Abstract: Systems and methods for data enrichment as a service are described herein. A service provider of a computing resource service provider may provide services for enriching data with additional data. The service provider may receive a set of enrichment parameters. The enrichment parameters may be used to determine whether data obtained by the service provider is eligible for enrichment. If data is eligible for enrichment, the data may be enriched according to the enrichment parameters, thereby generating enriched data. The enriched data may be stored in association with the data.

Abstract: A multi-tenant provider network may implement confidential data capture and analysis for virtual computing resources. Network traffic for virtual compute instances may be evaluated to identify possible malicious behavior of the virtual compute instances. In some embodiments, a stream of raw metering data for individual network communications to the virtual compute instances may be evaluated. A confidential analysis may be performed for identified virtual compute instances, evaluating confidential data utilized by the virtual compute instances for malicious software. Results of the confidential analysis may be generated according to an access policy that restricts access to the confidential data. The results may be provided to a client that is restricted from accessing the confidential data according to the access policy.

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

Abstract: Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

Abstract: Techniques for hosting components of provider services within secure execution environments are described herein. Information associated with a request received at a control plane of a service is received at a secure execution environment and, based at least in part on that information, one or more tasks is determined that may be performed to respond to the request. A task of the one or more tasks is performed within the secure execution environment to generate a response to the request, the response is encrypted within the secure execution environment using a key stored within the secure execution environment and available to a component of a computer system, and the encrypted response is made available.

Abstract: Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.

Abstract: Techniques for operating web services within secure execution environments running within computing resource service provider environments are described herein. A web service provides an application that can be instantiated within a secure execution environment associated with a customer computer system that is hosted by a computing resource service provider and programmatically managed by the customer and the customer computer system provides validation of the secure execution environment. Web service requests from the customer computer system are received by the web service application hosted within the secure execution environment. As the one or more web service requests are received by the web service within the secure execution environment, the requests are fulfilled by executing instructions associated with the web service within the secure execution environment.

Abstract: Methods and systems for instantiating an enclave according to a request, the enclave being instantiated at a determined location of a set of locations in a computing environment of a computing resource service provider hosting a set of computing resources. The enclave further being instantiated with executable code specified by a customer for processing network traffic in accordance with the executable code in a computing environment.

Abstract: Techniques for hosting components of provider services within secure execution environments are described herein. Information associated with a request received at a control plane of a service is received at a secure execution environment and, based at least in part on that information, one or more tasks is determined that may be performed to respond to the request. A task of the one or more tasks is performed within the secure execution environment to generate a response to the request, the response is encrypted within the secure execution environment using a key stored within the secure execution environment and available to a component of a computer system, and the encrypted response is made available.

Abstract: A system and method of performing a multi-party computation by determining a function for use in the multi-party computation, receiving a plurality of input values for the function, evaluating the function based at least in part on the plurality of input values to generate a result wherein the result is not usable to determine an input of the plurality of input values, and providing an output based at least in part on the result.

Abstract: Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.

Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.

Abstract: Techniques for securely instantiating control plane components of provider services, at least a portion of which are instantiated within secure execution environments, are described herein. A request to instantiate the control plane of a service provided by a computing resource service provider is fulfilled by selecting a target computer system. The target computer system is selected based at least in part on the hardware capabilities of the target computer system. The control plane is then instantiated within a secure execution environment operating on the target computer system.

Abstract: A method and system for running an additional execution environment associated with a primary execution environment, receiving a request from the primary execution environment to create the additional execution environment, and, in response to the request, creating the additional execution environment such that entities other than the primary execution environment have insufficient privileges to access the additional execution environment.

Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.