Patents by Inventor Bradley Jeffery Behm

Bradley Jeffery Behm has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11687661
    Abstract: Customers of a service provider are able to provision compartments of the accounts. Both the accounts and the compartments, in some embodiments, may have associated computing resources and identities. One or more identities of the account may be authorized to perform administrative operations in the compartment. Identities of the compartment may lack the ability to perform any administrative actions outside of the compartment but inside of the account.
    Type: Grant
    Filed: April 9, 2021
    Date of Patent: June 27, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Anders Samuelsson, Bradley Jeffery Behm
  • Patent number: 11658971
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: May 23, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 11469884
    Abstract: At a computing device, contents of one or more transaction records are obtained from a record-keeping network at which a decentralized consensus-based protocol is used to store transaction records of administrator changes of various devices. Using the contents of the obtained records, an administrator of the computing device is identified, as well as a network endpoint of the administrator. A set of instructions is obtained from the endpoint and executed.
    Type: Grant
    Filed: January 23, 2019
    Date of Patent: October 11, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Lomash Kumar, Bradley Jeffery Behm, Shyam Krishnamoorthy, Dan Griffin
  • Publication number: 20220058274
    Abstract: Customers of a service provider are able to provision compartments of the accounts. Both the accounts and the compartments, in some embodiments, may have associated computing resources and identities. One or more identities of the account may be authorized to perform administrative operations in the compartment. Identities of the compartment may lack the ability to perform any administrative actions outside of the compartment but inside of the account.
    Type: Application
    Filed: April 9, 2021
    Publication date: February 24, 2022
    Inventors: Gregory Branchek Roth, Anders Samuelsson, Bradley Jeffery Behm
  • Patent number: 11245577
    Abstract: Methods, systems, and computer-readable media for template-based onboarding of internet-connectible devices are disclosed. A device onboarding service receives an onboarding request comprising a proof and context of identity (PCI) of an Internet-connectible device (ICD). The service determines an account associated with the ICD based at least in part on the onboarding request. The account is associated with an account policy in an onboarding template that is determined at least in part by an owner of the account. If the PCI is verified against one or more criteria of the onboarding template, then a device configuration is determined based at least in part on the onboarding template. The service sends the device configuration to the ICD, and the ICD's behavior is determined at least in part on the device configuration. The ICD uses the access credentials of the device configuration to communicate with an application in a cloud computing environment.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: February 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Bradley Jeffery Behm, Lomash Kumar, Jijo Raphael Jose
  • Patent number: 11233696
    Abstract: A technology is described for connecting a device to a network. An example method may include identifying a preinstalled network configuration for a default wireless network from device memory. The preinstalled network configuration may be used by the device to connect to the default wireless network and obtain a local network configuration for a local wireless network. Thereafter, the device may disconnect from the default wireless network and connect to the local wireless network using the local network configuration.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: January 25, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Lomash Kumar, Bradley Jeffery Behm, Jijo Raphael Jose
  • Patent number: 11146541
    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
    Type: Grant
    Filed: July 15, 2019
    Date of Patent: October 12, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
  • Patent number: 11102189
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: June 26, 2014
    Date of Patent: August 24, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 10977377
    Abstract: Customers of a service provider are able to provision compartments of the accounts. Both the accounts and the compartments, in some embodiments, may have associated computing resources and identities. One or more identities of the account may be authorized to perform administrative operations in the compartment. Identities of the compartment may lack the ability to perform any administrative actions outside of the compartment but inside of the account.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: April 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Anders Samuelsson, Bradley Jeffery Behm
  • Publication number: 20210099339
    Abstract: Methods, systems, and computer-readable media for template-based onboarding of internet-connectible devices are disclosed. A device onboarding service receives an onboarding request comprising a proof and context of identity (PCI) of an Internet-connectible device (ICD). The service determines an account associated with the ICD based at least in part on the onboarding request. The account is associated with an account policy in an onboarding template that is determined at least in part by an owner of the account. If the PCI is verified against one or more criteria of the onboarding template, then a device configuration is determined based at least in part on the onboarding template. The service sends the device configuration to the ICD, and the ICD's behavior is determined at least in part on the device configuration. The ICD uses the access credentials of the device configuration to communicate with an application in a cloud computing environment.
