Secure proxy

摘要

Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of security layers and a secure endpoint resolver, either of which may be provided and/or updated by a service provider. The security layers may be associated with policies that may be applicable to various network protocol layers (e.g., application layer). The security layers may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. The secure endpoint resolver may be used, for example, by an application in the trusted environment, to obtain current service-related information such as the list of IP addresses currently associated with a service or service endpoint. Such endpoint information may be used, in turn, to update security layer policies such as a white list.

主权项

1. A computer-implemented method for providing secure communication with computing resources, comprising:
receiving, by one or more computer systems configured with executable instructions, at a secure proxy of a trusted environment, a request from an application to access a computing resource service in an untrusted environment provided by a computing resource service provider, the secure proxy of the trusted environment including a secure endpoint resolver, the request specifying at least an endpoint associated with the computing resource service, the endpoint indicating a location of the computer resource service within a network of the untrusted environment; determining, by the secure endpoint resolver of the secure proxy, a set of network addresses currently associated with the endpoint based at least in part on a set of policies, the network addresses of the set being distinct from the endpoint; providing a network address from the set of network addresses to the application; allowing network traffic between the application and at least a subset of the set of network addresses currently associated with the endpoint at least by updating one or more of the set of policies, the subset including at least the network address provided to the application; establishing a secure connection between the application and the computing resource service located at the network address; and after establishing the secure connection, enforcing at least some of the set of policies on network traffic from the application to the computing resource service located at the network address.