CONTRIBUTION SIGNATURES FOR TAGGING

US 20200136834A1
Filed: 12/24/2019
Published: 04/30/2020
Est. Priority Date: 12/22/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, to a computing resource environment, a first signed request comprising signed tagging metadata for tagging a resource that is to be provisioned in the computing resource environment with at least one service;

determining that the first signed request comprises at least one second signed request and at least one second signed metadata that are signed by at least one second entity that is other than a source of the signed request;

validating a first signature for the first signed request and at least one second signature for the at least one second signed request; and

provisioning the resource with access to the at least one service based in part on an association of the at least one service with the at least one second signed metadata.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received to a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, to a computing resource environment, a first signed request comprising signed tagging metadata for tagging a resource that is to be provisioned in the computing resource environment with at least one service;
  
  determining that the first signed request comprises at least one second signed request and at least one second signed metadata that are signed by at least one second entity that is other than a source of the signed request;
  
  validating a first signature for the first signed request and at least one second signature for the at least one second signed request; and
  
  provisioning the resource with access to the at least one service based in part on an association of the at least one service with the at least one second signed metadata.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - verifying, by a notation service, that the first signed request and the at least one second signed request correspond to a valid request chain for provisioning the resource.
  - 3. The computer-implemented method of claim 1, further comprising:
    - verifying, by a notation service, that authorization exists to have a first key-value pair applied to the resource and that authorization exists for at least one of the entities to have a second key-value pair applied to the resource.
  - 4. The computer-implemented method of claim 1, further comprising:
    - causing the signed tagging metadata to be stored to a metadata repository for the computing resource environment, the metadata repository being searchable using a search key and an associated value, by a notation service, to determine metadata that are currently applied to resources in the computing resource environment.

5. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive, to a computing resource environment, a first signed request comprising signed tagging metadata for tagging a resource by a first source;
  
  determining that the first signed request comprises at least one second signed request and at least one second signed metadata that are signed by at least one second source;
  
  validating a first signature for the first signed request and at least one second signature for the at least one second signed request; and
  
  provisioning the resource with access to at least one service of the at least one second source based in part on the at least one second signed metadata.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - cause at least the first signature to be stored with the signed tagging metadata in the metadata repository, the first signature indicating the first source of the signed tagging metadata for the resource.
  - 7. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - determine that an instance of metadata to be applied to the resource is not signed by a source associated with the signed tagging metadata;
      
      determine that the at least one second request includes a token indicating an authorization to have the instance of metadata applied to the resource on behalf of the source; and
      
      cause the instance of metadata to be applied to the resource.
  - 8. The system of claim 5, wherein the at least one second signed request includes at least an additional request for an additional service to perform tasks associated with the resource, the additional request digitally signed by an additional service.
  - 9. The system of claim 8, wherein the additional service is enabled to include additional metadata to be applied to the resource, each instance of an additional metadata digitally signed by the additional service providing the instance of the additional metadata.
  - 10. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - verify an order of the at least one second request and an additional request contained within a request chain of the first signed request.
  - 11. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - analyze at least one policy for the resource to determine whether the signed tagging metadata is authorized to be applied to the resource.
  - 12. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - verify, by a notation service, that the first signed request and the at least one second signed request correspond to a valid request chain for provisioning the resource.
  - 13. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - verify, by a notation service, that authorization exists to have a first key-value pair applied to the resource and that authorization exists for the at least one second source to have a second key-value pair applied to the resource.
  - 14. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - cause the signed tagging metadata to be stored to a metadata repository for the computing resource environment, the metadata repository being searchable using a search key and an associated value, by a notation service, to determine metadata that are currently applied to resources in the computing resource environment.
  - 15. The system of claim 5, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - analyze the at least one second request to determine that the at least one second request is signed by the at least one second source, and that the first signed request and the tagging metadata are signed by the first source.

16. A non-transitory computer readable medium comprising instructions that when executed by at least one processor cause the at least one processor to:
- receive, to a computing resource environment, a first signed request comprising signed tagging metadata for tagging a resource by a first source;
  
  determining that the first signed request comprises at least one second signed request and at least one second signed metadata that are signed by at least one second source;
  
  validating a first signature for the first signed request and at least one second signature for the at least one second signed request; and
  
  provisioning the resource with access to at least one service of the at least one second source based in part on the at least one second signed metadata.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable medium of claim 16 comprising the instructions that when executed by the at least one processor further cause the at least one processor to:
    - cause at least the first signature to be stored with the signed tagging metadata in the metadata repository, the first signature indicating the first source of the signed tagging metadata for the resource.
  - 18. The non-transitory computer readable medium of claim 16 comprising the instructions that when executed by the at least one processor further cause the at least one processor to:
    - determine that an instance of metadata to be applied to the resource is not signed by a source associated with the signed tagging metadata;
      
      determine that the at least one second request includes a token indicating an authorization to have the instance of metadata applied to the resource on behalf of the source; and
      
      cause the instance of metadata to be applied to the resource.
  - 19. The non-transitory computer readable medium of claim 16, wherein the at least one second signed request includes at least an additional request for an additional service to perform tasks associated with the resource, the additional request digitally signed by an additional service.
  - 20. The non-transitory computer readable medium of claim 19, wherein the additional service is enabled to include additional metadata to be applied to the resource, each instance of an additional metadata digitally signed by the additional service providing the instance of the additional metadata.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Kruse, William Frederick Hingle, Cahill, Conor Patrick, Canton, Jeffrey Cicero, Frenkel, Dmitry, Kulkarni, Harshad Vasant, Watson, Colin, Mikulski, Andrew Paul

Granted Patent

US 10,972,288 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/604   Tools and structures for ma...

G06F 21/64   Protecting data integrity, ...

G06F 2212/402   Encrypted data

H04L 63/061   for key exchange, e.g. in p...

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

CONTRIBUTION SIGNATURES FOR TAGGING

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTRIBUTION SIGNATURES FOR TAGGING

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links