Securing services and intra-service communications

US 9,985,974 B2
Filed: 03/09/2017
Issued: 05/29/2018
Est. Priority Date: 06/16/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a security service, from a service provider that is separate from the security service, a registration for a service provided by the service provider, the registration identifying one or more application programming interfaces (APIs) related to the service;

receiving, by the security service, from a first service consumer and a second service consumer, a respective request to access the service, the respective requests including an identification of the one or more APIs related to the service to be accessed by the first service consumer and by the second service consumer, the one or more APIs providing a quantity of information in response to access requests from service consumers; and

defining an access policy limiting the first service consumer and the second service consumer access to the one or more APIs related to the service, and the access policy defining a subset of the quantity of information available to the first service consumer and to the second service consumer from the service provider via the one or more APIs, with the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first and second service consumer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.

Citations

20 Claims

1. A method comprising:
- receiving, by a security service, from a service provider that is separate from the security service, a registration for a service provided by the service provider, the registration identifying one or more application programming interfaces (APIs) related to the service;
  
  receiving, by the security service, from a first service consumer and a second service consumer, a respective request to access the service, the respective requests including an identification of the one or more APIs related to the service to be accessed by the first service consumer and by the second service consumer, the one or more APIs providing a quantity of information in response to access requests from service consumers; and
  
  defining an access policy limiting the first service consumer and the second service consumer access to the one or more APIs related to the service, and the access policy defining a subset of the quantity of information available to the first service consumer and to the second service consumer from the service provider via the one or more APIs, with the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first and second service consumer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - in response to receiving the requests to access the service, sending, by the security service to the service provider, a request to approve the access to the service by the first service consumer and by the second service consumer.
  - 3. The method of claim 2, further comprising:
    - receiving, by the security service, approval from the service provider allowing the access to the service by the service consumer.
  - 4. The method of claim 1, further comprising issuing a respective secret key to the first service consumer and to the second service consumer for use by the first service consumer and by the second service consumer to provide authentication information when accessing the service.
  - 5. The method of claim 1, wherein the access policy is defined, based at least in part on, the registration and the requests.

6. A system comprising:
- at least one computing device that implements one or more services, wherein the one or more services;
  
  receive a registration identifying one or more application programming interfaces (APIs) related to a service provided by a service provider;
  
  receive a first request associated with a first service consumer, the first request including an identification of the one or more APIs related to the service to be accessed by the first service consumer, the one or more APIs providing a quantity of information in response to access requests from service consumers; and
  
  define an access policy that;
  
  limits the first service consumer access to the one or more APIs related to the service, anddefines a first subset of the quantity of information available to the first service consumer from the service provider via the one or more APIs, with the first subset being different than a second subset of the quantity of information available to a second service consumer via the one or more APIs related to the service, the quantity of information associated with a third party separate from the first and second service consumer.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein the one or more services further configured to:
    - define an access and policy for the first service consumer with respect to the service based, at least in part, on a minimum frequency at which the first service consumer will access the service; and
      
      provide at least a portion of the access policy to the first service consumer to enable the first service consumer to comply with the minimum frequency at which the first service consumer will access the service.
  - 8. The system of claim 6, wherein the first requests associated with the first service consumer further includes an election by the first service consumer to opt out of receiving data labeled as secure data.
  - 9. The system of claim 6, wherein the one or more services further revoke authorization to access to the service based on an expiration event and to require the first service consumer to submit a second request for authorization to access to the service after the expiration event.
  - 10. The system of claim 6, wherein the one or more services:
    - generate log information related to the first service consumer accessing the one or more APIs related to the service;
      
      generate an alert based at least in part on the log information; and
      
      provide, in response to the alert, a user interface including a control selectable to restrict access of the first service consumer to the one or more APIs.
  - 11. The system of claim 10, wherein generating the response to the alert is based at least in part on determining that the first service consumer has exceeded an allowed rate for access requests based at least in part on analysis of the log information.
  - 12. The system of claim 6, wherein the one or more services:
    - receive a first API call from the first service consumer, the first API call signed using a first secret key assigned to the first service consumer;
      
      receive a second API call from the second service consumer, the second API call signed using a second secret key assigned to the second service consumer; and
      
      authenticate the first and second API calls respectively using the first and second secret keys corresponding to the first and second service consumer, wherein the system has access to a plurality of different secret keys, each corresponding to one of a plurality of different service consumers authorized to access the API, including the first and second service consumer.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- receive, at a security service, a registration identifying one or more application programming interfaces (APIs) related to a service provided by a service provider, the one or more APIs providing a quantity of information in response to access requests from service consumers;
  
  receive a first request from a first service consumer indicating the one or more APIs related to the service to be accessed by the first service consumer; and
  
  define an access policy based at least in part on the first request that;
  
  limits the first service consumer access to the one or more APIs related to the service; and
  
  defines a first subset of the quantity of information available to the first service consumer from the service provider via the one or more APIs, with the first subset being different than a second subset of the quantity of information available to a second service consumer via the one or more APIs related to the service, the quantity of information associated with a third party separate from the first and second service consumer.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - receive an indication that the first service consumer is exceeding a specified access rate established for the first service consumer with respect to the service;
      
      receive an activation of a blocking control activated to block the first service consumer; and
      
      block access requests received from the first service consumer with respect to the service in response to activation of the blocking control.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein blocking access requests received from the first service consumer with respect to the service comprises blocking API calls from the first service consumer to a first API of the one or more APIs related to the service.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein blocking access requests received from the first service consumer with respect to the service comprises blocking access requests of the first service consumer to the service, while allowing access requests of the first service consumer to another service provided by the service provider.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to:
    - receive an indication that the first service consumer will perform throttling of access requests to maintain a rate of access requests within the specified access rate established for the first service consumer; and
      
      cease to block access requests of the first service consumer in response to the indication that the first service consumer will perform throttling.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - generate log information related to first service consumer and second service consumer accessing the service; and
      
      generate a first alert based at least in part on determining from the log information that the first service consumer is exceeding a first service access rate established for the first service consumer that is different than a second service access rate established for the second service consumer.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - send, in response to receiving the first request to access the service, a second request to the service provider to approve the access to the service by the first service consumer; and
      
      receive approval from the service provider allowing the access to the service by the first service consumer.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - issue a first secret key to the first service consumer for use by the first service consumer to provide authentication information when accessing the service; and
      
      issue a second secret key to the second service consumer for use by the second service consumer to provide authentication information when accessing the service, the second secret key being different than the first secret key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Kozolchyk, Jonathan, McAdams, Darin Keith, Fielding, Jeffrey J., Mallya, Vaibhav, Canavor, Darren E.
Primary Examiner(s)
Tran, Tri

Application Number

US15/454,986
Publication Number

US 20170180389A1
Time in Patent Office

446 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Securing services and intra-service communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing services and intra-service communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links