Access control using impersonization

US 9,699,219 B2
Filed: 08/15/2016
Issued: 07/04/2017
Est. Priority Date: 12/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an authentication computer system that processes an authentication request by verifying an electronic signature of a first request and provides an authentication response having information identifying a set of computer resources being a cause of the authentication request;

a first computer resource that receives the first request and, as a result, submits the authentication request to the authentication computer system, receives the authentication response and, as part of fulfilling the first request, uses the authentication response to submit a second request;

a policy evaluation computer system that evaluates, based at least in part on the information identifying the set of computer resources, a set of policies applicable to the second request to determine a policy determination;

a second computer resource that receives the second request and processes the second request in accordance with the policy determination; and

a third computer resource that processes a third request originating from the second computer resource and triggered by the second request, by the first request, and by the authentication request, the processing in accordance with a policy based at least in part on a user profile associated with the authentication request and information identifying a set of computer resources that triggered the third request, including the first and second computer resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

233 Citations

24 Claims

1. A system comprising:
- an authentication computer system that processes an authentication request by verifying an electronic signature of a first request and provides an authentication response having information identifying a set of computer resources being a cause of the authentication request;
  
  a first computer resource that receives the first request and, as a result, submits the authentication request to the authentication computer system, receives the authentication response and, as part of fulfilling the first request, uses the authentication response to submit a second request;
  
  a policy evaluation computer system that evaluates, based at least in part on the information identifying the set of computer resources, a set of policies applicable to the second request to determine a policy determination;
  
  a second computer resource that receives the second request and processes the second request in accordance with the policy determination; and
  
  a third computer resource that processes a third request originating from the second computer resource and triggered by the second request, by the first request, and by the authentication request, the processing in accordance with a policy based at least in part on a user profile associated with the authentication request and information identifying a set of computer resources that triggered the third request, including the first and second computer resource.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein:
    - fulfillment of the second request includes use of a first cryptographic key specified in the second request to perform one or more cryptographic operations;
      
      fulfillment of the third request includes use of a second cryptographic key specified in the third request to perform one or more cryptographic operations; and
      
      the set of policies specify one or more conditions required to be satisfied before the first and second cryptographic keys are usable for request fulfillment.
  - 3. The system of claim 1, wherein:
    - the first request is submitted on behalf of a customer of a computing resource service provider of the first, second and third computer resources; and
      
      the set of policies are configured such that the policy determination is different than the policy determination would be if the first request was received from an entity that is not a customer.
  - 4. The system of claim 1, wherein the one or more of the first, second and third computer resources further implement an application programming interface through which application programming interface requests are submitable, by a customer of a computing resource service provider of the first, second and third computer resources, to define one or more conditions for fulfillment of requests submitted by the first, second and third computer resources on behalf of the customer.
  - 5. The system of claim 1, wherein the second computer resource comprises an application programming interface through which customers of a computing resource service provider of the first, second and third computer resources are able to submit requests to be fulfilled by the first, second and third computer resources.

6. A computer-implemented method, comprising:
- receiving, from a first entity on behalf of a service provider account, a first request to perform one or more operations in connection with one or more computer resources and, as a result, submitting an authentication request to an authentication system identifying a set of computer resource services being a cause of the authentication request, including a first computer resource service;
  
  fulfilling the first request by receiving an authentication response based at least in part on the authentication request having information identifying a set of computer resource services being a cause of the authentication request;
  
  using the authentication response to submit a second request to a second computer resource service, the fulfilling the first request further based at least in part on a policy specifying one or more conditions for fulfillability of the second request submitted as part of fulfillment of the first request, the one or more conditions based at least in part on an entity submitting the second request;
  
  based at least in part on the policy, processing the second request from the first computer resource service to perform one or more operations by the second computer resource service; and
  
  based at least in part on the policy, processing the third request from the second computer resource service to perform one or more operations by a third computer resource service.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The computer-implemented method of claim 6, wherein:
    - the one or more computer resources include a cryptographic key; and
      
      fulfillment of the first request, second request and third request involves performance of one or more cryptographic operations using the cryptographic key.
  - 8. The computer-implemented method of claim 7, wherein the first request, second request and third request include an identifier of the cryptographic key.
  - 9. The computer-implemented method of claim 6, wherein respective processing the first request, second request and third request is based at least in part on the policy comprises:
    - respectively determining, based at least in part on information respectively provided with the first request, second request and third request, one or more services that each submitted a corresponding request thereby becoming a respective cause of the first request, second request and third request; and
      
