Account management services for load balancers

US 9,424,429 B1
Filed: 11/18/2013
Issued: 08/23/2016
Est. Priority Date: 11/18/2013
Status: Active Grant

First Claim

Patent Images

1. A system for managing access to a plurality of resources in a multi-tenant computing environment, comprising:

a plurality of resources, each resource of the plurality of resources capable of being accessed in association with an account of a customer of a provider of the plurality of resources;

a first interface enabling the customer to define one or more pools of accounts of the customer, each account of the one or more pools of accounts being associated with one or more users, each pool of accounts associated with a respective policy indicating one or more criteria for providing access to at least one resource of the plurality of resources;

a second interface enabling a request to be received to the multi-tenant computing environment, the request being initiated by a user; and

a load balancer configured to provide an account management service, the account management service being configured to;

determine that the user, corresponding to the received request, corresponds to a determined pool of the one or more pools of accounts of the customer;

determine whether the received request corresponds to an existing session associated with the user and one or more resources associated with the session; and

provide the request to the one or more resources associated with the session based on determining the received request corresponds to an existing session;

ordetermine that the received request does not correspond to an existing session;

examine the respective policy associated with the determined pool of accounts;

verify that the user, associated with the request, has been authenticated and is authorized, according to the respective policy associated with the determined pool of accounts, to obtain the access to the at least one resource;

determine, using at least one load balancing algorithm, at least one resource of the plurality of resources for processing the request; and

transmit information for the request to the determined at least one resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A configurable load balancer can be utilized in a multi-tenant environment, where the load balancer can incorporate, or utilize, an account management service operable to perform security tasks such as authentication, authorization, and session management. Customers can utilize the load balancer to control access that users have to resources associated with those customers, without having to build and maintain a dedicated user management system. By implementing security functionality at the load balancer level, traffic can be managed before reaching the resources, which can help to reduce traffic and load on the resources, and can also help to prevent attacks and secure sensitive information. Visibility into the traffic through the load balancer also allows for behavior and usage monitoring, which is helpful for tasks such as billing and usage limit enforcement.

Citations

27 Claims

1. A system for managing access to a plurality of resources in a multi-tenant computing environment, comprising:
- a plurality of resources, each resource of the plurality of resources capable of being accessed in association with an account of a customer of a provider of the plurality of resources;
  
  a first interface enabling the customer to define one or more pools of accounts of the customer, each account of the one or more pools of accounts being associated with one or more users, each pool of accounts associated with a respective policy indicating one or more criteria for providing access to at least one resource of the plurality of resources;
  
  a second interface enabling a request to be received to the multi-tenant computing environment, the request being initiated by a user; and
  
  a load balancer configured to provide an account management service, the account management service being configured to;
  
  determine that the user, corresponding to the received request, corresponds to a determined pool of the one or more pools of accounts of the customer;
  
  determine whether the received request corresponds to an existing session associated with the user and one or more resources associated with the session; and
  
  provide the request to the one or more resources associated with the session based on determining the received request corresponds to an existing session;
  
  ordetermine that the received request does not correspond to an existing session;
  
  examine the respective policy associated with the determined pool of accounts;
  
  verify that the user, associated with the request, has been authenticated and is authorized, according to the respective policy associated with the determined pool of accounts, to obtain the access to the at least one resource;
  
  determine, using at least one load balancing algorithm, at least one resource of the plurality of resources for processing the request; and
  
  transmit information for the request to the determined at least one resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the first interface is an application programming interface (API) that further enables the customer to manage one or more aspects of the one or more pools of accounts.
  - 3. The system of claim 2, wherein the one or more aspects includes at least one of a type of authentication to be performed, a type of authorization to be performed, a type of registration to be performed, a method or password establishment, a method of password recovery, a type of resource access, or an amount of resource access for at least one pool of the one or more pools of accounts.
  - 4. The system of claim 1, further comprising:
    - a third interface enabling the customer to determine billing data for the user based at least in part upon an amount of usage of the determined resource on behalf of the user and the determined pool of accounts associated with the user.
  - 5. The system of claim 1, further comprising:
    - an application programming interface (API) programmable to instantiate and configure the load balancer.
  - 6. The system of claim 1, wherein the account management service is further configured to:
    - cause the user to authenticate to an account management system, wherein the account management system causes a session to be initiated for the user.

7. A computer-implemented method, comprising:
- receiving a request to a load balancing component of a multi-tenant resource environment, the request being initiated by a user, the multi-tenant resource environment including a plurality of resources associated with two or more customers of the multi-tenant resource environment;
  
  determining an account pool associated with the user, the account pool being determined from a set of account pools established by at least one customer of the multi-tenant resource environment, each account of the set of account pools being associated with one or more users;
  
  determining whether the request corresponds to an existing session in the multi-tenant resource environment;
  
  providing the request to a resource associated with the session based at least in part on determining the request corresponds to an existing session;
  
  ordetermining the request does not correspond to an existing session;
  
  determining, via the load balancing component, a policy specified for the account pool, the policy indicating one or more criteria for processing the request using at least one resource of the plurality of resources;
  
  causing, by the load balancing component, the policy to be evaluated in order to determine that the request satisfies the one or more criteria;
  
  selecting at least one resource of the plurality of resources to process the request; and
  
