Virtual service provider zones
Abstract
A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
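The store and retrieve flow the abstract describes, as an added Go example that is not taken from the patent. AES-GCM, the in-memory map standing in for the remote storage service, and all type, field and credential names are assumptions; the patent names no cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Proxy is the first-zone service; type and field names are assumptions.
type Proxy struct {
	aead  cipher.AEAD       // keyed cipher, held only by the proxy
	creds map[string]bool   // credentials accepted in this zone only
	store map[string][]byte // stands in for the remote service: bytes, no key
}

func NewProxy(key []byte, creds map[string]bool) (*Proxy, error) {
	blk, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	return &Proxy{aead, creds, map[string][]byte{}}, err
}

func (p *Proxy) Put(cred, name string, data []byte) error {
	if !p.creds[cred] {
		return fmt.Errorf("credential not accepted in this zone")
	}
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.store[name] = p.aead.Seal(nonce, nonce, data, []byte(name)) // nonce||ciphertext, name bound as AAD
	return nil
}

func (p *Proxy) Get(cred, name string) ([]byte, error) {
	blob, n := p.store[name], p.aead.NonceSize()
	if !p.creds[cred] || len(blob) < n {
		return nil, fmt.Errorf("denied or not found: %q", name)
	}
	return p.aead.Open(nil, blob[:n], blob[n:], []byte(name)) // fails if altered or renamed at rest
}

func main() {
	p, _ := NewProxy(make([]byte, 32), map[string]bool{"zone-a-cred": true}) // constructed demo key
	_ = p.Put("zone-a-cred", "report", []byte("customer record"))
	fmt.Printf("remote store holds %x\n", p.store["report"])
}
```

Binding the object name as associated data means the storage side cannot swap one stored blob for another without the proxy noticing on read.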
311 Citations
20 Claims
1. A system, comprising:
- a first hardware-implemented data storage service, implemented with computing resources in a first set of facilities that is operated by a computing resource service provider; and
- a second data storage service, implemented with computing resources in a second set of facilities that is geographically distinct from the first set of facilities and operated by the computing resource service provider, where first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction, the first data storage service receiving web service requests and the first data storage service operating as a proxy to the second data storage service by at least;
  - receiving, at a first web service interface of the first data storage service, a request from a requestor to store data, the request originating from a network not operated by the computing resource service provider and identifying authentication credentials usable for fulfillment of the request by the first data storage service based at least in part on the first set of facilities being located in the first legal jurisdiction and the authentication credentials being unusable for fulfillment of requests to the second data storage service based at least in part on the second set of facilities being located in the second legal jurisdiction that is different from the first legal jurisdiction;
  - encrypting the data using a cryptographic key to generate encrypted data, the cryptographic key being accessible to the first data storage service while inaccessible to the second data storage service by preventing access to the key by an entity located in a particular facility of the second set of facilities; and
  - transmitting the encrypted data to the entity for persistent storage on behalf of the requestor.
Dependent claims: 2, 3, 4, 5
6. A computer-implemented method, comprising:
- implementing a first data storage service using computing resources in a first facility and operated by a computing resource service provider, where the first data storage service operates as a proxy to an entity in a different legal jurisdiction from the first facility by at least;
  - receiving, via a network not operated by the computing resource service provider, a request to store data, the request identifying authentication credentials usable for fulfillment of the request by the first data storage service based at least in part on a legal jurisdiction associated with the first facility and the authentication credentials unusable for fulfillment of requests to a second data storage service implemented with computing resources in a second facility that is geographically distinct from the first facility and operated by the computing resource service provider, where the first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and the second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction;
  - encrypting the data using a cryptographic key to obtain encrypted data, the cryptographic key being accessible to the first data storage service while inaccessible to the second data storage service by preventing access to the key by the entity for which the first data storage service is the proxy, the entity located in the second legal jurisdiction; and
  - transmitting the encrypted data to the entity for persistent storage on behalf of a requestor.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14
15. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
- execute a first data storage service with computing resources of a first facility that is in a first legal jurisdiction and operated by a computing resource service provider;
- operate the first data storage service as a proxy;
- receive, via a network not operated by the computing resource service provider, a request to store data, the request identifying authentication credentials usable for fulfillment of the request by the first data storage service and unusable for fulfillment of requests to a second data storage service implemented with computing resources in a second facility that is geographically distinct from the first facility and operated by the computing resource service provider, where the first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and the second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction; and
- fulfill the request by at least;
  - causing the first data storage service to obtain encrypted data, the encrypted data generated based at least in part on using a cryptographic key to encrypt the data, the cryptographic key being accessible to the first data storage service while being inaccessible to the second data storage service by preventing access to the key by an entity for which the first data storage service is the proxy, the entity located in the second legal jurisdiction; and
  - causing the first data storage service to transmit the encrypted data to the entity.
Dependent claims: 16, 17, 18, 19, 20
Specification