Patents by Inventor Kevin Ross O'Neill

Kevin Ross O'Neill has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11658971
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: May 23, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 11354273
    Abstract: Embodiments are directed to managing data in a file system. The file system includes storage nodes that may be associated with storage volumes that may have a different capacity for storing data. A storage capacity of the file system may be determined based on a number of stripes of data that fit in the file system such that each stripe may be comprised of chunks that have a same chunk storage capacity. Slots in the file system that each match the chunk storage capacity may be determined based on the storage volumes. The chunks may be assigned to the slots in the file system based on the capacity of the storage nodes such that a number of chunks allocated to a same storage volume or a same storage node may be based on protection factor information.
    Type: Grant
    Filed: November 18, 2021
    Date of Patent: June 7, 2022
    Assignee: Qumulo, Inc.
    Inventors: Kevin Ross O'Neill, Yuxi Bai, Tali Magidson, Philip Michael Bunge, Carson William Boden
  • Patent number: 11151092
    Abstract: Embodiments are directed to a replication engine that provides a root node for a file that may be associated with a replication snapshot where the file is comprised of the root node, internal nodes, and data nodes. The replication engine may start at the root node and traverse the file system. If a visited internal node has an epoch value that matches the epoch, the replication engine may continue the traversal by visiting a next unvisited adjacent internal node. If the visited internal node has an epoch value that mismatches the epoch, the replication engine may backtrack to a nearest adjacent internal node that matches the epoch. And, in response to visiting a data node the replication engine may be arranged to determine blocks that are associated with the data node and communicate a copy of the blocks to a target file system.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: October 19, 2021
    Assignee: Qumulo, Inc.
    Inventors: Michael Anthony Chmiel, Kevin David Jamieson, Junjie Liang, Kevin Ross O'Neill, Sihang Su
  • Publication number: 20210288794
    Abstract: Techniques are provided for establishing a session with an application using asymmetric cryptography. Techniques include secure single-sign on capabilities using asymmetric cryptography. With asymmetric signatures, the use of browser local storage and the Web Crypto application programming interface (API), the key cannot be extracted from the browser that it was generated for. The mechanism allows a web domain to track a user login session using a non-extractable asymmetric key stored in the client's web browser, and leverage the non-extractable asymmetric key for single sign-on.
    Type: Application
    Filed: October 13, 2020
    Publication date: September 16, 2021
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Kevin Ross O'Neill, Daniel Music Vogel, Girish Nagaraja, Shobhank Sharma
  • Patent number: 11121863
    Abstract: Techniques are provided for establishing a session with an application using asymmetric cryptography. Techniques include secure single-sign on capabilities using asymmetric cryptography. With asymmetric signatures, the use of browser local storage and the Web Crypto application programming interface (API), the key cannot be extracted from the browser that it was generated for. The mechanism allows a web domain to track a user login session using a non-extractable asymmetric key stored in the client's web browser, and leverage the non-extractable asymmetric key for single sign-on.
    Type: Grant
    Filed: October 13, 2020
    Date of Patent: September 14, 2021
    Assignee: Oracle International Corporation
    Inventors: Kevin Ross O'Neill, Daniel Music Vogel, Girish Nagaraja, Shobhank Sharma
  • Patent number: 11102189
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: August 24, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 10911428
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: February 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Publication number: 20200242082
    Abstract: Embodiments are directed to a replication engine that provides a root node for a file that may be associated with a replication snapshot where the file is comprised of the root node, internal nodes, and data nodes. The replication engine may start at the root node and traverse the file system. If a visited internal node has an epoch value that matches the epoch, the replication engine may continue the traversal by visiting a next unvisited adjacent internal node. If the visited internal node has an epoch value that mismatches the epoch, the replication engine may backtrack to a nearest adjacent internal node that matches the epoch. And, in response to visiting a data node the replication engine may be arranged to determine blocks that are associated with the data node and communicate a copy of the blocks to a target file system.
