Using transient processing containers for security authorization

US 9,756,050 B1
Filed: 03/26/2015
Issued: 09/05/2017
Est. Priority Date: 03/26/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

memory including instructions that, when executed by the at least one processor, cause the system to;

receive, from a customer, a request for access to a resource in an electronic environment, the electronic environment being provided at least in part by a resource provider, the customer having an account with the resource provider;

determine, based at least in part on information from the request, a policy corresponding to the request;

determine, using the policy, an authorization function to be used in making an authorization decision for the request, the authorization function provided by the customer;

determine an instance of compute capacity, in the electronic environment, to be used in executing the authorization function;

allocate, by the resource provider, the instance of compute capacity on behalf of the customer;

cause the instance of compute capacity to generate the authorization decision using the authorization function and context for the request, the context determined based at least in part upon the information from the request;

receive, from the instance of compute capacity, the authorization decision, the authorization decision indicating that the request for access is authorized;

cause the access to the resource to be provided for the request; and

de-allocate the instance of compute capacity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context and generates the appropriate security functionality inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification, and can enable cause state information to be maintained for a customer.

Citations

20 Claims

1. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive, from a customer, a request for access to a resource in an electronic environment, the electronic environment being provided at least in part by a resource provider, the customer having an account with the resource provider;
  
  determine, based at least in part on information from the request, a policy corresponding to the request;
  
  determine, using the policy, an authorization function to be used in making an authorization decision for the request, the authorization function provided by the customer;
  
  determine an instance of compute capacity, in the electronic environment, to be used in executing the authorization function;
  
  allocate, by the resource provider, the instance of compute capacity on behalf of the customer;
  
  cause the instance of compute capacity to generate the authorization decision using the authorization function and context for the request, the context determined based at least in part upon the information from the request;
  
  receive, from the instance of compute capacity, the authorization decision, the authorization decision indicating that the request for access is authorized;
  
  cause the access to the resource to be provided for the request; and
  
  de-allocate the instance of compute capacity.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the instructions when executed further cause the system to:
    - obtain the instance of compute capacity from one of (a) a first pool of compute capacity actively associated with a user associated with the request or (b) a second pool of compute capacity being unassociated with the user or another user of the electronic environment.
  - 3. The system of claim 2, wherein the instructions when executed further cause the system to:
    - determine, from the second pool of compute capacity, a compute container containing one or more software objects capable of supporting execution of the authorization function.
  - 4. The system of claim 1, wherein the instructions when executed further cause the system to:
    - cause the instance of compute capacity to be allocated for the purpose of generating the authorization decision using the authorization function and de-allocated after generating the authorization decision, without being utilized for any other authorization decision.

5. A computer-implemented method, comprising:
- receiving, from a user, a request requiring access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;
  
  determining an authorization function corresponding to the request based on a policy corresponding to the request;
  
  invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function using context information for the request;
  
  receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource;
  
  enforcing the decision with respect to the access; and
  
  de-allocating the compute instance after enforcing the decision with respect to the access.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The computer-implemented method of claim 5, further comprising:
    - the compute instance being allocated specifically for executing the authorization function.
  - 7. The computer-implemented method of claim 5, wherein the authorization function is received from the user or a third party provider.
  - 8. The computer-implemented method of claim 5, further comprising:
    - analyzing a first pool of active compute instances to determine compute capacity available to execute the authorization function; and
      
      selecting the compute instance from the first pool of active compute instances or a second pool of pre-warmed compute instances based at least in part upon the compute capacity.
  - 9. The computer-implemented method of claim 8, further comprising:
    - pre-warming one or more compute instances in the second pool of pre-warmed compute instances, the pre-warming including determining at least an operating system and software necessary to execute one or more authorization functions on behalf of one or more users of the electronic environment.
  - 10. The computer-implemented method of claim 5, wherein enforcing the decision includes granting access for an authorized decision and denying access for an unauthorized decision.
  - 11. The computer-implemented method of claim 5, wherein enforcing the decision includes granting access but generating a notification regarding the access.
  - 12. The computer-implemented method of claim 5, wherein the compute instance is stateless.
  - 13. The computer-implemented method of claim 12, further comprising:
    - obtaining, from a data store, inbound state information for use in executing the authorization function;
      
      receiving outbound state information from the compute instance after executing the authorization function; and
      
      storing the outbound state information to a data store.
  - 14. The computer-implemented method of claim 5, wherein the request is a call received to an application programming interface (API).
  - 15. The computer-implemented method of claim 5, further comprising:
    - obtaining the authorization function from a third party; and
      
      providing, on behalf of the user, compensation to the third party for use of the authorization function.
  - 16. The computer-implemented method of claim 15, wherein the compensation includes funds from an account of the user with one of the resource provider or the third party.

17. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
- receive, from a user, a request for access to at least one resource in an electronic environment, the electronic environment provided at least in part by a resource provider;
  
  determine an authorization function corresponding to the request based on a policy corresponding to the request;
  
  invoke, on behalf of the user, a compute instance in the electronic environment, the compute instance invoked to execute the authorization function using context information for the request;
  
  receive, from the compute instance, a decision regarding an authorization of the access to the at least one resource;
  
  enforce the decision with respect to the access; and
  
  de-allocate the compute instance after enforcing the decision with respect to the access.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions when executed further cause the computer system to:
    - determine a transient compute container in a virtual machine to be allocated as the compute instance, the transient compute container configured specifically to execute the authorization function then be de-allocated.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the authorization function is received from the user or a third party provider.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the instructions when executed further cause the computer system to:
    - obtain inbound state information for use by the authorization function in generating the decision;
      
      receive outbound state information from the compute instance after generating the decision; and
      
      store the outbound state information to a data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/669,636
Time in Patent Office

894 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/70 Admission control; Resource...

H04L 63/102 Entity profiles

Using transient processing containers for security authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using transient processing containers for security authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links