Using transient processing containers for security authorization
First Claim
1. A system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to:
receive, from a customer, a request for access to a resource in an electronic environment, the electronic environment being provided at least in part by a resource provider, the customer having an account with the resource provider;
determine, based at least in part on information from the request, a policy corresponding to the request;
determine, using the policy, an authorization function to be used in making an authorization decision for the request, the authorization function provided by the customer;
determine an instance of compute capacity, in the electronic environment, to be used in executing the authorization function;
allocate, by the resource provider, the instance of compute capacity on behalf of the customer;
cause the instance of compute capacity to generate the authorization decision using the authorization function and context for the request, the context determined based at least in part upon the information from the request;
receive, from the instance of compute capacity, the authorization decision, the authorization decision indicating that the request for access is authorized;
cause the access to the resource to be provided for the request; and
de-allocate the instance of compute capacity.
Abstract
Authorization decisions can be made in a resource environment using authorization functions which can be provided by customers, third parties, or other such entities. The functions can be implemented using virtual machine instances with one or more transient compute containers. This compute capacity can be preconfigured with certain software and provided using existing compute capacity assigned to a customer, or capacity invoked from a warming pool, to execute the appropriate authorization function. The authorization function can be a lambda function that takes in context for the request and generates the appropriate security decision inline. The utilization of ephemeral compute capacity enables the functionality to be provided on demand, without requiring explicit naming or identification of the capacity, and can enable state information to be maintained for a customer.
20 Claims
1. A system, comprising: (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
receiving, from a user, a request requiring access to at least one resource in an electronic environment, the at least one resource being provided by a resource provider;
determining an authorization function corresponding to the request based on a policy corresponding to the request;
invoking, on behalf of the user, a compute instance in the electronic environment, the compute instance configured to execute the authorization function using context information for the request;
receiving, from the compute instance, a decision regarding an authorization of the access to the at least one resource;
enforcing the decision with respect to the access; and
de-allocating the compute instance after enforcing the decision with respect to the access.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computer system, cause the computer system to:
receive, from a user, a request for access to at least one resource in an electronic environment, the electronic environment provided at least in part by a resource provider;
determine an authorization function corresponding to the request based on a policy corresponding to the request;
invoke, on behalf of the user, a compute instance in the electronic environment, the compute instance invoked to execute the authorization function using context information for the request;
receive, from the compute instance, a decision regarding an authorization of the access to the at least one resource;
enforce the decision with respect to the access; and
de-allocate the compute instance after enforcing the decision with respect to the access.
Dependent claims: 18, 19, 20.
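The flow described in the abstract and in independent claims 1, 5 and 17 (look up a policy from the request, select the customer-supplied authorization function, run it in transient compute capacity with context derived from the request, enforce the decision, de-allocate), written out as an added example. This is not the patent's code or any resource provider's implementation. Everything below is an assumption made for the illustration: the in-memory POLICIES table, the customer function shape `authorize(ctx) -> bool`, and a fresh Python subprocess standing in for the transient container (a real deployment would use a container or microVM sandbox). The security points a practitioner would want are the ones the claims leave implicit: the customer's function is untrusted code and runs only inside the disposable instance, the provider fails closed on timeout, crash or malformed output, and the decision is bound to the request it was computed for before it is enforced.

```python
"""Added example: policy -> customer authorization function -> transient execution
-> fail-closed enforcement. Not the patent's code; all names and data are
constructed for this illustration."""
import json
import subprocess
import sys
import uuid

# Constructed policy store (hypothetical): maps a resource prefix to the
# customer's authorization function source. In the patent the policy is
# determined from the request; here that is a longest-prefix match.
POLICIES = {
    "bucket/reports/": {
        "owner": "acme",
        "function_source": (
            "def authorize(ctx):\n"
            "    # customer logic: finance or admin may read, only admin may write\n"
            "    groups = set(ctx.get('groups', []))\n"
            "    if ctx['action'] == 'read':\n"
            "        return 'finance' in groups or 'admin' in groups\n"
            "    return 'admin' in groups\n"
        ),
    },
}

# Code run inside the transient process (the stand-in for the compute container).
# It reads the function source and request context from stdin, runs the
# customer's authorize(), and writes a decision that echoes the request id so the
# caller can bind the decision to the request it was issued for.
_RUNNER = r"""
import json, sys
job = json.load(sys.stdin)
ns = {}
exec(job["source"], ns)
allow = bool(ns["authorize"](job["context"]))
json.dump({"request_id": job["context"]["request_id"], "allow": allow}, sys.stdout)
"""


def select_policy(resource):
    """Longest-prefix match of the resource name against POLICIES; None if no match."""
    matches = [p for p in POLICIES if resource.startswith(p)]
    return POLICIES[max(matches, key=len)] if matches else None


def run_in_transient_container(source, context, timeout=2.0):
    """Allocate a fresh interpreter, run the customer function, tear it down.

    Returns the parsed decision dict, or None on any failure (timeout, crash,
    malformed output). subprocess.run kills the child when the timeout fires,
    which is the de-allocation step for this stand-in container.
    """
    job = json.dumps({"source": source, "context": context})
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _RUNNER],
            input=job, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:
        return None
    try:
        return json.loads(proc.stdout)
    except ValueError:
        return None


def authorize_request(principal, groups, action, resource):
    """Full flow on the provider side. Returns True only for an explicit allow."""
    policy = select_policy(resource)
    if policy is None:
        return False  # no policy for the resource: deny
    context = {
        "request_id": str(uuid.uuid4()),
        "principal": principal,
        "groups": list(groups),
        "action": action,
        "resource": resource,
    }
    decision = run_in_transient_container(policy["function_source"], context)
    # Fail closed: deny unless the decision is well-formed, bound to this
    # request, and explicitly allows. The customer code never touches the
    # enforcement path directly.
    if not isinstance(decision, dict):
        return False
    if decision.get("request_id") != context["request_id"]:
        return False
    return decision.get("allow") is True


if __name__ == "__main__":
    print(authorize_request("alice", ["finance"], "read", "bucket/reports/q3.csv"))
    print(authorize_request("alice", ["finance"], "write", "bucket/reports/q3.csv"))
    print(authorize_request("bob", ["admin"], "write", "bucket/reports/q3.csv"))
    print(authorize_request("bob", ["admin"], "read", "bucket/other/x"))
```

The subprocess is started with `-I` (isolated mode) so the child ignores environment-driven path and site customisation, and it is given nothing but the function source and the context on stdin; that is the closest a plain interpreter gets to the preconfigured, single-purpose container the abstract describes. A function that raises, loops forever, or prints something other than a decision object yields a deny rather than an allow, and a decision whose request id does not match is discarded, so a stale or mis-routed decision cannot authorize a different request.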