Methods and apparatus for controlling snapshot exports
Abstract
Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer's. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.
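The manifest check described in the abstract, sketched as an added example; it is not code from the patent or from any provider. The manifest layout, account names, and snapshot IDs are constructed, and denying snapshots with an empty manifest or an unrecorded creator is an assumption of this sketch, not something the text states.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ManifestEntry:
    block: int               # block index in the client volume
    chunk_location: str      # where the data chunk is stored (constructed value)
    creator: Optional[str]   # account that created the block; None = not recorded

def foreign_creators(manifest, client_account):
    """Return creator accounts in the manifest that are not the client's.
    An unrecorded creator is reported as '<unknown>' (assumption: fail closed)."""
    return {e.creator or "<unknown>" for e in manifest if e.creator != client_account}

def has_export_rights(manifest, client_account):
    # Assumption: an empty manifest proves nothing about ownership, so it is denied.
    return bool(manifest) and not foreign_creators(manifest, client_account)

def handle_request(manifests, client_account):
    """Build the response: only snapshots in which every block was created
    by the requesting client's account; all others are left out."""
    return [sid for sid, m in manifests.items() if has_export_rights(m, client_account)]

# Constructed sample manifests, keyed by a hypothetical snapshot ID.
MANIFESTS = {
    "snap-own": [
        ManifestEntry(0, "chunks/a1", "acct-client"),
        ManifestEntry(1, "chunks/a2", "acct-client"),
    ],
    # Differential snapshot of a volume booted from a provider image:
    # block 0 still points at a chunk the provider account created.
    "snap-from-image": [
        ManifestEntry(0, "chunks/img0", "acct-provider"),
        ManifestEntry(1, "chunks/b7", "acct-client"),
    ],
    "snap-no-creator": [ManifestEntry(0, "chunks/c3", None)],
    "snap-empty": [],
}

if __name__ == "__main__":
    print(handle_request(MANIFESTS, "acct-client"))
```

Because a snapshot is differential, a single inherited block from a provider or third-party image is enough to exclude it, which is why the check walks every manifest entry rather than looking only at the snapshot's owner.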
29 Claims
1. A method, comprising:
performing, by a snapshot export control process implemented on one or more devices on a provider network:
obtaining, from a client of the provider network, a request directed to one or more snapshots stored on a data store on the provider network, wherein a snapshot is a differential backup of a client volume;
determining if the client has rights to export the one or more snapshots, wherein said determining comprises, for each of the one or more snapshots, examining a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of the client data volume to locations of data chunks stored in the snapshot and records account identifiers for creators of the data blocks, wherein each snapshot manifest file includes creator account information for data blocks in the respective snapshot, and wherein said examining compares account information for the client with the creator account information for the data blocks in the respective snapshot;
identifying, via said examining, a snapshot that includes at least one data block created by a different account than the client account, wherein the client does not have rights to export a snapshot that includes data created by the different account; and
generating a response to the request that does not include the identified snapshot.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system, comprising:
at least one processor; and
a memory comprising program instructions, wherein the program instructions are executable by the at least one processor to:
obtain a request from a client of a provider network directed to one or more snapshots stored on a data store on the provider network, wherein each snapshot is a differential backup of a client volume;
for each of the one or more snapshots:
determine, from information related to the snapshot, if the client has rights to export the snapshot to an external network;
if the client has rights to export the snapshot to the external network, fulfill the request for the snapshot; and
if the client does not have rights to export the snapshot to the external network, not fulfill the request for the snapshot.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
22. A non-transitory computer-accessible storage medium storing program instructions that when executed by one or more computers implement a snapshot export control process and cause the snapshot export control process to:
receive information indicating a client of a provider network and a snapshot stored on a data store on the provider network, wherein the snapshot is a differential backup of a client volume on the provider network;
determine, from a snapshot manifest for the snapshot, that the client does not have rights to export the snapshot to an external network, wherein the snapshot manifest includes account information for one or more creators of data in the respective snapshot, and wherein the client does not have rights to export a snapshot that includes data created by at least one account that is not the client's account; and
in response to said determining that the client does not have rights to export the snapshot to the external network, return an indication that the client does not have rights to export the snapshot to the external network.
Dependent claims: 23, 24, 25, 26, 27, 28, 29
Specification