Managing security groups for data instances

US 9,705,888 B2
Filed: 03/31/2009
Issued: 07/11/2017
Est. Priority Date: 03/31/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of managing security permissions, comprising:

under control of one or more computer systems configured with executable instructions,provisioning a data instance in a data environment that includes a first distributed computing system configured to provide native access to data instances for a plurality of customers, wherein a separate control environment includes a second distributed computing system that is separate from and configured to manage the data environment, wherein the data environment that includes the first distributed computing system and the separate control environment that includes the second distributed computing system are both part of a service provider network;

generating a native security group for the data instance;

generating, by the separate control environment, at least one control security group for the data instance and associating the at least one control security group with the native security group for the data instance;

receiving, by the separate control environment, a request from a customer to update one or more permissions of the at least one control security group of the data instance;

subsequent to receipt of the request, updating at least one permission for the at least one control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group;

storing, in the separate control environment, the at least one permission for use in determining subsequent access to the data instance by at least one member of the at least one control security group; and

controlling access to the data instance via the data environment based at least in part upon the at least one permission stored in the separate control environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.

159 Citations

24 Claims

1. A computer-implemented method of managing security permissions, comprising:
- under control of one or more computer systems configured with executable instructions,provisioning a data instance in a data environment that includes a first distributed computing system configured to provide native access to data instances for a plurality of customers, wherein a separate control environment includes a second distributed computing system that is separate from and configured to manage the data environment, wherein the data environment that includes the first distributed computing system and the separate control environment that includes the second distributed computing system are both part of a service provider network;
  
  generating a native security group for the data instance;
  
  generating, by the separate control environment, at least one control security group for the data instance and associating the at least one control security group with the native security group for the data instance;
  
  receiving, by the separate control environment, a request from a customer to update one or more permissions of the at least one control security group of the data instance;
  
  subsequent to receipt of the request, updating at least one permission for the at least one control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group;
  
  storing, in the separate control environment, the at least one permission for use in determining subsequent access to the data instance by at least one member of the at least one control security group; and
  
  controlling access to the data instance via the data environment based at least in part upon the at least one permission stored in the separate control environment.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, wherein:
    - multiple control security groups are associated with the data instance for the customer, each of the multiple control security groups having at least one of a different set of permissions or a different set of members.
  - 3. The computer-implemented method of claim 1, wherein updating the at least one permission for the at least one control security group includes at least one of:
    - adding a new control security group, deleting the at least one control security group, adding at least one user, deleting at least one user, updating a password for the at least one control security group, or modifying an access level of the at least one control security group to the data instance in the data environment.

4. A computer-implemented method of managing a data instance, comprising:
- under control of one or more computer systems configured with executable instructions,provisioning the data instance in a data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
  
  receiving, by a separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
  
  updating the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
  
  controlling access to the data instance via the data environment based at least in part upon the updated control security group.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The computer-implemented method of claim 4, wherein:
    - the request is a Web services call received to an externally-facing application programming interface (API) of the separate control environment.
  - 6. The computer-implemented method of claim 4, wherein updating the control security group includes at least one of:
    - adding a new control security group, deleting the control security group, adding at least one user, deleting at least one user, updating a password for the control security group, or modifying an access level of the control security group to the data instance in the data environment.
  - 7. The computer-implemented method of claim 4, wherein the request is received to a Web services layer including components operable to perform at least one task corresponding to at least one of:
    - authenticating users based on credentials, authorizing the users, throttling user requests, marshalling requests and responses, or unmarshalling the requests and responses.
  - 8. The computer-implemented method of claim 4, further comprising:
    - in response to receiving the request, storing information for the request to a job queue.
  - 9. The computer-implemented method of claim 8, further comprising:
    - in response to detecting the information stored in the job queue, assembling and executing a workflow to manage updating the control security group.
  - 10. The computer-implemented method of claim 4, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.
  - 11. The computer-implemented method of claim 4, further comprising:
    - providing separate interfaces in the separate control environment enabling a user to submit requests to add, delete, and modify user information for the control security group.
  - 12. The computer-implemented method of claim 4, further comprising restricting processing of requests affecting the control security group to the control environment.

13. A system for controlling a data environment using a separate control environment, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  provision a data instance in the data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
  
  receive, by the separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system, that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
  
  update the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
  
  control access to the data instance via the data environment based at least in part upon the updated control security group.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the instructions, when executed to cause the system to update the control security group, cause the system to:
    - add a new control security group, delete the control security group, add at least one user, delete at least one user, update a password for the control security group, or modify an access level of the control security group to the data instance in the data environment.
  - 15. The system of claim 13, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - in response to receiving the request, store information for the request to a job queue.
  - 16. The system of claim 15, wherein the instructions that, when executed by the at least one processor, further cause the system to:
    - in response to detecting the information stored in the job queue, assemble and execute a workflow to manage updating the control security group.
  - 17. The system of claim 13, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.
  - 18. The system of claim 13, wherein:
    - multiple control security groups are associated with the data instance for the customer, each control security group having at least one of a different set of permissions or a different set of members.
  - 19. The system of claim 13, wherein:
    - requests affecting the control security group are restricted to being processed by the control environment.

20. A computer program product embedded in a non-transitory computer-readable medium and including instructions that, when executed by at least one computing device, cause the at least one computing device to:
- provision a data instance in a data environment, the data environment comprising a first distributed computing system for providing native access to data instances for a plurality of customers;
  
  receive, by a separate control environment, a request from a customer to update a control security group for the data instance, the separate control environment comprising a second distributed computing system, that is separate from the first distributed computing system of the data environment and that is configured to enable management of the data instances, wherein the data environment comprising the first distributed computing system and the separate control environment comprising the second distributed computing system are both part of a service provider network, the control security group being associated with a native security group for the data instance in the data environment;
  
  update the control security group while allowing the customer native access to the data instance in the data environment in accordance with a permission in the native security group; and
  
  control access to the data instance via the data environment based at least in part upon the updated control security group.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The computer program product of claim 20, wherein the instructions that, when executed by the at least one computing device to cause the at least one computing device to update the control security group, cause the at least one computing device to:
    - add a new control security group, delete the control security group, add at least one user, delete at least one user, update a password for the control security group, or modify an access level of the control security group to the data instance in the data environment.
  - 22. The computer program product of claim 20, wherein the instructions that, when executed by the at least one computing device, further cause the at least one computing device to:
    - in response to receiving the request, store information for the request to a job queue.
  - 23. The computer program product of claim 22, wherein the instructions that, when executed by the at least one computing device, further cause the at least one computing device to:
    - in response to detecting the information stored in the job queue, assemble and execute a workflow to manage updating the control security group.
  - 24. The computer program product of claim 20, wherein:
    - information for the updated control security group is communicated to a host manager for the data instance in the data environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McAlister, Grant A. M.
Primary Examiner(s)
Desrosiers, Evans

Application Number

US12/416,017
Publication Number

US 20100251339A1
Time in Patent Office

3,024 Days
Field of Search

726 6, 370351, 713187
US Class Current
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/104 Grouping of entities

Managing security groups for data instances

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

159 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Managing security groups for data instances

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links