Title: Managing multiple security policy representations in a distributed environment
Abstract: Customers accessing resources or services in a distributed environment can obtain assurance that a provider of that environment will only allow requests to access those resources or services when those requests satisfy at least one security policy associated with the customer. A customer can provide a security policy update that might be written in a different representation (e.g., version) than is supported by all relevant policy evaluation engines across the distributed environment. A component or service such as an access management service can evaluate the representation of the policy, as well as the representations supported by the evaluation engines, and can determine if the features of the policy update are supported by the representations of the engines. If so, the policy update can be translated to express the policy document in the supported representation(s), such that the policy can be utilized without having to update the relevant engines.
Publication number: US9083749(B1) Publication date: 2015.07.14
Application number: US201213654111 Filing date: 2012.10.17
Applicant: Amazon Technologies, Inc. Inventors: Roth Gregory Branchek; O'Neill Kevin Ross; Pratt Brian Irl
Classification: G06F21/60; H04L29/06 Main classification: G06F21/60
Agent firm: Hogan Lovells US LLP Agent: Hogan Lovells US LLP
Independent claim: 1. A computer-implemented method of managing multiple representations of a security policy in a distributed environment, comprising: receiving a first security policy document associated with a customer of the distributed environment, the customer having access rights to one or more resources of the distributed environment, the first security policy including one or more access criteria for allowing a request to obtain access to the one or more resources; determining a first representation of a policy language associated with the first security policy document and a second representation of the policy language supported by at least one policy evaluation engine of the distributed environment, the at least one policy evaluation engine configured to manage access to at least a portion of the one or more resources; generating a second security policy document by translating content of the first security policy document to be expressed in the second representation of the policy language; providing a copy of at least one of the first security policy document or the second policy document to each of the at least one policy evaluation engine; receiving the request for access to at least a portion of the one or more resources, information for the request being directed to a respective evaluation engine for the portion of the one or more resources; determining an appropriate security policy document for the request; and determining whether to grant access to the portion of the one or more resources, for the request, by evaluating the information for the request using the appropriate security policy document.
Address: Reno NV US