Use of freeform metadata for access control

US 9,530,020 B2
Filed: 01/22/2013
Issued: 12/27/2016
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving a request to associate a tag with a computing resource, wherein the tag comprises a key and an associated value;

associating the tag with a computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value;

determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;

receiving a request to perform an operation on the computing resource;

determining that the tag is associated with the computing resource;

evaluating the access control policy, the access control policy referencing the tag as a condition for using the computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with computing resource;

determining that the user is permitted to authorize the operation based at least in part on evaluating the access control policy; and

resolving the request to perform the operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.

38 Citations

View as Search Results

17 Claims

1. A computer implemented method, comprising:
- receiving a request to associate a tag with a computing resource, wherein the tag comprises a key and an associated value;
  
  associating the tag with a computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value;
  
  determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
  
  receiving a request to perform an operation on the computing resource;
  
  determining that the tag is associated with the computing resource;
  
  evaluating the access control policy, the access control policy referencing the tag as a condition for using the computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with computing resource;
  
  determining that the user is permitted to authorize the operation based at least in part on evaluating the access control policy; and
  
  resolving the request to perform the operation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer implemented method of claim 1, wherein the computing resource is:
    - a virtual machine instance, a host computing device, an application, a storage device, a database, a virtual network including a plurality of virtual machines, or an interface.
  - 3. The computer implemented method of claim 1, wherein the access control policy is created using a policy language.
  - 4. The computer implemented method of claim 1, wherein resolving the request is performed by an identity access management service configured to:
    - collect all access control policies that are related to the request to perform the operation; and
      
      evaluate all the access control policies to grant or deny the authorization to perform the operation, wherein evaluating is based at least in part on the tag associated with the computing resource.
  - 5. The computer implemented method of claim 1, further comprising:
    - providing, by a service provider, the computing resource to a customer of the service provider, the computing resource provided in a multitenant shared resource environment; and
      
      enabling the customer to assign the tag to the computing resource by invoking an application programming interface (API).
  - 6. The computer implemented method of claim 1, wherein the access control policy is associated with at least one of:
    - the user, a group of users, or the at least one computing resource.

7. A computing system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computing system to;
  
  receive a request to associate a tag with at least one computing resource, wherein the tag comprises a key and an associated value;
  
  associate the tag with the at least one computing resource in an environment, the tag including a freeform character string specifying the key and the associated value;
  
  determine restrictions for accessing the at least one computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
  
  receive a request to perform an operation on the at least one computing resource;
  
  determine that the tag is associated with the at least one computing resource;
  
  evaluate the access control policy, the access control policy referencing the tag as at least part of a condition for performing the operation, referencing a user having an account with an operator of the environment, and identifying an operation permitted to be executed by the user if the tag is associated with the at least one computing resource;
  
  determine that the user is permitted to perform the operation based at least in part on evaluating the access control policy; and
  
  resolve the request to perform the operation.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computing system of claim 7, wherein the at least one computing resource further includes one or more of:
    - a virtual machine instance, data stored in a data storage service, an application, a storage device, a database, a virtual network including a plurality of virtual machines, or an interface.
  - 9. The computing system of claim 7, wherein the tag is referenced in the condition by using a policy language that can be used to express the access control policy.
  - 10. The computing system of claim 7, wherein controlling authorization is performed by an identity access management service configured to:
    - collect all access control policies that are related to the request to perform the operation; and
      
      evaluate all the access control policies to grant or deny the authorization to perform the operation, wherein evaluating is based at least in part on the tag associated with the at least one computing resource.
  - 11. The computing system of claim 7, wherein the access control policy is associated with at least one of:
    - the user, a group of users, or the at least one computing resource.
  - 12. The computing system of claim 7, wherein the memory further comprises instructions that, when executed by the at least one processor, causes the computing system to:
    - provide, by a service provider, the at least one computing resource to a customer of the service provider, the at least one computing resource provided in a multitenant shared resource environment; and
      
      enable the customer to assign the tag to the at least one computing resource by invoking an application programming interface (API).

13. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving a request to associate a tag with at least one computing resource, wherein the tag comprises a key and an associated value;
  
  associating the tag with the at least one computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value,determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
  
  receiving a request to perform an operation on the at least one computing resource;
  
  determining that the tag is associated with the at least one computing resource;
  
  evaluating the access control policy, the access control policy referencing the tag as at least part of a condition for controlling access to the at least one computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with the at least one computing resource;
  
  determining that the user is permitted to perform the operation based at least in part on evaluating the access control policy; and
  
  resolve the request to perform the operation.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the at least one computing resource further includes one or more of:
    - a virtual machine instance, a host computing device, an application, a storage device, a database, a virtual network including a plurality of virtual machines, or an interface.
  - 15. The non-transitory computer readable storage medium of claim 13, wherein the access control policy is created by using a policy language.
  - 16. The non-transitory computer readable storage medium of claim 13, wherein controlling authorization is performed by an identity access management service configured to:
    - collect all access control policies that are related to the request to perform the operation; and
      
      evaluate all the access control policies to grant or deny the authorization to perform the operation, wherein evaluating is based at least in part on context information associated with the request and the tag associated with the at least one computing resource.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein the access control policy is associated with at least one of:
    - the user, a group of users, or the at least one computing resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, DeSantis, Peter Nicholas, Thrane, Lon
Primary Examiner(s)
Tolentino, Roderick

Application Number

US13/747,224
Publication Number

US 20140208414A1
Time in Patent Office

1,435 Days
Field of Search

726 26- 30
US Class Current

1/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2149 Restricted operating enviro...

Use of freeform metadata for access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Use of freeform metadata for access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links