Title of invention: Provider-arbitrated mandatory access control policies in cloud computing environments
Abstract: Methods and apparatus for provider-arbitrated mandatory access control policies in cloud computing environments are disclosed. A system includes an access manager, and a plurality of resources configurable to provide a plurality of distributed, web-accessible services. Each service has a respective service manager. The access manager determines whether a mandatory access control policy document specified by a service manager of a particular service applies to an administration request, wherein the policy indicates that a permission setting for a resource being used to implement at least a portion of the particular service cannot be modified by a client with administrative rights on the resource. In response to determining that the policy document applies, and that an evaluation of the policy document indicates that an administrative operation specified in the administration request is prohibited by the policy, the access manager rejects the administration request.
Publication No.: US8813225(B1) Publication date: 2014.08.19
Application No.: US201213525010 Filing date: 2012.06.15
Applicant: Amazon Technologies, Inc. Inventors: Fuller Erik J.;Brandwine Eric J.;Lefelhocz Christopher J.;Ganguly Arijit;Schultze Eric W.
Classification No.: H04L29/06 Main classification No.: H04L29/06
Agency: Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C. Agent: Kowert Robert C.;Meyertons, Hood, Kivlin, Kowert & Goetzel, P.C.
Principal claim: 1. A system, comprising a plurality of computing devices configured to implement: a plurality of resources of a provider network configurable to provide a plurality of distributed, web-accessible services to clients of the provider network, wherein each service of the plurality of services has a respective service manager configured to coordinate provision of the service; and an access manager; wherein the access manager is operable to: determine whether a mandatory access control policy document specified by a service manager of a particular service of the plurality of services applies to an administration request, wherein the policy document indicates that a permission setting associated with a particular type of administrative operation on a particular resource of the plurality of resources being used to implement at least a portion of the particular service cannot be modified by a client to whom a set of owner administrative rights to the particular resource have been granted, wherein the particular resource is allocated to the client (a) without an acquisition request for the particular resource from the client and (b) as a result of an acquisition request generated by the service manager on behalf of the client; and in response to determining that the policy document applies to the administration request, and that an evaluation of the policy document indicates that an administrative operation specified in the administration request is prohibited in accordance with the policy document, reject the administration request.
Address: Reno NV US