Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: Devices and methods are provided for using an identity-aware proxy to filter transmissions for virtual networks. The device may receive an encrypted application programming interface (API) call from a second device, wherein the encrypted API call is associated with a remote network resource, and wherein the device is included in a remote network which includes the remote network resource. The device may determine, based on the encrypted API call, an account associated with the remote network resource. The device may determine that the account is not authorized to access the remote network resource using the remote network. The device may send an error notification to the second device.

Abstract: Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.

Abstract: A method for treating a natural gas containing carbon dioxide using membrane modules which are assigned to a first treatment stage or a second treatment stage and are fluidically connected to a retentate mode or a permeate mode. When evolution in the operating conditions results in one of the processing levels requiring less membrane surface for gas processing and the other processing level requiring more membrane surface for gas processing, then the method allows for reassignment of needed membrane modules assigned from one processing level requiring less membrane surface to another processing level requiring more membrane surface.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: A customer in a computing resource provider environment, running an application on a VM instance, uses role credentials to request access to one or more web services. The request is forwarded to an enclave associated with the VM instance such that the enclave digitally signs the request and access to the one or more web services is provided.

Abstract: Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.

Abstract: A first network namespace and second network namespace are created in a computing instance of a computer system, with the second network namespace being accessible to the first network namespace via an interface. A service is executed in the first namespace and an encoder is executed in the second namespace, with the encoder transforming media from one format to another format. Communication from the encoder to the service is regulated via the interface.

Abstract: A method for treating a natural gas containing carbon dioxide using membrane modules which are assigned to a first treatment stage or a second treatment stage and are fluidically connected to a retentate mode or a permeate mode. When evolution in the operating conditions results in one of the processing levels requiring less membrane surface for gas processing and the other processing level requiring more membrane surface for gas processing, then the method allows for reassignment of needed membrane modules assigned from one processing level requiring less membrane surface to another processing level requiring more membrane surface.

Abstract: The present invention relates to a method for the catalytic conversion in vapor phase of disulfide oil into methane and hydrogen sulfide, comprising the step of contacting disulfide oil, eventually in the presence of water, with a supported transition metal catalyst.

Abstract: The present invention relates to a distributor tray (1) comprising chimneys (2) for the passage of gas and means for the passage of liquid. The distributor tray furthermore has at least one casing (10) for distributing the gas. The casing (10) is arranged around a plurality of chimneys (2), and has gas remixing means and gas redistribution means.

Abstract: A collection of fault categories, including faults associated with internal resources at a provider network, is presented via an interface of a fault injection service. A fault injection mode, selected from a set which comprises a non-randomized mode, to be used to inject faults into a target environment is determined. Fault injection agents introduce faults into the target environment in accordance with the fault injection mode.

Abstract: A computing resource service provider grants a first set of security permissions to a principal (e.g., a user) which may be used to access a plurality of computing resources. The permissions may be associated with a first security token. The principal may access resources using the first set of security permissions, and a system (e.g., a service provider) may identify a subset of security permissions that are sufficient to provide access to the computing resources accessed by the principal using the first set of permissions. The subset may be associated with the principal. In some cases, the principal operating under the subset of permissions may be denied access to a computing resource and may be granted access to the computing resource by operating under the first set of permissions.

Abstract: The present invention relates to a gas-redirecting device presenting an upper plane and a plurality of gas-redirecting tubes comprising an inlet end and an outlet end. For each gas-redirecting tube, the orthogonal projections of the inlet end and the outlet end onto the upper plane have an over-lapping area of at most 50% of the total area of the upper plane covered by the orthogonal projections. Also provided is a liquid-gas contacting column comprising a gas-redirecting device, a floating support comprising a liquid-gas contacting column, at least two packed beds and a method for improving the efficiency of a liquid-gas contacting column which is based on redirecting the gas from a wetted zone of a lower packed bed to a wetted zone of the higher packed bed.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: A customer may request a service endpoint for a service in their virtual network on a provider network. In response, a service endpoint is generated in the customer's virtual network, a local IP address in the IP address range of the customer's virtual network is assigned to the service endpoint, and a DNS name is assigned to the service endpoint. Resources on the customer's virtual network resolve the DNS name of the service endpoint to obtain the local IP address of the service endpoint and send service requests for the service to the local IP address of the service endpoint. The service endpoint adds routing information to the service requests and sends the service requests over the network substrate to be routed to the service.

Abstract: The invention relates to a method for the treatment of natural gas containing carbon dioxide, methane and paraffins. The method comprising: a step of extracting the paraffins from the natural gas in a paraffin-removal column, and a step of separating the carbon dioxide and the methane in a distillation column. The operation of the two columns being provided by means of the thermal coupling of said two columns using a thermal coupling heat exchanger.

Abstract: Systems and methods are described to enable adaptive handling of domain resolution requests originating from a virtual private cloud (VPC) networking environment. An administrator of the VPC can provide a set of rules specific to the VPC that designates how requests for a domain name should be handled. The rules may specify, for example, that a request for a given domain name should be routed to a particular domain name server, which may include a private domain name server, should be dropped, or should be routed according to a default behavior (e.g., a public domain name system). Resolution requests originating in the VPC can be associated with a VPC identifier. When an adaptive resolution system receives the request, it can retrieve rules associated with the VPC identifier, and apply the rules to determine further routing for the request.