Managing restricted access resources

US 9,313,208 B1
Filed: 03/19/2014
Issued: 04/12/2016
Est. Priority Date: 03/19/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

memory including instructions that, when executed by the at least one processor, cause the system to;

determine an action to be performed using at least one resource of a resource provider environment, the at least one resource of the resource provider environment being associated with a restricted zone in the resource provider environment, the restricted zone in the resource provider environment provided for a customer and directly accessible only to people granted at least one corresponding credential on behalf of the customer;

create a primitive corresponding to the action, the primitive capable of being executed in the restricted zone in the resource provider environment to cause the action to be performed using the at least one resource of the resource provider environment;

store the primitive to a primitive repository, the primitive repository storing a plurality of primitives and a plurality of workflows, each workflow comprising two or more primitives;

receive a selection of the primitive from the primitive repository;

cause a ticket to be generated by a ticket manager component of a control plane, the control plane comprising a virtual layer of hardware and software components for performing control and management actions, and submitted to the restricted zone in the resource provider environment, the ticket including information for the selected primitive and capable of being approved and executed within the restricted zone in the resource provider environment;

receive, by the ticket manager component, result information regarding at least one of an approval of the primitive, a denial of the primitive, or information resulting from performance of the action in the restricted zone, the information resulting from performance capable of having information redacted before passing from the restricted zone in the resource provider environment, and the information being made available to the components of the control plane; and

store at least a portion of the result information in a repository outside the restricted zone in the resource provider environment, wherein the approval of the primitive indicates that the primitive is capable of being executed in the restricted zone in the resource provider environment without requiring another approval.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Entities such as resource and service providers can utilize a ticketing system to define operational actions as primitives that can be stored, combined into more complex workflows, and executed in a restricted zone wherein a portion of the resources or services are not directly accessible to those providers. These primitives can be stored in the provider environment and shared with the restricted zone, in order to provide a structured approach to the sharing of operational knowledge. When a primitive is first received to the restricted zone, a person vetted by the customer associated with the restricted zone can review and approve the primitive, and can cause the primitive to be executed in the restricted zone. When that same primitive is subsequently received to the restricted zone, a lookup can be performed to determine that an approval exists, whereby the primitive can be executed in the restricted zone without another review.

Citations

20 Claims

1. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  determine an action to be performed using at least one resource of a resource provider environment, the at least one resource of the resource provider environment being associated with a restricted zone in the resource provider environment, the restricted zone in the resource provider environment provided for a customer and directly accessible only to people granted at least one corresponding credential on behalf of the customer;
  
  create a primitive corresponding to the action, the primitive capable of being executed in the restricted zone in the resource provider environment to cause the action to be performed using the at least one resource of the resource provider environment;
  
  store the primitive to a primitive repository, the primitive repository storing a plurality of primitives and a plurality of workflows, each workflow comprising two or more primitives;
  
  receive a selection of the primitive from the primitive repository;
  
  cause a ticket to be generated by a ticket manager component of a control plane, the control plane comprising a virtual layer of hardware and software components for performing control and management actions, and submitted to the restricted zone in the resource provider environment, the ticket including information for the selected primitive and capable of being approved and executed within the restricted zone in the resource provider environment;
  
  receive, by the ticket manager component, result information regarding at least one of an approval of the primitive, a denial of the primitive, or information resulting from performance of the action in the restricted zone, the information resulting from performance capable of having information redacted before passing from the restricted zone in the resource provider environment, and the information being made available to the components of the control plane; and
  
  store at least a portion of the result information in a repository outside the restricted zone in the resource provider environment, wherein the approval of the primitive indicates that the primitive is capable of being executed in the restricted zone in the resource provider environment without requiring another approval.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the instructions when executed further cause the system to:
    - determine at least one additional primitive to be executed;
      
      combine the primitive and the at least one additional primitive into a workflow; and
      
      enable selection of the workflow for insertion into a ticket and execution in the restricted zone in the resource provider environment.
  - 3. The system of claim 1, wherein the instructions when executed further cause the system to:
    - determine at least one policy for the action and the restricted zone in the resource provider environment; and
      
      generate the primitive according to the at least one policy.
  - 4. The system of claim 1, wherein the instructions when executed further cause the system to:
    - determine a piece of data prevented from being extracted from the restricted zone in the resource provider environment, the piece of data needed for inclusion in the primitive for execution in the restricted zone in the resource provider environment; and
      
      insert, into the primitive, a placeholder for the piece of data, a value for the piece of data capable of being inserted in place of a respective placeholder when the primitive is inside the restricted zone in the resource provider environment.

