Abstract: A vehicle data management system and data jurisdiction system manage vehicle data between multiple jurisdictions and enables a set of jurisdiction rules involving rules of various jurisdictions to be applied consistently. The vehicle data jurisdiction system can detect changes in jurisdiction of a vehicle based on various pieces of received vehicle information and applies appropriate jurisdiction rules from a set of jurisdiction rules. Various jurisdictions may have conflicting jurisdiction rules and, in such circumstances, the data jurisdiction system resolves potential conflicts between the rules using a jurisdiction rules resolution workflow. Based on the resolution of the conflict, the data jurisdiction system can migrate data of the vehicle to one or more other jurisdictions, or otherwise implement the correct rules determined by resolving the conflict.

Abstract: Unstructured data items are stored at an object storage service. A filtering requirement to be used to generate a result set for an access request is determined. Using a transformed representation of the filtering requirement, a target set of tokens of the filtering requirement which are to be obfuscated within a log record is identified. A log record that comprises substitute tokens for the target set of tokens is generated and stored.

Abstract: Various embodiments of apparatuses and methods for trusted and/or attested packet timestamping are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to host computing devices. The host computing devices host compute instances using a first set of computing resources, and also contain isolated timing hardware utilizing a different set of computing resources. The isolated timing hardware sets a hardware clock based on a signal corresponding to the reference clock from the reference timekeeper. The isolated timing hardware then receives a packet from a particular compute instance, creates a timestamp for the packet based at least in part on the hardware clock, where the timestamp is outside the control of the compute instances, and sends the packet and the timestamp through a data network to transmit to a packet destination.

Abstract: Execution status of managed time series processing tasks may be tracked. Status of a time series processing task that operations on different portions of a time series may be respectively captured. A request for the status of one of the portions of the time series with respect to the time series processing task may be received. The status may be identified and returned. For failed tasks, a failure reason may be generated by the time series processing system and included in a response with a failure status.

Abstract: A certificate revocation manager performs scheduled synchronization of a certificate revocation table with certificate revocation lists (CRLs) independent of connection requests from clients. The certificate revocation table includes entries that each indicate a client certificate that has been revoked by a certificate authority (CA). On a scheduled basis, the certificate revocation manager synchronizes the entries of the certificate revocation table with current CRLs obtained from different CAs. When a service at receives a request from a client to establish a connection, the service generates a composite key based on a CA identifier and a certificate identifier of a client certificate provided by the client. The service performs a lookup on the certificate revocation table based on the composite key. Based on a result of the lookup, the certificate revocation manager determines whether the client certificate is revoked.

Abstract: Systems and methods are disclosed for contactless powering and control of conveyors on shuttles. An example system may include a track, a first transmitter disposed at a first location along the track, the first transmitter configured to transmit power and data wirelessly, and a shuttle configured to move along the track. The shuttle may include a conveyor, and a first receiver configured to wirelessly receive the power and the data from the first transmitter, where the power is used to power the conveyor. The shuttle may not have an onboard power source coupled to the conveyor.

Abstract: A plurality of security rule processing nodes is configured for network traffic of a set of sources and destinations. Respective subsets of configuration information of the sources and destinations, including security rules, are transmitted to the nodes. Respective addresses of at least a subset of the nodes are transmitted to a packet processing intermediary. The intermediary requests evaluation of applicable security rules with respect to packet flows by selected nodes prior to initiating routing actions for packets of the flows.

Abstract: Respective network metrics sets corresponding to one or more data sources are examined at a network health manager. Network health states corresponding to one or more endpoint pair categories are determined based on the analysis of the network metric sets. An indication of the network health state of a particular endpoint pair category is stored.

Abstract: Methods and apparatus for client-directed placement of remotely configured service instances are described. One or more placement target options are selected for a client of a network-accessible service based on criteria such as service characteristics of the placement targets. The selected options, including a particular placement target that includes instance hosts configurable from remote control servers, are indicated programmatically to the client. A determination is made that a service instance is to be configured at the particular placement target on behalf of the client. A remote control server is configured to issue administrative commands to an instance host at the particular placement target to configure the service instance.

