Identity and access management-based access control in virtual networks

US 9,438,506 B2
Filed: 12/11/2013
Issued: 09/06/2016
Est. Priority Date: 12/11/2013
Status: Active Grant

First Claim

Patent Images

1. A provider network, comprising:

a network substrate;

one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and

a plurality of host devices, wherein each host device implements one or more resource instances;

wherein one or more of the host devices are each configured to;

obtain a network packet from a resource instance on the respective host device;

communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service;

if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; and

if the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied.

20 Citations

View as Search Results

20 Claims

1. A provider network, comprising:
- a network substrate;
  
  one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and
  
  a plurality of host devices, wherein each host device implements one or more resource instances;
  
  wherein one or more of the host devices are each configured to;
  
  obtain a network packet from a resource instance on the respective host device;
  
  communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service;
  
  if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; and
  
  if the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The provider network as recited in claim 1, wherein the target is another resource instance on the provider network or an endpoint on another network.
  - 3. The provider network as recited in claim 1, wherein the resource instance and the target are both resource instances in a private network implementation of a particular client on the provider network.
  - 4. The provider network as recited in claim 1, wherein, to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet, the access control service is further configured to determine and evaluate a policy associated with the target, wherein the resource instance is only allowed to open a connection to the target if both the policy associated with the resource instance and the policy associated with the target allow the connection.
  - 5. The provider network as recited in claim 1, wherein the resource instances are implemented as virtual machines (VMs) on the host devices, wherein each host device includes a virtual machine monitor (VMM) that monitors a plurality of virtual machines (VMs) on the respective host device, and wherein the VMMs on the host devices perform said obtaining, said accessing, and said sending.
  - 6. The provider network as recited in claim 1, wherein, to evaluate the policy associated with the resource instance, the access control service is configured to:
    - determine that the resource instance has assumed a role in a private network implementation of a particular client on the provider network;
      
      determine a policy associated with the role which the resource instance has assumed; and
      
      evaluate the policy associated with the role.
  - 7. The provider network as recited in claim 1, wherein, to send the one or more network packets from the resource instance to the target via an overlay network path over the network substrate, the host device is configured to:
    - encapsulate the one or more network packets according to an encapsulation protocol to generate one or more encapsulation packets; and
      
      send the encapsulation packets onto the network substrate to be routed to the target according to routing information in the encapsulation packets.
  - 8. The provider network as recited in claim 1, further comprising one or more network devices configured to:
    - communicate with an endpoint external to an overlay network implemented on the network substrate to establish an identity for the endpoint on the overlay network;
      
      access the access control service to determine that the endpoint is allowed to open a connection to a target resource instance via the overlay network according to an evaluation of a policy associated with the target resource instance; and
      
      in response to said determining, send one or more network packets from the endpoint to the target resource instance via an overlay network path over the network substrate.

9. A method, comprising:
- obtaining, by an encapsulation layer process implemented on a host device in a provider network, a network packet from one of one or more resource instances implemented on the host device, wherein the network packet is directed to a target endpoint;
  
  determining that the resource instance is identified as a principal according to an identity and access management environment on the provider network;
  
  determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a policy associated with the principal; and
  
  in response to said determining that the principal is allowed to open a connection to the target endpoint;
  
  encapsulating one or more network packets from the resource instance and directed to the target endpoint according to an encapsulation protocol to generate one or more encapsulation packets; and
  
  sending the one or more encapsulation packets onto a network substrate of the provider network to be routed to the target endpoint according to routing information in the encapsulation packets.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as recited in claim 9, wherein the target endpoint is another resource on the provider network or an endpoint on another network.
  - 11. The method as recited in claim 9, wherein the resource instance and the target endpoint are both resource instances in a private network implementation of a particular client on the provider network.
  - 12. The method as recited in claim 9, wherein said determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a permission statement of a policy associated with the principal comprises:
    - the encapsulation layer process sending a policy evaluation request to an access control service on the provider network;
      
      determining, by the access control service, the policy associated with the principal;
      
      evaluating, by the access control service, one or more permission statements in the policy associated with the principal to determine that the policy allows the principal to open connections to a resource associated with the target endpoint; and
      
