Activity
-
I'm pumped too Panos :0 -- I love our new Echo line-up and I'm so proud of the team!
Liked by Stephen Schmidt
-
Autonomous security testing isn't theoretical - it's finding critical vulnerabilities in production systems today. XBOW discovered CVE-2025-8868, a…
Liked by Stephen Schmidt
Patents
-
Maintaining Cryptographically Verifiable Data Share Traces for Services of a Provider Network
Issued 12432064
This patent relates to aggregating trace information for testing data share permission compliance in a cloud provider. Because cloud providers have large numbers of services, movement of data subject to sharing permissions between these services is difficult to verify for proving correct permission enforcement. Traces are obtained using an encoded token to discover the movement of data across different services and verify correct application of permissions for the data (e.g., allowing for data to be combined or used with other data). Then the traces are aggregated in a cryptographically verifiable format and provided upon request to various client applications. In this way, tools to verify data sharing compliance or various other client applications that may make use of trace information can obtain access to a centralized repository of data movements and compliance evidence for a cloud provider.
-
Providing Access to Configurable Private Computer Networks
Issued 12432110
This patent relates to a service that provides an interface for configuring private networks (e.g., VPCs) within a provider network and is a continuation of the original patent family relating to VPCs. A request is received via the interface to configure network addresses for a client’s private network. The service also provides an interface for configuring access of instances within a private network to a remote resource service. The private network may be configured to associate an identifier that represents the remote resource service with an indicated network address for an instance within the private network, so that communications sent to the remote resource service via the indicated network address to access a resource of the remote resource service are modified to include an indication of the identifier for use by the remote resource service in identifying the namespace. This may be used, for example, in configuring a VPN connection between the VPC and a client site.
-
Providing Access to Configurable Private Computer Networks
Issued 11831496
This patent relates to a service that provides an interface for configuring private networks (e.g., VPCs) within a provider network. A request is received via the interface to configure network addresses for a client’s private network. The service also provides an interface for configuring access of instances within a private network to a remote resource service. The private network may be configured to associate an identifier that represents the remote resource service with an indicated network address for an instance within the private network, so that communications sent to the remote resource service via the indicated network address to access a resource of the remote resource service are modified to include an indication of the identifier for use by the remote resource service in identifying the namespace. This may be used, for example, in configuring a VPN connection between the VPC and a client site.
-
Service defense techniques
Issued US 11,055,425
A request to access a computing resource of a computing resource service provider is determined to be associated with specious data previously generated by the computing resource service provider. Information about an entity associated with the request is determined from the request. The information is provided to a breach detection system as notification of a potential attack against the computing resource service provider.
-
PROVIDING ACCESS TO CONFIGURABLE PRIVATE COMPUTER NETWORKS
Issued US 10,728,089
This patent relates to a service that provides an interface for configuring private networks (e.g., VPCs) within a cloud provider network. Customers can use the interface to configure network addresses for their private network. Customers can also use the interface for configuring access of instances within a private network to a remote resource service. The private network may be configured to associate an identifier that represents the remote resource service with an indicated network address for an instance within the private network, so that communications sent to the remote resource service via the indicated network address to access a resource of the remote resource service are modified to include an indication of the identifier for use by the remote resource service in identifying the namespace. This may be used, for example, in configuring a VPN connection between the VPC and a client site.
-
Service Defense Techniques
Issued US 10,346,623
A computing resource service provider may operate one or more services configured to provide customers with access to computing resources. Attackers may attempt to exfiltrate customer data from the one or more services. In order to prevent attackers from obtaining customer data, the one or more services may provide specious data in response to an attack. The attack may be detected based at least in part on a set of triggers that indicate a likelihood of attack. The specious data may be configured to appear to the attacker as authentic customer data and/or to indicate that the attack is successful. Additionally, the specious data may be detectable by the one or more services, enabling the one or more services to collect additional data corresponding to the attack and/or attacker.
-
Managing computing resource usage for standards compliance
Issued US 10,104,127
Systems and methods are provided for configuring and monitoring computing resources of an entity for compliance with one or more standards. In one implementation, a server receives one or more identifiers of one or more standards and determines a plurality of configuration settings for the computing resources of the entity, based on the received one or more identifiers. The plurality of configuration settings comply with the one or more standards. The computing resources of the entity are configured according to the plurality of configuration settings. The server detects an event related to the computing resources. The detected event and the plurality of configuration settings are evaluated for compliance with the one or more standards. A determination is made whether the entity is compliant with the one or more standards, based on the evaluation, and an action is taken, based on the determination.
-
Managing virtual computing nodes using isolation and migration techniques
Issued US 9,959,132
Systems and methods for the management of virtual machine instances are provided. A network data transmission analysis system can use contextual information in the execution of virtual machine instances to isolate and migrate virtual machine instances onto physical computing devices. The contextual information may include information obtained in observing the execution of virtual machine instances and information obtained from requests submitted by users, such as system administrators. Still further, the network data transmission analysis system can also include information collection and retention for identified virtual machine instances.
-
Standards Compliance for Computing Data
Issued US 9,621,584
Systems and methods are provided for configuring and monitoring computing resources of an entity for compliance with one or more standards. In one implementation, a server receives one or more identifiers of one or more standards and determines a plurality of configuration settings for the computing resources of the entity, based on the received one or more identifiers. The plurality of configuration settings comply with the one or more standards. The computing resources of the entity are configured according to the plurality of configuration settings. The server detects an event related to the computing resources. The detected event and the plurality of configuration settings are evaluated for compliance with the one or more standards. A determination is made whether the entity is compliant with the one or more standards, based on the evaluation, and an action is taken, based on the determination.