Abstract: A network address assigned to a virtual network interface of a packet transformation node of a flow management service is identified. A packet of a particular network flow associated with an application implemented at an isolated virtual network is sent to the network address. Using a rewrite directive generated at a rewriting decisions node of the service and cached at the packet transformation node, a transformed packet corresponding to a packet received at the packet transformation node is generated and transmitted to a destination.

Abstract: Methods and apparatus for coordinating inter-region operations in provider networks. An inter-region coordinator (IRC) operates asynchronously to the control planes of regional networks to coordinate inter-region operations. The IRC in a region may include one or more IRC servers. To perform inter-region operations, the servers may implement a local-remote-local method in which a server invokes an API in the local region to get work, sends the work to a control plane of a remote region, receives a response from the remote region, and informs the control plane in the local region of the status of the work.

Abstract: Artifacts, including parameters are data sets, associated with experiment tasks are stored at an experiment management service. A query specifying a particular value of a parameter and a particular data set is received, and an indication of an experiment result associated with the particular data set and the particular parameter value is provided.

Abstract: A distributed storage system may store data object instances in persistent storage and may store keymap information for those data object instances in a distributed hash table on multiple computing nodes. Each data object instance may include a composite key containing a user key. The keymap information for each data object instance may map the user key to a locator and the locator to the data object instance. A request to store or retrieve keymap information for a data object instance may be routed to a particular computing node based on a consistent hashing scheme in which a hash function is applied to a portion of the composite key of the data object instance. Thus, related entries may be clustered on the same computing nodes. The portion of the key to which the hash function is applied may include a pre-determined number of bits or be identified using a delimiter.

Abstract: A system that provides services to clients may receive and service requests, various ones of which may require different amounts of work. The system may determine whether it is operating in an overloaded or underloaded state based on a current work throughput rate, a target work throughput rate, a maximum request rate, or an actual request rate, and may dynamically adjust the maximum request rate in response. For example, if the maximum request rate is being exceeded, the maximum request rate may be raised or lowered, dependent on the current work throughput rate. If the target or committed work throughput rate is being exceeded, but the maximum request rate is not being exceeded, a lower maximum request rate may be proposed. Adjustments to the maximum request rate may be made using multiple incremental adjustments. Service request tokens may be added to a leaky token bucket at the maximum request rate.

Abstract: A system that implements a scaleable data storage service may maintain tables in a data store on behalf of storage service clients. The service may maintain data in partitions stored on respective computing nodes in the system. The service may support multiple throughput models, including a committed throughput model and a best effort throughput model. A service request to create a table may specify that requests directed to the table should be serviced under a committed throughput model and may specify the committed throughput level in terms of logical service request units. The service may reserve low-latency storage and other resources sufficient to meet the specified committed throughput level. A client/user may request a modification to the committed throughput level in anticipation of workload changes, such as an increase or decrease in traffic or data volume. In response, the system may increase or decrease the resources reserved for the table.

Abstract: Managed lifecycle roles are disclosed. Managed lifecycle roles may be used for secure credential vending or otherwise. For instance, an entity (e.g., administrator or other entity) requests, via an interface of a role manager, creation of a role associated with a lifecycle definition (e.g., an expression of an enforceable expiration of the role or similar characteristic). The role manager stores the role and role lifecycle definition to a data store. Another entity requests to use the role to perform some operation with respect to a resource. A credential service validates the request against a lifecycle definition for the role (and against an access control list, in some examples) and responds to valid requests with credentials useable to perform the operation with respect to the resource. The other entity uses the credentials to perform the operation with respect to the resource. A sweep process manages attributes of the roles.

Abstract: A database system may add a read-only query engine to perform read-only queries associated with points-in-time of a database. In various embodiments, the read-only query engine may be added in response to a manual request, an automatic refresh of a network endpoint, a query specifying a point-in-time, or a connection request. The read-only query engine may perform the point-in-time queries on a version the database at the point-in-time and return results for the queries. Upon completion of the queries or at a determined time, the database system may remove the read-only query engine. The specified point-in-time may refer to a current time, a prior time, or a future time with respect to the current time.

Abstract: Systems, methods, and computer-readable media are disclosed for language-agnostic subtitle drift detection and correction. A method may include determining subtitles and/or captions from media content (e.g., videos), the subtitles and/or captions corresponding to dialog in the media content. The subtitles may be broken up into segments which may be analyzed to determine a likelihood of drift (e.g., a likelihood that the subtitles are out of synchronization with the dialog in the media content) for each segment. For segments with a high likelihood of drift, the subtitles may be incrementally adjusted to determine an adjustment that eliminates and/or reduces the amount of drift, and the drift in the segment may be corrected based on the drift amount detected. A linear regression model and/or human blocks determined by human operators may be used to otherwise optimize drift correction.

