Title of invention: Access control using impersonization
Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.
Publication number: US9420007(B1) Publication date: 2016.08.16
Application number: US201314096783 Filing date: 2013.12.04
Applicant: Amazon Technologies, Inc. Inventors: Roth Gregory Branchek;Wren Matthew James;Pratt Brian Irl
Classification: G06F21/00;H04L29/06;H04L9/32;G06F21/60 Main classification: G06F21/00
Agency: Davis Wright Tremaine LLP Agent: Davis Wright Tremaine LLP
Main claim: 1. A system of a virtual computing resource service provider, comprising a plurality of computing devices collectively configured to implement an authentication system, a policy evaluation system and a first and second and third computing resource service, wherein: the authentication system processes an authentication request by verifying an electronic signature of a first request and provides an authentication response having information identifying a set of computing resource services being a cause of the authentication request; the first computing resource service receives the first request and, as a result, submits the authentication request to the authentication system, receives the authentication response and, as part of fulfilling the first request, uses the authentication response to submit a second request to the second computing resource service; the first request triggered by a single customer request and the second request being triggered by the first request; the policy evaluation system evaluates, based at least in part on a user profile associated with the single customer request and the information identifying the set of computing resource services that caused the authentication request including the first computing resource service, a set of policies applicable to the second request to determine a policy determination; the second computing resource service receives the second request from the first computing resource service and processes the second request in accordance with the policy determination; the third computing resource service receives a third request from the second computing resource service, the third request triggered by the second request, the first request, and the single customer request; and the third computing resource service processes the third request in accordance with a policy based at least in part on the user profile associated with the single customer request and information identifying a set of computing resource services that triggered the third request, including the first and second computing resource service.
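As an added illustration (not code from the patent or from Amazon), the following Python models the policy evaluation the claim describes: each forwarded request carries the list of services that caused it, and the customer's policy statements may condition on that chain, so a request that reaches the third service only via an unexpected path is denied even though the same action via the expected path is allowed. Service names, action names and the policy itself are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    customer: str    # user profile the request is made on behalf of
    action: str      # operation requested of the receiving service
    caused_by: list  # services that caused this request, earliest first

@dataclass
class Statement:
    effect: str      # "allow" or "deny"
    actions: set
    # conditions on the services that played a role in submitting the request
    required_via: set = field(default_factory=set)  # all must be in the chain
    direct_only: bool = False  # only the customer's own, unforwarded requests

    def matches(self, req):
        chain = set(req.caused_by)
        if req.action not in self.actions or (self.direct_only and chain):
            return False
        return self.required_via <= chain

def evaluate(policies, req):
    """Deny-overrides: an explicit deny wins, then an explicit allow, else deny."""
    matched = [s.effect for s in policies.get(req.customer, []) if s.matches(req)]
    return "deny" if "deny" in matched or not matched else "allow"

def forward(service, req, action):
    """A service submits a follow-on request on the customer's behalf, extending the chain."""
    return Request(req.customer, action, req.caused_by + [service])

# Constructed policy for customer "alice"; service and action names are hypothetical.
POLICIES = {"alice": [
    Statement("allow", {"compute:Run"}, direct_only=True),
    Statement("allow", {"storage:PutObject"}, required_via={"compute"}),
    Statement("allow", {"kms:Decrypt"}, required_via={"storage"}),
    Statement("deny", {"kms:Decrypt"}, required_via={"analytics"}),
]}

def chain_decisions():
    """Walk the three-hop chain from the claim plus two off-path requests; return decisions."""
    first = Request("alice", "compute:Run", [])                 # customer -> first service
    second = forward("compute", first, "storage:PutObject")     # first -> second service
    third = forward("storage", second, "kms:Decrypt")           # second -> third service
    direct = Request("alice", "storage:PutObject", [])          # customer bypasses compute
    query = Request("alice", "analytics:Query", [])             # a different entry point
    other = forward("storage", forward("analytics", query, "storage:PutObject"), "kms:Decrypt")
    return {"first": evaluate(POLICIES, first), "second": evaluate(POLICIES, second),
            "third": evaluate(POLICIES, third), "direct": evaluate(POLICIES, direct),
            "via_analytics": evaluate(POLICIES, other)}
```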
Address: Seattle WA US