Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: Tags may be used in decisions by an access management service regarding access of computing resources (“resources”) by principals (e.g., users, roles, etc.). The tags may also be used to determine cost information, for grouping resources and/or principals, and for other reasons. The tags may be assigned to principals, to resources, or both. The resource may be a virtual or physical type of computing resource. Tags may be metadata, which may include a key-value pair. Tags may include email addresses, cost centers, project identifiers, location, team name, etc. The value may be a number, letters, or a combination of both. In some embodiments, the values may be limited to certain numbers or bytes, and some numbers and/or letter combinations may be excluded for special use.

Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: Various embodiments provide for a pre-validation of various aspects of an application deployment before any resources are provisioned in a user account. Pre-validation can perform checks on aspects such as connectivity and credential-based access for instances to be provisioned in a user account. A determination can also be made as to whether a role exists in the user account that has the appropriate policies and permissions to enable these instances, if provisioned, to have access to external services and resources needed to support the application. These checks can be performed through a launch wizard or deployment service that can collect information though a single console, and can ensure that these checks succeed before the requested instances are provisioned in the user account.

Abstract: Tags may be used in decisions by an access management service regarding access of computing resources (“resources”) by principals (e.g., users, roles, etc.). The tags may also be used to determine cost information, for grouping resources and/or principals, and for other reasons. The tags may be assigned to principals, to resources, or both. The resource may be a virtual or physical type of computing resource. Tags may be metadata, which may include a key-value pair. Tags may include email addresses, cost centers, project identifiers, location, team name, etc. The value may be a number, letters, or a combination of both. In some embodiments, the values may be limited to certain numbers or bytes, and some numbers and/or letter combinations may be excluded for special use.

Abstract: A system and method for generating a policy entitlement map usable to provide a visualization of policies based at least in part on a set of resources of a service of a computing resource service provider, a set of actions that can be taken with the set of resources, or one or more identities. The policy entitlement map may be generated to reflect a set of actions performable by identities of the one or more identities, a set of resources accessible by the identities, or a set of actions that may be performed on the resources.

Abstract: Tags may be used in decisions by an access management service regarding access of computing resources (“resources”) by principals (e.g., users, roles, etc.). The tags may also be used to determine cost information, for grouping resources and/or principals, and for other reasons. The tags may be assigned to principals, to resources, or both. The resource may be a virtual or physical type of computing resource. Tags may be metadata, which may include a key-value pair. Tags may include email addresses, cost centers, project identifiers, location, team name, etc. The value may be a number, letters, or a combination of both. In some embodiments, the values may be limited to certain numbers or bytes, and some numbers and/or letter combinations may be excluded for special use.

Abstract: A customer of a policy management service may use an interface to access a graphical composer and generate one or more graphical representations of policies that may be applicable to the customer's one or more resources. Once the customer has created a graphical representation of a policy, the policy management service may generate a permission model based at least on the graphical representation of the policy to perform one or more simulations and determine whether the requested policy includes any errors or conflicts. If the one or more simulations result in the requested policy including no errors or conflicts, the policy management service may serialize the permission model to create a representation of the policy in a policy language. This representation of the policy may then be used to control access to the customer's one or more resources in accordance with the policy.

Abstract: A customer of a computing resource service provider may use an interface to access a graphical composer and generate one or more graphical representations of applications that may be provided to a variety of users of the customer's one or more resources. Once the customer has created a graphical representation of an application, a domain specific language model based at least on the graphical representation of the application may be created such that one or more simulations may be performed to determine whether the requested application includes any errors or conflicts. If the one or more simulations result in the application including no errors or conflicts, the domain specific language model may be compiled in an executable programming language to create the application. The application may then be provided to users who may utilize devices capable of understanding the executable programming language to install the application.

Abstract: Tags may be used in decisions by an access management service regarding access of computing resources (“resources”) by principals (e.g., users, roles, etc.). The tags may also be used to determine cost information, for grouping resources and/or principals, and for other reasons. The tags may be assigned to principals, to resources, or both. The resource may be a virtual or physical type of computing resource. Tags may be metadata, which may include a key-value pair. Tags may include email addresses, cost centers, project identifiers, location, team name, etc. The value may be a number, letters, or a combination of both. In some embodiments, the values may be limited to certain numbers or bytes, and some numbers and/or letter combinations may be excluded for special use.

Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: A method and apparatus for the evaluation and remediation of an access control policy is disclosed. In the method and apparatus, an intermediary service may make access request, on behalf of a customer, to one or more computing resources and the access control policy is evaluation to determine whether the request is authorized. Further, remediation options for the access control policy are offered for the request to be authorized.