  transmitting information for the request to the selected resource.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 8. The computer-implemented method of claim 7, further comprising:
    - selecting at least one resource of the plurality of resources to process the request using a load balancing algorithm.
  - 9. The computer-implemented method of claim 7, further comprising:
    - receiving a request from the customer to modify the set of account pools, the request specifying at least one task corresponding to at least one of adding a new account pool, deleting an existing account pool, modifying a type of user associated with the existing account pool, modifying a type of authentication to be used for the existing account pool, or modifying a type of resource access granted for the existing account pool.
  - 10. The computer-implemented method of claim 7, wherein the one or more criteria includes the request being associated with a user having been authenticated to the load balancing component or having permission to access a resource type of the selected resource.
  - 11. The computer-implemented method of claim 7, further comprising:
    - causing a new session to be initiated when the request does not correspond to an existing session in the multi-tenant resource environment.
  - 12. The computer-implemented method of claim 11, wherein the new session is further initiated in response to an authentication of the user.
  - 13. The computer-implemented method of claim 7, wherein the resources include at least one of data servers, application servers, data stores, or virtual machines.
  - 14. The computer-implemented method of claim 7, further comprising:
    - denying the request at the load balancing component in response to determining that the request is not authorized to access the at least one resource.
  - 15. The computer-implemented method of claim 7, further comprising:
    - causing sensitive information for the user to be stored in a data store separate from the plurality of resources and accessible by the load balancing component, wherein a party gaining unauthorized access to a subset of the plurality of resources is unable to access to the sensitive information.
  - 16. The computer-implemented method of claim 7, whereinthe load balancing component is further configured to perform a task for the request, the task being determined based at least in part upon the determined pool of accounts associated with the user, the task including at least one of session creation, user account creation, multi-factor authentication (MFA), password establishment and recovery, protection against denial of service (DoS) attacks, federation integration, mobile integration, sign-out across a resource cluster, single sign-in across applications, automatic bot mitigation, support for multiple sign-in technologies and password alternatives, business analytics, or advertising.
  - 17. The computer-implemented method of claim 7, wherein information from the request, received to the load balancing component, is used by the load balancing component to form other related requests in the multi-tenant resource environment.

18. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a load balancer, cause the load balancer to:
- receive a request associated with a user and at least one of a plurality of resources, the at least one resource being allocated to a customer of the multi-tenant environment, wherein the plurality of resources of the multi-tenant environment are associated with two or more customers of the multi-tenant environment;
  
  determine a pool of accounts associated with the user, the pool of accounts being configured by the customer, each account of the pool of accounts being associated with one or more users;
  
  determine whether the request corresponds to an existing session in the multi-tenant resource environment;
  
  forward the request to a resource associated with the existing session based at least in part on determining the request corresponds to an existing session;
  
  ordetermine the resource does not correspond to an existing session;
  
  determine at least one policy associated with the determined pool of accounts, the at least one policy indicating one or more criteria for processing the request using the at least one resource, at least one of the one or more criteria being specified by at least one of the customer or a provider of the multi-tenant environment;
  
  evaluate the at least one policy to determine that the request satisfies the one or more criteria;
  
  select at least one resource of the plurality of resources to process the request; and
  
  transmit information for the request to the selected resource.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - determine an identifier associated with the multi-tenant resource environment and encode the identifier in the request; and
      
      select at least one resource of the plurality of resources using a load balancing process.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - receive a request from the customer to modify a set of account pools including the pool of accounts, the request specifying at least one task corresponding to at least one of adding a new account pool, deleting an existing account pool, modifying a type of user associated with a account pool, modifying a type of authentication to be used for the account pool, or modifying a type of resource access granted for the account pool.
  - 21. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - provide billing data for the user based at least in part upon an amount of usage of the determined resource, on behalf of the user, and the determined pool of accounts associated with the user.
  - 22. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - determine whether the request is authorized; and
      
      cause similar requests to be filtered when the request is determined to be unauthorized.
  - 23. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - cause the user to be authenticated before evaluating the policy.
  - 24. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - monitor user requests received by the load balancer; and
      
      generate usage statistics for each of a plurality of users associated with a respective user request.
  - 25. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - determine security state information including at least one of whether the user is authenticated, whether the user is authorized to access the at least one resource, or whether the user has an account with at least one of the customer or a provider of the multi-tenant environment before forwarding the information for the request to the determined resource; and
      
      include at least a portion of the security state information in the information forwarded to the determined resource.
  - 26. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further enable the load balancer to:
    - store usage data for the request, the usage data capable of being used for at least one of billing or metering traffic received to the load balancer.
  - 27. The non-transitory computer-readable storage medium of claim 26, wherein billing includes at least one of generating accounting records or causing charges to be accrued for the traffic received to the load balancer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Nguyen, Quynh Khac, Roth, Gregory Branchek
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US14/083,227
Time in Patent Office

1,009 Days
Field of Search

726/1, 726/4, 726/8, 726/23, 726/26
US Class Current

1/1
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/604   Tools and structures for ma...

G06F 3/011   Arrangements for interactio...

G06F 3/017   Gesture based interaction, ...

G06F 3/0304   Detection arrangements usin...

G06F 3/0346   with detection of the devic...

G06F 3/04812   Interaction techniques base...

G06F 3/0484   for the control of specific...

G06F 3/04886   by partitioning the display...

H04L 63/083   using passwords cryptograph...

H04L 63/205   involving negotiation or de...

H04L 67/1001   for accessing one among a p...

Account management services for load balancers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Account management services for load balancers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links