5. A computer-implemented method, comprising:
- determining an action to be performed using a resource of a resource provider environment;
  
  creating a primitive corresponding to the action, the primitive capable of being processed to cause the action to be performed using the resource of the resource provider environment;
  
  receiving, on behalf of an authorized user, a request for the primitive;
  
  providing the primitive in response to the request, the primitive capable of being included in a ticket to be generated by a ticket manager component of a control plane, the control plane comprising a virtual layer of hardware and software components for performing control and management actions, and submitted to cause the action associated with the primitive to be performed using the resource of the resource provider environment,wherein the resource of the resource provider environment is capable of being one of a set of restricted resources preventing the action from being directly submitted to the resource of the resource provider environment for performance; and
  
  receiving result information related to the primitive b the ticket manager component, the information being made available to the components of the control plane.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer-implemented method of claim 5, further comprising:
    - receiving result information regarding at least one of an approval of the primitive, a denial of the primitive, or information resulting from the performance of the action associated with the primitive; and
      
      storing at least a portion of the result information, wherein the approval of the primitive indicates that the primitive is capable of being processed by the set of restricted resources without another approval.
  - 7. The computer-implemented method of claim 5, further comprising:
    - determining at least one piece of restricted information for the primitive that is restricted from being obtained from the set of restricted resources; and
      
      causing a placeholder to be inserted in the primitive for each piece of restricted information.
  - 8. The computer-implemented method of claim 5, further comprising:
    - determining at least one additional primitive to be processed with the primitive; and
      
      generating a workflow including the primitive and the at least one additional primitive, the workflow capable of being included in the ticket to be generated and submitted to the set of restricted resources.
  - 9. The computer-implemented method of claim 5, further comprising:
    - determining that the set of restricted resources is part of a restricted zone associated with a customer; and
      
      maintaining a mirrored set of resources outside the restricted zone, wherein the primitive is capable of being tested against the mirrored set of resources.
  - 10. The computer-implemented method of claim 5, further comprising:
    - determining a type of the resource of the resource provider environment for use in performing the action, wherein the type of the resource of the resource provider environment is at least one of a server, a networking component, firmware, operating system software, middleware, application software, a security service, or a third party service.
  - 11. The computer-implemented method of claim 5, further comprising:
    - generating a rollback primitive, the rollback primitive capable of being included in a ticket to be generated and submitted to enable the action associated with the primitive to be undone using the resource of the resource provider environment.
  - 12. The computer-implemented method of claim 5, further comprising:
    - analyzing at least one policy associated with the set of restricted resources; and
      
      associating information with the primitive indicating whether the primitive is capable of being submitted to the set of restricted resources according to the at least one policy.
  - 13. The computer-implemented method of claim 5, wherein the action includes at least one of a configuration operation or a management operation for at least a subset of the set of restricted resources.

14. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- receive a ticket generated by a ticket manager component of a control plane, the control plane comprising a virtual layer of hardware and software components for performing control and management actions, the ticket including a primitive, the primitive specifying an action to be performed using a resource in a restricted zone, the restricted zone being a portion of a resource environment managed by a resource provider, the resource provider being restricted from directly accessing the resource in the restricted zone;
  
  enable the action to be performed using the resource when an approval exists for the primitive in the restricted zone;
  
  cause the primitive to be reviewed when no approval or denial exists for the primitive in the restricted zone, wherein a person having a credential enabling access to resources of the restricted zone is enabled to review the primitive and cause an approval or denial to be generated for the primitive, generation of an approval causing the action to be performed using the resource; and
  
  return information to the ticket manager component about at least one of the approval, the denial, or information about performance of the action by the resource, the information being made available to the components of the control plane.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - determine at least one additional primitive included in the ticket; and
      
      cause the primitive and the at least one additional primitive to be processed in the restricted zone only when a respective approval exists for each of the primitive and the at least one additional primitive.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - redact, from the information returned in response to receiving the ticket, any data restricted from being sent outside the restricted zone.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - analyze at least one policy for the restricted zone to determine whether to provide an approval for the primitive.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - enable the person having the credential enabling access to resources of the restricted zone to filter primitives by whether an approval exists for each of the primitives.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the action relates to management of the resource in the restricted zone.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed further cause the computer system to:
    - determine a placeholder in the primitive included in the received ticket;
      
      determine restricted information stored in the restricted zone corresponding to the placeholder; and
      
      replace the placeholder with the restricted information before causing the primitive to be processed using the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Letz, Stefan, Engers, Ross Bevan, Bauman, Daniel, Buys, Willem Jacob, Sjoberg, Timothy Ralph, Agranat, Ronen Dov, Musnitzky, Aidan, Mentz, Joshua, Mulder, Brian Frederick
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
Bucknor, Olanrewaju

Application Number

US14/219,930
Time in Patent Office

755 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/0631   Resource planning, allocati...

H04L 41/5074   Handling of user complaints...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Managing restricted access resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing restricted access resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links