Hidden compartments

US 10,516,667 B1
Filed: 06/03/2014
Issued: 12/24/2019
Est. Priority Date: 06/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining, at a first service of a computing resource service provider, a first application programming interface request to provision a first computing resource for an account of the first service;

creating a compartment within the account to be utilized by the first service, wherein creating the compartment comprises creating a role such that the role is assumable by the first service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access the first computing resources provisioned in the compartment;

associating the compartment with a set of permissions that grant access to provision a second computing resource of a second service in the compartment, wherein the administrator of the account lacks an ability to obtain the grant of access to provision the second computing resource in the compartment;

associating the compartment with the role usable to perform at least one operation within the compartment;

associating the first service with the role; and

transmitting, by the first service in association with the role, a second application programming interface request to the second service, thereby causing the second service to provision the second computing resource in the compartment as part of fulfillment of the first application programming interface request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service of a service provider can cause a compartment to be created in an account of a customer of the service provider. Computing resources are provisioned in the compartment and the service has administrative authority over the computing resources. The customer may have administrative authority over the compartment, but may lack authority over the computing resources inside of the compartment.

57 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- obtaining, at a first service of a computing resource service provider, a first application programming interface request to provision a first computing resource for an account of the first service;
  
  creating a compartment within the account to be utilized by the first service, wherein creating the compartment comprises creating a role such that the role is assumable by the first service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access the first computing resources provisioned in the compartment;
  
  associating the compartment with a set of permissions that grant access to provision a second computing resource of a second service in the compartment, wherein the administrator of the account lacks an ability to obtain the grant of access to provision the second computing resource in the compartment;
  
  associating the compartment with the role usable to perform at least one operation within the compartment;
  
  associating the first service with the role; and
  
  transmitting, by the first service in association with the role, a second application programming interface request to the second service, thereby causing the second service to provision the second computing resource in the compartment as part of fulfillment of the first application programming interface request.
- View Dependent Claims (2, 3, 20)
- - 2. The computer-implemented method of claim 1, further comprising:
    - obtaining an application programming interface request to delete the first computing resource; and
      
      as a result of obtaining the application programming interface request to delete the first computing resource, transmitting an application programming interface request to delete the compartment, the application programming interface request to delete the compartment being associated with the role.
  - 3. The computer-implemented method of claim 1, wherein determining the compartment of the account comprises transmitting an application programming interface request to create the compartment.
  - 20. The computer-implemented method of claim 1, wherein the trustee policy restricts the administrator from viewing the compartment as existing within the account.

4. A system, comprising one or more non-transitory machine-readable mediums comprising a set of instructions, which as a result of execution by one or more processors, cause the system to at least:
- create a compartment to be utilized by a service of a service provider, wherein the compartment is created within an account of the service provider, further wherein the compartment is created by at least creating a role such that the role is assumable by the service and creating a trustee policy within the compartment that limits direct control of an administrator of the account to access a computing resource provisioned in the compartment, the compartment being associated with an access control policy that indicates a grant of access for the service of the service provider to perform one or more operations on the computing resource, wherein the administrator of the account lacks an ability to obtain the grant of access to perform the operation on the computing resource; and
  
  enforce the trustee policy.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein the computing resource is hosted by a second service different from the service.
  - 6. The system of claim 4, wherein the instructions, which as a result of execution by the one or more processors, further cause the system to aggregate computing resource usage data based at least in part on usage of the computing resource.
  - 7. The system of claim 4, wherein the instructions, which when performed by the one or more processors, further cause the system to:
    - obtain a request to transfer the compartment to a different account of the service provider; and
      
      as a result of obtainment of the request;
      
      dissociate the compartment from the account; and
      
      associate the compartment with the different account.
  - 8. The system of claim 4, wherein the instructions, which when performed by the one or more processors, further cause the system to associate the compartment with an other compartment, wherein the other compartment is able to obtain the grant of access to perform the operation on the computing resource.
  - 9. The system of claim 4, wherein the operation includes provisioning of a set of computing resources and adding the set of computing resources provisioned to the access control policy to grant the service access to perform the one or more operations.
  - 10. The system of claim 4, wherein:
    - the service is a marketplace service that provides an interface through which multiple compartments are provided for selection for placement into the account; and
      
      the service performs the one or more operations as a result of selection of the compartment of the multiple compartments.
  - 11. The system of claim 4, wherein:
    - the system further comprises the service; and
      
      the service causes provisioning of a set of computing resources by transmitting one or more application programming interface calls to one or more other services that each host at least one of the set of computing resources.
  - 12. The system of claim 4, wherein the instructions, which when performed by the one or more processors, further cause the system to provide, to the account, an inventory of the account specifying one or more individual compartments of a set of compartments within the account, wherein the compartment is excluded from the inventory.

13. One or more non-transitory computer-readable storage media comprising executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
- obtain a request to perform an operation in connection with a set of computing resources provisioned to a compartment within an account of a service, wherein metadata associated with the compartment specifies a set of restrictions that allow the operation to be performed under authority of the service but that prohibit the operation to be performed under authority of an administrator of the account, wherein a role is assumable by the service and the metadata comprises a trustee policy that limits direct control of the administrator of the account to access the set of computing resources; and
  
  cause the request to be fulfilled as a result of the request being verified as generated under authority of the service.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The one or more non-transitory computer-readable storage media of claim 13, wherein the operation includes provisioning an additional computing resource in the set of computing resources.
  - 15. The one or more non-transitory computer-readable storage media of claim 13, wherein the set of computing resources comprises multiple computing resources, at least two of which are hosted by different services.
  - 16. The one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further include instructions that cause the computer system to disassociate the compartment from the account and associate the compartment with another account, thereby causing a transfer of the compartment from the account to the other account.
  - 17. The one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further include instructions that cause the computer system to transfer the compartment to the account by associating the compartment with the account.
  - 18. The one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further include instructions that cause the computer system to count at least one computing resource of the compartment against a quota enforced by the computer system for the account.
  - 19. The one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further include instructions that cause the computer system to create the compartment in the account contingent on verification of a pending customer request to the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Samuelsson, Anders, Behm, Bradley Jeffery
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/295,108
Time in Patent Office

2,030 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Hidden compartments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hidden compartments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links