-
Publication No.: US11997222B1
Publication Date: 2024-05-28
Application No.: US17732362
Filing Date: 2022-04-28
Applicant: Amazon Technologies, Inc.
Inventor: Peter Zachary Bowen , Todd Lawrence Cignetti , Preston Anthony Elder, III , Brandonn Gorman , Ronald Andrew Hoskinson , Jonathan Kozolchyk , Kenneth Lawler , Marcel Andrew Levy , Kyle Benjamin Schultheiss , Sandeep Shantharaj , Param Sharma , Jose Maria Silveira Neto
CPC classification number: H04L9/3268 , H04L9/0897 , H04L9/3247 , H04L9/3297
Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. A private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. The certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. The system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.
-
Publication No.: US11563590B1
Publication Date: 2023-01-24
Application No.: US16018009
Filing Date: 2018-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Peter Zachary Bowen , Todd Lawrence Cignetti , Preston Anthony Elder, III , Brandonn Gorman , Ronald Andrew Hoskinson , Jonathan Kozolchyk , Kenneth Lawler , Marcel Andrew Levy , Kyle Benjamin Schultheiss , Sandeep Shantharaj , Param Sharma , Jose Maria Silveira Neto
IPC: H04L9/32
Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, when a new certificate is generated, a certificate template is used to apply various settings and policies for the new certificate. In various examples, templates may be used to establish default values, enforce required and optional values, place restrictions on one or more data fields, and enforce signature requirements. In some embodiments, the template establishes rules for rejecting certificate requests that do not conform to the template.
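The template mechanism in this abstract (defaults, required values, field restrictions, enforced key-usage settings, rejection of non-conforming requests) is easiest to see as a policy function applied to a request before anything is signed. The Go below is an added example written for this page, not Amazon's implementation or a format the patent specifies: the `CertTemplate` and `Request` types, the `ServiceTemplate` values and the `corp.example` suffix are all assumptions. It produces the `x509.Certificate` a CA would go on to sign, with the requester unable to influence key usage, the CA flag or the validity cap.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CertTemplate is a hypothetical template object (an assumption of this
// example). It supplies defaults, enforces required values, restricts data
// fields and fixes the signature-related fields the requester may not choose.
type CertTemplate struct {
	Name            string
	AllowedSuffixes []string      // every DNS SAN must be, or sit under, one of these
	MaxDNSNames     int           // restriction on a data field
	RequireCN       bool          // CommonName is a required value
	DefaultValidity time.Duration // applied when the request asks for none
	MaxValidity     time.Duration // upper bound enforced on every request
	KeyUsage        x509.KeyUsage // template-enforced, never requester-chosen
	ExtKeyUsage     []x509.ExtKeyUsage
}

// Request is what an application submits; only these fields are honored.
// A zero Validity means "use the template default".
type Request struct {
	Subject  pkix.Name
	DNSNames []string
	Validity time.Duration
}

var ErrRejected = errors.New("request does not conform to template")

// Apply validates req against the template and returns the x509.Certificate
// the CA would sign, with defaults and enforced values filled in.
func (t CertTemplate) Apply(req Request, now time.Time) (*x509.Certificate, error) {
	if t.RequireCN && req.Subject.CommonName == "" {
		return nil, fmt.Errorf("%w: %s requires a CommonName", ErrRejected, t.Name)
	}
	if n := len(req.DNSNames); n == 0 || n > t.MaxDNSNames {
		return nil, fmt.Errorf("%w: %s allows 1..%d DNS names, got %d", ErrRejected, t.Name, t.MaxDNSNames, n)
	}
	for _, name := range req.DNSNames {
		// Wildcards are refused outright; everything else must sit under an allowed suffix.
		if strings.Contains(name, "*") || !underAllowedSuffix(name, t.AllowedSuffixes) {
			return nil, fmt.Errorf("%w: DNS name %q not permitted by %s", ErrRejected, name, t.Name)
		}
	}
	validity := req.Validity
	if validity == 0 {
		validity = t.DefaultValidity
	}
	if validity < 0 || validity > t.MaxValidity {
		return nil, fmt.Errorf("%w: validity %s outside 0..%s", ErrRejected, validity, t.MaxValidity)
	}
	return &x509.Certificate{
		Subject:               req.Subject,
		DNSNames:              req.DNSNames,
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		KeyUsage:              t.KeyUsage,
		ExtKeyUsage:           t.ExtKeyUsage,
		BasicConstraintsValid: true,
		IsCA:                  false, // end-entity only, whatever was asked for
	}, nil
}

func underAllowedSuffix(name string, suffixes []string) bool {
	name = strings.ToLower(name)
	for _, s := range suffixes {
		s = strings.ToLower(s)
		if name == s || strings.HasSuffix(name, "."+s) {
			return true
		}
	}
	return false
}

// ServiceTemplate is a constructed template for internal TLS servers.
var ServiceTemplate = CertTemplate{
	Name:            "internal-tls-server",
	AllowedSuffixes: []string{"corp.example"},
	MaxDNSNames:     5,
	RequireCN:       true,
	DefaultValidity: 90 * 24 * time.Hour,
	MaxValidity:     365 * 24 * time.Hour,
	KeyUsage:        x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}

// NewRequest spares callers from building pkix.Name by hand.
func NewRequest(cn string, validity time.Duration, dnsNames ...string) Request {
	return Request{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames, Validity: validity}
}

func main() {
	now := time.Now()
	for _, req := range []Request{
		NewRequest("api.corp.example", 0, "api.corp.example"),
		NewRequest("api.corp.example", 0, "api.corp.example", "login.evil.example"),
	} {
		if cert, err := ServiceTemplate.Apply(req, now); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: %v until %s\n", cert.DNSNames, cert.NotAfter.Format(time.RFC3339))
		}
	}
}
```

Note that the template is consulted before any signing key is touched and that the `ErrRejected` sentinel lets the API layer turn every policy failure into the same client-visible error, without leaking which rule fired to an untrusted caller if that is not wanted.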
-
Publication No.: US11212291B2
Publication Date: 2021-12-28
Application No.: US16453929
Filing Date: 2019-06-26
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk , Darin Keith McAdams , Jeffrey J. Fielding , Vaibhav Mallya , Darren E. Canavor
IPC: H04L29/06
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication No.: US20170331629A1
Publication Date: 2017-11-16
Application No.: US15668644
Filing Date: 2017-08-03
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk , Darren E. Canavor , Jeffrey J. Fielding , Vaibhav Mallya , Darin Keith McAdams
CPC classification number: H04L9/3213 , H04L9/3239 , H04L29/06 , H04L63/0428 , H04L63/102 , H04L67/1097
Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
-
Publication No.: US12137175B1
Publication Date: 2024-11-05
Application No.: US17364160
Filing Date: 2021-06-30
Applicant: Amazon Technologies, Inc.
Inventor: Param Sharma , Todd Cignetti , Josh Rosenthol , Jonathan Kozolchyk
Abstract: Described are automated systems and methods for employing certificate authority meta-resources to facilitate automatic renewal and/or rotation of certificates and/or certificate authorities in a PKI hierarchy. For example, embodiments of the present disclosure can provide creating a certificate authority meta-resource, which can maintain and monitor certain information to facilitate automatic renewal and rotation of certificates and/or certificate authorities in a PKI hierarchy. The certificate authority meta-resource can also keep track of the active certificate authorities and certificates to ensure that trust is maintained without manual configuration of the PKI hierarchy.
-
Publication No.: US10020942B2
Publication Date: 2018-07-10
Application No.: US15668644
Filing Date: 2017-08-03
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk , Darren E. Canavor , Jeffrey J. Fielding , Vaibhav Mallya , Darin Keith McAdams
CPC classification number: H04L9/3213 , H04L9/3239 , H04L29/06 , H04L63/0428 , H04L63/102 , H04L67/1097
Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
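The tokenization scheme shared by US20170331629A1 and US10020942B2 above (split a record into sensitive and nonsensitive parts, store the sensitive part behind a random token, issue a different token for each submission of the same value, expire and delete) is sketched in Go below. This is an added example for this page, not Amazon's storage service: the in-memory `Vault`, the `Order` record with a card number as its sensitive field, the `tok_` prefix and the injected clock are all assumptions. The security points it makes concrete are that tokens are random rather than derived from the data, so two tokens never reveal whether they hide the same value, and that an expired token behaves exactly like one that never existed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Vault is a hypothetical in-memory stand-in for the data storage service
// (an assumption of this example). The clock is injected so expiry can be
// exercised deterministically.
type Vault struct {
	mu      sync.Mutex
	now     func() time.Time
	records map[string]record
}

type record struct {
	secret  []byte
	expires time.Time
}

var ErrUnknownToken = errors.New("unknown or expired token")

func NewVault(now func() time.Time) *Vault {
	return &Vault{now: now, records: make(map[string]record)}
}

// Store keeps the sensitive bytes and returns a fresh random token. Two calls
// with identical data yield different tokens, so a holder of tokens cannot
// tell whether two records hide the same value.
func (v *Vault) Store(sensitive []byte, ttl time.Duration) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(buf)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.records[token] = record{secret: append([]byte(nil), sensitive...), expires: v.now().Add(ttl)}
	return token, nil
}

// Detokenize hands back the sensitive data for a live token only; an expired
// token is deleted on sight and reported like one that never existed.
func (v *Vault) Detokenize(token string) ([]byte, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	r, ok := v.records[token]
	if !ok || !v.now().Before(r.expires) {
		delete(v.records, token)
		return nil, ErrUnknownToken
	}
	return append([]byte(nil), r.secret...), nil
}

// Purge deletes expired sensitive data together with its tokens and returns
// how many records were removed.
func (v *Vault) Purge() int {
	v.mu.Lock()
	defer v.mu.Unlock()
	n := 0
	for tok, r := range v.records {
		if !v.now().Before(r.expires) {
			delete(v.records, tok)
			n++
		}
	}
	return n
}

// Order is a constructed record; CardNumber is the sensitive field.
type Order struct {
	ID, Item, CardNumber string
}

// TokenizedOrder is what the downstream entity receives: the nonsensitive
// fields plus a token standing in for the card number.
type TokenizedOrder struct {
	ID, Item, CardToken string
}

// Tokenize separates the order, sends only the sensitive part to the vault
// and returns the nonsensitive part carrying the token.
func Tokenize(v *Vault, o Order, ttl time.Duration) (TokenizedOrder, error) {
	tok, err := v.Store([]byte(o.CardNumber), ttl)
	if err != nil {
		return TokenizedOrder{}, err
	}
	return TokenizedOrder{ID: o.ID, Item: o.Item, CardToken: tok}, nil
}

func main() {
	v := NewVault(time.Now)
	a, _ := Tokenize(v, Order{ID: "o-1", Item: "widget", CardNumber: "4111111111111111"}, time.Hour)
	b, _ := Tokenize(v, Order{ID: "o-2", Item: "gadget", CardNumber: "4111111111111111"}, time.Hour)
	fmt.Println("distinct tokens for equal data:", a.CardToken != b.CardToken)
	fmt.Printf("%+v\n%+v\n", a, b)
}
```

The vault's public surface deliberately has no "is this token for the same data as that one" query; once a system has such a lookup, a token set becomes an equality oracle over the sensitive values, which is precisely what per-submission tokens are meant to prevent.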
-
Publication No.: US20170180389A1
Publication Date: 2017-06-22
Application No.: US15454986
Filing Date: 2017-03-09
Applicant: Amazon Technologies, Inc.
Inventor: Jonathan Kozolchyk , Darin Keith McAdams , Jeffrey J. Fielding , Vaibhav Mallya , Darren E. Canavor
IPC: H04L29/06
CPC classification number: H04L63/105 , H04L63/06 , H04L63/08 , H04L63/10 , H04L63/1408 , H04L63/20
Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
-
Publication No.: US09674194B1
Publication Date: 2017-06-06
Application No.: US14207157
Filing Date: 2014-03-12
Applicant: Amazon Technologies, Inc.
CPC classification number: H04L63/10 , G06F21/10 , G06F21/33 , G06F21/34 , G06F21/604 , G06F21/6218 , H04L9/3234 , H04L9/3247 , H04L9/3263 , H04L63/102 , H04L63/12 , H04L63/123 , H04L63/126
Abstract: A resource owner or administrator submits a request to a permissions management service to create a permissions grant which may include a listing of actions a user may perform on a resource. Accordingly, the permissions management service may create the permissions grant and use a private cryptographic key to digitally sign the created permissions grant. The permissions management service may transmit this digitally signed permissions grant, as well as a digital certificate comprising a public cryptographic key for validating the permissions grant, to a target resource. The target resource may use the public cryptographic key to validate the digital signature of the permissions grant and determine whether a user is authorized to perform one or more actions based at least in part on a request from the user to perform these one or more actions on the resource.
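The flow in this abstract is a signed capability: a permissions service signs a grant listing the actions a user may perform, the target resource holds only the service's public key, and the resource verifies the signature before acting on anything the grant says. The Go below is an added example for this page and not Amazon's implementation: the `Grant` JSON layout, Ed25519 as the signature scheme, the bare public key standing in for the digital certificate in the text, and the `bucket/reports` resource name are assumptions. Verification happens before the grant bytes are even parsed, so nothing unauthenticated influences the decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Grant is a hypothetical encoding of the permissions grant (an assumption
// of this example, not a format the patent specifies).
type Grant struct {
	Resource  string   `json:"resource"`
	Principal string   `json:"principal"`
	Actions   []string `json:"actions"`
	ExpiresAt int64    `json:"exp"` // Unix seconds
}

// SignedGrant carries the exact bytes that were signed plus the signature,
// so the verifier never re-serializes anything to check it.
type SignedGrant struct {
	Grant     []byte `json:"grant"`
	Signature []byte `json:"sig"`
}

// PermissionsService holds the private key. Only Pub travels to the target
// resource, playing the role of the certificate mentioned in the abstract.
type PermissionsService struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPermissionsService() (*PermissionsService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PermissionsService{priv: priv, Pub: pub}, nil
}

// Issue serializes the grant and signs it with the service's private key.
func (s *PermissionsService) Issue(g Grant) (SignedGrant, error) {
	body, err := json.Marshal(g)
	if err != nil {
		return SignedGrant{}, err
	}
	return SignedGrant{Grant: body, Signature: ed25519.Sign(s.priv, body)}, nil
}

var (
	ErrBadSignature = errors.New("grant signature invalid")
	ErrDenied       = errors.New("action not authorized by grant")
)

// Authorize is what the target resource runs on each request: verify the
// signature first, and only then trust anything inside the grant.
func Authorize(pub ed25519.PublicKey, sg SignedGrant, principal, action, resource string, now time.Time) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sg.Grant, sg.Signature) {
		return ErrBadSignature
	}
	var g Grant
	if err := json.Unmarshal(sg.Grant, &g); err != nil {
		return fmt.Errorf("malformed grant: %w", err)
	}
	switch {
	case now.Unix() >= g.ExpiresAt:
		return fmt.Errorf("%w: grant expired", ErrDenied)
	case g.Principal != principal:
		return fmt.Errorf("%w: grant is for principal %q", ErrDenied, g.Principal)
	case g.Resource != resource:
		return fmt.Errorf("%w: grant is for resource %q", ErrDenied, g.Resource)
	}
	for _, a := range g.Actions {
		if a == action {
			return nil
		}
	}
	return fmt.Errorf("%w: %q not in %v", ErrDenied, action, g.Actions)
}

func main() {
	svc, err := NewPermissionsService()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	sg, _ := svc.Issue(Grant{Resource: "bucket/reports", Principal: "alice",
		Actions: []string{"read", "list"}, ExpiresAt: now.Add(time.Hour).Unix()})
	fmt.Println("alice read:  ", Authorize(svc.Pub, sg, "alice", "read", "bucket/reports", now))
	fmt.Println("alice delete:", Authorize(svc.Pub, sg, "alice", "delete", "bucket/reports", now))
}
```

Because the resource checks a signature rather than calling back to the permissions service, it keeps enforcing correctly if that service is unreachable; the cost is that revocation before `exp` needs an extra mechanism, which is why the grant lifetime should be short.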
-
Publication No.: US12101417B1
Publication Date: 2024-09-24
Application No.: US16827563
Filing Date: 2020-03-23
Applicant: Amazon Technologies, Inc.
Inventor: Michael S Slaughter , Marcel Andrew Levy , Trevoli Ponds-White , Derek Bronson , Jonathan Kozolchyk , Georgy Sebastian , Brandonn Gorman , Graeme David Baer , Israel Galvez , Kenneth Lawler
IPC: H04L29/06 , H04L9/32 , H04L9/40 , H04L61/4511
CPC classification number: H04L9/3268 , H04L9/321 , H04L9/3247 , H04L9/3265 , H04L61/4511 , H04L63/105
Abstract: An interface of a certificate management system acts as a target for management of digital authentication certificates from a group of candidate certificate authorities. Entities make certificate signing requests on behalf of subjects. The requests are received at an interface that appears to the requesting entities as a sole source of the signed certificates. But a certificate management component that processes the requests received by the interface applies a selection technique to select a particular certificate authority from a group of candidate certificate authorities available to sign the certificates. The certificate management component forwards the request to the particular certificate authority, receives back the signed certificate, and responds to the certificate signing request with the signed certificate. Although the certificate signing requests were all made via a same interface, the signed certificates can have different chains of trust. Various criteria may be used for the selection.
-
Publication No.: US11888994B1
Publication Date: 2024-01-30
Application No.: US17364232
Filing Date: 2021-06-30
Applicant: Amazon Technologies, Inc.
Inventor: Param Sharma , Josh Rosenthol , Todd Cignetti , Jonathan Kozolchyk
CPC classification number: H04L9/3263 , H04L9/0825 , H04L9/0836 , H04L9/0891
Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.