Access control policy evaluation and remediation

US 10,225,152 B1
Filed: 09/30/2013
Issued: 03/05/2019
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, when executed by one or more processors of a system, cause the system to:

receive, from a requestor, a request to provide remediation guidance for a policy, the request indicating an access request;

evaluate a set of statements of the policy based at least in part on the access request, the set of statements being at least in part responsible for causing the access request to be unfulfillable;

generate one or more remediation sets of statements, each of the remediation sets of statements being based at least in part on the set of statements of the policy, the one or more remediation sets of statements being usable to cause the access request to be authorized by modifying or broadening a statement of the set of statements that is at least in part responsible for causing the access request to be unfulfillable;

determine a value of a complexity metric associated with the one or more remediation sets of statements, the value of the complexity metric;

being based at least in part on a mapping between the policy and the one or more remediation sets of statements; and

comprising at least one of;

a difference in bits, Bytes or characters between the policy and the one or more remediation sets of statements, ora difference between a number of actions permitted by the one or more remediation sets of statements and a number of actions permitted by the policy; and

provide the one or more remediation sets of statements to the requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for the evaluation and remediation of an access control policy is disclosed. In the method and apparatus, an intermediary service may make access request, on behalf of a customer, to one or more computing resources and the access control policy is evaluation to determine whether the request is authorized. Further, remediation options for the access control policy are offered for the request to be authorized.

37 Citations

View as Search Results

12 Claims

1. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, when executed by one or more processors of a system, cause the system to:
- receive, from a requestor, a request to provide remediation guidance for a policy, the request indicating an access request;
  
  evaluate a set of statements of the policy based at least in part on the access request, the set of statements being at least in part responsible for causing the access request to be unfulfillable;
  
  generate one or more remediation sets of statements, each of the remediation sets of statements being based at least in part on the set of statements of the policy, the one or more remediation sets of statements being usable to cause the access request to be authorized by modifying or broadening a statement of the set of statements that is at least in part responsible for causing the access request to be unfulfillable;
  
  determine a value of a complexity metric associated with the one or more remediation sets of statements, the value of the complexity metric;
  
  being based at least in part on a mapping between the policy and the one or more remediation sets of statements; and
  
  comprising at least one of;
  
  a difference in bits, Bytes or characters between the policy and the one or more remediation sets of statements, ora difference between a number of actions permitted by the one or more remediation sets of statements and a number of actions permitted by the policy; and
  
  provide the one or more remediation sets of statements to the requestor.

2. A system, comprising:
- one or more processors; and
  
  memory including instructions that, when executed by the one or more processors, cause the system to implement at least;
  
  an intermediary service configured to make one or more access requests on behalf of a customer;
  
  an access control enforcement engine configured to receive the one or more access requests and determine whether the one or more access requests are permitted according to an access control policy; and
  
  a remediation service configured to offer one or more remediation options for modifying the access control policy, the one or more remediation options being usable to cause the one or more access requests to be permitted by adding a new policy statement to the access control policy or modifying an existing policy statement of the access control policy, to yield a changed access control policy that will allow the one or more access requests to be permitted.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The system of claim 2, wherein:
    - the one or more access requests include information identifying one or more actions associated with one or more computing resources of the customer; and
      
      the intermediary service is further configured to make the one or more access requests on a condition that a request for access is received from the customer.
  - 4. The system of claim 2, wherein the intermediary service is further configured to receive an indication of grant or denial of the one or more access requests, the indication being associated with a token, the token encoding information usable for obtaining detailed information regarding an evaluation of the access control policy.
  - 5. The system of claim 4, wherein the intermediary service is further configured to:
    - augment the token to produce an augmented token, the token being augmented to include context information associated with a request for access received from the customer; and
      
      send the augmented token to the customer.
  - 6. The system of claim 2, wherein:
    - the remediation service is further configured to provide the one or more remediation options to the customer or to the intermediary service; and
      
      on a condition that the one or more remediation options are provided to the intermediary service, the intermediary service is further configured to utilize a remediation option of the one or more remediation options for modifying the access control policy.
  - 7. The system of claim 2, wherein:
    - the remediation service is further configured to associate the one or more remediation options with a rating, the rating being according to customer preference of the one or more remediation options; and
      
      offering the one or more remediation options including presenting the one or more remediation options to the customer in accordance with the rating.
  - 8. The system of claim 2, the remediation service is further configured to provide the one or more remediation options to the customer using a user interface (UI) or a wizard.
  - 9. The system of claim 2, wherein at least one of the one or more access requests is an application programming interface (API) function call.

10. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to:
- provide a user interface that causes one or more policies to be displayed to a user, the one or more policies including a policy remediation option that is usable for causing an access request to be granted by adding a new policy statement to the one or more policies or modifying an existing policy statement of the one or more policies, to yield one or more changed policies that will allow the access request to be granted,detect user interaction with the user interface that indicates selection of the policy remediation option, andas a result of detecting the user interaction, cause the policy remediation option to be used for access control for one or more computing resources.
- View Dependent Claims (11, 12)
- - 11. The non-transitory computer-readable storage medium of claim 10, the instructions further cause the computer system to:
    - cause one or more statements of the policy remediation option to be emphasized, the one or more statements emphasized including at least one of a modified existing policy statement, the modified existing policy statement being modified for causing the access request to be granted, and an added statement, the added statement being included in the remediation option for causing the access request to be granted.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein the one or more policies are displayed to the user in accordance with user affinity for one or more remediation strategies utilized in generating the one or more policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Popick, Daniel Stephen, Lyon, Derek Avery, Morkel, John Michael, Baer, Graeme David, Ranabahu, Ajith Harshana, Sedky, Khaled Salah
Primary Examiner(s)
Shin, Kyung H

Application Number

US14/042,233
Time in Patent Office

1,982 Days
Field of Search

709225, 713172, 726 1, 726 3, 726 4, 707792
US Class Current
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/0896   Bandwidth or capacity manag...

H04L 41/18   Delegation of network manag...

H04L 41/22   comprising specially adapte...

H04L 41/50   Network service management,...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

Access control policy evaluation and remediation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Access control policy evaluation and remediation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links