Use of metadata for computing resource access

US 8,973,108 B1
Filed: 05/31/2011
Issued: 03/03/2015
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling access to one or more computing resources, comprising:

receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee;

generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee;

transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee;

receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential;

determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the information encoded by the session credential; and

determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and

when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

Citations

34 Claims

1. A computer-implemented method for controlling access to one or more computing resources, comprising:
- receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee;
  
  generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee;
  
  transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee;
  
  receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential;
  
  determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the information encoded by the session credential; and
  
  determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and
  
  when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein the user is authenticated by a first authentication process different from the authentication process, wherein the one or more policies require authentication by the authentication process to fulfill at least the request, and wherein determining whether to fulfill the request includes determining that the authentication process is encoded by the session credential.
  - 3. The computer-implemented method of claim 1, wherein the authentication process is a multifactor authentication process required by one or more policies to fulfill at least the request.
  - 4. The computer-implemented method of claim 1, wherein the session credential further encodes metadata additional to the information identifying the type of authentication process by the user and wherein determining whether to fulfill the request is further based at least in part on the encoded additional metadata.
  - 5. The computer-implemented method of claim 1, wherein the request is received from a second user that is different from the user.
  - 6. The computer-implemented method of claim 1, wherein based on at least the type of authentication process determined to have been successfully completed by the user, the user is not required to complete another authentication process in a second request.
  - 7. The computer-implemented method of claim 6, wherein the second request is a request for additional access.
  - 8. The computer-implemented method of claim 1, wherein the one or more policies are managed by a policy management component configured at least to maintain one or more virtual resource provider policies.
  - 9. The computer-implemented method of claim 8, wherein the policy management component is further configured to, at least:
    - receive user-specified policies;
      
      transform user-specified policies into a normal form, including one or more policy elements of the normal form;
      
      optimize the set of normal form policies based on at least in part on one or more policy elements, including an index; and
      
      distribute the optimized set of normal form policies to a set of policy enforcement components based at least in part on the index.
  - 10. The computer-implemented method of claim 1, wherein the one or more policies are specified by the user to restrict or grant access to one or more specified delegatees.
  - 11. The computer-implemented method of claim 1, wherein the one or more policies grants one or more privileges in addition to the access encoded in the session credential.
  - 12. The computer-implemented method of claim 1, wherein the data identifying the specified delegatee includes a username or email address of the specified delegatee, wherein the session credential is sent to the email address.
  - 13. The computer-implemented method of claim 1, wherein the information includes location information, information about applications used by the user, a time stamp for the session credential, an expiration time after which the session credential is invalid, a starting time before which the session credential is invalid, renewal parameters and/or requirements for renewing the session, credentials or a reference to credentials.
  - 14. The computer-implemented method of claim 1, wherein the session credential transmitted from the user to the specified delegatee is a temporary session credential.

15. A computer-implemented method for controlling access to one or more computing resources, comprising:
- receiving, by one or more computer devices, a session credential generated by one or more computer systems from a specified delegatee in connection with a request from the specified delegatee to access the one or more computing resources, the session credential being opaque to the specified delegatee and provided by the one or more computer systems to a user, the one or more computing resources being distinct from the one or more computer systems, the session credential encoding one or more claims identifying at least one type of at least one authenticating action the user has completed and one or more policies applicable to the specified delegatee, the session credential including information enabling the user to delegate access to the specified delegatee, the information having data identifying the specified delegatee;
  
  determining, with the one or more computer devices, the at least one type of authenticating action the user has completed, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the one or more encoded claims;
  
  determining, based at least in part on the one or more claims encoded by the session credential and one or more policies, whether to fulfill the request to access the one or more computing resources, the one or more policies encoded in the session credential; and
  
  when determined to fulfill the request, providing the requested access.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-implemented method of claim 15, wherein the session credential further encodes one or more attributes about the user.
  - 17. The computer-implemented method of claim 15, wherein the one or more claims include a claim that the user completed an authentication process required by the one or more policies for fulfilling the request.
  - 18. The computer-implemented method of claim 15, wherein the user is authenticated by a first authentication process, wherein the one or more policies require authentication by a second authentication process different from the first authentication process to fulfill at least the request, and wherein the one or more claims indicate whether the user is additionally authenticated by the second authentication process.
  - 19. The computer-implemented method of claim 15, further comprising:
    - determining, based at least in part on the claims encoded by the session credential and the one or more policies, whether to fulfill one or more additional requests; and
      
      for each request of the one or more additional requests, when determined to fulfill the request of the one or more additional requests, fulfilling the requests of the one or more additional requests.
  - 20. The computer-implemented method of claim 15, wherein the one or more claims indicate that the user has successfully authenticated by providing at least two of the set consisting of:
    - password information;
      
      information generated by an integrated circuit;
      
      biometric information; and
      
      information generated by a time-based token generation algorithm.
  - 21. The computer-implemented method of claim 15, further comprising:
    - decrypting the one or more policies for accessing the one or more computing resources in the session credential; and
      
      identifying the one or more policies from the session credential.

