Distributed policy enforcement with verification mode

US 9,258,312 B1
Filed: 12/06/2010
Issued: 02/09/2016
Est. Priority Date: 12/06/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for distributed policy enforcement, comprising:

maintaining, by a computer system, a plurality of sets of policies at a plurality of policy enforcement components of a virtual resource provider that is configured to provision a plurality of computer resources;

receiving, via a control plane of the virtual resource provider, a request with respect to at least one action performed by at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider, the request including an indication that the request is to be processed in a verification mode;

selecting, by the computer system, at least one of the plurality of policy enforcement components to evaluate the request with respect to at least one of the plurality of sets of policies and submitting the request to the at least one of the plurality of policy enforcement components;

determining a relevant policy subset of the at least one of the plurality of sets of policies that is relevant with respect to the request;

evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant policy subset;

evaluating, upon determining that the request is to be processed in the verification mode based at least in part on the indication included in the request, performance of the at least one action by the at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider such that performance of the at least one action is inhibited regardless of whether the at least one action is in compliance with the relevant policy subset; and

providing for presentation, to a computing device associated with the request, a report that includes the determined relevant policy subset and a result of the evaluation of the request based at least in part on evaluation of the performance of the at least one action, the report configured to be presented via a user interface of the computing device associated with the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.

84 Citations

View as Search Results

24 Claims

1. A computer-implemented method for distributed policy enforcement, comprising:
- maintaining, by a computer system, a plurality of sets of policies at a plurality of policy enforcement components of a virtual resource provider that is configured to provision a plurality of computer resources;
  
  receiving, via a control plane of the virtual resource provider, a request with respect to at least one action performed by at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider, the request including an indication that the request is to be processed in a verification mode;
  
  selecting, by the computer system, at least one of the plurality of policy enforcement components to evaluate the request with respect to at least one of the plurality of sets of policies and submitting the request to the at least one of the plurality of policy enforcement components;
  
  determining a relevant policy subset of the at least one of the plurality of sets of policies that is relevant with respect to the request;
  
  evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant policy subset;
  
  evaluating, upon determining that the request is to be processed in the verification mode based at least in part on the indication included in the request, performance of the at least one action by the at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider such that performance of the at least one action is inhibited regardless of whether the at least one action is in compliance with the relevant policy subset; and
  
  providing for presentation, to a computing device associated with the request, a report that includes the determined relevant policy subset and a result of the evaluation of the request based at least in part on evaluation of the performance of the at least one action, the report configured to be presented via a user interface of the computing device associated with the request.
- View Dependent Claims (2, 3, 4, 8)
- - 2. A computer-implemented method according to claim 1, wherein:
    - the method further comprises determining a set of decision data required to evaluate the request based at least in part on the relevant policy subset and collecting the set of decision data;
      
      the evaluation of the request with respect to the relevant policy subset is based at least in part on the set of decision data; and
      
      the report provided for presentation further includes the set of decision data.
  - 3. A computer-implemented method according to claim 1, wherein evaluating performance of the at least one action avoids at least one cost associated with the at least one action.
  - 4. A computer-implemented method according to claim 1, wherein the report further includes a representation of each policy in the determined relevant policy subset that was used to evaluate the request.
  - 8. A computer-implemented method according to claim 4, wherein:
    - the request is with respect to at least one action capable of being performed by the virtual resource provider; and
      
      the method further comprises, responsive to the indication that the request is to be processed in the verification mode, inhibiting said at least one action independent of the at least one policy evaluation result.

5. A computer-implemented method for policy enforcement, comprising:
- receiving, by a computer system, a request associated with at least one of a first set of policies, the request including an indication that the request is to be processed in a verification mode;
  
  selecting, by the computer system, at least one of a plurality of policy enforcement components to evaluate the request with respect to the at least one of the first set of policies and submitting the request to the at least one of the plurality of policy enforcement components;
  
  determining, by the computer system, a relevant subset of the first set of policies based at least in part on at least one attribute of the request;
  
  evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant subset of policies at least in part thereby determining at least one policy evaluation result;
  
  responsive to the indication that the request is to be processed in the verification mode, evaluating performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of policies; and
  
  providing for presentation, to a computing device associated with the request, a report that includes the determined relevant subset of policies and the at least one policy evaluation result based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request.
- View Dependent Claims (6, 7, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. A computer-implemented method according to claim 5, wherein the verification mode is a policy enforcement verification mode of a virtual resource provider.
  - 7. A computer-implemented method according to claim 6, wherein:
    - the virtual resource provider comprises the plurality of policy enforcement components; and
      
      the method further comprises receiving the first set of policies at one or more of the plurality of policy enforcement components.
  - 9. A computer-implemented method according to claim 5, wherein the request is received at an interface of a virtual resource provider, the interface comprising a plurality of interface elements corresponding to a plurality of actions capable of being performed by the virtual resource provider, and the indication that the request is to be processed in the verification mode corresponds to at least one value of at least one parameter of at least one of the plurality of interface elements.
  - 10. A computer-implemented method according to claim 5, wherein the indication that the request is to be processed in the verification mode corresponds to one or more valid cryptographic credentials.
  - 11. A computer-implemented method according to claim 5, further comprising incorporating a user-specified policy into the first set of policies at least in part by generating a second set of policies corresponding to the user-specified policy, the first set of policies and the second set of policies having policies in a normal form.
  - 12. A computer-implemented method according to claim 11, wherein:
    - the user-specified policy and each of the second set of policies have distinct policy identifiers; and
      
