Methods and apparatus for controlling snapshot exports

US 9,916,321 B2
Filed: 02/29/2016
Issued: 03/13/2018
Est. Priority Date: 10/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

performing, by a snapshot export control process implemented on one or more devices on a provider network;

receiving, on behalf of a client via a service of the provider network, a request directed to one or more snapshots of a data volume, wherein the one or more snapshots are stored on a data store on the provider network;

determining whether the client has rights to export the one or more snapshots, wherein said determining comprises, for each of the one or more snapshots, examining a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of a client data volume to locations of data chunks stored in the snapshot, and wherein said examining compares account information for the client with information from the snapshot manifest; and

sending a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer'"'"'s. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.

81 Citations

View as Search Results

20 Claims

1. A method, comprising:
- performing, by a snapshot export control process implemented on one or more devices on a provider network;
  
  receiving, on behalf of a client via a service of the provider network, a request directed to one or more snapshots of a data volume, wherein the one or more snapshots are stored on a data store on the provider network;
  
  determining whether the client has rights to export the one or more snapshots, wherein said determining comprises, for each of the one or more snapshots, examining a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of a client data volume to locations of data chunks stored in the snapshot, and wherein said examining compares account information for the client with information from the snapshot manifest; and
  
  sending a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein each snapshot manifest file records account identifiers for creators of the data blocks and includes creator account information for data blocks in the respective snapshot, and wherein said examining compares account information for the client with the creator account information for the data blocks in the respective snapshot.
  - 3. The method as recited in claim 2, further comprising:
    - identifying, via said examining, a snapshot that includes at least one data block created by a different account than a client account, wherein the client does not have rights to export a snapshot that includes data created by the different account; and
      
      generating a response to the request that does not include the identified snapshot.
  - 4. The method as recited in claim 3, wherein the request is a request for a list of the client'"'"'s snapshots stored on the data store, and wherein said generating a response to the request that does not include the identified snapshot comprises not including an indication of the identified snapshot in the list.
  - 5. The method as recited in claim 1, wherein the request is a request to export a specified snapshot to an external network, and wherein said sending the response to the request comprises sending a response indicating that the client does not have rights to export the specified snapshot to the external network.
  - 6. The method as recited in claim 1, further comprising identifying, via said examining, at least one snapshot that includes only data for which the client has rights to export, wherein the response to the request includes the identified at least one snapshot.
  - 7. The method as recited in claim 6, further comprising:
    - identifying, via said examining, at least one snapshot that the client has rights to export;
      
      including an indication of the identified at least one snapshot that the client has rights to export in the list; and
      
      returning the list to the client in the response to the request.
  - 8. The method as recited in claim 1, further comprising, for each of the one or more snapshots, adding an indication of the snapshot and an indication of the client'"'"'s determined rights regarding export of the snapshot to a cache that includes indications of snapshots and indications of the client'"'"'s rights regarding export of the snapshots.

9. A system, comprising:
- at least one processor; and
  
  a memory comprising program instructions, wherein the program instructions are executed by at least one processor to implement a snapshot export control service configured to;
  
  receive, via a service of a provider network, a request on behalf of a client of the provider network, the request directed to one or more snapshots of one or more data volumes, wherein the one or more snapshots are stored on a data store on the provider network;
  
  determine, from information related to the snapshot, whether the client has appropriate rights to export the snapshot to an external network; and
  
  send a response to the request, the response indicating the determination or returning a list that includes those snapshots for which the client export rights were determined.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein to determine whether the client has appropriate rights said snapshot export control service is further configured to, for each of the one or more snapshots, examine a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file maps data blocks of a client data volume to locations of data chunks stored in the snapshot, and wherein said examination compares account information for the client with information from the snapshot manifest file.
  - 11. The system of claim 10, wherein each snapshot manifest file includes creator account information for data blocks in the respective snapshot, and wherein said examination compares account information for the client with the creator account information for the data blocks in the respective snapshot.
  - 12. The system as recited in claim 10, wherein, to determine whether the client has appropriate rights to export the snapshot, the snapshot export control service is further configured to determine, via said examination, whether the snapshot includes at least one data block created by a different account than the client account, wherein the client does not have rights to export data created by the different account.
  - 13. The system as recited in claim 10, wherein, to determine, from information related to the snapshot, whether the client has appropriate rights to export the snapshot to an external network, the snapshot export control service is further configured to:
    - check a cache that includes indications of snapshots and indications of the client'"'"'s rights regarding export of the snapshots indicated in the cache to determine whether the snapshot is listed in the cache; and
      
      for a snapshot that is listed in the cache, determine the client'"'"'s rights regarding export of the snapshot from the cache.
  - 14. The system as recited in claim 13, wherein the snapshot export control service is further configured to, for a snapshot is not listed in the cache:
    - examine a snapshot manifest file corresponding to the snapshot, wherein the snapshot manifest file includes creator account information for data in the respective snapshot, and wherein said examination compares account information for the client with the creator account information for the data blocks in the respective snapshot; and
      
      determine, via said examination, whether the snapshot includes at least one data block created by a different account than the client account, wherein the client does not have rights to export data created by the different account.
  - 15. The system as recited in claim 9, wherein the snapshot export control service is further configured to add an indication of the snapshot and an indication of the client'"'"'s determined rights regarding export of the snapshot to a cache that includes indications of snapshots and indications of the client'"'"'s rights regarding export of the snapshots.
  - 16. The system as recited in claim 15, wherein the snapshot export control service is further configured to add an indication of the snapshot and an indication of the client'"'"'s determined rights regarding export of the snapshot to the cache.
  - 17. The system as recited in claim 9, wherein the request is a request to export a specified snapshot to the external network, and wherein said export of the specified snapshot is performed if the client has appropriate rights to export the snapshot to the external network and is not performed if the client does not have appropriate rights to export the snapshot to the external network.

18. A non-transitory computer-readable storage medium storing program instruction that are executed to implement a snapshot export control process configured to:
- receive, via a service of a service provider network, information indicating a client of the provider network and one or more snapshots stored on a data store on the provider network, wherein a snapshot is a backup of a client volume on the provider network;
  
  determine whether the client has rights to export the one or more snapshots, wherein said determination comprises, for each of the one or more snapshots, examining a snapshot manifest corresponding to the snapshot, wherein the snapshot manifest includes account information for one or more creators of data in the respective snapshot, and wherein the determination is based on whether the snapshot includes data created by at least one account that is not the client'"'"'s account; and
  
  return an indication of the determination or return a list that includes those snapshots for which the client export rights were determined.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein the snapshot manifest maps data blocks of the client volume to locations of data chunks stored in the snapshot and records account identifiers for creators of the data blocks.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein to determine, from a snapshot manifest for the snapshot, that the client does not have appropriate rights to export the snapshot, the snapshot export control process is further configured to:
    - compare account information for the client with the creator account information for the data blocks in the snapshot manifest; and
      
      determine, via said comparison, that the snapshot includes at least one data block created by a different account than the client'"'"'s account, wherein the client does not have rights to export data created by the different account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sundaram, Arun, Lin, Yun, Salyers, David Carl
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US15/056,648
Publication Number

US 20160179839A1
Time in Patent Office

743 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/128   Details of file system snap...

G06F 16/178   Techniques for file synchro...

G06F 16/27   Replication, distribution o...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 3/0604   Improving or facilitating a...

G06F 3/0622   in relation to access

G06F 3/0637   Permissions

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

H04L 67/1097   for distributed storage of ...

H04L 9/40   Network security protocols

Methods and apparatus for controlling snapshot exports

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for controlling snapshot exports

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links