Template representation of security resources

US 9,350,738 B2
Filed: 02/02/2015
Issued: 05/24/2016
Est. Priority Date: 03/19/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for template representation of security resources, said method, comprising:

under the control of one or more computer systems configured with executable instructions,reading a template that defines a stack of resources and specifies a set of dependencies between the resources, the template referencing at least one security resource including at least one of;

a user identity, a group, or a policy; and

creating a stack of resources based on the template, said creating further including at least the steps of;

causing the policy to be created based at least in part on the template, the policy specifying a set of permissions for performing one or more actions; and

attaching the policy to a user identity based at least in part on the security resource referenced in the template, the user identity being associated with a user access key, wherein being associated includes the template referencing the user access key, and wherein referencing includes referring to an attribute of the user identity;

receiving a request for the user access key from at least one resource, wherein the at least one resource is a resource of the stack of resources defined by the template, a resource of a different stack, or an external resource; and

for resources that are instructed in the template to receive the user access key, providing the at least one resource with the user access key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for enabling users to model security resources and user access keys as resources in a template language. The template can be used to create and update a stack of resources that will provide a network-accessible service. The security resources and access keys can be referred to in the template during both stack creation process and the stack update process. The security resources can include users, groups and policies. Additionally, users can refer to access keys in the template as dynamic parameters without any need to refer to the access keys in plaintext. The system securely stores access keys within the system and allows for templates to refer to them once defined. These key references can then be passed within a template to resources that need them as well as passing them on securely to resources like server instances through the use of the user-data field.

Citations

14 Claims

1. A computer implemented method for template representation of security resources, said method, comprising:
- under the control of one or more computer systems configured with executable instructions,reading a template that defines a stack of resources and specifies a set of dependencies between the resources, the template referencing at least one security resource including at least one of;
  
  a user identity, a group, or a policy; and
  
  creating a stack of resources based on the template, said creating further including at least the steps of;
  
  causing the policy to be created based at least in part on the template, the policy specifying a set of permissions for performing one or more actions; and
  
  attaching the policy to a user identity based at least in part on the security resource referenced in the template, the user identity being associated with a user access key, wherein being associated includes the template referencing the user access key, and wherein referencing includes referring to an attribute of the user identity;
  
  receiving a request for the user access key from at least one resource, wherein the at least one resource is a resource of the stack of resources defined by the template, a resource of a different stack, or an external resource; and
  
  for resources that are instructed in the template to receive the user access key, providing the at least one resource with the user access key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer implemented method of claim 1, further comprising:
    - creating a group based on the security resource specified in the template; and
      
      associating the user identity with the group.
  - 3. The computer implemented method of claim 1, further comprising:
    - instantiating a compute node based on the template, the compute node providing the network-accessible service; and
      
      associating the compute node with the user identity.
  - 4. The computer implemented method of claim 3, further comprising:
    - instantiating a database instance that stores data processed by the compute node in providing the network-accessible service.
  - 5. The computer implemented method of claim 3, wherein the compute node is provided with the user access key associated with the user identity.

6. A computing device comprising:
- a storage memory storing a set of instructions for template representation of security resources; and
  
  one or more hardware processors configured by the set of instructions to;
  
  read or receive a template that defines a stack of resources and specifies a set of dependencies between the resources, the template defining one or more of;
  
  a user identity, a group or a policy; and
  
  create a stack of resources based on the template, wherein to create the stack of resources the one or more hardware processors are configured to;
  
  create a user identity based at least in part on the template and associated with the stack of resources, the user identity being associated with a user access key, wherein being associated includes the template referencing the user access key, and wherein referencing includes referring to an attribute of the user identity;
  
  receive the policy from an identity management service, the policy specifying a set of permissions for performing one or more actions; and
  
  attach the policy to the user identity referenced in the template;
  
  receive a request for the user access key from at least one resource, wherein the at least one resource is a resource of the stack of resources defined by the template, a resource of a different stack, or an external resource; and
  
  for resources that are instructed in the template to receive the user access key, provide the at least one resource with the user access key.
- View Dependent Claims (7, 8, 9)
- - 7. The computing device of claim 6, further comprising instructions that configure the one or more processors to:
    - create a group based at least in part on the template; and
      
      associate the user identity with the group.
  - 8. The computing device of claim 6, further comprising instructions that configure the one or more processors to:
    - instantiate a compute node based at least in part on the template, the compute node providing the network-accessible service; and
      
      associate the compute node with the user identity.
  - 9. The computing device of claim 8, further comprising instructions that configure the one or more processors to:
    - instantiate a database instance that stores data processed by the compute node in providing the network-accessible service.

10. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of steps for template representation of security resources, the set of steps comprising:
- reading a template that defines a stack of resources and specifies a set of dependencies between the resources, and references at least one security resource, the security resource including at least one of;
  
  a customer identity, a group or a policy; and
  
  creating a stack of resources based on the template, said creating further including at least the steps of;
  
  causing the policy to be created based at least in part on the template, the policy specifying a set of permissions for performing one or more actions; and
  
  attaching the policy to a customer identity based at least in part on the security resource referenced in the template, the customer identity being associated with an access key, and wherein being associated includes the template referencing the access key, referencing including referring to an attribute of the customer identity;
  
  receiving a request for the access key from at least one resource, wherein the at least one resource is a resource of the stack of resources defined by the template, a resource of a different stack, or an external resource; and
  
  for resources that are instructed in the template to receive the user access key, providing the at least one resource with the access key.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory computer readable storage medium of claim 10, wherein the policy is created by invoking an identity management service.
  - 12. The non-transitory computer readable storage medium of claim 10, further comprising:
    - creating a group based on the security resource specified in the template; and
      
      associating the customer identity with the group.
  - 13. The non-transitory computer readable storage medium of claim 10, further comprising:
    - instantiating a compute node based on the template, the compute node providing the network-accessible service; and
      
      associating the compute node with the customer identity.
  - 14. The non-transitory computer readable storage medium of claim 13, further comprising:
    - instantiating a database instance that stores data processed by the compute node in providing the network-accessible service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Edwards, Richard Curtis Jr., Jaisinghani, Avinash, Kramer, Reto, Whitaker, Christopher, Balakrishnan, Venkates P., Jayaraman, Prashant
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US14/611,933
Publication Number

US 20150150081A1
Time in Patent Office

477 Days
Field of Search

726 1- 3, 726 16- 17, 726/21, 713/155, 713/159, 713/172, 380/229, 380/250
US Class Current

1/1
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Template representation of security resources

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Template representation of security resources

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links