Cross-region requests

US 10,701,071 B2
Filed: 02/07/2018
Issued: 06/30/2020
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

making information associated with a first user account of a plurality of user accounts available to a device associated with a second user account of the plurality of accounts, the first user account associated with a first region and the second user account associated with a second region different than the first region, the second user account lacking access to a set of resources associated with the first user account;

obtaining a request from the device associated with the second user account of a plurality of user accounts, the request digitally signed using a long-term key associated with the second user account;

as a result of validating the request, at least;

generating a set of session data, the set of session data at least including a session key and the information;

encrypting the set of session data to generate a session token, the session token encrypted using a session encryption key, the session encryption key maintained as a secret by a security service in the first region; and

providing the session token and the session key to the device associated with the second user accountobtaining a second request from the device associated with the second user account for access to the resources associated with the first user account, the second request including the session token, the second request for resources digitally signed using a digital signature generated from the session key; and

as a result of validating the second request;

extracting the session key from the session token using the session encryption key to produce an extracted session key;

validating the digital signature generated from the session key using the extracted session key; and

satisfying the second request for resources by providing access to the resources associated with the first user account, wherein the second request is validated based at least in part on the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request is received by a user in a second region. The request, which is digitally signed with credential associated with the user in the second region causes the generation of a session credential that includes a session key. The user in the second region can use the session credentials to access the resources in the first region.

Citations

18 Claims

1. A computer-implemented method, comprising:
- making information associated with a first user account of a plurality of user accounts available to a device associated with a second user account of the plurality of accounts, the first user account associated with a first region and the second user account associated with a second region different than the first region, the second user account lacking access to a set of resources associated with the first user account;
  
  obtaining a request from the device associated with the second user account of a plurality of user accounts, the request digitally signed using a long-term key associated with the second user account;
  
  as a result of validating the request, at least;
  
  generating a set of session data, the set of session data at least including a session key and the information;
  
  encrypting the set of session data to generate a session token, the session token encrypted using a session encryption key, the session encryption key maintained as a secret by a security service in the first region; and
  
  providing the session token and the session key to the device associated with the second user accountobtaining a second request from the device associated with the second user account for access to the resources associated with the first user account, the second request including the session token, the second request for resources digitally signed using a digital signature generated from the session key; and
  
  as a result of validating the second request;
  
  extracting the session key from the session token using the session encryption key to produce an extracted session key;
  
  validating the digital signature generated from the session key using the extracted session key; and
  
  satisfying the second request for resources by providing access to the resources associated with the first user account, wherein the second request is validated based at least in part on the information.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, wherein:
    - the information is a role identifier of a role associated with the first user account, wherein the role has a corresponding set of policies associated with the role; and
      
      the validating of the second request is based at least in part on the corresponding set of policies associated with the role.
  - 3. The computer-implemented method of claim 2, wherein making the role identifier available to the device associated with the second user account includes at least one of:
    - storing the role identifier in a database, sending the role identifier to the device, or publishing the role identifier in documentation associated with the set of resources.

4. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
- generate a request associated with a first user account in a first region, the request generated by a device associated with a second user account in a second region, the request digitally signed by a credential associated with the second user account;
  
  obtain a session token including a first session key;
  
  use the first session key to generate a second request for access to resources associated with the first user account, the second request generated using the session token, the second request digitally signed with a digital signature generated from a second session key, wherein;
  
  the request is a request to assume a role associated with the first user account, wherein the role has a corresponding set of policies associated with the role, the request including a role identifier associated with the role; and
  
  the session token is encrypted using a session encryption key; and
  
  cause the second user account to assume the role in response to the request, the role providing access to resources not in the second region.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The system of claim 4, wherein the second user account does not exist in the first region.
  - 6. The system of claim 4, wherein the session token includes the role identifier.
  - 7. The system of claim 4, wherein the corresponding set of policies associated with the role define a set of permissions associated with the access to the resources associated with the first user account, the set of permissions specified by a customer associated with the first user account.
  - 8. The system of claim 4, wherein the instructions that, as a result of execution by the one or more processors, further cause the system to:
    - receive obtain the second request;
      
      validate the second request based at least in part on the corresponding set of policies associated with the role;
      
      extract the first session key from the session token using the session encryption key to produce an extracted first session key;
      
      validate the digital signature generated from the second session key using the extracted first session key; and
      
      satisfy the second request by providing access to the resources associated with the first user account.
  - 9. The system of claim 4, wherein the first session key is provided by the device associated with a second user account and the second session key is maintained as a secret within the second user account.
  - 10. The system of claim 4, wherein the first session key is identical to the second session key.
  - 11. The system of claim 4, wherein the first session key is a public key of a public key cryptography key pair and the second session key is a private session key of the public key cryptography key pair.
  - 12. The system of claim 4, wherein the session encryption key is generated from a session key and an account key associated with the first user account, the session key provided to the first region and the second region by a security service, the account key provided to the first region.
  - 13. The system of claim 4, wherein the credential is at least one of:
    - a long-term key associated with the second user account, a password associated with the second user account, a certificate generated by a device associated with the second user account, a short-term credential associated with the second user account, or a private long-term key associated with the second user account, the private long-term key corresponding to a public long-term key obtainable from the second user account.

14. A set of one or more non-transitory computer-readable storage media storing executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a request associated with a first user account in a first region, the request generated by a device associated with a second user account in a second region, the request digitally signed by a credential associated with the second user account;
  
  provide a session token including a first session key;
  
  obtain a second request, generated using the first session key, for access to resources associated with the first user account, the second request generated using the session token, the second request digitally signed with a digital signature generated from a second session key, wherein;
  
  the request is a request to assume a role associated with the first user account, wherein the role has a corresponding set of policies associated with the role, the request including a role identifier associated with the role;
  
  the session token is encrypted using a session encryption key; and
  
  assume the role in response to the request, the role providing access to resources not in the second region.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the first session key is identical to the second session key.
  - 16. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the second user account does not exist in the first region.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the session token includes a role identifier usable to determine the role.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 14, wherein the session encryption key is one of a plurality of session encryption keys, the plurality of session encryption keys maintained in a session keychain, wherein the instructions include further instructions that, if executed, further cause the computer system to delete each session encryption key of the plurality of session encryption keys upon expiration of a corresponding time interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mandadi, Srikanth, Sedky, Khaled Salah, Praus, Slavka, Barbour, Marc R.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/890,978
Publication Number

US 20180183793A1
Time in Patent Office

874 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Cross-region requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-region requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links