      indicating to the encapsulation layer process that the principal is allowed to open connections to the target endpoint.
  - 13. The method as recited in claim 12, wherein the access control service further performs determining and evaluating a policy associated with the resource associated with the target endpoint, wherein the principal is only allowed to open a connection to the resource if both the policy associated with the principal and the policy associated with the resource allow the connection.
  - 14. The method as recited in claim 12, wherein each permission statement in the policy associated with the principal indicates one or more actions for which permission is to be allowed or denied, one or more resources to which the permission statement applies, and whether the indicated one or more actions are allowed or denied for the indicated one or more resources.
  - 15. The method as recited in claim 9, further comprising:
    - obtaining, by the encapsulation layer process, another network packet from a resource instance identified as the principal according to the identity and access management environment, wherein the other network packet is directed to another target endpoint;
      
      determining that the principal is not allowed to open a connection to the other target endpoint according to an evaluation of a policy associated with the principal; and
      
      in response to said determining, discarding the other network packet without sending the network packet to the other target endpoint.
  - 16. The method as recited in claim 9, wherein said determining that the principal is allowed to open a connection to the target endpoint according an evaluation of a policy associated with the principal comprises:
    - determining that the principal has assumed a role in a private network implementation of a particular client on the provider network, wherein the policy associated with the principal is a policy associated with the role that the principal has assumed; and
      
      evaluating the policy associated with the role to determine that the principal is allowed to open a connection to the target endpoint.

17. A non-transitory computer-accessible storage medium storing program instructions computer-executable to implement an encapsulation layer process on a device in a provider network, the encapsulation layer process configured to:
- obtain a network packet from a source endpoint, wherein the network packet is directed to a target endpoint;
  
  determine a resource identifier for the source endpoint and a resource identifier for the target endpoint;
  
  determine a policy associated with the resource identifier for the source endpoint and a policy associated with the resource identifier for the target endpoint;
  
  determine that the source endpoint is allowed to open a connection to the target endpoint according to an evaluation of one or both of the policy associated with the resource identifier for the source endpoint and the policy associated with the resource identifier for the target endpoint; and
  
  in response to said determining that the source endpoint is allowed to open a connection to the target endpoint;
  
  tag one or more network packets from the source endpoint and directed to the target endpoint with encapsulation metadata according to an encapsulation protocol to generate one or more encapsulation packets; and
  
  send the encapsulation packets onto a network substrate of the provider network to be routed to the target endpoint according to the encapsulation metadata in the encapsulation packets.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-accessible storage medium as recited in claim 17, wherein, to determine that the source endpoint is allowed to open a connection to the target endpoint according to an evaluation of one or both of the policy associated with the resource identifier for the source endpoint and the policy associated with the resource identifier for the target endpoint, the encapsulation layer process is configured to:
    - evaluate the policy associated with the resource identifier for the source endpoint to determine that the policy allows the source endpoint to open connections to the resource identifier associated with the target endpoint; and
      
      evaluate the policy associated with the resource identifier for the target endpoint to determine that the policy allows the target endpoint to accept connections from the resource identifier associated with the source endpoint.
  - 19. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the encapsulation layer process is further configured to include identity-related information for the source endpoint as metadata in at least one of the one or more encapsulation packets, wherein the identity-related information for the source endpoint is configured to be used at the target endpoint to make access decisions for the source endpoint according to policy at the target endpoint.
  - 20. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the source endpoint is external to the provider network, wherein the target endpoint is a resource instance on the provider network, and wherein, to determine a resource identifier for the source endpoint, the encapsulation layer process is configured to communicate with the source endpoint to establish a secure identity for the source endpoint on the provider network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Ryland, Mark
Primary Examiner(s)
Donaghue, Larry

Application Number

US14/103,628
Publication Number

US 20150163158A1
Time in Patent Office

1,000 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

H04L 12/4633   Interconnection of networks...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 45/00   Routing or path finding of ...

H04L 45/76   Routing in software-defined...

H04L 47/70   Admission control; Resource...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Identity and access management-based access control in virtual networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Identity and access management-based access control in virtual networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others