      each of the second set of policies reference the user-specified policy with the policy identifier of the user-specified policy.
  - 13. A computer-implemented method according to claim 12, wherein providing for presentation the report comprises determining a set of user-specified policies based at least in part on the relevant subset of policies.
  - 14. A computer-implemented method according to claim 5, wherein:
    - the evaluation of the request is based at least in part on a set of decision data; and
      
      the method further comprises;
      
      receiving a set of substitute decision data along with the request including the indication that the request is to be processed in the verification mode; and
      
      substituting corresponding portions of the set of decision data with the set of substitute decision data.
  - 15. A computer-implemented method according to claim 14, further comprising receiving at least one cryptographic credential corresponding to an authority to substitute corresponding portions of the set of decision data with the set of substitute decision data, and authenticating said at least one cryptographic credential.
  - 16. A computer-implemented method according to claim 5, wherein:
    - the indication that the request is to be processed in the verification mode is associated with a level of reporting detail; and
      
      the report further includes a summary in accordance with the level of reporting detail.

17. A computer-implemented method for policy enforcement, comprising:
- receiving, by a computer system, a set of user-specified policies and generating a set of normal form policies corresponding to the set of user-specified policies;
  
  receiving a request associated with one of the set of user-specified policies and receiving a verification mode indication that the request is to be processed in a verification mode capable of enabling verification of a configuration of the one of the set of user-specified policies;
  
  selecting, by the computer system, at least one of a plurality of policy enforcement components to evaluate the request;
  
  determining, by the computer system, a relevant subset of the set of normal form policies based at least in part on at least one attribute of the request and evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant subset;
  
  determining an applied subset of the set of user-specified policies based at least in part on the relevant subset of normal form policies;
  
  responsive to the verification mode indication, evaluating performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset; and
  
  providing for presentation, to a computing device associated with the request, a report that includes the determined applied subset of user-specified policies and a result of the evaluation of the request based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request.
- View Dependent Claims (18, 19, 20)
- - 18. A computer-implemented method according to claim 17, wherein determining the applied subset of user-specified policies comprises mapping each of the relevant subset of normal form policies to at least one user-specified policy.
  - 19. A computer-implemented method according to claim 17, wherein the report further includes the relevant subset of normal form policies distinct from the applied subset of user-specified policies.
  - 20. A computer-implemented method according to claim 17, wherein the set of normal form policies is based at least in part on the set of user-specified policies and the correspondence between the set of normal form policies and the set of user-specified policies is different from a one-to-one correspondence.

21. A computerized system for policy enforcement, comprising:
- at least one interface of the system configured to, at least;
  
  receive a request associated with at least one of a set of policies, the request including an indication that the request is to be processed in a verification mode;
  
  at least one policy enforcement component of a plurality of policy enforcement components that is selected and configured to, at least;
  
  determine a relevant subset of the set of policies based at least in part on at least one attribute of the request; and
  
  evaluate the request with respect to the relevant subset of policies;
  
  a verification mode component configured to, at least;
  
  evaluate performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of policies; and
  
  provide for presentation, to a computing device associated with the request, a report that includes the determined relevant subset of policies and a result of the evaluation of the request based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request; and
  
  one or more processors collectively facilitating at least said at least one interface, said at least one policy enforcement component, and the verification mode component.
- View Dependent Claims (22)
- - 22. A computerized system according to claim 21, further comprising:
    - a plurality of policy enforcement components each having a distinct location in a network; and
      
      a policy management component configured at least to receive user-specified policies, generate corresponding policies in a normal form, and distribute the normal form policies to the plurality of policy enforcement components.

23. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that configure one or more computers to collectively, at least:
- receive a request associated with at least one of a set of policies, the request including an indication that the request is to be processed in a verification mode;
  
  select at least one of a plurality of policy enforcement components to evaluate the request with respect to the at least one of the set of policies and submitting the request to the at least one of the plurality of policy enforcement components;
  
  evaluate, by the at least one selected policy enforcement component, the request with respect to a relevant subset of the set of policies;
  
  responsive to the indication that the request is to be processed in the verification mode, evaluate performance of an action indicated by the request such that the performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of the set policies; and
  
  provide for presentation, to a computing device associated with the request, a report that includes information utilized to evaluate the request including the relevant subset of the set of policies and a result of the evaluation of the request based at least in part on the evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request.
- View Dependent Claims (24)
- - 24. One or more computer-readable media according to claim 23, wherein:
    - the evaluation of the request occurs at the plurality of policy enforcement components; and
      
      the information included in the report is collected from the plurality of policy enforcement components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
O'Neill, Kevin, Cavage, Mark
Primary Examiner(s)
Patel, Nirav B

Application Number

US12/961,182
Time in Patent Office

1,891 Days
Field of Search

726/1, 726 2- 4, 726/15
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Distributed policy enforcement with verification mode

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed policy enforcement with verification mode

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links