Distributed policy enforcement with optimizing policy transformations

US 9,237,155 B1
Filed: 12/06/2010
Issued: 01/12/2016
Est. Priority Date: 12/06/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for distributed policy enforcement, comprising:

under control of one or more computer systems configured with executable instructions,receiving, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider;

incorporating the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form;

generating an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form;

identifying, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components;

providing said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant;

receiving a request to perform said at least one action at a user interface of the virtual resource provider; and

enforcing the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.

42 Citations

View as Search Results

21 Claims

1. A computer-implemented method for distributed policy enforcement, comprising:
- under control of one or more computer systems configured with executable instructions,receiving, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider;
  
  incorporating the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form;
  
  generating an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form;
  
  identifying, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components;
  
  providing said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant;
  
  receiving a request to perform said at least one action at a user interface of the virtual resource provider; and
  
  enforcing the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A computer-implemented method according to claim 1, wherein the common set of policy elements comprises at least one of:
    - an actor, an action, a subject of action, and a set of action conditions.
  - 3. A computer-implemented method according to claim 2, wherein the actor corresponds to a set of users associated with a set of customers of the virtual resource provider.
  - 4. A computer-implemented method according to claim 2, wherein the subject of action corresponds to a set of virtual resources provided by the virtual resource provider.
  - 5. A computer-implemented method according to claim 2, wherein each of said identified at least one subset of the first set of normal form policies corresponds to a set of values associated with one of the common set of policy elements.
  - 6. A computer-implemented method according to claim 2, wherein each of the plurality of policy enforcement components corresponds to a set of values associated with one of the common set of policy elements.
  - 7. A computer-implemented method according to claim 2, wherein each of the plurality of policy enforcement components corresponds to one of a plurality of types of virtual resource provided by the virtual resource provider.
  - 8. A computer-implemented method according to claim 1, wherein comparing the user-specified policy to said at least one of the first set of normal form policies further comprises determining whether at least one of the second set of normal form policies is contained by said at least one of the first set of normal form policies.
  - 9. A computer-implemented method according to claim 1, wherein comparing the user-specified policy to said at least one of the first set of normal form policies further comprises transforming the user-specified policy so that the user-specified policy has at least one of the set of policy elements.
  - 10. A computer-implemented method according to claim 1, wherein:
    - the user-specified policy includes the set of policy elements; and
      
      generating the second set of normal form policies comprises identifying, in the user-specified policy, at least one of the set of policy elements having a compound value, and generating a plurality of normal form policies collectively equivalent to the user-specified policy such that each of the plurality of normal form policies includes said at least one of the set of policy elements with a non-compound value.
  - 11. A computer-implemented method according to claim 1, wherein generating the second set of normal form policies comprises generating a reference to the user-specified policy from each of the second set of normal form policies.
  - 12. A computer-implemented method according to claim 1, wherein at least one of the set of policy elements has a wildcard value.
  - 13. A computer-implemented method according to claim 12, wherein a set of values of said at least one of the set of policy elements matching the wildcard value is determined based at least in part on a context associated with the request.
  - 14. A computer-implemented method according to claim 1, further comprising reducing a size of the first set of normal form policies at least in part by generating a compound value for at least one of the set of policy elements associated with at least one of the first set of normal form policies such that at least one other of the first set of normal form policies is made redundant.
  - 15. A computer-implemented method according to claim 1, wherein policies in the normal form are specified with a set of policy elements including said at least one policy element.
  - 16. A computer-implemented method according to claim 15, wherein sets of policy element values correspond to policy enforcement domains.

17. A computerized system for policy enforcement, comprising:
- a plurality of policy enforcement components each configured to, at least;
  
  maintain a local set of policies;
  
  receive, at a user interface of a virtual resource provider, a request to perform at least one action capable of being performed by the virtual resource provider; and
  
  enforce the set of policies with respect to received requests;
  
  at least one policy management component configured to, at least;
  
  maintain a global set of policies having policies in a normal form corresponding to a set of policy elements;
  
  receive at least one new policy with respect to the at least one action;
  
  incorporate the at least one new policy into the global set of policies at least in part by generating a normal set of policies corresponding to said at least one new policy, each of the normal set of policies being in the normal form;
  
  identify a plurality of subsets of the global set of policies that are relevant to a subset of a plurality of policy enforcement components, wherein each of the subset of the plurality of policy enforcement components is further configured at least to update the local set of policies of the policy enforcement component with one of the plurality of subsets of the global set of policies provided by said at least one policy management component; and
  
  provide the plurality of subsets of the global set of policies to at least the subset of the plurality of policy enforcement components identified as relevant; and
  
  one or more processors collectively facilitating at least the plurality of policy enforcement components and said at least one policy management component.
- View Dependent Claims (18, 19)
- - 18. A computerized system according to claim 17, wherein the plurality of policy enforcement components are each further configured to:
    - generate an index of the normal set of policies based at least in part on a plurality of sets of values of at least one of the set of policy elements; and
      
      the plurality of subsets of the global set of policies are identified as relevant based at least in part on the index.
  - 19. A computerized system according to claim 17, wherein:
    - the system further comprises a plurality of sets of virtual resource servers maintaining a plurality of types of virtual resource; and
      
      each of the plurality of policy enforcement components is dedicated to enforcing policies for one of the plurality of set of virtual resource servers.

20. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that configure one or more computers to collectively, at least:
- receive, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider;
  
  incorporate the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form;
  
  generate an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form;
  
  identify, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components;
  
  provide said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant;
  
  receive a request to perform said at least one action at a user interface of the virtual resource provider; and
  
  enforce the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.
- View Dependent Claims (21)
- - 21. One or more non-transitory computer-readable media according to claim 20, wherein the computer-executable instructions further configure the one or more computers to collectively, at least, receive the policy at a Web-based interface from an authorized user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cavage, Mark, Xiao, Yunong, Behm, Bradley Jeffery
Primary Examiner(s)
Rashid, Harunur

Application Number

US12/961,104
Time in Patent Office

1,863 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 9/5077   Logical partitioning of res...

H04L 47/822   Collecting or measuring res...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

Distributed policy enforcement with optimizing policy transformations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed policy enforcement with optimizing policy transformations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links