Application instances authenticated by secure measurements
First Claim
1. A computer-implemented method, comprising:
receiving, at an application programming interface of a computing resource service provider, a request from a customer of the computing resource service provider to associate a measurement of executable instructions of an application operating within an enclave with an application identity of the application, wherein the application identity specifies a version for the application;
registering the measurement in association with the application identity in a data store of a policy enforcement service;
receiving, at a service of the computing resource service provider, a request from a version of an installed application to access a resource in an environment of the computing resource service provider, the request specifying the application identity and a credential;
authenticating the version of the installed application by determining that the received application identity matches a registered application identity and verifying that the credential is a measurement of executable instructions of the installed application that matches the measurement of executable instructions of the application; and
allowing the version of the installed application to access the resource.
Abstract
A computer-implemented system and method for receiving a request to associate one or more application instance definitions with an application identity of an application configured with a set of permissions to access computer resources in an environment of a computing resource service provider. The system and method cause a computer system to store the one or more application instance definitions in association with the application identity of the application. The system and method also cause the computer system to evaluate a request originating from an application corresponding to the application identity and the application instance definition to determine if fulfillment of the request complies with the permissions.
134 Citations
19 Claims
1. A computer-implemented method, comprising:
receiving, at an application programming interface of a computing resource service provider, a request from a customer of the computing resource service provider to associate a measurement of executable instructions of an application operating within an enclave with an application identity of the application, wherein the application identity specifies a version for the application;
registering the measurement in association with the application identity in a data store of a policy enforcement service;
receiving, at a service of the computing resource service provider, a request from a version of an installed application to access a resource in an environment of the computing resource service provider, the request specifying the application identity and a credential;
authenticating the version of the installed application by determining that the received application identity matches a registered application identity and verifying that the credential is a measurement of executable instructions of the installed application that matches the measurement of executable instructions of the application; and
allowing the version of the installed application to access the resource.
Dependent claims: 2, 3, 4, 5

6. A system, comprising:
memory to store instructions that, if executed by one or more processors, cause the system to at least:
receive a request to associate an application instance definition with an application identity specifying a version of an application, wherein the application instance definition is a measurement produced by measuring at least a portion of an instance of the application executing within an enclave;
store the application instance definition in association with the application identity;
receive a request from a version of an installed client application to access a resource, the request specifying the application identity and a credential;
determine that the credential is another application instance definition that matches the application instance definition and that the received application identity matches the application identity associated with the application instance definition; and
allow the version of the client application to access the resource.
Dependent claims: 7, 8, 9, 10, 11, 12

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
receive a request from a version of an installed client application to access a resource of a provider, wherein the request includes a measurement of an application instance measured executing within an enclave;
obtain, from a data store that associates measurements of application instances with application identities, an application identity and a credential for the version of the client application associated with the measurement;
determine, based at least in part on the application identity and the credential, a respective set of permissions associated with the application identity;
determine that the respective set of permissions are sufficient to allow the version of the application to access the resource; and
fulfill the request by allowing the version of the client application to access the resource.
Dependent claims: 14, 15, 16, 17, 18, 19
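The three independent claims describe one flow: a customer registers the measurement of an enclave's executable instructions against an application identity that names a version; a later request presents that identity plus the measurement as its credential; the service authenticates by matching both against the store and then checks the identity's permissions. The following Python is an added illustration of that policy-enforcement flow, not code from the patent or its assignee. Everything in it is an assumption for illustration: the `AppIdentity` and `PolicyStore` shapes, the use of a plain SHA-256 of the code bytes in place of a real enclave measurement, the constant-time comparison, the refusal to re-register an identity (so a new build must get a new version), and the constructed enclave images and permission sets. One caveat the claims leave to the implementer: a measurement that the client simply sends as a string can be replayed by any process that knows the registered hash, so in a deployed system the measurement should arrive inside a hardware-signed attestation that the service verifies before treating it as a credential.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppIdentity:
    """Application identity as used in the claims: a name plus the version
    the identity is bound to (hypothetical shape, not the patent's)."""
    name: str
    version: str


@dataclass
class PolicyStore:
    """Data store of the policy enforcement service (hypothetical layout)."""
    measurements: dict = field(default_factory=dict)   # AppIdentity -> hex measurement
    permissions: dict = field(default_factory=dict)    # AppIdentity -> {(action, resource)}


def measure(executable: bytes) -> str:
    """Measurement of executable instructions. Assumption: a plain SHA-256 of
    the code bytes stands in for the enclave loader's measurement."""
    return hashlib.sha256(executable).hexdigest()


def register_measurement(store: PolicyStore, identity: AppIdentity,
                         measurement: str, permissions) -> None:
    """Customer-facing registration API (claim 1). An identity names exactly
    one version, so re-registering it is refused: a new build gets a new
    AppIdentity rather than silently replacing the old measurement."""
    if identity in store.measurements:
        raise ValueError(f"{identity} is already registered")
    store.measurements[identity] = measurement
    store.permissions[identity] = set(permissions)


def authenticate(store: PolicyStore, identity: AppIdentity, credential: str) -> bool:
    """Claims 1 and 6: the presented identity must be registered and the
    credential must equal the registered measurement. compare_digest keeps
    the comparison constant-time so a near-miss hash leaks nothing."""
    registered = store.measurements.get(identity)
    if registered is None:
        return False
    return hmac.compare_digest(registered, credential)


def authorize(store: PolicyStore, identity: AppIdentity, credential: str,
              action: str, resource: str):
    """Evaluate an access request: authenticate first, then check the
    identity's permission set. Returns (allowed, reason)."""
    if not authenticate(store, identity, credential):
        return False, "authentication failed"
    if (action, resource) not in store.permissions[identity]:
        return False, "insufficient permissions"
    return True, "allowed"


def identity_for_measurement(store: PolicyStore, measurement: str):
    """Claim 13 variant: the request carries only the measurement; recover
    the registered identity it belongs to, or None if it is unknown."""
    for identity, registered in store.measurements.items():
        if hmac.compare_digest(registered, measurement):
            return identity
    return None


# Constructed sample enclave images; real ones would be the executable pages
# the enclave loader measures.
ENCLAVE_V1 = b"payments-enclave build 1.0 (constructed sample bytes)"
ENCLAVE_V2 = b"payments-enclave build 1.1 (constructed sample bytes)"
V1 = AppIdentity("payments", "1.0")
V2 = AppIdentity("payments", "1.1")


def build_sample_store() -> PolicyStore:
    """Register two versions of the same application with different permissions."""
    store = PolicyStore()
    register_measurement(store, V1, measure(ENCLAVE_V1), {("read", "ledger")})
    register_measurement(store, V2, measure(ENCLAVE_V2),
                         {("read", "ledger"), ("write", "ledger")})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(authorize(s, V1, measure(ENCLAVE_V1), "read", "ledger"))   # matching build and version
    print(authorize(s, V1, measure(ENCLAVE_V2), "read", "ledger"))   # wrong build for this version
    print(authorize(s, V1, measure(ENCLAVE_V1), "write", "ledger"))  # version 1.0 is read-only
    print(identity_for_measurement(s, measure(ENCLAVE_V2)))
```

Binding the measurement to a versioned identity is what makes the scheme useful for rollout control: version 1.1 above can be granted write access while 1.0 stays read-only, and a request that presents the 1.1 binary under the 1.0 identity fails authentication rather than inheriting either permission set.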
Specification