Access control using impersonization

US 9,906,564 B2
Filed: 06/29/2017
Issued: 02/27/2018
Est. Priority Date: 12/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

memory to store instructions that, if executed by one or more processors of the system, cause the system to;

send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;

utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;

process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and

send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

Citations

20 Claims

1. A system, comprising:
- memory to store instructions that, if executed by one or more processors of the system, cause the system to;
  
  send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;
  
  utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;
  
  process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
  
  send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein:
    - process the second request includes use of a first cryptographic key specified in the second request to perform one or more cryptographic operations;
      
      process the third request includes use of a second cryptographic key specified in the third request to perform one or more cryptographic operations; and
      
      the set of policies specify one or more conditions required to be satisfied before the first and second cryptographic keys are usable.
  - 3. The system of claim 1, wherein:
    - the first request is sent on behalf of a customer of a computing resource service provider of a first, second, and third computing resource devices; and
      
      the set of policies include policy determination that is different than the policy determination would be if the first request was received from an entity that is not the customer.
  - 4. The system of claim 3, wherein the first, second, and third computing resource devices further implement an application programming interface through which application programming interface requests are sent, by a customer of a computing resource service provider of the first, second, and third computing resource devices, to define one or more conditions for processing requests sent by the first, second, and third computing resource devices on behalf of the customer.
  - 5. The system of claim 3, wherein the second computing resource device comprises an application programming interface through which customers of a computing resource service provider of the first, second, and third computing resource devices are able to send requests to be processed by the first, second, and third computing resource devices.

6. A computer-implemented method, comprising:
- sending a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource services to be accessed;
  
  utilizing the authentication response, based at least in part on fulfilling the first request, to send a second request;
  
  processing the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
  
  sending a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The computer-implemented method of claim 6, wherein:
    - the first, second, and third requests include a cryptographic key; and
      
      processing the first, second, and third requests involves performance of one or more cryptographic operations using the cryptographic key.
  - 8. The computer-implemented method of claim 7, wherein the first, second, and third requests include an identifier of the cryptographic key.
  - 9. The computer-implemented method of claim 6, wherein processing the first, second, and third requests is based at least in part on the policy that comprises:
    - determining, based at least in part on information provided with the first, second, and third requests, one or more services that each sent a corresponding request thereby becoming a cause of the first, second, and third requests; and
      
      determining, based at least in part on the determined one or more services, that the processing of the first, second, and third requests is in compliance with the policy.
  - 10. The computer-implemented method of claim 9, wherein the authentication response associated provided with the first request is encoded in a token generated by an authentication service.
  - 11. The computer-implemented method of claim 6, wherein:
    - the first request is triggered by a customer request sent to a first service, the customer request corresponding to a service provider account.
  - 12. The computer-implemented method of claim 11, wherein the policy requires the first request to be sent from a user associated with the service provider account, and if not, the first request will be denied.
  - 13. The computer-implemented method of claim 6, further comprising, as a result of sending the first, second, and third requests, writing a set of one or more intermediate services that causes the first, second, and third requests to be identified to an audit log in association with the first, second, and third requests.
  - 14. The computer-implemented method of claim 11, wherein:
    - the set of policies include policy determination is different than the policy determination would be if the first request was received from a user of the service provider account compared to if the first request was not received from a user of the service provider account.
  - 15. The computer-implemented method of claim 6, wherein:
    - the policy specifies a cryptographic key; and
      
      processing the first, second, and third requests based at least in part on the policy being performed as a result of using the cryptographic key required for processing the first, second, and third requests.
  - 16. The computer-implemented method of claim 6, wherein:
    - the policy specifies a tag value; and
      
      processing the first, second, and third requests based at least in part on the policy being performed as a result of the first, second, and third requests being applicable to a set of computing resources associated with the tag value.

17. A non-transitory computer-readable storage medium having stored thereon instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- send a first request and an authentication response associated with the first request, the authentication response including information identifying a set of computing resource devices to be accessed;
  
  utilize the authentication response, based at least in part on fulfilling the first request, to send a second request;
  
  process the second request according to a policy determination, the policy determination is determined by at least evaluating a set of policies applicable to the second request based at least in part on the first request and the authentication response; and
  
  send a third request, the third request being processed according to a policy of the policy determination, processing the policy is based at least in part on a user profile associated with the authentication response that triggered the third request, including the first request and the second request.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that, if executed by one or more processors of a computer system, further cause the computer system to analyze a first and second token, generated by an authentication service, provided with the second and third requests.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the second request accesses, in plaintext form, data persistently stored in encrypted form.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the set of policies applicable to the second request includes at least one policy determinable based at least in part on the data persistently stored in encrypted form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Pratt, Brian Irl
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/638,227
Publication Number

US 20170324782A1
Time in Patent Office

243 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

H04L 2463/062   applying encryption of the ...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3247   involving digital signatures

Access control using impersonization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access control using impersonization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links