Administration of a context-based cloud security assurance system
US-2016156664-A1 · Jun 2, 2016 · US
US11017107B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11017107-B2 |
| Application number | US-201815913741-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 6, 2018 |
| Priority date | Mar 6, 2018 |
| Publication date | May 25, 2021 |
| Grant date | May 25, 2021 |
Abstract
A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be sent to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.
Claims (preview)
What is claimed is:
1. A system, comprising one or more processors and memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to: receive a request to deploy a virtual computing resource instance; identify a first virtual resource definition used to launch the virtual computing resource instance with a first configuration based at least in part on the request; obtain a first security check comprising one or more security requirements of the first configuration; and responsive to a determination that the first configuration satisfies the one or more security requirements: configure the virtual computing resource instance to have the first configuration; and deploy the virtual computing resource instance into a virtual computing environment; and subsequent to deploying the virtual computing resource instance: obtain monitoring data describing network activity associated with the virtual computing resource instance; and determine whether the monitoring data indicates that a deployed configuration of the virtual computing resource instance satisfies the one or more security requirements.
2. The system of claim 1, wherein executing the instructions further causes the system to: identify a first template specifying the first virtual resource definition and the first security check; obtain, from the first template, a first set of configuration parameters and information identifying the first security check; and generate the first configuration from the first set of configuration parameters.
3. The system of claim 2, wherein the first template further specifies a first security policy definition that defines a first security policy for controlling access to the virtual computing resource instance, and executing the instructions further causes the system to: obtain, using the first template, the first security policy; and determine whether the first security policy satisfies the one or more security requirements.
4. The system of claim 1, wherein the one or more security requirements correspond to access permissions of the virtual computing resource instance, and executing the instructions further causes the system to: simulate network activity within the virtual computing environment; collect information describing an expected response of the virtual computing resource instance to the network activity, based at least in part on the first configuration; and determine whether the information indicates that the first configuration satisfies the one or more security requirements.
5. The system of claim 1, wherein the instructions, when executed, cause the system to: obtain one or more data files comprising the first configuration; and perform a static analysis of the one or more data files to determine whether the first configuration satisfies the one or more security requirements.
6. The system of claim 1, wherein to obtain the first security check, executing the instructions causes the system to: receive, from a client computing device communicatively connected to the one or more processors, a request to configure pre-deployment security analysis of the virtual computing resource instance; allow the client computing device to access an application programming interface (API) for configuring the pre-deployment security analysis; and receive, from the client computing device via the API, an indication to perform the first security check.
7. The system of claim 6, wherein executing the instructions further causes the system to deliver to the client computing device via the API a user interface enabling a client using the client computing device to select the first security check from a set of security checks each associated with a corresponding resource type of a plurality of resource types.
8. A system, comprising one or more processors and memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to, before causing a virtual computing resource instance to be deployed into a virtual computing environment to: identify a first virtual resource definition used to launch the virtual computing resource instance with a first configuration; obtain a first security check comprising one or more security requirements of the first configuration; determine that the first configuration satisfies the one or more security requirements; identify a first template used to launch: a first virtual computing resource instance as the virtual computing resource instance with the first configuration; and a second virtual computing resource instance with a second configuration and an operational connection to the first virtual computing resource instance, the first template specifying the first virtual resource definition; and responsive to a determination that the first configuration does not satisfy the one or more security requirements, deny deployment of both the first virtual computing resource instance and the second virtual computing resource instance.
9. The system of claim 8, wherein executing the instructions further causes the system to: obtain a second security check comprising one or more access permissions of the second configuration; determine whether the second configuration applies the one or more access permissions to the second virtual computing resource instance; responsive to a determination that the second configuration does not apply the one or more access permissions, deny deployment of both the first virtual computing resource instance and the second virtual computing resource instance; and responsive to a determination that the first configuration satisfies the one or more security requirements and the second configuration applies the one or more access permissions to the second virtual computing resource instance, cause the first virtual computing resource instance to be deployed with the first configuration into the virtual computing environment and the second virtual computing resource instance to be deployed with the second configuration into the virtual computing environment.
10. The system of claim 8, wherein: to determine whether the first configuration satisfies the one or more security requirements, executing the instructions causes the system to obtain evaluation data and compare the evaluation data to one or more stored thresholds; the first virtual resource definition includes configuration parameters for creating the first configuration for the first virtual computing resource instance; the first template further specifies a validator resource definition that includes the first security check; and executing the instructions further causes the system to: receive a request to transform the first template to produce a second template that is optimized for pre-deployment security analysis of virtual computing resources launched using the second template; modify the validator resource definition to produce an optimized validator resource definition that includes the evaluation data or a reference to the evaluation data; modify the first virtual resource definition to produce an optimized virtual resource definition that includes a dependency parameter; and create the second template including the optimized validator resource definition and the optimized virtual resource definition.
11. The system of claim 10, wherein executing the instructions further causes the system to, subsequent to creating the second template: receive a request to deploy virtual computing resources into the virtual computing environment; determine, based on the request to deploy virtual computing resources, that the second template is to
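The pre-deployment gate that the abstract and claims 1, 8 and 10 describe, as an added example written for this page and not the patent's or its assignee's code. A template carries "Validator" resources that name their checks, embed the evaluation data (thresholds) the checks compare against, and list the resources they target, which is the "optimized template" shape of claim 10; the template layout, resource types, property names and check names are all assumptions constructed for illustration. A single failing configuration denies the whole template, as claim 8 requires for operationally connected instances, and the notification names each faulty configuration.

```python
"""Pre-deployment security gate for a virtual resource template (added example).

Template layout, resource types, property names and check names are
constructed for illustration; they are not the patent's own format.
"""
import copy
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str


def check_no_public_admin_ports(props, evaluation):
    """Flag ingress rules that open administrative ports to any source address."""
    admin_ports = set(evaluation.get("admin_ports", [22, 3389]))
    problems = []
    for rule in props.get("Ingress", []):
        net = ipaddress.ip_network(rule["Cidr"], strict=False)
        exposed = sorted(set(range(rule["FromPort"], rule["ToPort"] + 1)) & admin_ports)
        if net.prefixlen == 0 and exposed:
            problems.append(f"{rule['Cidr']} reaches admin ports {exposed}")
    return problems


def check_storage_private_and_encrypted(props, evaluation):
    """Data stores must not be publicly readable and must encrypt at rest."""
    problems = []
    if props.get("PublicAccess", False):
        problems.append("PublicAccess is enabled")
    if not props.get("Encrypted", False):
        problems.append("Encrypted is false")
    return problems


def check_volume_threshold(props, evaluation):
    """Compare a configuration value against a threshold stored in the validator."""
    limit = evaluation.get("max_volume_gb", 500)
    size = props.get("VolumeGb", 0)
    return [f"VolumeGb {size} exceeds threshold {limit}"] if size > limit else []


CHECKS = {
    "no_public_admin_ports": check_no_public_admin_ports,
    "storage_private_and_encrypted": check_storage_private_and_encrypted,
    "volume_within_threshold": check_volume_threshold,
}


def evaluate_template(template):
    """Run each Validator's checks against its targets; deny the whole template on any failure."""
    resources = template["Resources"]
    findings = []
    for res in resources.values():
        if res["Type"] != "Validator":
            continue
        evaluation = res.get("EvaluationData", {})  # thresholds embedded in the template
        for target in res["Targets"]:
            props = resources[target]["Properties"]
            for check_name in res["Checks"]:
                for detail in CHECKS[check_name](props, evaluation):
                    findings.append(Finding(target, check_name, detail))
    deployable = sorted(n for n, r in resources.items() if r["Type"] != "Validator")
    if findings:  # connected instances are denied together, never partially deployed
        return {"decision": "deny", "findings": findings, "denied": deployable}
    return {"decision": "deploy", "findings": [], "denied": []}


def notification(result):
    """Plain-text message for the administrator naming each faulty configuration."""
    if result["decision"] == "deploy":
        return "deployment approved"
    lines = [f"deployment denied for {', '.join(result['denied'])}:"]
    lines += [f"  {f.resource}: {f.check}: {f.detail}" for f in result["findings"]]
    return "\n".join(lines)


# Constructed sample: a web server with SSH open to the internet, depending on
# a data store that is public and unencrypted.
INSECURE_TEMPLATE = {"Resources": {
    "WebValidator": {"Type": "Validator", "Targets": ["WebServer"],
                     "Checks": ["no_public_admin_ports", "volume_within_threshold"],
                     "EvaluationData": {"admin_ports": [22, 3389], "max_volume_gb": 200}},
    "StoreValidator": {"Type": "Validator", "Targets": ["AppStore"],
                       "Checks": ["storage_private_and_encrypted"]},
    "WebServer": {"Type": "VirtualMachine", "DependsOn": ["WebValidator", "AppStore"],
                  "Properties": {"VolumeGb": 100, "Ingress": [
                      {"Cidr": "0.0.0.0/0", "FromPort": 443, "ToPort": 443},
                      {"Cidr": "0.0.0.0/0", "FromPort": 22, "ToPort": 22}]}},
    "AppStore": {"Type": "DataStore", "DependsOn": ["StoreValidator"],
                 "Properties": {"PublicAccess": True, "Encrypted": False}},
}}


def hardened_copy(template):
    """Same template with SSH limited to an admin range and the store locked down."""
    fixed = copy.deepcopy(template)
    res = fixed["Resources"]
    res["WebServer"]["Properties"]["Ingress"][1]["Cidr"] = "203.0.113.0/24"  # constructed admin range
    res["AppStore"]["Properties"].update({"PublicAccess": False, "Encrypted": True})
    return fixed


HARDENED_TEMPLATE = hardened_copy(INSECURE_TEMPLATE)

if __name__ == "__main__":
    print(notification(evaluate_template(INSECURE_TEMPLATE)))
    print(notification(evaluate_template(HARDENED_TEMPLATE)))
```

Running the block reports the insecure template as denied for both AppStore and WebServer with three findings (the open port 22 rule, public access, missing encryption) and approves the hardened copy. The checks never touch a live environment: they are the static-analysis path of claim 5, operating on the template's data files before anything is provisioned.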
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Logical partitioning of resources; Management or configuration of virtualized resources (specific details on emulation or internal functioning of virtual machines G06F9/455) · CPC title
Configuring for program initiating, e.g. using registry, configuration files · CPC title
Hypervisors; Virtual machine monitors · CPC title
Task life-cycle, e.g. stopping, restarting, resuming execution (G06F9/4881 takes precedence) · CPC title