Abstract: Systems, methods, and computer-readable media are disclosed for processing input data to determine an entity such as a product, service, user profile, etc. referenced in or otherwise relevant to a semantic context of the input data. Information related to the entity may be provided as an information package (e.g., a card) that is shareable as part of an electronic message. The card may include a representation of a network resource identifier that identifies a network resource, a network location of the network resource, and an access mechanism for accessing a representation (e.g. a product detail page) of the network resource. The network resource identifier may include one or more tags or tokens that identify an electronic messaging application provider and/or a user such as a sender or recipient of an electronic message that includes the card so as to enable compensating the provider and/or the user for a purchase of a product or service to which the card relates.

Abstract: Methods and apparatus for conditional master election in a distributed database are described. A plurality of replicas of a database object are stored by a distributed database service. Some types of operations corresponding to client requests directed at the database object are to be coordinated by a master replica. Client access to the database object is enabled prior to election of a master replica. In response to a triggering condition, a particular replica is elected master. The master coordinates implementation of operations with one or more other replicas in response to client requests.

Abstract: Technologies are provided for increasing electronic noise of a memory device during an initialization of the memory device and performing initialization operations, such as memory access centering operations, for the memory device while the electronic noise of the memory device is increased. The electronic noise of the memory device can be increased by increasing a level of ground bounce (or ground noise) during a training phase of the memory device. Increasing the ground noise can comprise increasing an inductance across a memory of the memory device during the training phase. The inductance can be increased by deactivating one or more ground connections of the memory during the memory's training phase. Additionally or alternatively, the inductance can be increased by activating one or more inductors connected to one or more ground connections of the memory during the memory's training phase.

Abstract: A network-attachable data transfer device housed within a shippable enclosure that incorporates an updateable electronic display for displaying shipping destination information is disclosed. The device may be initialized (e.g., prepared to receive data, and the updateable electronic shipping display set to the shipping destination) by a service provider and shipped, in accordance with the displayed destination address, as a self-contained shipping unit. The device may be installed onto a network at the destination and loaded with data. The display may also be updated with the next destination address such that the device is shipped to the updated destination address (e.g., back to the service provider, or onto other destinations before being send back to the service provider). When the device is received back at the service provider, the data is transferred from the device to a service provider storage facility, wiped of data, and prepared to be sent out again.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: Methods, systems, and computer-readable media for automated packetless network reachability analysis are disclosed. An analysis is performed of network configuration data for a network comprising a host computer. Based at least in part on the analysis, one or more ports at the host computer that are reachable from another computer are determined. Based at least in part on the analysis, one or more routes to the one or more ports are determined. A report is generated that is descriptive of the one or more ports and the one or more routes.

Abstract: A training system may create and train a machine learning model with knowledge transfer. The knowledge transfer may transfer knowledge that is acquired by another machine learning model that has been previously trained to the machine learning model that is under training. The knowledge transfer may include a combination of representation transfer and instance transfer, the two of which may be performed alternatingly. The instance transfer may further include a filter mechanism to selectively identify instances with a satisfactory performance to implement the knowledge transfer.

Abstract: A rack-mountable computer system enables an airflow that cools components in an upstream portion of the computer system interior to be cooled through mixing with a bypass airflow downstream of the components in the upstream portion. The mixed airflow can cool components in a downstream portion of the interior. The bypass airflow is directed by a bypass plenum that is unencompassed by the separate plenum that directs the airflow to cool the upstream portion components. The bypass plenum can be at least partially established by an external surface the computer system and one or more external structures, including an external surface of an adjacently mounted computer system. Relative flow rates through the separate plenums can be adjusted, via flow control elements, to separately control heat removal from components upstream and downstream of the air mixing, based at least in part upon air temperatures in the separate interior portions.

Abstract: An interactive interpretation session with respect to a first version of a machine learning model is initiated. In the session, indications of factors contributing to a prediction decision are provided, as well indications of candidate model enhancement actions. In response to received input, an enhancement action is implemented to obtain a second version of the model. The second version of the model is stored.

