Title: Access controls on the use of freeform metadata
Abstract: Approaches are described for security and access control for computing resources. Various embodiments use metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.), to control access to those and/or other computing resources. Because the tags themselves are inputs to access decisions, the right to assign, modify, or delete a tag is itself governed by an access control list, so that a principal cannot relabel a resource to bring it within the scope of a policy. In various embodiments, the tags and access control policies described herein can be used in a multitenant shared resource environment.
Publication number: US9576141 (B2) Publication date: 2017.02.21
Application number: US201313747239 Filing date: 2013.01.22
Applicant: Amazon Technologies, Inc. Inventors: Brandwine Eric Jason; DeSantis Peter Nicholas; Thrane Léon
IPC classification: G06F17/30; G06F15/173; G06F21/62 Main classification: G06F17/30
Agent firm: Hogan Lovells US LLP Agent: Hogan Lovells US LLP
Independent claim: 1. A computer implemented method for controlling association of metadata with computing resources, the method comprising:
associating an access control list with the metadata, the access control list specifying principals that are allowed to assign, modify, or delete the metadata and for which computing resources the principals are allowed to assign, modify, or delete the metadata, wherein the metadata is usable to determine whether to grant or deny operations on corresponding computing resources;
receiving, from a first user, a first request to assign one of the metadata to at least one computing resource;
in response to receiving the first request, evaluating the access control list to determine whether the first user matches at least one of the principals specified in the access control list;
associating the one of the metadata with the at least one computing resource upon determining that the first user matches at least one of the principals specified in the access control list;
receiving a second request from a second user to perform an operation on the at least one computing resource, wherein the second user is associated with an access control policy, the access control policy specifying operations the second user is permitted to perform on the at least one computing resource based at least in part on the one of the metadata;
identifying a reference to the one of the metadata in the access control policy; and
resolving the second request based at least in part on the one of the metadata specifying an access condition for the access control policy.
Address: Reno, NV, US
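The two-stage check in claim 1 (an ACL on who may attach which tag to which resource, followed by a policy whose statements reference those tags) can be exercised end to end in a small simulation. The following is an added example written for this page; it is not code from the patent or from Amazon, and the principal names, resource ids, tag keys, glob-based matching and the allow/deny statement shape are all assumptions chosen for illustration. It also demonstrates the failure mode the tag ACL exists to prevent: a principal whose policy is scoped to resources tagged env=dev attempting to retag a production resource so that it falls within that scope.

```python
"""Tag ACL plus tag-conditioned policy evaluation (illustrative, not the patent's code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Resource:
    rid: str
    tags: dict = field(default_factory=dict)


@dataclass
class TagAcl:
    """Access control list on the metadata itself: for each tag key, which
    principals may assign/modify/delete it, and on which resources (glob)."""
    rules: dict  # tag key -> list of (principal, resource glob); assumed shape

    def allows(self, principal: str, key: str, rid: str) -> bool:
        return any(p == principal and fnmatch(rid, pat)
                   for p, pat in self.rules.get(key, []))


class TagStore:
    def __init__(self, acl: TagAcl):
        self.acl = acl
        self.resources = {}

    def add_resource(self, rid: str, **tags) -> Resource:
        self.resources[rid] = Resource(rid, dict(tags))
        return self.resources[rid]

    def assign_tag(self, principal: str, rid: str, key: str, value: str) -> bool:
        """First request of the claim: evaluate the tag ACL, attach only on a match."""
        if not self.acl.allows(principal, key, rid):
            return False
        self.resources[rid].tags[key] = value
        return True

    def delete_tag(self, principal: str, rid: str, key: str) -> bool:
        if not self.acl.allows(principal, key, rid):
            return False
        self.resources[rid].tags.pop(key, None)
        return True


@dataclass
class Statement:
    effect: str                  # "allow" or "deny"
    actions: list                # action globs, e.g. "vm:Stop"
    resource: str                # glob over resource ids
    tag_conditions: dict = field(default_factory=dict)  # tag key -> required value


def evaluate(policy: list, action: str, resource: Resource) -> bool:
    """Second request of the claim: resolve an operation against a policy whose
    statements reference tags. Default deny; an explicit deny overrides allow."""
    allowed = False
    for st in policy:
        if not any(fnmatch(action, a) for a in st.actions):
            continue
        if not fnmatch(resource.rid, st.resource):
            continue
        # A statement referencing a tag applies only when the resource carries
        # that tag with the required value (the "access condition").
        if any(resource.tags.get(k) != v for k, v in st.tag_conditions.items()):
            continue
        if st.effect == "deny":
            return False
        allowed = True
    return allowed


def run_scenario() -> dict:
    # Constructed data: two principals, two VMs, one tag ACL, one policy.
    acl = TagAcl({
        "env":   [("ops-admin", "vm-*")],       # only ops may set env, on any VM
        "owner": [("developer", "vm-dev-*")],   # developer may set owner on dev VMs only
    })
    store = TagStore(acl)
    store.add_resource("vm-dev-1")
    store.add_resource("vm-prod-1", env="prod")

    developer_policy = [
        Statement("allow", ["vm:Stop", "vm:Start"], "vm-*", {"env": "dev"}),
        Statement("deny", ["vm:*"], "vm-*", {"env": "prod"}),
    ]

    out = {}
    out["ops_tags_dev"] = store.assign_tag("ops-admin", "vm-dev-1", "env", "dev")
    out["dev_stop_dev"] = evaluate(developer_policy, "vm:Stop", store.resources["vm-dev-1"])
    out["dev_stop_prod"] = evaluate(developer_policy, "vm:Stop", store.resources["vm-prod-1"])
    # Escalation attempt: relabel the prod VM as "dev" to bring it into policy scope.
    out["dev_retags_prod"] = store.assign_tag("developer", "vm-prod-1", "env", "dev")
    out["dev_stop_prod_after"] = evaluate(developer_policy, "vm:Stop", store.resources["vm-prod-1"])
    out["dev_owner_dev"] = store.assign_tag("developer", "vm-dev-1", "owner", "alice")
    out["dev_owner_prod"] = store.assign_tag("developer", "vm-prod-1", "owner", "alice")
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point to take from the scenario is that the tag ACL and the resource policy are evaluated independently: the developer's policy never mentions tagging, and the tag ACL never mentions vm:Stop, yet the combination is what stops the retag-then-operate escalation. In a real deployment the ACL entries would be keyed by principal identity from the authentication layer rather than by bare strings, and the tag value (not only the key) is often part of the ACL decision as well.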