US11334661B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-11334661-B1 |
| Application number | US-202016915726-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 29, 2020 |
| Priority date | Jun 29, 2020 |
| Publication date | May 17, 2022 |
| Grant date | May 17, 2022 |
Official abstract text for this publication.
Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: sending, to a computing device executing a software application that includes first functionality implemented based on user code generated by a developer of the software application and further including second functionality implemented based on one or more software libraries provided by an operator of a cloud provider network, first temporary security credentials provided by the cloud provider network, wherein the first temporary security credentials include a first security token that stores session information associated with the first temporary security credentials; determining that security of the first temporary security credentials has been potentially compromised; revoking the first temporary security credentials; receiving a first application programming interface (API) request from the computing device, wherein the first API request includes authentication information generated based on the first temporary security credentials; sending a response indicating that the first API request is denied, wherein the response causes the second functionality of the software application to obtain second temporary security credentials provided by the cloud provider network, wherein the second temporary security credentials include a second security token; receiving, from the computing device, a second API request including authentication information generated based on the second temporary security credentials; and successfully authenticating and authorizing the second API request.

2. The computer-implemented method of claim 1, further comprising: causing execution of an executable computing resource that is separate from the software application and that is used to make a determination of whether to revoke the first temporary security credentials; and receiving a request from the executable computing resource to revoke the first temporary security credentials, and wherein the first temporary security credentials are revoked based on the request received from the executable computing resource.

3. The computer-implemented method of claim 1, wherein the first temporary security credentials and the second temporary security credentials are automatically provided to the software application by an instance metadata service of the cloud provider network.

4. A computer-implemented method comprising: sending, to a computing device executing a software application that includes first functionality implemented based on user code generated by a developer of the software application and further including second functionality implemented based on one or more software libraries provided by an operator of a cloud provider network, first security credentials provided by the cloud provider network; revoking the first security credentials responsive to a determination that security of the first security credentials has been potentially compromised; receiving a first application programming interface (API) request from the computing device, wherein the first API request includes authentication information generated based on the first security credentials; sending a response indicating that the first API request is denied, wherein the response causes the second functionality of the software application to obtain second security credentials provided by the cloud provider network; receiving, from the computing device, a second API request including authentication information generated based on the second security credentials; and successfully authenticating and authorizing the second API request.

5. The computer-implemented method of claim 4, further comprising: causing execution of an executable computing resource that is separate from the software application and that is used to make a determination of whether to revoke the first security credentials; and receiving a request from the executable computing resource to revoke the first security credentials, and wherein the first security credentials are revoked based on the request received from the executable computing resource.

6. The computer-implemented method of claim 4, wherein the cloud provider network automatically provides the first security credentials and the second security credentials to the software application.

7. The computer-implemented method of claim 6, wherein the first security credentials and the second security credentials are automatically provided to the software application by an instance metadata service of the cloud provider network.

8. The computer-implemented method of claim 6, wherein the first security credentials and the second security credentials are automatically provided to the software application by an identity provider (IDP) system.

9. The computer-implemented method of claim 4, wherein the cloud provider network revoked the first security credentials responsive to identification of anomalous activity associated with the first security credentials, and wherein the anomalous activity is detected by at least one of: a user of the cloud provider network, a session anomaly detecting application, or a threat detection service of the cloud provider network.

10. The computer-implemented method of claim 4, further comprising: providing, to the computing device, third security credentials; modifying permissions associated with the third security credentials responsive to a determination that security of the third security credentials has been potentially compromised; receiving a third API request from the computing device, wherein the third API request includes third authentication information generated based on the third security credentials; and sending a response to the third API request, wherein the response indicates to the software application that the request is not permitted based on the third security credentials.

11. The computer-implemented method of claim 4, further comprising: providing, to the computing device, third security credentials; modifying an expiration time associated with the third security credentials to obtain a modified expiration time, wherein the expiration time is modified responsive to a determination that security of the third security credentials has been potentially compromised; receiving a third API request from the computing device, wherein the third API request includes third authentication information generated based on the third security credentials, wherein the third API request is generated after the modified expiration time; and sending a response to the third API request, wherein the response indicates to the software application that the request is denied.

12. The computer-implemented method of claim 4, wherein revoking the first security credentials includes adding an identifier of the first security credentials to a session revocation list, wherein the session revocation list stores one or more identifiers of security credentials revoked by the cloud provider network responsive to determinations that security of the one or more security credentials has been potentially compromised.

13. The computer-implemented method of claim 4, wherein the second security credentials are temporary security credentials, and wherein the temporary security credentials include a security token storing session information associated with the temporary security credentials.

14. The computer-implemented method of claim 4, wherein the second API request involves a request to perform an action involving a computing resource provided by a service of the cloud provider network, and wherein the request is within permissions of a role associated with the second secu
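As an added illustration (not code from the patent or its assignee), the following Python models the flow of claim 1 with a constructed provider and SDK client: the provider keeps a session revocation list (claim 12), a request denied because its credentials were revoked makes the library half of the application obtain second credentials and retry, and the developer's own code only ever sees the final result. HMAC request signing, the token/secret credential format and the `invalid_session` reason code are assumptions made for the example.

```python
import hmac, hashlib, secrets, time

class CloudProvider:
    """Constructed stand-in for the provider side: issues temporary credentials, keeps a
    session revocation list (claim 12) and authenticates HMAC-signed API requests."""
    def __init__(self):
        self.sessions = {}    # token_id -> (secret, expiry time)
        self.revoked = set()  # session revocation list
    def issue_credentials(self, ttl=3600):
        token_id, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[token_id] = (secret, time.time() + ttl)
        return {"token": token_id, "secret": secret}
    def revoke(self, token_id):
        self.revoked.add(token_id)  # e.g. after a threat detection service flags it (claim 9)
    def handle(self, request):
        token_id, entry = request["token"], self.sessions.get(request["token"])
        if entry is None or token_id in self.revoked or time.time() > entry[1]:
            return {"status": "denied", "reason": "invalid_session"}  # revoked, expired or unknown
        expected = hmac.new(entry[0].encode(), request["action"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["sig"]):
            return {"status": "denied", "reason": "bad_signature"}
        return {"status": "ok", "action": request["action"]}

class SdkClient:
    """The library-provided 'second functionality' of claim 1: signs requests and, when a denial
    is caused by the session being invalid, obtains new credentials and retries once."""
    def __init__(self, provider):
        self.provider, self.refreshes = provider, 0
        self.creds = provider.issue_credentials()   # first temporary credentials
    def _sign(self, action):
        sig = hmac.new(self.creds["secret"].encode(), action.encode(), hashlib.sha256).hexdigest()
        return {"token": self.creds["token"], "action": action, "sig": sig}
    def call(self, action):
        resp = self.provider.handle(self._sign(action))
        if resp["status"] == "denied" and resp["reason"] == "invalid_session":
            self.creds = self.provider.issue_credentials()   # second temporary credentials
            self.refreshes += 1
            resp = self.provider.handle(self._sign(action))  # a bad signature is never retried
        return resp

def demo():
    """Walk through claim 1: issue, revoke, deny, refresh, succeed."""
    provider = CloudProvider()
    app = SdkClient(provider)
    first = app.creds["token"]
    provider.revoke(first)          # the first credentials are judged potentially compromised
    resp = app.call("ListBuckets")  # denied once, refreshed transparently, then authorized
    return resp["status"], app.refreshes, app.creds["token"] != first
```

The same retry path covers claim 11's shortened expiration time, since an expired session is denied with the same reason as a revoked one; a tampered signature is denied without triggering a refresh.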
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
Time limited access, e.g. to a computer or data · CPC title
using revocation of authorisation · CPC title
using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information H04L9/088) · CPC title