Abstract: A system can determine by which path/tunnel an Internet destination can be best reached for a user with an IP address from a static BGP range. The system looks up the destination address in an egress map. This map can either specify a tunnel that should be used for encapsulation for static BGP, or (when tunnel is not present) cause the system to send out unencapsulated traffic, in which the traffic follows normal BGP routing on a border network.

Abstract: A representation of a workflow comprising a plurality of tasks is obtained. An execution of an instance of the workflow is initiated. The execution comprises selecting, with respect to a particular task of the workflow, a particular execution resource option from a set comprising at least a first execution resource option and a second resource execution option. A result of the execution is stored.

Abstract: In response to a first programmatic request, metadata indicating that a first isolated read channel of a real-time category has been associated with a first target stream is stored at a stream management service. In response to another request, metadata indicating that a second isolated read channel of a non-real-time category has been associated with a second target stream is stored. In response to a read request indicating the first channel or the second channel, one or more data records of the corresponding target streams are provided.

Abstract: Indications of sample machine learning models which create synthetic content items are provided via programmatic interfaces. A representation of a synthetic content item produced by one of the sample models in response to input obtained from a client of a provider network is presented. In response to a request from the client, a machine learning model is trained to produce additional synthetic content items.

Abstract: Devices, systems, and methods are provided for on-target rate optimization for video.

Abstract: Methods and apparatus for interfaces to manage direct network peerings. A system may include a data center, endpoint routers and a connectivity coordinator. The coordinator implements a programmatic interface defining connectivity operations. The coordinator receives a request for dedicated connectivity to data center resources, formatted according to the interface. The coordinator selects a target endpoint router at which to establish a physical link to implement the dedicated connectivity, and transmits a response identifying the target endpoint router and including configuration instructions for setting up a physical link for the dedicated connectivity.

Abstract: A file system manager implemented at a provider network identifies a storage device of a first group of storage devices of a provider network as an initial location of a file system object. Based on an access metric associated with the object, the file system manager initiates a transfer of contents of the object to a second storage device of a different storage device group, without receiving a client request specifying the transfer. In response to an access request received via a file system programmatic interface, contents of the object are provided from the second storage device. Based on a second access metric, the object is transferred back to the first group of storage devices.

Abstract: A transaction request compliant with a first version of a journal schema of a multi-data-store storage system is received at a journal manager. The journal schema indicates attributes of data objects which may be materialized at various data stores of the system. The journal manager stores an entry in the system's journal if the transaction meets acceptance criteria. Writes indicated in the entry are materialized at the data stores after verifying that the entry is compliant with the journal schema. After verifying that member data stores have approved a proposed change to the journal schema, another entry indicating a different version of the journal schema is added to the journal. Client-side components of the system obtain the current version of the journal schema to prepare the transaction requests.

Abstract: Systems and methods authenticate storage devices. In one implementation, a computer-implemented method is provided for authenticating a storage device. According to the method, a manifest that identifies a destination is receive. A transfer station reads a digital signature from the storage device. The digital signature is validated and, based on the validation of the digital signature, a transfer of one or more files from the storage device via the transfer station is authorized to the destination identified in the manifest.

Abstract: Techniques are described for providing customizable sign-on functionality, such as via an access manager system that provides single sign-on functionality and other functionality to other services for use with those services’ users. The access manager system may maintain various sign-on and other account information for various users, and provide single sign-on functionality for those users using that maintained information on behalf of multiple unrelated services with which those users interact. The access manager may allow a variety of types of customizations to single sign-on functionality and/or other functionality available from the access manager, such as on a per-service basis via configuration by an operator of the service, such as co-branding customizations, customizations of information to be gathered from users, customizations of authority that may be delegated to other services to act on behalf of users, etc.

Abstract: Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destinations nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.

Abstract: Computer systems and associated methods are disclosed to implement a model development environment (MDE) that allows a team of users to perform iterative model experiments to develop machine learning (ML) media models. In embodiments, the MDE implements a media data management interface that allows users to annotate and manage training data for models. In embodiments, the MDE implements a model experimentation interface that allows users to configure and run model experiments, which include a training run and a test run of a model. In embodiments, the MDE implements a model diagnosis interface that displays the model's performance metrics and allows users to visually inspect media samples that were used during the model experiment to determine corrective actions to improve model performance for later iterations of experiments. In embodiments, the MDE allows different types of users to collaborate on a series of model experiments to build an optimal media model.

