Access control using impersonization
First Claim
1. A system of a virtual computing resource service provider, comprising a plurality of computing devices collectively configured to implement an authentication system, a policy evaluation system and a first and second and third computing resource service, wherein:
- the authentication system processes an authentication request by verifying an electronic signature of a first request and provides an authentication response having information identifying a set of computing resource services being a cause of the authentication request;
- the first computing resource service receives the first request and, as a result, submits the authentication request to the authentication system, receives the authentication response and, as part of fulfilling the first request, uses the authentication response to submit a second request to the second computing resource service;
- the first request triggered by a single customer request and the second request being triggered by the first request;
- the policy evaluation system evaluates, based at least in part on a user profile associated with the single customer request and the information identifying the set of computing resource services that caused the authentication request including the first computing resource service, a set of policies applicable to the second request to determine a policy determination;
- the second computing resource service receives the second request from the first computing resource service and processes the second request in accordance with the policy determination;
- the third computing resource service receives a third request from the second computing resource service, the third request triggered by the second request, the first request, and the single customer request; and
- the third computing resource service processes the third request in accordance with a policy based at least in part on the user profile associated with the single customer request and information identifying a set of computing resource services that triggered the third request, including the first and second computing resource service.
Abstract
A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If it is determined that the policy allows fulfillment of the request, the second service fulfills the request.
27 Claims
1. Independent claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method, comprising:
- under the control of one or more computer systems configured with executable instructions, receiving a definition of a policy authored by a user of a computing resource service provider account and applicable to a plurality of computing resources of the computing resource service provider account, including a first, second and third computing resource service, the definition of the policy specifying one or more conditions for fulfillability of a second request submitted as part of, and triggered by, fulfillment of a single first request, and a third request submitted as part of fulfillment of, and triggered by, the second request and the single first request, the one or more conditions based at least in part on an entity submitting the second request;
- receiving, from a first entity on behalf of the service provider account, the first request to perform one or more operations in connection with the one or more computing resources and, as a result, submits an authentication request to an authentication system identifying a set of computing resource services being a cause of the authentication request, including the first computing resource service;
- based at least in part on the policy, processing the first request to perform one or more operations by the first computing resource and, as part of fulfilling the first request, receives an authentication response based at least in part on the authentication request having information identifying a set of computing resource services being a cause of the authentication request, and uses the authentication response to submit a second request to the second computing resource service;
- receiving, from the first computing resource, the second request to perform one or more operations in connection with the one or more computing resources; and
- based at least in part on the policy, processing the second request to perform one or more operations by the second computing resource;
- receiving, from the second computing resource, the third request to perform one or more operations in connection with the one or more computing resources; and
- based at least in part on the policy, processing the third request to perform one or more operations by the third computing resource.

Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- for a pending second request triggered by a first request, determine a set of one or more intermediate computing resource services, including a first computing resource service, that caused submission of the second request based at least in part on an authentication response associated with the first request and identifying the set of one or more intermediate computing resource services, the first request triggered by submission of a single customer request;
- determine, based at least in part on the determined set of one or more intermediate computing resource services, whether fulfillment of the second request complies with a set of policies applicable to the second request, the set of policies includes at least a first policy issued by the customer that identifies one or more authorized computing resources including at least a nonempty subset of the set of one or more intermediate computing resource services; and
- cause the pending second request to be processed by a second computing resource service, based at least in part on whether fulfillment of the second request complies with the set of policies including a determination that each of the set of one or more intermediate computing resource services is an authorized computing resource identified by the first policy;
- for a pending third request, determine a set of one or more intermediate computing resource services, including the second computing resource service, that caused submission of the third request triggered by second request;
- determine, based at least in part on the determined set of one or more intermediate computing resource services, whether fulfillment of the third request complies with a set of policies applicable to the third request, the set of policies includes at least the first policy issued by the customer that identifies one or more authorized computing resources including at least a nonempty subset of the set of one or more intermediate computing resource services; and
- cause the pending third request to be processed by a third computing resource service, based at least in part on whether fulfillment of the third request complies with the set of policies including a determination that each of the set of one or more intermediate computing resource services is an authorized computing resource identified by the first policy.

Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.
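As an added illustration that is not part of the patent text, the following Python model shows the chain-aware policy check the claims describe: each forwarded request carries the ordered set of intermediate services that caused it (what the authentication response identifies), and the downstream service evaluates the customer's own policy, denying unless every service in the chain is one the customer authorized. Service names, the policy shape and the sample requests are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    customer: str        # customer on whose behalf the request is made
    action: str
    target: str
    # Services that caused this request, oldest first (what the
    # authentication response identifies). Empty for a direct customer request.
    chain: tuple = ()

@dataclass
class Policy:
    customer: str
    authorized_services: frozenset   # services allowed to act for the customer
    allowed: dict = field(default_factory=dict)  # action -> allowed targets

def evaluate(policy, request):
    """Return (allowed, reason); deny unless chain and action both pass."""
    if policy.customer != request.customer:
        return False, "policy does not belong to the requesting customer"
    bad = [s for s in request.chain if s not in policy.authorized_services]
    if bad:
        return False, f"unauthorized intermediate service(s): {bad}"
    if request.target not in policy.allowed.get(request.action, set()):
        return False, f"{request.action!r} not allowed on {request.target!r}"
    return True, "every intermediate service is authorized; action permitted"

def forward(request, via, action, target):
    """Request that service `via` submits while fulfilling `request`.

    The chain grows by one hop; the customer identity is carried along so
    the next service evaluates the customer's policy, not the service's."""
    return Request(request.customer, action, target, request.chain + (via,))

# Constructed sample policy: alice lets "compute" and "storage" act for her.
POLICY = Policy("alice", frozenset({"compute", "storage"}),
                {"launch": {"vm-1"}, "read": {"photos"}})

def demo():
    """Allow/deny results for a three-hop chain and one rogue hop."""
    first = Request("alice", "launch", "vm-1")                 # customer -> compute
    second = forward(first, "compute", "read", "photos")       # compute -> storage
    third = forward(second, "storage", "read", "photos")       # storage -> third svc
    rogue = forward(second, "analytics", "read", "photos")     # unauthorized hop
    return [evaluate(POLICY, r)[0] for r in (first, second, third, rogue)]

if __name__ == "__main__":
    print(demo())  # [True, True, True, False]
```

The rogue case is the point of the claims: the action itself is permitted, but the request is denied because a service not named in the customer's policy appears in the chain that produced it.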