Title of invention: Distributed policy enforcement with optimizing policy transformations
Abstract: User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.
Publication number: US9237155(B1) Publication date: 2016.01.12
Application number: US201012961104 Filing date: 2010.12.06
Applicant: Amazon Technologies, Inc. Inventors: Cavage Mark; Xiao Yunong; Behm Bradley Jeffery
Classification: H04L29/06 Main classification: H04L29/06
Agent firm: Davis Wright Tremaine LLP Agent: Davis Wright Tremaine LLP
Independent claim: 1. A computer-implemented method for distributed policy enforcement, comprising: under control of one or more computer systems configured with executable instructions, receiving, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider; incorporating the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form; generating an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form; identifying, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components; providing said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant; receiving a request to perform said at least one action at a user interface of the virtual resource provider; and enforcing the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.
Address: Seattle WA US