Abstract: When a query is received by a stateful data processing service, the service determines, for each table scan (and associated operations) of a query, whether to select the table scan for execution by a stateless data processing service. The selected table scans are sent to the stateless data processing service for execution, and results are received by the stateful data processing service. The stateful data processing service may also execute other table scans of the query locally, against a local data cache. If the data is not present in the local data cache, then the stateful data processing service will copy the table data into the local data cache before executing the table scan. A query result based on the remote and/or local table scans may then be returned to the client.

Abstract: Querying databases may be performed with references to machine learning models. A database query may be received that references a machine learning model and database. In response to the query, the machine learning model may provide information which may be returned as part of a result of the query or may be used to generate a result of the query. The machine learning model may be generated in response to a request to generate a machine learning model that includes a database query that identifies the data upon which a machine learning technique may be applied to generate the machine learning model.

Abstract: A system and method for establishing and using quantum safe enclaves is described. In some embodiments, secure shared randomness is distributed between nodes, for example using quantum key distribution. The secured shared randomness is used to generate quantum safe network keys that enable quantum safe network links to be established between any of the nodes included in the quantum safe enclave. A network manager enforces policies that restrict communications between nodes of the quantum safe enclave to transmission via quantum safe network links. Such an arrangement protects communicated data from quantum enabled attacks that may compromise other forms of encryption.

Abstract: An interface for requesting, and technique for generation of, a backup of a past state of a database table are provided. Changes made to a database table are accumulated, in durable storage, and snapshots of partitions of the table are obtained. The accumulated changes and the successive partition snapshots are used to generate a past state of the database at any point in time across a continuum between successive snapshots. Although each partition of the table may have a snapshot that was generated at a time different from when other partition snapshots were generated, changes from respective change logs may be selectively log-applied to distinct partitions of a table to generate backup in the past of the entire table at common point-in-time across partitions.

Abstract: A system and method for providing quantum entanglement as a service are described. Intermediate nodes which may be located in trusted or trustless locations are used to distribute quantum entanglement to endpoints, such as endpoints of customers of a quantum entanglement distribution service. The distributed quantum entanglement provides a secure communication path that does not rely on trust placed in an infrastructure or software provider. To distribute the quantum entanglement, intermediate nodes comprising quantum memories are used. Joint measurements are performed on quantum particles of respective entangled quantum pairs received at the intermediate nodes without collapsing superposition states of the particles. This allows for the quantum entanglement to be extended across intermediate nodes while maintaining entanglement and superposition of the entangled quantum particles.

Abstract: A fault tolerant quantum computer is implemented using hybrid acoustic-electric qubits or electromagnetic qubits, as a few examples. A control circuit includes symmetrically arranged asymmetrically threaded superconducting quantum interference devices (ATSs) that excite phonons in a resonator by driving a storage mode of the resonator and dissipate phonons from the resonator via an open transmission line coupled to the control circuit, wherein the open transmission line is configured to absorb photons from a dump mode of the control circuit. The symmetric ATSs are arranged such that undesirable terms in respective Hamiltonians for the ATSs individually, cancel each other out when combined in the symmetric configuration.

Abstract: Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.

Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present.

Abstract: An indication of a set of premises between which network traffic is to be routed via a private fiber backbone of a provider network is obtained. Respective virtual routers are configured for a first premise and a second premise, and connectivity is established between the virtual routers and routing information sources at the premises. Contents of at least one network packet originating at the first premise are transmitted to the second premise via the private fiber backbone using routing information obtained at the virtual routers from the routing information source at the second premise.

Abstract: Systems, devices, and methods are provided for authorizing access to database management system (DBMS) resources using security policies managed by a service external to the DBMS. A DBMS may be provisioned to obtain a database request, identify one or more securable resources that from applications, determines a request context for the system call, and sends a request to an external policy management service. The policy management service may be used to perform a policy evaluation to determine whether to grant access to the securable resources. In some cases, policies are cached by the DBMS. In various examples, the DBMS and policy management service are both hosted on resources managed by a computing resource service provider on behalf of a customer to run mainframe workloads.