-
Providing access to configurable private computer networks
Issued US 9,521,037
Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
-
Approaches for restricting access to data
Issued US 9,514,324
A computer-implemented method includes restricting access to customer data to certain geographic regions authorized by the customer. The restriction can be managed by associating policy information with the customer data that identifies the geographic regions authorized by the customer. Resources attempting to access the customer data can evaluate the policy information associated with the customer data with respect to the geographic location in which the resource is located to determine whether the resource is permitted to access the customer data. The restriction can also be managed by encrypting the customer data with a cryptographic key that corresponds to the customer and/or the authorized geographic regions.
-
Providing and accessing data in a standard-compliant manner
Issued US 9,432,407
In certain embodiments, a computer-implemented method includes receiving intercepted data associated with a first entity. The intercepted data may be intercepted in response to a request for information from a second entity. The method may include converting the intercepted data from a first format to a second format, the second format compliant with a standard for providing intercepted data to the second entity. The method may include storing, in one or more memory units, the intercepted communication data in the second format. The one or more memory units may be part of a subset of a plurality of computing resources designated for use by the first entity. The method may include storing audit data providing a record of a chain of custody of the intercepted communication data. The method may include providing access to a portion of the stored intercepted communication data in the second format to the second entity.
-
Managing virtual computing nodes
Issued US 9384029
Systems and methods for the management of virtual machine instances are provided. A network data transmission analysis system can use contextual information in the execution of virtual machine instances to isolate and migrate virtual machine instances onto physical computing devices. The contextual information may include information obtained in observing the execution of virtual machine instances and information obtained from requests submitted by users, such as system administrators. Still further, the network data transmission analysis system can also include information collection and retention for identified virtual machine instances.
-
Managing virtual computing nodes using isolation and migration techniques
Issued US 9104458
A system for managing virtual machine instances comprising: a processor; a first computing device, the first computing device hosting at least one virtual machine instance associated with a first set of virtual machine instances and at least one virtual machine instance associated with a second set of virtual machine instances, wherein a virtual machine instance is associated with a set of virtual machine instances by an affiliation to one of a plurality of users; a second computing device, the second computing device hosting at least one virtual machine instance associated with the first set of virtual machine instances; and a system manager executed on the processor, wherein the system manager is configured to: determine an event based at least partly on a detected activity associated with execution of one or more of the first set of virtual machine instances; in response to the determined event, prevent instantiation of an additional virtual machine instance not associated with the first set of virtual machine instances on the first computing device hosting the at least one virtual machine instance associated with the first set of virtual machine instances; initiate the additional virtual machine instance on another computing device not hosting one or more of the first set of virtual machine instances; migrate virtual machine instances not associated with the one or more of the first set of virtual machine instances from the first computing device; initiate a new virtual machine instance associated with the first set of virtual machine instances on the first computing device; and migrate the at least one virtual machine instance associated with the one or more of the first set of virtual machine instances from the second computing device to the first computing device.
-
Providing Access to Configurable Private Computer Networks
Issued US 8,578,003
Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
-
Providing access to configurable private computer networks
Issued US 8,230,050
Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms.
More activity by Stephen
-
There’s more great stuff to watch than ever before, yet finding something you’ll love is still too hard. Excited to announce the new Fire TV Omni,…
Liked by Stephen Schmidt
-
Ever wondered how we built Terra Security's partnerships with companies like Amazon Web Services (AWS), CrowdStrike and NVIDIA? I had the pleasure…
Liked by Stephen Schmidt
-
Excited to give AWS customers access to Claude Sonnet 4.5. This latest model from Anthropic sets new standards for performance, especially for coding…
Liked by Stephen Schmidt
-
Last week, Amy Herzog and I spent some time in London and closed out our visit with an Ask Me Anything session with our local teams. It was wonderful…
Shared by Stephen Schmidt
-
Two significant milestones for Amazon Project Kuiper this week. First, the team showed successful tests of our Kuiper network, delivering 1+ Gbps…
Liked by Stephen Schmidt
-
6,700 feet up as Atlas V launches from pad 41 with more Kuiper internet satellites headed to Amazon’s LEO constellation. Beautiful morning on…
Liked by Stephen Schmidt
-
⚡️XBOW just uncovered a new zero-day in Apache Druid: CVE-2025-27888, a Server-Side Request Forgery (SSRF) vulnerability. XBOW's process mirrored…
Liked by Stephen Schmidt
-
Launching exactly on time at the opening of the window this morning, United Launch Alliance propels Amazon's Project Kuiper to enhance broadband…
Liked by Stephen Schmidt
-
Every business deserves access to strong cybersecurity, regardless of its size. We've heard from countless small business owners who want better…
Shared by Stephen Schmidt
-
What an incredible way to mark the start of my second year at Amazon Web Services (AWS)! I was given the incredible opportunity to moderate a 90…
Liked by Stephen Schmidt
-
Wow. I've waited many years for this moment: today, Zoox has officially launched its service in Las Vegas. 🎉 When I joined Zoox in 2019, I knew…
Liked by Stephen Schmidt