Creating custom policies in a remote-computing environment

US 8,918,834 B1
Filed: 12/17/2010
Issued: 12/23/2014
Est. Priority Date: 12/17/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

under control of one or more computer systems configured with specific executable instructions,authenticating an entity that requests to interact with resources of a remote-computing service, the entity comprising one of multiple entities that request to interact with resources of the remote-computing service, a first portion of the multiple entities being associated with a first mode indicating that interactions are to be tracked for crafting an access policy, and a second portion of the multiple entities associated with a second, different mode, the second mode indicating that interactions are not to be tracked for crafting the access policy;

determining, based at least in part on the authenticating, that the entity is associated with the first mode;

determining a training procedure that provides the entity with access to predetermined resources of the remote-computing service for a predetermined interval;

in response to the determining that the entity is associated with the first mode, tracking interactions between the entity and the predetermined resources of the remote-computing service during the training procedure;

in response to expiration of the predetermined interval, crafting the access policy for the entity based at least in part on the tracked interactions between the entity and the predetermined resources of the remote-computing service that occurred during the training procedure; and

associating the access policy with the entity and associating the entity with the second mode.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for crafting custom policies for entities (e.g., users, applications, etc.) based on past behavior of the entities are described herein. In one example, the techniques are implemented in a network-based environment. In this environment, a remote-computing service may include multiple different resources that provide different services to customers of the remote-computing service. For instance, the remote-computing service may provide a network-based storage service, a network-based compute service, a network-based payment service, or any other network-based resource. Users and/or applications of a particular customer may then access these resources via an interface provided by the remote-computing service. After tracking a user or application'"'"'s access to these resources for a certain period of time, the remote-computing service may recommend or create a custom policy for the user or application based on the requests made by the user or application.

Citations

23 Claims

1. A method comprising:
- under control of one or more computer systems configured with specific executable instructions,authenticating an entity that requests to interact with resources of a remote-computing service, the entity comprising one of multiple entities that request to interact with resources of the remote-computing service, a first portion of the multiple entities being associated with a first mode indicating that interactions are to be tracked for crafting an access policy, and a second portion of the multiple entities associated with a second, different mode, the second mode indicating that interactions are not to be tracked for crafting the access policy;
  
  determining, based at least in part on the authenticating, that the entity is associated with the first mode;
  
  determining a training procedure that provides the entity with access to predetermined resources of the remote-computing service for a predetermined interval;
  
  in response to the determining that the entity is associated with the first mode, tracking interactions between the entity and the predetermined resources of the remote-computing service during the training procedure;
  
  in response to expiration of the predetermined interval, crafting the access policy for the entity based at least in part on the tracked interactions between the entity and the predetermined resources of the remote-computing service that occurred during the training procedure; and
  
  associating the access policy with the entity and associating the entity with the second mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, further comprising, prior to the associating the entity to the access policy:
    - receiving one or more modifications to the access policy at least partly in response to the tracked interactions and the expiration of the predetermined interval; and
      
      modifying the access policy based at least in part on the one or more modifications.
  - 3. The method as recited in claim 1, wherein the entity is associated with a customer of the remote-computing service, and further comprising, after the authenticating and prior to the tracking:
    - determining that the entity is associated with an access policy that grants the entity access to individual resources of the remote-computing service that is associated with the customer; and
      
      granting the entity access to the individual resources of the remote-computing service that are associated with the customer at least partly in response to the determining.
  - 4. The method as recited in claim 1, wherein the crafted access policy limits the entity access to those resources that the entity accessed during the interactions between the entity and the remote-computing resource.
  - 5. The method as recited in claim 1, wherein the resources of the remote-computing service include a network-based storage resource and a network-based compute resource.
  - 6. The method as recited in claim 1, wherein the entity comprises a user or an application associated with a customer of the remote-computing service.
  - 7. The method as recited in claim 1, wherein the predetermined interval comprises at least one of a predetermined period of time or a predetermined number of access requests.
  - 8. The method as recited in claim 1, wherein the access policy granted during the training procedure provides access to substantially all resources of the remote-computing service.
  - 9. The method as recited in claim 1, wherein the access policy provides the entity with access to resources of the remote-computing service during one or more predetermined times of the day.
  - 10. The method as recited in claim 1, wherein the access policy includes access to fewer resources of the remote-computing service, in comparison to the predetermined resources granted during the training procedure.

