ACCESS CONTROL POLICIES ASSOCIATED WITH FREEFORM METADATA

US 20140207861A1
Filed: 01/22/2013
Published: 07/24/2014
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for using tags to control access to resources, said method comprising:

under the control of one or more computer systems configured with executable instructions,associating a first access control policy and a second access control policy with a metadata tag, the first access control policy identifying which principals are allowed to assign the metadata tag to at least one computing resource, the second access control policy identifying operations that are allowed or not allowed to be performed on resources associated with the metadata tag;

receiving, from a user using an application programming interface (API), a request to assign the metadata tag to the at least one computing resource;

evaluating the first access control policy and assigning the metadata tag to the computing resource in response to determining that the first access control policy allows the user to assign the metadata tag;

receiving a request to perform an operation on the computing resource;

evaluating the second access control policy associated with the metadata tag; and

authorizing the request to perform the operation on the computing resource based at least in part on evaluation of the second access control policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.

Citations

23 Claims

1. A computer implemented method for using tags to control access to resources, said method comprising:
- under the control of one or more computer systems configured with executable instructions,associating a first access control policy and a second access control policy with a metadata tag, the first access control policy identifying which principals are allowed to assign the metadata tag to at least one computing resource, the second access control policy identifying operations that are allowed or not allowed to be performed on resources associated with the metadata tag;
  
  receiving, from a user using an application programming interface (API), a request to assign the metadata tag to the at least one computing resource;
  
  evaluating the first access control policy and assigning the metadata tag to the computing resource in response to determining that the first access control policy allows the user to assign the metadata tag;
  
  receiving a request to perform an operation on the computing resource;
  
  evaluating the second access control policy associated with the metadata tag; and
  
  authorizing the request to perform the operation on the computing resource based at least in part on evaluation of the second access control policy.
- View Dependent Claims (2, 3)
- - 2. The computer implemented method of claim 1, further comprising:
    - receiving, using the API, a request to remove the metadata tag from the computing resource; and
      
      evaluating the first access control policy and removing the metadata tag from the computing resource in response to determining that the first access control policy allows the user to remove the metadata tag;
      
      receiving a second request to perform an operation on the computing resource, the second request received after the metadata tag has been removed from the computing resource; and
      
      performing authorization of the second request without evaluating the second access control policy.
  - 3. The computer implemented method of claim 1, wherein evaluating the second access control policy further comprises:
    - causing an identity management service to retrieve the second access control policy in addition to one or more other access control policies that are related to the request to perform the operation on the computing resource.

4. A computer implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, from a user, a request to access a computing resource, the computing resource having freeform metadata associated therewith;
  
  retrieving an access control policy associated with the freeform metadata; and
  
  evaluating the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The computer implemented method of claim 4, wherein the access control policy identifies one or more operations that are allowed to be performed on the computing resource.
  - 6. The computer implemented method of claim 4, wherein the freeform metadata further includes at least one character string that specifies a key and a value.
  - 7. The computer implemented method of claim 4, wherein the freeform metadata is associated with the computing resource by:
    - receiving, from a user, a request to add the freeform metadata to the computing resource;
      
      evaluating a second access control policy in response to the request to add the freeform metadata, the second access control policy identifying which users are allowed to assign the freeform metadata to the computing resource; and
      
      associating the freeform metadata with the computing resource if the evaluation of the second access control policy permits the user to add the freeform metadata to the computing resource.
  - 8. The computer implemented method of claim 4, wherein in response to receiving the request to perform the operation on the computing resource, an identity management service retrieves the access control policy and at least one additional access control policy associated with the user and evaluates the access control policy and the at least one additional access control policy to grant or deny the request to perform the operation.
  - 9. The computer implemented method of claim 4, further comprising:
    - receiving a request to remove the freeform metadata from the computing resource; and
      
      evaluating a second access control policy and removing the freeform metadata from the computing resource in response to determining that the second access control policy allows the user to remove the freeform metadata;
      
      receiving a second request to perform an operation on the computing resource, the second request received after the freeform metadata has been removed from the computing resource; and
      
      performing authorization of the second request without evaluating the access control policy.
  - 10. The computing resource of claim 4, wherein associating the access control policy with the computing resource is performed at policy evaluation time.
  - 11. The computing resource of claim 4, wherein the computing resource includes at least one of:
    - a virtual machine instance, a host computing device, an application, a storage device, a database, a virtual network including a plurality of virtual machines, or an interface.

