Methods and apparatus for controlling snapshot exports
First Claim
1. A method, comprising:
- performing, by a snapshot export control process implemented on one or more devices on a provider network;
receiving, on behalf of a client via a service of the provider network, a request directed to one or more snapshots of a data volume, wherein the one or more snapshots are stored on a data store on the provider network;
determining whether the client has rights to export the one or more snapshots, wherein said determining comprises, for each of the one or more snapshots, examining a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of a client data volume to locations of data chunks stored in the snapshot, and wherein said examining compares account information for the client with information from the snapshot manifest; and
sending a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined.
0 Assignments
0 Petitions
Accused Products
Abstract
Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer'"'"'s. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.
81 Citations
20 Claims
-
1. A method, comprising:
performing, by a snapshot export control process implemented on one or more devices on a provider network; receiving, on behalf of a client via a service of the provider network, a request directed to one or more snapshots of a data volume, wherein the one or more snapshots are stored on a data store on the provider network; determining whether the client has rights to export the one or more snapshots, wherein said determining comprises, for each of the one or more snapshots, examining a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of a client data volume to locations of data chunks stored in the snapshot, and wherein said examining compares account information for the client with information from the snapshot manifest; and sending a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
9. A system, comprising:
-
at least one processor; and a memory comprising program instructions, wherein the program instructions are executed by at least one processor to implement a snapshot export control service configured to; receive, via a service of a provider network, a request on behalf of a client of the provider network, the request directed to one or more snapshots of one or more data volumes, wherein the one or more snapshots are stored on a data store on the provider network; determine, from information related to the snapshot, whether the client has appropriate rights to export the snapshot to an external network; and send a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. A non-transitory computer-readable storage medium storing program instruction that are executed to implement a snapshot export control process configured to:
-
receive, via a service of a service provider network, information indicating a client of the provider network and one or more snapshots stored on a data store on the provider network, wherein a snapshot is a backup of a client volume on the provider network; determine whether the client has rights to export the one or more snapshots, wherein said determination comprises, for each of the one or more snapshots, examining a snapshot manifest corresponding to the snapshot, wherein the snapshot manifest includes account information for one or more creators of data in the respective snapshot, and wherein the determination is based on whether the snapshot includes data created by at least one account that is not the client'"'"'s account; and return an indication of the determination or return a list that includes those snapshots for which the client export rights were determined. - View Dependent Claims (19, 20)
-
Specification