      respectively determining, based at least in part on the respectively determined one or more services that respective fulfillment of the first request, second request and third request is in compliance with the policy.
  - 10. The computer-implemented method of claim 9, wherein the information respectively provided with the first request, second request and third requests is encoded in a token generated by an authentication service.
  - 11. The computer-implemented method of claim 6, wherein:
    - the first entity is a first service of a service provider for the service provider account; and
      
      the first request is triggered by a customer request submitted to the first service, the customer request corresponding to the service provider account.
  - 12. The computer-implemented method of claim 6, wherein the policy requires the first request to be submitted from a user associated with the service provider account, and if not, the first request will be denied.
  - 13. The computer-implemented method of claim 6, further comprising, as a result of receiving the first request, second request and third request, writing a set of one or more intermediate services that caused the first request, second request and third request to be identified to an audit log in association with the first request, second request and third request respectively.
  - 14. The computer-implemented method of claim 6, wherein:
    - the first entity is a subsystem of a service provider for the service provider account; and
      
      a set of policies are configured such that a policy determination is different than the policy determination would be if the first request was received from a user of the service provider account compared to if the first request was not received from a user of the service provider account.
  - 15. The computer-implemented method of claim 6, wherein:
    - the policy specifies a cryptographic key; and
      
      respectively processing the first request, second request and third request based at least in part on the policy is performed as a result of use of the cryptographic key required for fulfillment of the first request, second request and third request.
  - 16. The computer-implemented method of claim 6, wherein:
    - the policy specifies a tag value; and
      
      respectively processing the first request, second request and third request based at least in part on the policy is performed as a result of the first request, second request and third request being applicable to a set of compute resources associated with the tag value.

17. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- for a pending second request triggered by a first request, determine a first set of one or more intermediate services, including a first service, that caused submission of the second request by submission of the first request;
  
  determine, based at least in part on the determined first set of one or more intermediate services, whether fulfillment of the second request complies with a set of policies applicable to the second request, the set of policies applicable to the second request including at least a policy that identifies at least a subset of the first set of one or more intermediate services;
  
  cause the second request to be processed based at least in part on whether fulfillment of the second request complies with the set of policies applicable to the second request;
  
  for a pending third request, determine a second set of one or more intermediate services, including a second service, that caused submission of the third request triggered by the second request;
  
  determine, based at least in part on the determined second set of one or more intermediate services, whether fulfillment of the third request complies with a set of policies applicable to the third request, the set of policies applicable to the third request including at least a policy that identifies one or more authorized computer resources including at least a subset of the second set of one or more intermediate services; and
  
  cause the pending third request to be processed by a third service, based at least in part on whether fulfillment of the third request complies with the set of policies applicable to the third request including a determination that each of the second set of one or more intermediate services is an authorized computer resource identified by the policy.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein determining the first set of one or more intermediate services and determining the second set of one or more intermediate services includes analyzing a first and second token provided respectively with the second request and third request and generated by an authentication service.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the pending second request is to access, in plaintext form, data persistently stored in encrypted form.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the set of policies applicable to the second request includes at least one policy determinable based at least in part on the data persistently stored in encrypted form.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein the set of policies applicable to the second request includes at least one policy determinable based at least in part on one or more keys necessary for decrypting the data persistently stored in encrypted form.
  - 22. The non-transitory computer-readable storage medium of claim 17, wherein:
    - the computer system is operated by a service provider; and
      
      the first request is submitted on behalf of a customer of the service provider by an entity different than the customer.
  - 23. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, when executed by the one or more processors of the computer system, cause the computer system to:
    - determine a respective first and second a set of computer resources affected by fulfillment of the second and third request; and
      
      determine, based at least in part on the determined first and second set of computer resources, the respective sets of policies applicable to the second and third request.
  - 24. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, when executed by the one or more processors of the computer system, cause the computer system to receive at least a subset of the respective sets of policies applicable to the second and third request from a customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Pratt, Brian Irl
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/237,505
Publication Number

US 20160359924A1
Time in Patent Office

323 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

H04L 2463/062   applying encryption of the ...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3247   involving digital signatures

Access control using impersonization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

233 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Access control using impersonization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links