Patents by Inventor Daniel George Peebles
Daniel George Peebles has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11777995
Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.
Type: Grant
Filed: January 3, 2022
Date of Patent: October 3, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Ujjwal Rajkumar Pugalia, Sean McLaughlin, Neha Rungta, Andrew Jude Gacek, Matthias Schlaipfer, John Michael Renner, Jihong Chen, Alex Li, Erin Westfall, Daniel George Peebles, Himanshu Gupta
-
Patent number: 11757886
Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.
Type: Grant
Filed: December 11, 2020
Date of Patent: September 12, 2023
Assignee: Amazon Technologies, Inc.
Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Patent number: 11736525
Abstract: Methods, systems, and computer-readable media for generating access control policies using static analysis are disclosed. An access control policy generator performs static analysis of program code of a software product. The static analysis identifies one or more calls to one or more external components in the program code. The access control policy generator determines a mapping of the one or more calls to one or more actions. The one or more actions are selected from a plurality of known actions supported by an access control policy manager. The access control policy generator generates an access control policy associated with the software product. The access control policy comprises one or more permissions with respect to the one or more external components. The access control policy permits the software product to access the plurality of external components using the access control policy manager during execution of the software product.
Type: Grant
Filed: June 17, 2020
Date of Patent: August 22, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Neha Rungta, Willem Conradie Visser, Daniel George Peebles
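The abstract above describes the pipeline in outline: find calls to external components in the program, map each call to a known action of the access control manager, and emit a policy holding only those permissions. The following is an added illustration of that pipeline, written for this listing and not code from Amazon or from the patent. It walks a constructed boto3-style Python program with the standard `ast` module; the `CALL_TO_ACTION` table that maps SDK methods to IAM actions, the ARN shapes, and the sample program are all assumptions made for the example. A call with no entry in the table is treated as an error rather than silently granted `*`, since an unmapped external dependency is exactly the case a least-privilege generator must not guess at.

```python
import ast
import json

# Constructed sample program (example input, not from the page): a small
# boto3-style handler that reads and writes S3 objects and logs to DynamoDB.
SAMPLE_SOURCE = '''
import boto3

s3 = boto3.client("s3")
ddb = boto3.client("dynamodb")

def handler(event, context):
    obj = s3.get_object(Bucket="reports", Key=event["key"])
    ddb.put_item(TableName="audit", Item={"k": {"S": event["key"]}})
    s3.put_object(Bucket="reports", Key="out/" + event["key"], Body=obj["Body"].read())
    return {"ok": True}
'''

# Hypothetical mapping from (service, SDK method) to the action the access
# control manager knows about. A real generator would load this from the
# manager's action catalog; this table is an assumption for the example.
CALL_TO_ACTION = {
    ("s3", "get_object"): "s3:GetObject",
    ("s3", "put_object"): "s3:PutObject",
    ("dynamodb", "put_item"): "dynamodb:PutItem",
}


def _client_services(tree):
    """Map local variable names to the service passed to boto3.client()."""
    services = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            call = node.value
            if (isinstance(call.func, ast.Attribute) and call.func.attr == "client"
                    and call.args and isinstance(call.args[0], ast.Constant)):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        services[target.id] = call.args[0].value
    return services


def _const_kw(call, name):
    """Value of keyword argument `name` if it is a literal, else None."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def _resource_for(service, call):
    """Derive a resource ARN from literal arguments; fall back to '*' if unknown."""
    if service == "s3":
        bucket = _const_kw(call, "Bucket")
        return f"arn:aws:s3:::{bucket}/*" if bucket else "*"
    if service == "dynamodb":
        table = _const_kw(call, "TableName")
        return f"arn:aws:dynamodb:*:*:table/{table}" if table else "*"
    return "*"


def extract_actions(source):
    """Return sorted (action, resource) pairs for every SDK call in `source`.

    Raises ValueError for a call to an external component that has no known
    action, so the generated policy never silently widens to cover it.
    """
    tree = ast.parse(source)
    services = _client_services(tree)
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            recv = node.func.value
            if isinstance(recv, ast.Name) and recv.id in services:
                key = (services[recv.id], node.func.attr)
                action = CALL_TO_ACTION.get(key)
                if action is None:
                    raise ValueError(f"unmapped external call {key}")
                found.add((action, _resource_for(key[0], node)))
    return sorted(found)


def generate_policy(source):
    """Group the discovered actions by resource into one Allow statement each."""
    by_resource = {}
    for action, resource in extract_actions(source):
        by_resource.setdefault(resource, set()).add(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(generate_policy(SAMPLE_SOURCE), indent=2))
```

For the sample program this yields two statements: `dynamodb:PutItem` on the `audit` table and `s3:GetObject` plus `s3:PutObject` on objects in the `reports` bucket, nothing else. The resource derivation only trusts literal arguments; a bucket name computed at runtime degrades to `*`, which is the point at which a reviewer should step in rather than the tool.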
-
Patent number: 11677789
Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.
Type: Grant
Filed: December 11, 2020
Date of Patent: June 13, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Neha Rungta, Daniel George Peebles, Andrew Jude Gacek, Marvin Theimer, Rebecca Claire Weiss, Brigid Ann Johnson
-
Patent number: 11509730
Abstract: Techniques are described for generating a specification of security-relevant behavior associated with web services of a cloud provider network. Source code or software development artifacts associated with an implementation of a web service are obtained, where the source code or software development artifacts include an implementation of a request handler for an action of the service. The request handler includes a request authorization component, e.g., which may involve interaction with an identity and access management service of the cloud provider network to authenticate and authorize requests and may further rely upon one or more authorization contexts included in the requests received by the request handler. An interprocedural data flow analyzer is used to analyze a model representation of the request handler's bytecode to identify and generate specifications of authorization patterns associated with the request handler.
Type: Grant
Filed: December 11, 2020
Date of Patent: November 22, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Daniel George Peebles, Carsten Varming, Neha Rungta, Zhen Zhang
-
Patent number: 11483353
Abstract: Access management policies may be generated from example requests. An access management policy may be received. One or more example requests that have expected results when evaluated with respect to the access management policy may be received. Updates to the access management policy may be determined that cause the expected results to occur when a new version of the access management policy based on the updates is enforced. The new version of the access management policy may be generated based on the updates.
Type: Grant
Filed: December 4, 2020
Date of Patent: October 25, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Jiasi Shen, Homer Strong, Daniel George Peebles, Neha Rungta
-
Patent number: 11394661
Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of "roles" is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).
Type: Grant
Filed: September 23, 2020
Date of Patent: July 19, 2022
Assignee: Amazon Technologies, Inc.
Inventors: John Byron Cook, Neha Rungta, Andrew Jude Gacek, Daniel George Peebles, Carsten Varming
-
Publication number: 20220201043
Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.
Type: Application
Filed: January 3, 2022
Publication date: June 23, 2022
Applicant: Amazon Technologies, Inc.
Inventors: Ujjwal Rajkumar Pugalia, Sean McLaughlin, Neha Rungta, Andrew Jude Gacek, Matthias Schlaipfer, John Michael Renner, Jihong Chen, Alex Li, Erin Westfall, Daniel George Peebles, Himanshu Gupta
-
Publication number: 20220191206
Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.
Type: Application
Filed: December 11, 2020
Publication date: June 16, 2022
Applicant: Amazon Technologies, Inc.
Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Publication number: 20220191253
Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.
Type: Application
Filed: December 11, 2020
Publication date: June 16, 2022
Inventors: Neha Rungta, Daniel George Peebles, Andrew Jude Gacek, Marvin Theimer, Rebecca Claire Weiss, Brigid Ann Johnson
-
Publication number: 20220191205
Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph comprising a plurality of nodes and one or more edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on one or more key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using one or more role assumption steps for a particular state of the one or more attributes. The one or more attributes may comprise one or more transitive attributes that persist during the one or more role assumption steps.
Type: Application
Filed: December 11, 2020
Publication date: June 16, 2022
Applicant: Amazon Technologies, Inc.
Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Publication number: 20220094643
Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of "roles" is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).
Type: Application
Filed: September 23, 2020
Publication date: March 24, 2022
Inventors: John Byron Cook, Neha Rungta, Andrew Jude Gacek, Daniel George Peebles, Carsten Varming
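The role reachability entries in this listing (11757886, 11394661, 20220191205, 20220191206 and 20220094643) all ask the same question: given a graph whose nodes are roles and whose edges are permitted role assumptions, which roles can a principal reach in one or more assumption steps for a particular state of key-value tags, where some tags are transitive and persist across steps? The block below is an added illustration of that question, written for this page and not code from Amazon or the patents. It answers it by explicit breadth-first search over (role, tags) states rather than by model checking or by reasoning about the complement of the trust policy, which is what the abstracts describe; the role graph, the tag semantics (transitive tags survive every hop and cannot be overridden by a later session) and the tag-based conditions are assumptions constructed for the example.

```python
from collections import deque

# Constructed role graph (example data, not from the page). Each role carries a
# trust policy: the principals allowed to assume it and a condition on the
# caller's principal tags. It also lists the session tags it sets when assumed
# and which of those tags are transitive, i.e. carried into later sessions.
ROLES = {
    "Dev": {"trusted": {"User"}, "condition": {},
            "session_tags": {"team": "dev"}, "transitive": set()},
    "Deploy": {"trusted": {"Dev"}, "condition": {},
               "session_tags": {"pipeline": "prod"}, "transitive": {"pipeline"}},
    "Admin": {"trusted": {"Deploy", "Ops"}, "condition": {"pipeline": "prod"},
              "session_tags": {}, "transitive": set()},
    "Ops": {"trusted": {"User"}, "condition": {"team": "ops"},
            "session_tags": {"team": "ops"}, "transitive": set()},
    "Auditor": {"trusted": {"Admin"}, "condition": {"team": "sec"},
                "session_tags": {}, "transitive": set()},
}


def _condition_holds(condition, principal_tags):
    """Every key in the trust policy condition must match the caller's tags."""
    return all(principal_tags.get(k) == v for k, v in condition.items())


def assume(target, current_tags, current_transitive):
    """Evaluate one role assumption step from a session with the given tags.

    Returns (new_tags, new_transitive) for the resulting session, or None when
    the target's trust policy does not authorize the assumption in this state.
    Whether the caller is a trusted principal is checked by the graph walk.
    """
    role = ROLES[target]
    if not _condition_holds(role["condition"], current_tags):
        return None
    carried = {k: current_tags[k] for k in current_transitive}
    # A transitive tag persists through every hop and cannot be overridden,
    # so a session that tries to set a different value is refused.
    if any(k in carried and carried[k] != v for k, v in role["session_tags"].items()):
        return None
    new_tags = {**role["session_tags"], **carried}
    new_transitive = set(current_transitive) | role["transitive"]
    return new_tags, new_transitive


def reachable_roles(start_principal, start_tags):
    """Breadth-first reachability over (principal, tags, transitive-keys) states.

    Returns a dict of every reachable role to the tag state of the first
    session in which it was reached.
    """
    start = (start_principal, frozenset(start_tags.items()), frozenset())
    seen = {start}
    queue = deque([start])
    reached = {}
    while queue:
        principal, tags_fs, transitive = queue.popleft()
        tags = dict(tags_fs)
        for name, role in ROLES.items():
            if principal not in role["trusted"]:
                continue
            result = assume(name, tags, set(transitive))
            if result is None:
                continue
            new_tags, new_transitive = result
            state = (name, frozenset(new_tags.items()), frozenset(new_transitive))
            if state in seen:
                continue
            seen.add(state)
            reached.setdefault(name, new_tags)
            queue.append(state)
    return reached


def can_reach(start_principal, start_tags, target):
    return target in reachable_roles(start_principal, start_tags)


if __name__ == "__main__":
    for role, tags in sorted(reachable_roles("User", {}).items()):
        print(f"{role:8s} reachable with tags {tags}")
```

Walking the graph from an untagged `User` reaches `Dev`, then `Deploy`, then `Admin`: `Deploy` sets `pipeline=prod` as a transitive tag, so it is still present when `Admin`'s condition is evaluated one hop later, whereas the non-transitive `team=dev` tag set by `Dev` is gone. `Auditor` is unreachable because no session on any path carries `team=sec`. Because the state includes the tags, the search distinguishes reachability under different starting tag states, which is the "particular state of one or more key-value tags" the abstracts refer to.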
-
Patent number: 11218511
Abstract: Resource state validation may be performed for access management policies by an identity and access management system. An access management policy associated with an account for network-based services may be received and validated according to resource state obtained for resources associated with the account. A correction for a portion of the access management policy may be identified according to the validation and provided via an interface for the identity and access management system.
Type: Grant
Filed: December 7, 2020
Date of Patent: January 4, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Ujjwal Rajkumar Pugalia, Sean McLaughlin, Neha Rungta, Andrew Jude Gacek, Matthias Schlaipfer, John Michael Renner, Jihong Chen, Alex Li, Erin Westfall, Daniel George Peebles, Himanshu Gupta
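The resource state validation entries (11777995, 20220201043 and this one, 11218511) describe checking a policy against the resources that actually exist in the account and proposing a correction for the part that does not line up. The block below is an added illustration of that check, written for this listing and not code from Amazon or the patents. The resource inventory, the policy with a misspelled bucket name and a reference to a resource that no longer exists, and the choice to suggest a correction only for a near-miss within the same service, account and region are all assumptions constructed for the example.

```python
import copy
import difflib
import fnmatch

# Constructed resource state for the account (example inventory, not real data).
RESOURCE_STATE = {
    "arn:aws:s3:::prod-reports",
    "arn:aws:s3:::prod-reports-archive",
    "arn:aws:dynamodb:us-east-1:123456789012:table/audit",
    "arn:aws:sqs:us-east-1:123456789012:ingest-queue",
}

# Constructed policy under review: statement 0 misspells the bucket name and
# statement 3 refers to a queue that is no longer in the account.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::prod-report/*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/audit"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:ingest-*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:retired-queue"},
    ],
}


def _resource_root(arn):
    """Drop an object-level suffix such as '/*' so an S3 object ARN is checked
    against its bucket ARN."""
    return arn.split("/*", 1)[0]


def _existing_matches(pattern, state):
    """Resources in the account that the (possibly wildcarded) ARN refers to."""
    root = _resource_root(pattern)
    return sorted(r for r in state if fnmatch.fnmatchcase(r, root))


def _suggest(root, state):
    """Closest existing resource with the same service/region/account prefix.

    Only the trailing resource name is compared, so the shared ARN prefix does
    not make every resource of the service look like a near-miss.
    """
    prefix, _, name = root.rpartition(":")
    candidates = {r.rpartition(":")[2]: r for r in state if r.rpartition(":")[0] == prefix}
    close = difflib.get_close_matches(name, list(candidates), n=1, cutoff=0.8)
    return candidates[close[0]] if close else None


def validate_policy(policy, state):
    """One finding per Resource entry that matches nothing in the account,
    with a suggested correction when a close existing resource exists."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*" or _existing_matches(res, state):
                continue
            root = _resource_root(res)
            best = _suggest(root, state)
            findings.append({
                "statement": i,
                "resource": res,
                "suggestion": best + res[len(root):] if best else None,
            })
    return findings


def apply_corrections(policy, findings):
    """Return a corrected copy of the policy. Findings without a suggestion are
    left as they are for a human to resolve; the validator will report them again."""
    fixed = copy.deepcopy(policy)
    for f in findings:
        if f["suggestion"] is None:
            continue
        stmt = fixed["Statement"][f["statement"]]
        if isinstance(stmt["Resource"], str):
            stmt["Resource"] = f["suggestion"]
        else:
            stmt["Resource"] = [f["suggestion"] if r == f["resource"] else r
                                for r in stmt["Resource"]]
    return fixed


if __name__ == "__main__":
    for f in validate_policy(POLICY, RESOURCE_STATE):
        print(f"statement {f['statement']}: {f['resource']} -> {f['suggestion']}")
```

On the constructed input the validator reports two findings: the `prod-report/*` reference is corrected to `prod-reports/*`, while `retired-queue` has no close match among existing queues and is reported with no suggestion. Re-running the validator on the corrected policy leaves only that second finding, which is the behaviour to want from such a tool: it should fix an obvious typo but never replace a dangling reference with some unrelated resource that merely exists.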