Distributed policy enforcement with verification mode
First Claim
1. A computer-implemented method for distributed policy enforcement, comprising:
- maintaining, by a computer system, a plurality of sets of policies at a plurality of policy enforcement components of a virtual resource provider that is configured to provision a plurality of computer resources;
receiving, via a control plane of the virtual resource provider, a request with respect to at least one action performed by at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider, the request including an indication that the request is to be processed in a verification mode;
selecting, by the computer system, at least one of the plurality of policy enforcement components to evaluate the request with respect to at least one of the plurality of sets of policies and submitting the request to the at least one of the plurality of policy enforcement components;
determining a relevant policy subset of the at least one of the plurality of sets of policies that is relevant with respect to the request;
evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant policy subset;
evaluating, upon determining that the request is to be processed in the verification mode based at least in part on the indication included in the request, performance of the at least one action by the at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider such that performance of the at least one action is inhibited regardless of whether the at least one action is in compliance with the relevant policy subset; and
providing for presentation, to a computing device associated with the request, a report that includes the determined relevant policy subset and a result of the evaluation of the request based at least in part on evaluation of the performance of the at least one action, the report configured to be presented via a user interface of the computing device associated with the request.
1 Assignment
0 Petitions
Accused Products
Abstract
User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.
84 Citations
24 Claims
-
1. A computer-implemented method for distributed policy enforcement, comprising:
-
maintaining, by a computer system, a plurality of sets of policies at a plurality of policy enforcement components of a virtual resource provider that is configured to provision a plurality of computer resources; receiving, via a control plane of the virtual resource provider, a request with respect to at least one action performed by at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider, the request including an indication that the request is to be processed in a verification mode; selecting, by the computer system, at least one of the plurality of policy enforcement components to evaluate the request with respect to at least one of the plurality of sets of policies and submitting the request to the at least one of the plurality of policy enforcement components; determining a relevant policy subset of the at least one of the plurality of sets of policies that is relevant with respect to the request; evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant policy subset; evaluating, upon determining that the request is to be processed in the verification mode based at least in part on the indication included in the request, performance of the at least one action by the at least one computer resource of the plurality of computer resources provisioned by the virtual resource provider such that performance of the at least one action is inhibited regardless of whether the at least one action is in compliance with the relevant policy subset; and providing for presentation, to a computing device associated with the request, a report that includes the determined relevant policy subset and a result of the evaluation of the request based at least in part on evaluation of the performance of the at least one action, the report configured to be presented via a user interface of the computing device associated with the request. - View Dependent Claims (2, 3, 4, 8)
-
-
5. A computer-implemented method for policy enforcement, comprising:
-
receiving, by a computer system, a request associated with at least one of a first set of policies, the request including an indication that the request is to be processed in a verification mode; selecting, by the computer system, at least one of a plurality of policy enforcement components to evaluate the request with respect to the at least one of the first set of policies and submitting the request to the at least one of the plurality of policy enforcement components; determining, by the computer system, a relevant subset of the first set of policies based at least in part on at least one attribute of the request; evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant subset of policies at least in part thereby determining at least one policy evaluation result; responsive to the indication that the request is to be processed in the verification mode, evaluating performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of policies; and providing for presentation, to a computing device associated with the request, a report that includes the determined relevant subset of policies and the at least one policy evaluation result based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request. - View Dependent Claims (6, 7, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A computer-implemented method for policy enforcement, comprising:
-
receiving, by a computer system, a set of user-specified policies and generating a set of normal form policies corresponding to the set of user-specified policies; receiving a request associated with one of the set of user-specified policies and receiving a verification mode indication that the request is to be processed in a verification mode capable of enabling verification of a configuration of the one of the set of user-specified policies; selecting, by the computer system, at least one of a plurality of policy enforcement components to evaluate the request; determining, by the computer system, a relevant subset of the set of normal form policies based at least in part on at least one attribute of the request and evaluating, by the at least one selected policy enforcement component, the request with respect to the relevant subset; determining an applied subset of the set of user-specified policies based at least in part on the relevant subset of normal form policies; responsive to the verification mode indication, evaluating performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset; and providing for presentation, to a computing device associated with the request, a report that includes the determined applied subset of user-specified policies and a result of the evaluation of the request based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request. - View Dependent Claims (18, 19, 20)
-
-
21. A computerized system for policy enforcement, comprising:
-
at least one interface of the system configured to, at least; receive a request associated with at least one of a set of policies, the request including an indication that the request is to be processed in a verification mode; at least one policy enforcement component of a plurality of policy enforcement components that is selected and configured to, at least; determine a relevant subset of the set of policies based at least in part on at least one attribute of the request; and evaluate the request with respect to the relevant subset of policies; a verification mode component configured to, at least; evaluate performance of an action indicated by the request such that performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of policies; and provide for presentation, to a computing device associated with the request, a report that includes the determined relevant subset of policies and a result of the evaluation of the request based at least in part on evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request; and one or more processors collectively facilitating at least said at least one interface, said at least one policy enforcement component, and the verification mode component. - View Dependent Claims (22)
-
-
23. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that configure one or more computers to collectively, at least:
-
receive a request associated with at least one of a set of policies, the request including an indication that the request is to be processed in a verification mode; select at least one of a plurality of policy enforcement components to evaluate the request with respect to the at least one of the set of policies and submitting the request to the at least one of the plurality of policy enforcement components; evaluate, by the at least one selected policy enforcement component, the request with respect to a relevant subset of the set of policies; responsive to the indication that the request is to be processed in the verification mode, evaluate performance of an action indicated by the request such that the performance of the action is inhibited regardless of whether the action is in compliance with the relevant subset of the set policies; and provide for presentation, to a computing device associated with the request, a report that includes information utilized to evaluate the request including the relevant subset of the set of policies and a result of the evaluation of the request based at least in part on the evaluation of the performance of the action, the report configured to be presented via a user interface of the computing device associated with the request. - View Dependent Claims (24)
-
Specification