    Type: Application
    Filed: September 26, 2019
    Publication date: April 1, 2021
    Applicant: Amazon Technologies, Inc.
    Inventors: Bradley Jeffery Behm, Lomash Kumar, Jijo Raphael Jose
  • Patent number: 10911428
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: February 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 10802931
    Abstract: Technology is described for management of shadowing for devices. A computing hub may store device data from a device in a buffer associated with a local device shadow of the device. The computing hub may determine a write status of the device data using a last write marker representing a last data entry written to the buffer. The computing hub may also determine a shadowing upload status of the device data using a last sent shadow marker representing a last data entry of the buffer sent to a device shadowing service in a service provider environment. The computing hub may send computing hub information that includes the last write marker and the last sent shadow marker to the device shadowing service in the service provider environment.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: October 13, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: John Morkel, Sergejus Barinovas, Manish Geverchand Jain, Bradley Jeffery Behm
  • Publication number: 20200112550
    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.
    Type: Application
    Filed: July 15, 2019
    Publication date: April 9, 2020
    Inventors: Gregory B. Roth, Marc R. Barbour, Bradley Jeffery Behm, Cristian M. Ilac, Eric Jason Brandwine
  • Patent number: 10579422
    Abstract: A method and apparatus for managing backlogged tasks are disclosed. In the method and apparatus, upon receiving a task pertaining to a requestor group, a number of outstanding tasks associated with the requestor group is determined and the task is submitted for processing if the number of outstanding tasks is within an allowable range. If the number of outstanding tasks is outside of the allowable range, one or more actions may be taken, which may include rejecting the request.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: March 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Bradley Jeffery Behm
  • Patent number: 10516667
    Abstract: A service of a service provider can cause a compartment to be created in an account of a customer of the service provider. Computing resources are provisioned in the compartment and the service has administrative authority over the computing resources. The customer may have administrative authority over the compartment, but may lack authority over the computing resources inside of the compartment.
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: December 24, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Anders Samuelsson, Bradley Jeffery Behm
  • Patent number: 10366358
    Abstract: A method and apparatus for providing a backlogged computing work exchange are provided. In the method and apparatus, a computer system receives a request, whereby satisfaction of the request requires enqueuing computing work. The computer system determines a queued computing work quota of a plurality of queued computing work quotas for use in enqueuing the computing work and submits the request for execution, whereby the request is associated with a second client and the queued computing work quota of the plurality of queued computing work quotas is associated with a first client different from the second client.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: July 30, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Bradley Jeffery Behm
  • Patent number: 10313346
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: June 4, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 10298404
    Abstract: A client establishes a cryptographically protected communications session with a server. To detect a man-in-the-middle, the client echoes information about a certificate purportedly received from the server. The information echoed by the client is digitally signed so as to be verifiable by the server without any cryptographic key used in the cryptographically protected communications session or its establishment, thereby rendering the echoed information unmodifiable by a man-in-the-middle without invalidating the signature. The server can therefore verify both the echoed information and the digital signature to determine whether it has established a cryptographically protected communications session with the client or with a man-in-the-middle purporting to be the client.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: May 21, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Bradley Jeffery Behm, Gregory Branchek Roth, Gregory Alan Rubin
  • Patent number: 10263994
    Abstract: Systems and methods are described for delegating permissions to enable account access to entities not directly associated with the account. The systems determine a delegation profile associated with a secured account of at least one customer. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Grant
    Filed: August 3, 2015
    Date of Patent: April 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B Roth, Bradley Jeffery Behm
  • Patent number: 10263978
    Abstract: Systems and methods provide logic that validates a code generated by a user, and that executes a function of a programmatic interface after the user code is validated. In one implementation, a computer-implemented method performs a multifactor authentication of a user prior to executing a function of a programmatic interface. The method includes receiving, at a server, a user code through a programmatic interface. The server computes a server code in response to the user code, and compares the user code to the server code to determine that the user code corresponds to the server code. The server validates the user code and executes a function of the programmatic interface, after the user code is validated.
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: April 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Joseph Cavage, Bradley Jeffery Behm, Luis Felipe Cabrera