Use of freeform metadata for access control
First Claim
1. A computer implemented method, comprising:
- receiving a request to associate a tag with a computing resource, wherein the tag comprises a key and an associated value;
- associating the tag with the computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value;
- determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
- receiving a request to perform an operation on the computing resource;
- determining that the tag is associated with the computing resource;
- evaluating the access control policy, the access control policy referencing the tag as a condition for using the computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with the computing resource;
- determining that the user is permitted to authorize the operation based at least in part on evaluating the access control policy; and
- resolving the request to perform the operation.
1 Assignment
0 Petitions
Abstract
Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
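The tag-conditioned evaluation that the abstract and claim 1 describe, written out as an added Python example for this page; it is not code from the patent or from its assignee. The names Resource, Statement, request_tag, request_operation, the "TagResource" operation and the env=dev policy are constructed assumptions. The example goes one step beyond the claim: the request to associate a tag is itself treated as an operation that is checked against the policy before the tag is written, because with freeform tags whoever can write a tag can otherwise manufacture the condition that gates the resource.

```python
"""Tag-conditioned access control: a minimal default-deny evaluator.

Constructed example. Resources carry freeform key/value tags; a policy
statement grants a principal a set of operations on a resource only when
the referenced (key, value) pair is present on that resource.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    """A computing resource carrying freeform key/value tags (assumed shape)."""
    resource_id: str
    tags: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Statement:
    """One allow statement: `principal` may run `operations` on resources that
    carry `required_tag`.  required_tag=None means no tag condition."""
    principal: str
    operations: frozenset[str]
    required_tag: Optional[tuple[str, str]] = None


def tag_matches(resource: Resource, required_tag: Optional[tuple[str, str]]) -> bool:
    """The condition is on the combination of key AND value.
    Assumption: exact, case-sensitive string comparison, nothing normalised."""
    if required_tag is None:
        return True
    key, value = required_tag
    return resource.tags.get(key) == value


def is_permitted(policy: list[Statement], principal: str, operation: str,
                 resource: Resource) -> bool:
    """Default deny: permitted only if some statement names this principal,
    includes this operation, and its tag condition holds on the resource."""
    return any(
        s.principal == principal
        and operation in s.operations
        and tag_matches(resource, s.required_tag)
        for s in policy
    )


def request_tag(policy: list[Statement], principal: str, resource: Resource,
                key: str, value: str) -> bool:
    """Handle a request to associate a tag.  Tagging is itself an operation
    ("TagResource", an assumed name) evaluated against the resource's
    *current* tags, so a caller cannot add the very tag that would have
    authorised the add.  Returns True if the tag was written."""
    if not is_permitted(policy, principal, "TagResource", resource):
        return False
    resource.tags[key] = value
    return True


def request_operation(policy: list[Statement], principal: str, operation: str,
                      resource: Resource) -> str:
    """Resolve a request to perform an operation: 'allowed' or 'denied'."""
    return "allowed" if is_permitted(policy, principal, operation, resource) else "denied"


def demo() -> dict[str, object]:
    """Walk one resource through tagging and operation requests (constructed)."""
    # alice may Start/Stop only resources tagged env=dev; ops may tag anything.
    policy = [
        Statement("alice", frozenset({"Start", "Stop"}), ("env", "dev")),
        Statement("ops", frozenset({"TagResource"})),
    ]
    vm = Resource("vm-1")  # created untagged
    out: dict[str, object] = {}
    out["untagged_start"] = request_operation(policy, "alice", "Start", vm)     # denied: no tag yet
    out["alice_self_tag"] = request_tag(policy, "alice", vm, "env", "dev")       # False: no TagResource grant
    out["ops_tag_prod"] = request_tag(policy, "ops", vm, "env", "prod")          # True
    out["prod_start"] = request_operation(policy, "alice", "Start", vm)         # denied: value mismatch
    out["ops_tag_dev"] = request_tag(policy, "ops", vm, "env", "dev")            # True
    out["dev_start"] = request_operation(policy, "alice", "Start", vm)          # allowed: key and value match
    out["dev_terminate"] = request_operation(policy, "alice", "Terminate", vm)  # denied: op not granted
    out["case_sensitive"] = tag_matches(Resource("vm-2", {"Env": "dev"}), ("env", "dev"))  # False
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points the walk-through makes that the claim text leaves implicit: the condition only holds on the key and value together (env=prod does not unlock what env=dev unlocks), and because comparison here is exact and case-sensitive, a tag written as Env=dev does not satisfy a policy that names env=dev. A deployment built this way either pins an allowed key/value vocabulary or normalises tags on write; otherwise a typo in a freeform tag silently fails closed for the user and, worse, a near-miss key chosen by a tag writer can fail open against a policy that was meant to deny.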
38 Citations
17 Claims
1. A computer implemented method, comprising:
- receiving a request to associate a tag with a computing resource, wherein the tag comprises a key and an associated value;
- associating the tag with the computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value;
- determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
- receiving a request to perform an operation on the computing resource;
- determining that the tag is associated with the computing resource;
- evaluating the access control policy, the access control policy referencing the tag as a condition for using the computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with the computing resource;
- determining that the user is permitted to authorize the operation based at least in part on evaluating the access control policy; and
- resolving the request to perform the operation.
Dependent claims: 2, 3, 4, 5, 6.

7. A computing system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the computing system to:
- receive a request to associate a tag with at least one computing resource, wherein the tag comprises a key and an associated value;
- associate the tag with the at least one computing resource in an environment, the tag including a freeform character string specifying the key and the associated value;
- determine restrictions for accessing the at least one computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
- receive a request to perform an operation on the at least one computing resource;
- determine that the tag is associated with the at least one computing resource;
- evaluate the access control policy, the access control policy referencing the tag as at least part of a condition for performing the operation, referencing a user having an account with an operator of the environment, and identifying an operation permitted to be executed by the user if the tag is associated with the at least one computing resource;
- determine that the user is permitted to perform the operation based at least in part on evaluating the access control policy; and
- resolve the request to perform the operation.
Dependent claims: 8, 9, 10, 11, 12.

13. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving a request to associate a tag with at least one computing resource, wherein the tag comprises a key and an associated value;
- associating the tag with the at least one computing resource in a multitenant environment operated by a service provider, the tag including a freeform character string specifying the key and the associated value;
- determining restrictions for accessing the computing resource based on a combination of the key and the associated value of the tag, the tag being associated with an access control policy;
- receiving a request to perform an operation on the at least one computing resource;
- determining that the tag is associated with the at least one computing resource;
- evaluating the access control policy, the access control policy referencing the tag as at least part of a condition for controlling access to the at least one computing resource, referencing a user having an account with the service provider, and identifying an operation permitted to be executed by the user if the tag is associated with the at least one computing resource;
- determining that the user is permitted to perform the operation based at least in part on evaluating the access control policy; and
- resolving the request to perform the operation.
Dependent claims: 14, 15, 16, 17.
Specification