| 发明名称 | Identity and access management-based access control in virtual networks | ||
| 摘要 | Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied. | ||
| 申请公布号 | US9438506(B2) | 申请公布日期 | 2016.09.06 |
| 申请号 | US201314103628 | 申请日期 | 2013.12.11 |
| 申请人 | Amazon Technologies, Inc. | 发明人 | Ryland Mark |
| 分类号 | H04L9/32;H04L12/56;H04L12/66;H04L12/701;H04L12/24;H04L12/911 | 主分类号 | H04L9/32 |
| 代理机构 | Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C. | 代理人 | Kowert Robert C.;Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C. |
| 主权项 | 1. A provider network, comprising: a network substrate; one or more computing devices implementing an access control service configured to manage and evaluate policies on the provider network; and a plurality of host devices, wherein each host device implements one or more resource instances; wherein one or more of the host devices are each configured to: obtain a network packet from a resource instance on the respective host device;communicate with the access control service to determine whether the resource instance is or is not allowed to open a connection to a target indicated by the network packet according to an evaluation of a policy associated with the resource instance performed by the service;if the resource instance is allowed to open a connection to a target indicated by the network packet according to the policy, send one or more network packets from the resource instance to the target via an overlay network path over the network substrate; andif the resource instance is not allowed to open a connection to a target indicated by the network packet according to the policy, discard the network packet without sending the network packet to the target. | ||
| 地址 | Reno NV US | ||