11. A method comprising:
- under control of one or more computer systems configured with specific executable instructions,providing, by a user of a customer of a remote-computing service, credentials for authenticating with the remote-computing service, the credentials indicating to the remote-computing service that interactions between the user and the remote-computing service are to be tracked for crafting an access policy for the user, wherein credentials of other users of customers of the remote-computing service indicate to the remote-computing service that interactions between the other users and the remote-computing service are not to be tracked for creating access policies for the other users;
  
  after authentication, receiving access to at least a portion of resources of the remote-computing service for a predetermined interval according to a first access policy associated with the user;
  
  interacting with multiple resources of the at least a portion of the resources of the remote-computing service based at least in part on the received access;
  
  in response to expiration of the predetermined interval, providing, by the user, the credentials for authenticating with the remote-computing service after interacting with the multiple resources;
  
  determining a second access policy to be associated with the user based at least in part on the interacting, wherein the second access policy indicates to the remote-computing service that interactions between the user and the remote computing service are not to be tracked for crafting the access policy; and
  
  receiving access to the resources of the remote-computing service according to the second access policy associated with the user.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method as recited in claim 11, wherein the first access policy grants the user access to individual resources of the remote-computing service associated with the customer.
  - 13. The method as recited in claim 11, wherein the second access policy grants the user access to those resources of the remote-computing service that the user interacted with during the interacting.
  - 14. The method as recited in claim 11, wherein the second access policy grants the user access to fewer resources of the remote-computing service than does the first access policy.
  - 15. The method as recited in claim 11, wherein the authenticating comprises associating the user with a particular access policy of the customer by associating the user with at least one of a customer account or access policy table that associates the user with the customer.

16. A method comprising:
- under control of one or more computer systems configured with specific executable instructions,determining that an entity is associated with a first mode or a second, different mode, the first mode indicating that interactions between the entity and resources of a computing system are to be tracked for crafting an access policy for the entity, the entity comprising one of multiple entities that interact with the resources of the computing system, a first portion of the multiple entities being associated with the first mode, and a second portion of the multiple entities being associated with the second, different mode, the second mode indicating that interactions are not to be tracked for crafting the access policy;
  
  determining a training procedure that provides the entity with access to predetermined resources of the computing system for a predetermined interval;
  
  in response to the determining that the entity is associated with the first mode, tracking interactions between the entity and the predetermined resources of the computing system during the training procedure;
  
  in response to expiration of the predetermined interval, crafting the access policy for the entity based at least in part on the tracked interactions between the entity and the predetermined resources of the computing system that occurred during the training procedure; and
  
  associating the access policy with the entity and associating the entity with the second mode.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method as recited in claim 16, wherein the entity comprises a user and the computing system comprises a personal computing device that the user is operating.
  - 18. The method as recited in claim 16, wherein the entity comprises a user or application and the computing system comprises a remote-computing service that the user or application is accessing over a network.
  - 19. The method as recited in claim 16, wherein the crafting an access policy for the entity occurs in response to expiration of the predetermined interval.
  - 20. The method as recited in claim 16, wherein the predetermined interval comprises at least one of a predetermined period of time or a predetermined number of access requests.
  - 21. The method as recited in claim 16, wherein the access policy includes access to fewer resources of the computer system, in comparison to the predetermined resources granted during the training procedure.
  - 22. The method as recited in claim 16, wherein the access granted during the training procedure provides access to substantially all resources of the remote-computing service.
  - 23. The method as recited in claim 16, wherein the predetermined interval comprises at least one of a predetermined period of time or a predetermined number of access requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Samuelsson, Anders
Primary Examiner(s)
Vaughan, Michael R

Application Number

US12/972,196
Time in Patent Office

1,467 Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/535   Tracking the activity of th...

Creating custom policies in a remote-computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Creating custom policies in a remote-computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links