    Type: Application
    Filed: January 30, 2019
    Publication date: July 30, 2020
    Inventors: Michael Anthony Chmiel, Kevin David Jamieson, Junjie Liang, Kevin Ross O'Neill, Sihang Su
  • Patent number: 10621147
    Abstract: Embodiments are directed to a file system engine that provides a file system with parent objects associated with child objects. The file system engine provides a replication snapshot associated with an epoch of the file system such that each child object modified during the epoch and each associated parent object is associated with the replication snapshot. A root object of a portion of the file system included in the replication snapshot may be provided. A replication engine may traverse the portion of file system starting from the root object such that the parent objects that are not associated with the replication snapshot are omitted from the traversal. The replication engine may determine replication objects based on the traversal such that each replication object was modified during the epoch. Then the replication engine may execute a replication job that copies replication objects to a target file system.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: April 14, 2020
    Assignee: Qumulo, Inc.
    Inventors: Junjie Liang, Neal Thomas Fachan, Kevin David Jamieson, Kevin Ross O'Neill, Michael Anthony Chmiel
  • Patent number: 10606812
    Abstract: Embodiments are directed to file systems. A replication engine may establish a secure communication channel between a source file system and a target file system. The replication engine may: instantiate a replication job associated with rules; determine changes in the source file system; determine characteristics of the replication job that may be based on the changes; compare the to the characteristics and a black-out schedule; execute the replication job to communicate the changes in the source file system to the target file system based on a result of the comparison. Upon completion of the replication job, the replication engine may automatically instantiate a next replication job to copy subsequent changes in the source file system to the target file system.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: March 31, 2020
    Assignee: Qumulo, Inc.
    Inventors: Ezra Elias Kilty Cooper, Neal Thomas Fachan, Junjie Liang, Kevin Ross O'Neill, Michael Anthony Chmiel
  • Publication number: 20190332579
    Abstract: Embodiments are directed to file systems. A replication engine may establish a secure communication channel between a source file system and a target file system. The replication engine may: instantiate a replication job associated with rules; determine changes in the source file system; determine characteristics of the replication job that may be based on the changes; compare the to the characteristics and a black-out schedule; execute the replication job to communicate the changes in the source file system to the target file system based on a result of the comparison. Upon completion of the replication job, the replication engine may automatically instantiate a next replication job to copy subsequent changes in the source file system to the target file system.
    Type: Application
    Filed: September 7, 2018
    Publication date: October 31, 2019
    Inventors: Ezra Elias Kilty Cooper, Neal Thomas Fachan, Junjie Liang, Kevin Ross O'Neill
  • Patent number: 10313346
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: June 4, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 10216921
    Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
    Type: Grant
    Filed: September 7, 2016
    Date of Patent: February 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Publication number: 20190036901
    Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.
    Type: Application
    Filed: October 4, 2018
    Publication date: January 31, 2019
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 10110587
    Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: October 23, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
  • Patent number: 10097531
    Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: October 9, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 10073856
    Abstract: Embodiments are directed to file systems. A replication engine may establish a secure communication channel between a source file system and a target file system. The replication engine may: instantiate a replication job associated with rules; determine changes in the source file system; determine characteristics of the replication job that may be based on the changes; compare the to the characteristics and a black-out schedule; execute the replication job to communicate the changes in the source file system to the target file system based on a result of the comparison. Upon completion of the replication job, the replication engine may automatically instantiate a next replication job to copy subsequent changes in the source file system to the target file system.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: September 11, 2018
    Assignee: Qumulo, Inc.
    Inventors: Ezra Elias Kilty Cooper, Neal Thomas Fachan, Junjie Liang, Kevin Ross O'Neill
  • Publication number: 20170272423
    Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Application
    Filed: May 31, 2017
    Publication date: September 21, 2017
    Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
  • Patent number: 9756031
    Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Cristian M. Ilac, James E. Scharf, Jr., Nathan R. Fitch, Graeme D. Baer, Brian Irl Pratt, Kevin Ross O'Neill
  • Patent number: 9686261
    Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: June 20, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt