Providing fine-grained access remote command execution for virtual machine instances in a distributed computing environment

US 10,609,080 B2
Filed: 10/16/2017
Issued: 03/31/2020
Est. Priority Date: 10/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

processing a command document associated with a first entity, the command document identifying a resource and commands executable by the resource, to identify a policy associated with the first entity and limiting access, by a second entity, to a subset of the commands; and

processing a request to access the resource by;

identifying, based on information in the request, the resource, the command document, the policy, and the second entity associated with the request;

authorizing the request as a result of determining that the request is associated with the second entity; and

causing, based at least in part on the policy and the command document, execution of the subset of the commands by the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.

Citations

20 Claims

1. A computer-implemented method, comprising:
- processing a command document associated with a first entity, the command document identifying a resource and commands executable by the resource, to identify a policy associated with the first entity and limiting access, by a second entity, to a subset of the commands; and
  
  processing a request to access the resource by;
  
  identifying, based on information in the request, the resource, the command document, the policy, and the second entity associated with the request;
  
  authorizing the request as a result of determining that the request is associated with the second entity; and
  
  causing, based at least in part on the policy and the command document, execution of the subset of the commands by the resource.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising verifying that the resource is capable of executing the subset of the commands.
  - 3. The computer-implemented method of claim 2, wherein verifying that the resource is capable of executing the subset of the commands further comprises:
    - verifying that the second entity is authorized to access the resource; and
      
      verifying that the resource is responsive.
  - 4. The computer-implemented method of claim 1, wherein the resource is a virtual machine instance.

5. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of execution by the one or more processors, cause the system to;
  
  obtain a command document associated with a first entity, the command document identifying a resource and commands executable by the resource;
  
  identify a policy associated with the first entity and limiting access, by a second entity, to a subset of the commands; and
  
  as a result of a request to access the resource;
  
  process the request to identify the resource, the command document, the policy, and the second entity associated with the request;
  
  authorize the request as a result of determining that the request is associated with the second entity; and
  
  cause, based at least in part on the policy and the command document, execution of the subset of the commands by the resource.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5, wherein the first entity is an administrator associated with the resource.
  - 7. The system of claim 5, wherein the request is obtained by the system via a programmatic interface.
  - 8. The system of claim 5, wherein the request includes a set of parameters usable to identify the command document.
  - 9. The system of claim 5, wherein the request includes a set of parameters usable to identify the resource.
  - 10. The system of claim 5, wherein the instructions, as a result of execution, further cause the system to:
    - determine that the request is associated with a different subset of the commands outside of the subset of the commands identified in the policy; and
      
      deny the request with respect to the different subset of the commands.
  - 11. The system of claim 5, wherein the policy further limits access by the second entity to the resource, andthe instructions, as a result of execution, further cause the system to:
    - determine that the request is associated with a different resource than the resource identified in the policy; and
      
      deny the request with respect to the different resource.
  - 12. The system of claim 5, wherein the policy is defined, at least in part, by the first entity.
  - 13. The system of claim 12, wherein the resource is a virtual machine accessible to the system.

14. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a document associated with a first entity, the document identifying a resource and commands executable by the resource;
  
  identify a policy associated with the first entity and limiting access to a subset of the commands; and
  
  as a result of a request to access the resource;
  
  process the request to identify the resource, the document, the policy, and a second entity associated with the request;
  
  authorize the request as a result of determining that the request is associated with the second entity; and
  
  cause, based at least in part on the policy and the document, execution of the subset of the commands by the resource.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions that cause the subset of the commands to be executed on the resource further cause the computer system to provide the subset of the commands to a software agent executing on the resource.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further cause the computer system to provide an execution status for the subset of the commands.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to, if the resource is unavailable, add the subset of the commands to a queue.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions further cause the computer system to cancel the subset of the commands as a result of the subset of the commands being queued for a predetermined length of time.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions further cause the computer system to cancel the subset of the commands as a result of a size of the queue exceeding a predetermined threshold.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the predetermined threshold is selected by the computer system as a result of a characteristic of the first entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Hussain, Amjad, Sundaram, Manivannan, Padisetty, Sivaprasad Venkata, Pamboukas, Nikolaos, Goodman, Alan Hadley
Primary Examiner(s)
Le, Chau

Application Number

US15/785,314
Publication Number

US 20180103066A1
Time in Patent Office

897 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Providing fine-grained access remote command execution for virtual machine instances in a distributed computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Providing fine-grained access remote command execution for virtual machine instances in a distributed computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links