Identifying serverless functions with over-permissive roles

US12003541B2 · US · B2

Patent metadata
Publication number: US-12003541-B2
Application number: US-201816024863-A
Country: US
Kind code: B2
Filing date: Jul 1, 2018
Priority date: Jul 3, 2017
Publication date: Jun 4, 2024
Grant date: Jun 4, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Based on analyzing a serverless function associated with a first role, a set of security permissions granted to the serverless function is identified based on the first role and a first attribute of the serverless function. A least privilege role indicating a set of least privilege security permissions for the serverless function is generated based, at least in part, on the first attribute. Based on comparing the least privilege role with the first role, it is determined if the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions. Based on determining that the set of security permissions granted to the serverless function is more permissive than the set of least privilege security permissions, the first role is reported as over-permissive.

First claim

Claim text as published (all 19 claims).

What is claimed is:

1. A method comprising: based on analyzing a serverless function for which a first role is defined, identifying actual security permissions that the first role grants to the serverless function for access to a first resource; generating a least privilege role for the serverless function that grants least privilege security permissions for access to the first resource based, at least in part, on a first attribute of the serverless function, wherein the least privilege security permissions comprise a set of minimal permissions for access to the first resource by the serverless function; determining if the actual security permissions granted to the serverless function by the first role are less strict than the least privilege security permissions granted by the least privilege role based, at least in part, on comparing the least privilege security permissions with the actual security permissions; and based on determining that the actual security permissions granted to the serverless function are less strict than the least privilege security permissions, reporting that the first role defined for the serverless function is over-permissive relative to the least privilege security permissions and performing a mitigation action for the serverless function.

2. The method of claim 1, wherein generating the least privilege role comprises generating a security policy, and wherein the security policy indicates the least privilege security permissions.

3. The method of claim 1, wherein reporting that the first role is over-permissive comprises generating an alert indicating that the first role is over-permissive.

4. The method of claim 1, wherein performing the mitigation action for the serverless function comprises preventing building or deployment of the serverless function.

5. The method of claim 1, wherein performing the mitigation action for the serverless function comprises preventing or stopping execution of the serverless function.

6. The method of claim 1, wherein the first attribute comprises at least one of a region, an account, a service, and a resource called or accessed by the serverless function.

7. The method of claim 1 further comprising identifying at least one of a security vulnerability and an insecure configuration in the serverless function based on analyzing the serverless function.

8. The method of claim 1, wherein analyzing the serverless function comprises analyzing one or more configuration files associated with the serverless function.

9. The method of claim 1, wherein analyzing the serverless function comprises analyzing the serverless function based on detecting that the serverless function has been created or updated.

10. A non-transitory computer-readable medium having instructions stored thereon, the instructions executable by a processor to perform operations comprising: based on analyzing a serverless function for which a first role is defined, identifying actual security permissions that the first role grants to the serverless function for access to a first resource; generating a least privilege role for the serverless function that grants least privilege security permissions for access to the first resource based, at least in part, on a first attribute of the serverless function, wherein the least privilege security permissions comprise a set of minimal permissions for access to the first resource by the serverless function; determining whether the actual security permissions granted to the serverless function by the first role are more permissive than the least privilege security permissions based, at least in part, on comparing the least privilege security permissions with the actual security permissions; and based on determining that the actual security permissions granted to the serverless function are more permissive than the least privilege security permissions, reporting that the first role defined for the serverless function is over-permissive relative to the least privilege security permissions and performing a mitigation action for the serverless function.

11. The non-transitory computer-readable medium of claim 10, wherein generating the least privilege role comprises generating a security policy, and wherein the security policy indicates the least privilege security permissions.

12. The non-transitory computer-readable medium of claim 10, wherein performing the mitigation action for the serverless function comprises preventing building or deployment of the serverless function.

13. The non-transitory computer-readable medium of claim 10, wherein performing the mitigation action for the serverless function comprises preventing or stopping execution of the serverless function.

14. A system comprising: a processor; a computer-readable medium having instructions stored thereon that are executable by the processor to cause the system to, based on analysis a serverless function for which a first role is defined, identify actual security permissions that the first role grants to the serverless function for access to a first resource; generate a least privilege role for the serverless function that grants least privilege security permissions for access to the first resource based, at least in part, on a first attribute of the serverless function, wherein the least privilege security permissions comprise a set of minimal permissions for access to the first resource by the serverless function; determine if the actual security permissions granted to the serverless function by the first role are less strict than the least privilege security permissions granted by the least privilege role based, at least in part, on comparison of the least privilege security permissions with the actual security permissions; and based on a determination that the actual security permissions granted to the serverless function are less strict than the least privilege security permissions, report that the first role defined for the serverless function is over-permissive relative to the least privilege security permissions and perform a mitigation action for the serverless function.

15. The system of claim 14, wherein the instructions executable by the processor to cause the system to generate the least privilege role comprise instructions executable by the processor to cause the system to generate a security policy, wherein the security policy indicates the least privilege security permissions.

16. The system of claim 14, wherein the instructions executable by the processor to cause the system to perform the mitigation action for the serverless function comprise instructions executable by the processor to cause the system to prevent building or deployment of the serverless function.

17. The system of claim 14, wherein the instructions executable by the processor to cause the system to perform the mitigation action for the serverless function comprise instructions executable by the processor to cause the system to prevent or stop execution of the serverless function.

18. The system of claim 14, wherein the instructions executable by the processor to cause the system to analyze the serverless function comprise instructions executable by the processor to cause the system to analyze the serverless function based on detection of creation of the serverless function or detection of an update to the serverless function.

19. The system of claim 14, wherein the first attribute comprises at least one of a region, an account, a service, and a resource called or accessed by the serverless function.
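The abstract and claims 1, 2 and 6 describe one comparison: flatten the permissions the function's role actually grants, derive a least-privilege policy from the services, APIs and resources the function is observed to call (scoped by the function's region and account), and flag any actual grant that is not contained in that least-privilege set. The following is an added example of that comparison, not code from the patent or from Twistlock. Its inputs are constructed: the role policy, the function attributes and the list of observed calls are invented sample data, and the call list stands in for whatever the static analysis of the function (claims 8 and 9) would produce, which this example does not implement.

```python
"""Least-privilege check for a serverless function's execution role (added example)."""
import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Grant:
    """One (action, resource) permission; either field may be an IAM-style wildcard pattern."""
    action: str    # e.g. "s3:GetObject" or "s3:*"
    resource: str  # ARN or ARN pattern, e.g. "arn:aws:s3:::bucket/*" or "*"


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' a single character.
    Action names are case-insensitive, so both sides are lower-cased first."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants_from_policy(policy: dict) -> set:
    """Flatten the Allow statements of a policy document into Grant pairs.
    Deny statements only narrow access, so they are ignored for an over-permission check."""
    grants = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.add(Grant(action, resource))
    return grants


def least_privilege_policy(calls, attrs: dict) -> dict:
    """Build the least-privilege policy (claim 2) from observed calls.
    calls: (service, api, resource_template) triples; a template may use {region}/{account},
    which are filled from the function's attributes (claim 6)."""
    grants = {Grant(f"{service}:{api}", template.format(**attrs)) for service, api, template in calls}
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": g.action, "Resource": g.resource} for g in sorted(grants)],
    }


def _covered(g: Grant, patterns) -> bool:
    """True if some pattern grant contains g (its action and resource both match)."""
    return any(iam_match(p.action, g.action) and iam_match(p.resource, g.resource) for p in patterns)


def check_role(actual_policy: dict, least_policy: dict) -> dict:
    """Compare the actual role with the least-privilege role.
    excess:  actual grants not contained in any least-privilege grant (wildcards or unused APIs)
    missing: least-privilege grants the actual role does not cover (the function would fail)"""
    actual = grants_from_policy(actual_policy)
    least = grants_from_policy(least_policy)
    excess = sorted(g for g in actual if not _covered(g, least))
    missing = sorted(g for g in least if not _covered(g, actual))
    over = bool(excess)
    return {
        "over_permissive": over,
        "excess": excess,
        "missing": missing,
        # Mitigation in the sense of claim 4: refuse to build/deploy an over-permissive function.
        "mitigation": "block_deployment" if over else "allow",
    }


# Constructed sample input (hypothetical account, region, bucket, table and function names).
FUNCTION_ATTRS = {"region": "us-east-1", "account": "123456789012"}

OBSERVED_CALLS = [
    ("s3", "GetObject", "arn:aws:s3:::order-uploads/*"),
    ("dynamodb", "PutItem", "arn:aws:dynamodb:{region}:{account}:table/orders"),
    ("logs", "CreateLogStream", "arn:aws:logs:{region}:{account}:log-group:/aws/lambda/order-intake:*"),
    ("logs", "PutLogEvents", "arn:aws:logs:{region}:{account}:log-group:/aws/lambda/order-intake:*"),
]

ACTUAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow", "Action": "logs:CreateLogStream",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-intake:*"},
    ],
}

if __name__ == "__main__":
    lp = least_privilege_policy(OBSERVED_CALLS, FUNCTION_ATTRS)
    report = check_role(ACTUAL_ROLE_POLICY, lp)
    print(json.dumps(lp, indent=2))
    for key in ("excess", "missing"):
        for g in report[key]:
            print(f"{key}: {g.action} on {g.resource}")
    print("over_permissive:", report["over_permissive"], "->", report["mitigation"])
```

On the sample input the role is reported over-permissive for two different reasons: the `s3:*` on `*` statement is a wildcard far wider than the single `s3:GetObject` on one bucket the function needs, and `dynamodb:GetItem` is a literal grant the function never uses. The same run also shows a gap in the other direction, `logs:PutLogEvents` is needed but not granted, which is why the comparison should report both sets rather than only the excess. The check is only as sound as the call inventory fed to it, and it models policy syntax only: Deny statements, condition keys, resource-based policies and organisation-level boundaries are not evaluated here.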

Assignees

Twistlock Ltd

Inventors

Classifications

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Vulnerability analysis · CPC title

  • wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12003541B2 cover?
Based on analyzing a serverless function associated with a first role, a set of security permissions granted to the serverless function is identified based on the first role and a first attribute of the serverless function. A least privilege role indicating a set of least privilege security permissions for the serverless function is generated based, at least in part, on the first attribute. Bas…
Who is the assignee on this patent?
Twistlock Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 4, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).