Policy enforcement delays
Abstract
Policies are used to control access to resources. Requests to change a set of policies may be fulfillable, at least in some circumstances, only if the requests are submitted such that the requested changes would become effective at a time in the future that is in compliance with a requirement for delayed enforcement. The requirement for delayed enforcement may be encoded in a policy in the set of policies.
26 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems that execute instructions to provide one or more services to a customer of a computing resource service provider, storing a set of one or more policies that include a policy addition policy that specifies one or more conditions that are conditions precedent to changing a set of policies, wherein the one or more conditions include a requirement for a delay of enforcement for proposed policies;
receiving a request to add a proposed policy, the policy addition policy being applicable to the proposed policy;
determining, based at least in part on information, including a time indicating when the proposed policy is to become effective, the time included with the request, whether the proposed policy complies with the requirement;
wherein, as a result of determining that the proposed policy complies with the requirement, causing the proposed policy to become effective in accordance with the time indicated; and
wherein, as a result of determining that the proposed policy fails to comply with the requirement, causing the request to be denied.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer-implemented method, comprising:
under the control of one or more computer systems that execute instructions to provide one or more services to a customer of a computing resource service provider, receiving a request for a change to a set of one or more policies;
determining, based at least in part on the request, whether the change requested satisfies one or more requirements of a policy that specifies conditions precedent for policy changes to become effective, at least one of the one or more requirements being that an effective time, included with the request, complies with a requirement for delay for the change;
as a result of determining that the change requested satisfies the one or more requirements, enabling the change to become effective in accordance with the requirement for delay; and
as a result of determining that the change requested fails to satisfy the one or more requirements, causing the request to be denied.
Dependent claims: 9, 10, 11, 12, 13
14. A system that provides a service to a customer of a computing resource service provider, comprising:
a frontend subsystem of the service of the computing resource service provider that receives requests to change policy; and
a policy management subsystem of the service of the computing resource service provider that, upon receipt of a request for a change to policy by the frontend subsystem:
receives information from the frontend subsystem based at least in part on the request;
determines, based at least in part on the information received, whether the change requested, including an effective time included with the information, is in compliance with one or more delay requirements of an existing policy that specifies conditions precedent for policy changes to become effective;
as a result of determining that the change requested is in compliance with the one or more requirements, enables the change to become effective; and
as a result of determining that the change requested is out of compliance with the one or more requirements, disallows the change from becoming effective.
Dependent claims: 15, 16, 17, 18, 19, 20
21. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, as a result of execution by one or more processors of a system that provides computing resources of a computing resource service provider as a service to an entity, cause the system to:
manage a set of policies for access to the computing resources of the computing resource service provider on behalf of the entity;
receive a first request for a proposed change to the set of policies;
based at least in part on the first request including information that indicates an amount of time in accordance with one or more requirements for delayed effectiveness, specified by a policy on policy changes, of the proposed change, process the first request so that the proposed change is cancellable, before becoming effective, at least for the amount of time; and
on a condition that a second request to cancel the proposed change is received by the system before the proposed change becomes effective, cause the proposed change to be cancelled.
Dependent claims: 22, 23, 24, 25, 26
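The abstract and claim 21 describe a delay requirement that is checked against the effective time carried in the request, with the change remaining cancellable until it takes effect. The following example of that flow is added here and is not taken from the patent; `PolicyStore`, its method names, the 48-hour delay and the sample policies are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class PolicyStore:
    """Toy policy set; min_delay plays the role of the policy on policy changes."""
    min_delay: timedelta
    active: list = field(default_factory=list)   # policies currently enforced
    pending: dict = field(default_factory=dict)  # change_id -> (policy, effective_at)
    next_id: int = 1

    def request_add(self, policy, effective_at, now):
        """Accept the proposal only if its effective time honours the delay."""
        if effective_at < now + self.min_delay:
            return None  # request denied
        change_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[change_id] = (policy, effective_at)
        return change_id

    def cancel(self, change_id, now):
        """Cancel a proposal; possible only before it becomes effective."""
        entry = self.pending.get(change_id)
        if entry is None or now >= entry[1]:
            return False
        del self.pending[change_id]
        return True

    def enforce(self, now):
        """Promote every pending proposal whose effective time has arrived."""
        for change_id in sorted(self.pending):
            policy, effective_at = self.pending[change_id]
            if now >= effective_at:
                self.active.append(policy)
                del self.pending[change_id]
        return self.active


def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)        # constructed clock
    store = PolicyStore(min_delay=timedelta(hours=48))    # assumed 48 h delay
    grant = {"effect": "allow", "principal": "*", "resource": "bucket/logs"}
    denied = store.request_add(grant, t0 + timedelta(hours=1), now=t0)
    first = store.request_add(grant, t0 + timedelta(hours=48), now=t0)
    cancelled = store.cancel(first, now=t0 + timedelta(hours=47))
    audit = {"effect": "deny", "principal": "guest", "resource": "bucket/logs"}
    second = store.request_add(audit, t0 + timedelta(hours=72), now=t0)
    before = list(store.enforce(t0 + timedelta(hours=71)))
    after = list(store.enforce(t0 + timedelta(hours=72)))
    too_late = store.cancel(second, now=t0 + timedelta(hours=73))
    return denied, cancelled, before, after, too_late
```

In `demo()`, the proposal with a one-hour effective time is denied, the compliant proposal is cancelled during its pending window, and the second compliant proposal is enforced only once its effective time arrives, after which it can no longer be cancelled.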
Specification