Cross-region roles

US 9,894,067 B1
Filed: 12/03/2015
Issued: 02/13/2018
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

creating a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;

making the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;

receiving a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;

in response to the first request, at least providing a session token and a session key to the device associated with the second user account;

receiving a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and

extracting the session key from the session token;

validating the digital signature generated from the session key using the extracted session key; and

satisfying the second request by providing access to a set of resources associated with the first user account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for using short-term credentials with access roles across regions are described herein. A request to assume a role associated with resources in a first region is received by a user in a second region. The request, which is digitally signed with credential associated with the user in the second region causes the generation of a short-term session credential that includes a session key and that can be used to assume the role. The user in the second region then assumes the role and, accordingly, can use the short-term session credentials to access the resources in the first region.

48 Citations

View as Search Results

24 Claims

1. A computer-implemented method comprising:
- creating a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
  
  making the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
  
  receiving a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
  
  in response to the first request, at least providing a session token and a session key to the device associated with the second user account;
  
  receiving a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
  
  extracting the session key from the session token;
  
  validating the digital signature generated from the session key using the extracted session key; and
  
  satisfying the second request by providing access to a set of resources associated with the first user account.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the corresponding set of policies associated with the role specify a set of permissions for access to the resources associated with the first user account.
  - 3. The computer-implemented method of claim 1, wherein the corresponding set of policies associated with the role specify one or more user accounts of the plurality of user accounts that can assume the role.
  - 4. The computer-implemented method of claim 1, wherein making the role identifier available to the device associated with the second user account includes at least one of:
    - storing the role identifier in a database, sending the role identifier to the device, or publishing the role identifier in documentation associated with the set of resources.

5. A system, comprising:
- one or more processors; and
  
  memory storing executable instructions that, if executed by the one or more processors, cause the system to;
  
  create a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
  
  make the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
  
  receive a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
  
  in response to the first request, at least provide a session token and a session key to the device associated with the second user account;
  
  receive a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
  
  extract the session key from the session token;
  
  validate the digital signature generated from the session key using the extracted session key; and
  
  satisfy the second request by providing access to a set of resources associated with the first user account.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The system of claim 5, wherein the role is assumable to obtain access to resources not in the second region.
  - 7. The system of claim 5, wherein the second user account does not exist in the first region.
  - 8. The system of claim 5, wherein the session token includes the role identifier.
  - 9. The system of claim 5, wherein the corresponding set of policies associated of the role define a set of permissions associated with the access to the resources associated with the first user account, the set of permissions specified by a customer associated with the first user account.
  - 10. The system of claim 5, wherein the instructions, if executed by the one or more processors, further cause the system to:
    - in response to the first request, generate session data to be included in the session token.
  - 11. The system of claim 5, wherein the session data is encrypted in the session token using the session key.
  - 12. The system of claim 5, wherein the session key is encrypted in the session token.
  - 13. The system of claim 5, wherein the session key is a symmetric cryptographic key.
  - 14. The system of claim 5, wherein the session key is generated from a global session key and an account key associated with the first user account, the global session key provided to the first region and the second region by a security service of the one or more services, the account key provided to the first region.
  - 15. The system of claim 5, wherein the long-term key is a private key of a public-private key pair.

16. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- create a role associated with a first user account of a plurality of user accounts, the role having a corresponding set of policies associated with the role, the role including a role identifier, the first user account associated with a first region, the role corresponding to access to a set of resources associated with the first user account;
  
  make the role identifier available to a device associated with a second user account of the plurality of user accounts, the second user account associated with a second region different than the first region, the second user account not having access to the set of resources associated with the first user account;
  
  receive a first request from the device associated with the second user account to assume the role, the request digitally signed using a long-term key associated with the second user account, the first request including the role identifier;
  
  in response to the first request, at least provide a session token and a session key to the device associated with the second user account;
  
  receive a second request from the device for access to at least a subset of the set of resources, the second request including the session token and digitally signed using a digital signature generated from the session key; and
  
  extract the session key from the session token;
  
  validate the digital signature generated from the session key using the extracted session key; and
  
  satisfy the second request by providing access to a set of resources associated with the first user account.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the session key is a symmetric key.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the second user account does not exist in the first region.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the session token includes the role identifier.
  - 20. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the session key is one of a plurality of session keys, the plurality of session keys maintained in a session keychain, the session keychain configured to delete each session encryption key of the plurality of session keys upon expiration of a corresponding time interval.
  - 21. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the session key is generated using elliptic curve cryptography.
  - 22. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the instructions that cause the computer system to validate the first request based at least in part on the corresponding set of policies further include instructions that, as a result of being executed by the one or more processors, cause the computer system to determine whether the requester is a user associated with a user account specified in the corresponding set of policies as authorized to assume the role.
  - 23. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the instructions, as a result of execution by the one or more processors, further cause the computer system to validate the second request based at least in part on the corresponding set of policies to determine whether the second request specifies one or more resources of the resources in the second region specified in the corresponding set of policies as authorized for the role.
  - 24. The set of one or more non-transitory computer-readable storage media of claim 16, wherein the second user account exists in a third region, the third region different from the first region and the second region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mandadi, Srikanth, Sedky, Khaled Salah, Praus, Slavka, Barbour, Marc R.
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/958,887
Time in Patent Office

803 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Cross-region roles

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-region roles

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links