrative authority over the computing resources. The customer may have administrative authority over the compartment, but may lack authority over the computing resources inside of the compartment.
57 Citations
20 Claims
-
1. A computer-implemented method, comprising:
-
obtaining, at a first service of a computing resource service provider, a first application programming interface request to provision a first computing resource for an account of the first service; creating a compartment within the account to be utilized by the first service, wherein creating the compartment comprises creating a role such that the role is assumable by the first service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access the first computing resources provisioned in the compartment; associating the compartment with a set of permissions that grant access to provision a second computing resource of a second service in the compartment, wherein the administrator of the account lacks an ability to obtain the grant of access to provision the second computing resource in the compartment; associating the compartment with the role usable to perform at least one operation within the compartment; associating the first service with the role; and transmitting, by the first service in association with the role, a second application programming interface request to the second service, thereby causing the second service to provision the second computing resource in the compartment as part of fulfillment of the first application programming interface request. - View Dependent Claims (2, 3, 20)
-
-
4. A system, comprising one or more non-transitory machine-readable mediums comprising a set of instructions, which as a result of execution by one or more processors, cause the system to at least:
-
create a compartment to be utilized by a service of a service provider, wherein the compartment is created within an account of the service provider, further wherein the compartment is created by at least creating a role such that the role is assumable by the service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access a computing resource provisioned in the compartment, the compartment being associated with an access control policy that indicates a grant of access for the service of the service provider to perform one or more operations on the computing resource, wherein the administrator of the account lacks an ability to obtain the grant of access to perform the operation on the computing resource; and enforce the trustee policy. - View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. One or more non-transitory computer-readable storage media comprising executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
-
obtain a request to perform an operation in connection with a set of computing resources provisioned to a compartment within an account of a service, wherein metadata associated with the compartment specifies a set of restrictions that allow the operation to be performed under authority of the service but that prohibit the operation to be performed under authority of an administrator of the account, wherein a role is assumable by the service and the metadata comprises a trustee policy that limits direct control of the administrator of the account to access the set of computing resources; and cause the request to be fulfilled as a result of the request being verified as generated under authority of the service. - View Dependent Claims (14, 15, 16, 17, 18, 19)
-
Specification