12. A computing system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computing system to;
  
  receive, from a user, a request to access a computing resource the computing resource having freeform metadata associated therewith;
  
  retrieve an access control policy associated with the freeform metadata; and
  
  evaluate the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computing system of claim 12, wherein the access control policy identifies one or more operations that are allowed to be performed on the computing resource.
  - 14. The computing system of claim 12, wherein the freeform metadata is associated with the computing resource by:
    - receiving, from a user, a request to add the freeform metadata to the computing resource;
      
      evaluating a second access control policy in response to the request to add the freeform metadata, the second access control policy identifying which users are allowed to assign the freeform metadata to the computing resource; and
      
      associating the freeform metadata with the computing resource if the evaluation of the second access control policy permits the user to add the freeform metadata to the computing resource.
  - 15. The computing system of claim 12, wherein the freeform metadata further includes at least one character string that specifies a key and a value.
  - 16. The computing system of claim 12, wherein in response to receiving the request to perform the operation on the computing resource, an identity management service retrieves the access control policy and at least one additional access control policy associated with the user and evaluates the access control policy and the at least one additional access control policy to grant or deny the request to perform the operation.
  - 17. The computing system of claim 12, wherein the memory further includes instructions that cause the computing system to:
    - receive a request to remove the freeform metadata from the computing resource;
      
      evaluate a second access control policy and remove the freeform metadata from the computing resource in response to determining that the second access control policy allows the user to remove the freeform metadata;
      
      receive a second request to perform an operation on the computing resource, the second request received after the freeform metadata has been removed from the computing resource; and
      
      perform authorization of the second request without evaluating the access control policy.

18. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving, from a user, a request to access a computing resource, the computing resource having freeform metadata associated therewith;
  
  retrieving an access control policy associated with the freeform metadata; and
  
  evaluating the access control policy to control access to the computing resource based at least in part on the freeform metadata associated with the computing resource.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the access control policy identifies one or more operations that are allowed to be performed on the computing resource.
  - 20. The non-transitory computer readable storage medium of claim 18, wherein the freeform metadata is associated with the computing resource by:
    - receiving, from a user, a request to add the freeform metadata to the computing resource;
      
      evaluating a second access control policy in response to the request to add the freeform metadata, the second access control policy identifying which users are allowed to assign the freeform metadata to the computing resource; and
      
      associating the freeform metadata with the computing resource if the evaluation of the second access control policy permits the user to add the freeform metadata to the computing resource.
  - 21. The non-transitory computer readable storage medium of claim 18, wherein the freeform metadata further includes at least one character string that specifies a key and a value.
  - 22. The non-transitory computer readable storage medium of claim 20, wherein in response to receiving the request to perform the operation on the computing resource, an identity management service retrieves the access control policy and at least one additional access control policy associated with the user and evaluates the access control policy and the at least one additional access control policy to grant or deny the request to perform the operation.
  - 23. The non-transitory computer readable storage medium of claim 18, further comprising instructions for:
    - receiving a request to remove the freeform metadata from the computing resource; and
      
      evaluating a second access control policy and removing the freeform metadata from the computing resource in response to determining that the second access control policy allows the user to remove the freeform metadata;
      
      receiving a second request to perform an operation on the computing resource, the second request received after the freeform metadata has been removed from the computing resource; and
      
      performing authorization of the second request without evaluating the access control policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, DeSantis, Peter Nicholas, Thrane, Lon

Granted Patent

US 10,341,281 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/204
CPC Class Codes

H04L 51/52 for supporting social netwo...

ACCESS CONTROL POLICIES ASSOCIATED WITH FREEFORM METADATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL POLICIES ASSOCIATED WITH FREEFORM METADATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links