Automatic privilege determination
First Claim
1. A computer-implemented method for constructing an access control policy, comprising:
- receiving, by a processor of a computer system of a policy determination service, a log of one or more requests issued by a customer owned identity during a training period;
- determining, by the processor of the computer system, an access control policy based at least in part on an analysis of the log of one or more requests issued by the customer owned identity;
- receiving a set of observed requests issued by the customer owned identity; and
- generating a revised access control policy for the customer owned identity by at least:
  - determining a set of related requests that are related to at least one observed request from the set of observed requests; and
  - adding privileges to the revised access control policy to perform the set of related requests.
Abstract
An access control determination service automatically determines and/or revises an access control policy using actions attempted by a client system. A client is observed during operation. A policy system analyzes the actions performed and/or results of the actions performed by a client system. Using the results of the analysis, the access control determination service determines the permissions needed in an access control policy that will be applied to the client.
28 Claims
1. A computer-implemented method for constructing an access control policy, comprising:
- receiving, by a processor of a computer system of a policy determination service, a log of one or more requests issued by a customer owned identity during a training period;
- determining, by the processor of the computer system, an access control policy based at least in part on an analysis of the log of one or more requests issued by the customer owned identity;
- receiving a set of observed requests issued by the customer owned identity; and
- generating a revised access control policy for the customer owned identity by at least:
  - determining a set of related requests that are related to at least one observed request from the set of observed requests; and
  - adding privileges to the revised access control policy to perform the set of related requests.

View Dependent Claims (2, 3, 4, 5)

6. A computer-implemented method for constructing an access control policy, comprising:
- receiving, by a processor of a computer system, one or more actions performed by a client with respect to resources in a program execution service, at least a portion of the one or more actions included in a log and performed by the client during a training period;
- analyzing the one or more actions performed by the client with respect to the resources in the program execution service;
- generating, by the processor of the computer system, an access control policy based at least in part on the analyzed actions, the access control policy applicable to at least the client;
- identifying one or more other actions related to the analyzed actions; and
- adding privileges to the access control policy to perform the one or more other actions.

View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A computer system, comprising:
- one or more processors; and
- memory, including instructions executable by the one or more processors to cause the computer system to at least:
  - store an access control policy for an identity, the access control policy including a permission authorizing the identity to perform an action, the access control policy generated based at least in part on one or more actions of the identity included in a log and performed by the identity during a training period;
  - determine that the access control policy does not include a related permission authorizing the identity to perform a related action based at least on a comparison of the access control policy to information that describes relationships between actions performable within a service provider environment; and
  - cause the access control policy to include at least the related permission authorizing the related action.

View Dependent Claims (17, 18, 19, 20, 21, 22)

23. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- analyze one or more actions performed by a client with respect to resources in a program execution service, at least a portion of the one or more actions described by log information and performed by the client during a training period;
- generate an access control policy based at least in part on the analyzed actions, the access control policy applicable to at least the client;
- identify one or more other actions related to the analyzed actions;
- add privileges to the access control policy to perform the one or more other actions; and
- associate the determined access control policy with an identity within the program execution service.

View Dependent Claims (24, 25, 26, 27, 28)
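The learn-then-revise procedure the independent claims describe, as an added example (not the patent's or any assignee's code): a least-privilege policy is derived from a constructed training-period log, and a constructed relationship map supplies the related actions that claims 1, 6 and 16 add and that claim 16 checks for. The action names, resource strings and the relationship map are assumptions.

```python
"""Derive a least-privilege policy from a training log, then revise it
with related actions. Constructed data; not the patent's own code."""
from collections import defaultdict

# Constructed training-period log: (identity, action, resource) tuples.
TRAINING_LOG = [
    ("app-role", "storage:GetObject", "bucket/reports"),
    ("app-role", "storage:GetObject", "bucket/reports"),
    ("app-role", "queue:SendMessage", "queue/jobs"),
    ("other-role", "storage:DeleteObject", "bucket/reports"),
]

# Assumed relationship information: which actions normally accompany
# another action within the service provider environment.
RELATED_ACTIONS = {
    "storage:GetObject": {"storage:ListBucket"},
    "queue:SendMessage": {"queue:GetQueueUrl"},
    "queue:ReceiveMessage": {"queue:DeleteMessage", "queue:GetQueueUrl"},
}


def policy_from_log(log, identity):
    """Map each action the identity actually used to the resources it touched.
    Actions of other identities, and actions never observed, are excluded."""
    policy = defaultdict(set)
    for who, action, resource in log:
        if who == identity:
            policy[action].add(resource)
    return dict(policy)


def missing_related_permissions(policy, relations):
    """Related actions the policy does not yet grant (claim 16's comparison),
    scoped to the resources of the action they are related to."""
    missing = defaultdict(set)
    for action, resources in policy.items():
        for related in relations.get(action, ()):
            if related not in policy:
                missing[related] |= resources
    return dict(missing)


def revise_policy(policy, observed, relations):
    """Add newly observed requests, then the related actions they imply."""
    revised = {action: set(res) for action, res in policy.items()}
    for action, resource in observed:
        revised.setdefault(action, set()).add(resource)
    for related, resources in missing_related_permissions(revised, relations).items():
        revised[related] = resources
    return revised
```

Because the learned policy only contains what the training log shows, a request such as queue:ReceiveMessage is denied until it is observed and the policy is revised; the revision then also grants the related queue:DeleteMessage.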
Specification