Transparent policies

US 9,854,001 B1
Filed: 03/25/2014
Issued: 12/26/2017
Est. Priority Date: 03/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

enforcing a set of policies for an account, the set of policies configured such that fulfillment of requests submitted by an administrator of the account requires compliance with at least a first policy in a first subset of the set of policies and a second policy in a second subset of the set of policies;

receiving, from the administrator associated with the account, a request for information about the set of policies enforced for the account, the set of policies indicating conditions for access to computing resources;

obtaining information responsive to the request, the information responsive to the request comprising information about the first subset of the set of policies and excluding information about the second subset of the set of policies as a result of the administrator lacking authorization for obtaining information about policies in the second subset of the set of policies; and

providing to the administrator, a response to the request that comprises the information responsive to the request, the response lacking any information indicative of existence of the second subset of the set of policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system enforces policies in connection with requests to access resources. Users are provided the ability to obtain information about the policies the system enforces. Some of the users have associated restrictions such that, when those users request information about the policies, the information provided is incomplete. The information provided may lack information about one or more policies that apply to the users.

Citations

22 Claims

1. A computer-implemented method, comprising:
- enforcing a set of policies for an account, the set of policies configured such that fulfillment of requests submitted by an administrator of the account requires compliance with at least a first policy in a first subset of the set of policies and a second policy in a second subset of the set of policies;
  
  receiving, from the administrator associated with the account, a request for information about the set of policies enforced for the account, the set of policies indicating conditions for access to computing resources;
  
  obtaining information responsive to the request, the information responsive to the request comprising information about the first subset of the set of policies and excluding information about the second subset of the set of policies as a result of the administrator lacking authorization for obtaining information about policies in the second subset of the set of policies; and
  
  providing to the administrator, a response to the request that comprises the information responsive to the request, the response lacking any information indicative of existence of the second subset of the set of policies.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein:
    - the one or more systems are hosted by a service provider;
      
      the account is from a plurality of accounts, each corresponding to a different customer of the service provider; and
      
      the set of policies is from a plurality of sets of policies enforced by the service provider, each with a corresponding customer of the service provider.
  - 3. The computer-implemented method of claim 1, wherein:
    - the method further comprises;
      
      receiving an application programming interface request comprising information defining a policy; and
      
      processing the application programming interface request by at least adding the policy to the set of policies; and
      
      after adding the policy to the set of the set of policies, the policy is a member of the second subset of the set of policies.
  - 4. The computer-implemented method of claim 3, wherein the application programming interface request further comprises information that distinguishes one or more users that are authorized for obtaining information about the policy from one or more other users that are unauthorized for obtaining information about the policy.
  - 5. The computer-implemented method of claim 1, wherein:
    - at least one policy of the second subset of the set of policies, when applicable to a request, causes information about the request to be written to an audit log; and
      
      the method further comprises writing to the audit log as a result of the at least one policy applying to a particular request.
  - 6. The computer-implemented method of claim 5, wherein, as a result of the administrator lacking authorization to obtain authorization for obtaining information about policies in the second subset of the set of policies, the administrator lacks authorization for obtaining information about the audit log.

7. A system, comprising at least one computing device configured to implement one or more services, the at least one computing device including microprocessor and a memory, the one or more services:
- for an entity, maintain information about policies enforced for the entity;
  
  provide an interface through which requests are submitted to allow a user to obtain information about the policies, the policies indicating conditions for access to computing resources; and
  
  process requests submitted through the provided interface such that, for at least a first user and a second user requesting the same information about the policies during a time when the policies remain unchanged, the first user is provided first information about the policies that is different than second information about the policies provided to the second user, the first information indicating existence of one or more policies for which the second information lacks an indication of existence of the one or more policies.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system of claim 7, wherein the one or more services comprise a service configured to receive requests to access computing resources and enforce the policies in connection with the received requests to access the computing resources.
  - 9. The system of claim 8, wherein:
    - the first information indicates existence of a first policy;
      
      the second information lacks an indication of existence of the first policy; and
      
      the service is further configured to respond to requests, whose fulfillment is disallowed by the first policy, without fulfilling the requests and without indicating that the requests are denied.
  - 10. The system of claim 7, wherein the one or more policies comprise at least one policy configured to apply to requests by the second user to access a computing resource.
  - 11. The system of claim 7, wherein the one or more policies comprise at least one policy configured to apply to requests by the second user and, when applicable to the requests, cause the requests by the second user to be logged.
  - 12. The system of claim 7, whereinthe one or more policies comprise at least one policy configured to apply to requests by the second user and, when applicable to the requests, cause the system to probabilistically make a determination whether to perform an action and, when the determination indicates that the action is to be taken, cause the action to be taken.
  - 13. The system of claim 7, wherein the second information comprises false information about the policies.
  - 14. The system of claim 7, wherein the system is further configured to enforce a restriction on an ability of the second user to modify the one or more policies.
  - 15. The system of claim 7, wherein the access to the computing resources is via application programming interface calls.

16. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, if executed by one or more processors of a computer system, the computer system including a microprocessor and a memory, cause the computer system to at least:
- receive, from a requestor, a request whose fulfillment involves providing information to the requestor about a set of policies indicating conditions for access to computing resources associated with an entity, the policies applied to requests submitted to a system and enforced such that, fulfillment of the requests is dependent on compliance with the policies;
  
  obtain information responsive to the request, the information responsive to the request comprising information about a first subset of the set of policies and excluding information about a second subset of the set of policies as a result of the requestor lacking authorization for obtaining information about policies in the second subset of the set of policies; and
  
  provide, to the requestor, a response to the request based at least in part on the information responsive to the request.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the response lacks information indicating existence of at least one policy in the second subset of the set of policies.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein at least one policy in the second subset of the set of policies applies to requests made by the requestor.
  - 19. The non-transitory computer-readable storage medium of claim 16, wherein:
    - one or more policies of the second subset of the set of policies has an associated restriction on users able to obtain information about the policy, the associated restriction defined at least in part on an attribute applicable to multiple users; and
      
      the information responsive to the request excludes the information about the second subset of the set of policies as a result of the requestor being associated with the attribute.
  - 20. The non-transitory computer-readable storage medium of claim 16, wherein:
    - the instructions further include instructions that, when executed by the one or more processors, cause the computer system to enforce a policy from the second set of policies by at least allowing fulfillment of a second request from the requestor to which the policy applies and causing at least one operation specified by the policy to be performed; and
      
      the at least one operation is performed without indicating to the requestor that the at least one operation was performed.
  - 21. The non-transitory computer-readable storage medium of claim 16, wherein the at least one operation includes causing data to be stored in a manner inaccessible to the requestor.
  - 22. The non-transitory computer-readable storage medium of claim 16, wherein at least one policy in the second subset of the set of policies applies to requests made by the requestor and, when applicable to the requests, cause the requests by the requestor to be logged.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason
Primary Examiner(s)
Vostal, O. C.

Application Number

US14/225,300
Time in Patent Office

1,372 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/20 for managing network securi...

Transparent policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links