22. A computer-implemented method for controlling access to one or more computing resources, comprising:
- receiving, by one or more computing devices, a request to initiate a session;
  
  in response to the request, generating, by the one or more computing devices, a session credential that encodes information that attests to one or more authenticating actions completed by a user that are required by a set of one or more policies for accessing the one or more computing resources and one or more types of the one or more authenticating actions completed by the user, the one or more policies applicable to a specified delegatee, the session credential including information enabling the user to delegate access to the specified delegatee, the information having data identifying the specified delegatee; and
  
  transmitting the generated session credential as opaque to the specified delegatee and provided by the one or more computing devices from the user to enable the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems, by determining the one or more types of the one or more authenticating actions completed by the user based at least in part on the information encoded by the generated session credential and verifying, using the generated session credential, that the one or more authenticating actions have been completed by the user, and whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The computer-implemented method of claim 22, wherein the session credential is usable to successfully access the one or more computing resources multiple times.
  - 24. The computer-implemented method of claim 23, wherein the one or more actions have an associated cost and wherein use of the session credential to access the one or more computing resources multiple times allows amortization of the cost over multiple requests to access the one or more computing resources.
  - 25. The computer-implemented method of claim 22, wherein the session credential encodes a limit on access to the one or more computing resources using the session credential and wherein access to the one or more computing resources is controllable according to the encoded limit.
  - 26. The computer-implemented method of claim 25, wherein the limit is for a number of times the session credential can be used to access the one or more computing resources.
  - 27. The computer-implemented method of claim 25, wherein the one or more computing resources are operated by a multi-tenant computing resource provider and wherein the limit is for an amount of charges that the user can incur on behalf of a tenant of the multi-tenant computing resource provider.

28. A computer system for managing credentials, comprising:
- one or more processors; and
  
  memory, including executable instructions that, when executed by the one or more processors, cause the one or more processors to collectively at least;
  
  receive a session credential generated by the computer system from a specified delegatee in connection with a request from the specified delegatee to access one or more computing resources, the one or more computing resources being distinct from the computer system for managing credentials, the session credential encoding one or more claims identifying a user and one or more verifying actions the user has taken, one or more types of the one or more verifying actions taken by the user and one or more policies, the session credential being opaque to the specified delegatee and provided by the computer system to the user, the one or more verifying actions by which authentication of the user was completed;
  
  determine the one or more types of the one or more verifying actions taken by the user and the one or more policies based at least in part on the one or more claims encoded by the session credential;
  
  determine, based at least in part on the one or more claims encoded by the session credential, the one or more types of the one or more verifying actions taken by the user and one or more policies, whether to fulfill the request for the specified delegatee to access the one or more computing resources based on the session credential; and
  
  when determined to fulfill the request, provide the requested access to the specified delegatee.
- View Dependent Claims (29, 30)
- - 29. The computer system of claim 28, wherein the session credential was generated to encode one or more permissions to be delegated to a specified second user, the session credential including data identifying the specified second user, wherein the request was submitted by the second user, and wherein determining whether to fulfill the request to access the one or more computing resources includes determining whether the request is allowed by the encoded one or more permissions.
  - 30. The computer system of claim 28, wherein the one or more computing resources are operated by a computing resource provider on behalf of a tenant of the computing resource provider and wherein the user represents the tenant.

31. One or more non-transitory computer-readable storage media having collectively stored thereon instructions executable by one or more processors of a computer system that, when executed by the one or more processors, cause the computer system to at least:
- receive a request to initiate a session;
  
  in response to the request, generate a session credential that encodes information that attests to one or more actions taken by a user and one or more types of the one or more actions taken by the user that are required by a set of one or more policies applicable to a specified delegatee for accessing one or more computing resources, the one or more computing resources being distinct from the computer system, the information having data identifying the user;
  
  transmit the generated session credential to the specified delegatee to enable the user to verify one or more facts so that the specified delegatee may access the one or more computing resources by determining the one or more types of the one or more actions taken by the user and the one or more policies based at least in part on the information encoded by the generated session credential and verifying, using the generated session credential, that the one or more actions have been completed by the user, and whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources, the generated session credential being opaque to the specified delegatee and provided by the computer system to the user, the one or more actions by which authentication of the user is completed.
- View Dependent Claims (32, 33, 34)
- - 32. The one or more computer-readable storage media of claim 31, wherein the session credential encodes a limit on access to the one or more computing resources using the session credential and wherein access to the one or more computing resources is controllable according to the encoded limit.
  - 33. The one or more computer-readable storage media of claim 31, wherein the session credential is usable to successfully access the one or more computing resources multiple times.
  - 34. The one or more computer-readable storage media of claim 31, wherein the request is received from a second user different from the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., O'Neill, Kevin Ross, Brandwine, Eric Jason, Pratt, Brian Irl, Behm, Bradley Jeffery, Fitch, Nathan R.
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US13/149,619
Time in Patent Office

1,372 Days
Field of Search

726/1, 726/5, 726/10, 726/28
US Class Current

726/5
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

Use of metadata for computing resource access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Use of metadata for computing resource access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links