Automatic privilege determination

US 9,264,449 B1
Filed: 05/01/2012
Issued: 02/16/2016
Est. Priority Date: 05/01/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for constructing an access control policy, comprising:

receiving, by a processor of a computer system of a policy determination service, a log of one or more requests issued by a customer owned identity during a training period;

determining, by the processor of the computer system, an access control policy based at least in part on an analysis of the log of one or more requests issued by the customer owned identity;

receiving a set of observed requests issued by the customer owned identity; and

generating a revised access control policy for the customer owned identity by at least;

determining a set of related requests that are related to at least one observed request from the set of observed requests; and

adding privileges to the revised access control policy to perform the set of related requests.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control determination service automatically determines and/or revises an access control policy using actions attempted by a client system. A client is observed during operation. A policy system analyzes the actions performed and/or results of the actions performed by a client system. Using the results of the analysis, the access control determination service determines the permissions needed in an access control policy that will be applied to the client.

25 Citations

View as Search Results

28 Claims

1. A computer-implemented method for constructing an access control policy, comprising:
- receiving, by a processor of a computer system of a policy determination service, a log of one or more requests issued by a customer owned identity during a training period;
  
  determining, by the processor of the computer system, an access control policy based at least in part on an analysis of the log of one or more requests issued by the customer owned identity;
  
  receiving a set of observed requests issued by the customer owned identity; and
  
  generating a revised access control policy for the customer owned identity by at least;
  
  determining a set of related requests that are related to at least one observed request from the set of observed requests; and
  
  adding privileges to the revised access control policy to perform the set of related requests.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein said generating the revised access control policy further comprises restricting the customer owned identity to requests allowed by the revised access control policy in at least one manner that the observed requests were performed.
  - 3. The computer-implemented method of claim 2, wherein the manner is selected from time of day, day of week, origin IP address or secure communication.
  - 4. The computer-implemented method of claim 1, wherein the revised access control policy includes at least one privilege that is narrower for authorized sensitive requests than other authorized requests.
  - 5. The computer-implemented method of claim 1, further comprising applying the revised access control policy to the customer owned identity.

6. A computer-implemented method for constructing an access control policy, comprising:
- receiving, by a processor of a computer system, one or more actions performed by a client with respect to resources in a program execution service, at least a portion of the one or more actions included in a log and performed by the client during a training period;
  
  analyzing the one or more actions performed by the client with respect to the resources in the program execution service;
  
  generating, by the processor of the computer system, an access control policy based at least in part on the analyzed actions, the access control policy applicable to at least the client;
  
  identifying one or more other actions related to the analyzed actions; and
  
  adding privileges to the access control policy to perform the one or more other actions.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The computer-implemented method of claim 6, wherein generating the access control policy is also based at least in part on user customizable settings.
  - 8. The computer-implemented method of claim 7, wherein generating the access control policy includes generating proposed restrictions and receiving an indication from a user which of the proposed restrictions to apply to form the user customizable settings.
  - 9. The computer-implemented method of claim 7, wherein generating the access control policy further comprises:
    - examining the access control policy for errors caused by the user customizable settings; and
      
      warning a customer about user customizable settings that caused the one or more errors.
  - 10. The computer-implemented method of claim 9, wherein said examining for errors further comprises applying the access control policy to the analyzed actions to determine which actions would have been denied based on the customizable settings.
  - 11. The computer-implemented method of claim 6, wherein the method further comprises selecting the one or more actions based at least in part on code coverage, the code coverage representing a set of actions capable of being performed by the client.
  - 12. The computer-implemented method of claim 6, wherein the log is received from a logging service, the logging service having recorded evidence of prior performed actions, and wherein analyzing the one or more actions further comprises analyzing the log received from the logging service.
  - 13. The computer-implemented method of claim 6, wherein the method further comprises receiving a request to create the access control policy for the client, the access control policy defining allowable actions with respect to the resources.
  - 14. The computer-implemented method of claim 6, further comprising generating a revised access control policy for the client based at least in part on a set of observed actions, the revised access control policy including at least one privilege that is narrower for authorized sensitive actions than other authorized actions.
  - 15. The computer-implemented method of claim 6, the method further comprising:
    - obtaining a set of actions performed by the client; and
      
      applying the access control policy to the set of actions to determine which actions would have failed the access control policy.

16. A computer system, comprising:
- one or more processors; and
  
  memory, including instructions executable by the one or more processors to cause the computer system to at least;
  
  store an access control policy for an identity, the access control policy including a permission authorizing the identity to perform an action, the access control policy generated based at least in part on one or more actions of the identity included in a log and performed by the identity during a training period;
  
  determine that the access control policy does not include a related permission authorizing the identity to perform a related action based at least on a comparison of the access control policy to information that describes relationships between actions performable within a service provider environment; and
  
  cause the access control policy to include at least the related permission authorizing the related action.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer system of claim 16, wherein the memory further comprises instructions executable by the one or more processors to cause the computer system to at least:
    - determine the information that describes relationships between actions from at least an indication of the frequency that the related permission and the permission are identified within the same access control policy.
  - 18. The computer system of claim 16, wherein the memory further comprises instructions executable by the one or more processors to cause the computer system to at least:
    - determine the information that describes relationships between actions from at least information associated with a machine image that identifies actions that the machine image can perform upon execution.
  - 19. The computer system of claim 16, wherein the memory further comprises instructions executable by the one or more processors to cause the computer system to at least:
    - determine the information that describes relationships between actions in response to at least analyzing an executable to identify actions that the executable can perform upon execution.
  - 20. The computer system of claim 19, wherein analyzing an executable further comprises:
    - receiving an indication of deployment of new software to the identity; and
      
      in response to receiving the indication, performing an analysis on the new software and a prior software to determine actions taken by the new software that are absent from the prior software.
  - 21. The computer system of claim 16, wherein the memory further comprises instructions executable by the one or more processors to cause the computer system to at least:
    - determine the information that describes relationships between actions from at least network traffic.
  - 22. The computer system of claim 16, wherein the instructions executable to cause the access control policy to include at least the related permission further comprise instructions executable to cause the computer system to at least:
    - cause the access control policy to include at least the related permission in response to authorization from an administrator.

23. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- analyze one or more actions performed by a client with respect to resources in a program execution service, at least a portion of the one or more actions described by log information and performed by the client during a training period;
  
  generate an access control policy based at least in part on the analyzed actions, the access control policy applicable to at least the client;
  
  identify one or more other actions related to the analyzed actions;
  
  add privileges to the access control policy to perform the one or more other actions; and
  
  associate the determined access control policy with an identity within the program execution service.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The non-transitory computer-readable storage media of claim 23, wherein the log information is received from services.
  - 25. The non-transitory computer-readable storage media of claim 23, wherein the instructions further comprise instructions that, when executed, cause the computer system to at least:
    - monitor, as a proxy, requests from the client and responses to the client to determine the one or more actions performed by the client.
  - 26. The non-transitory computer-readable storage media of claim 23, wherein the access control policy is also based at least in part on user customizable settings.
  - 27. The non-transitory computer-readable storage media of claim 26, wherein the instructions that, upon execution generate the access control policy further comprise instructions, that upon execution, cause the computer system to at least:
    - examine the access control policy for one or more errors caused by the user customizable settings; and
      
      send an indication to a customer that at least one of the user customizable settings caused the one or more errors.
  - 28. The non-transitory computer-readable storage media of claim 27, wherein the instructions that, upon execution examine the access control policy further comprise instructions, that upon execution, cause the computer system to at least:
    - applying the access control policy to a second set of actions to determine which actions would have failed the access control policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Brandwine, Eric Jason, Kramer, Reto
Primary Examiner(s)
Brown, Anthony

Application Number

US13/461,542
Time in Patent Office

1,386 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Automatic privilege determination

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic privilege determination

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links