Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware. For example, virtualization technologies can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing one or more virtual machines simulated in software by the single physical computing machine, with each virtual machine acting as a distinct logical computing system. In addition, as routing can be accomplished through software, additional network setup flexibility can be provided to the virtual network in comparison with hardware-based routing. In some implementations, virtual network setup can be abstracted through the use of resource placement templates, allowing users to create virtual networks compliant with a customer's networking policies without necessarily having knowledge of what those policies are.

Abstract: Techniques are described for facilitating use of software components by software applications in a configurable manner. In some situations, the software components are fee-based components that are made available by providers of the components for use by others in exchange for fees defined by the components providers, and in at least some situations, the software components may have various associated restrictions or other non-price conditions related to their use. The described techniques facilitate use of such software components by software applications in a configured manner. Furthermore, in at least some situation, the execution of such software applications is managed by an application deployment system that controls and tracks the execution of the software application on one or more computing nodes, including to manage the execution of any software components that are part of the software application.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: Systems and methods are provided for managing objects. In one implementation, a computer-implemented method is provided. The method includes receiving a query comprising a tag and executing the query. An object identifier is retrieved from a data table, based on the tag. The method further returns a result of the query. The result includes the object identifier that was retrieved from the data table. The method further performing an action related to an object having the retrieved object identifier.

Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.

Abstract: In certain embodiments, a system comprises a memory and a processor communicatively coupled to the memory. The memory includes executable instructions that upon execution cause the system to generate, at a first time, a first snapshot capturing data stored in storage units of a storage device. The executable instructions upon execution cause the system to receive an indication to delete at least a portion of the data in the storage units and captured by the first snapshot, and to mark, in response to receiving the indication, the one or more storage units that store the at least a first portion of the data as available. The executable instructions upon execution cause the system to generate, at a second time subsequent to the first time, a second snapshot that omits the one or more storage units marked as available.

Abstract: Techniques are described for facilitating use of software components by software applications in a configurable manner. In some situations, the software components are fee-based components that are made available by providers of the components for use by others in exchange for fees defined by the components providers, and in at least some situations, the software components may have various associated restrictions or other non-price conditions related to their use. The described techniques facilitate use of such software components by software applications in a configured manner. Furthermore, in at least some situation, the execution of such software applications is managed by an application deployment system that controls and tracks the execution of the software application on one or more computing nodes, including to manage the execution of any software components that are part of the software application.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.

Abstract: The deployment of content and computing resources for implementing a distributed software application can be optimized based upon customer location. The volume and geographic origin of incoming requests for a distributed software application are determined. Based upon the volume and geographic origin of the incoming requests, content and/or one or more instances of the distributed software application may be deployed to a geographic region generating a significant volume of requests for the distributed software application. Content and/or instances of a distributed software application might also be speculatively deployed to a geographic region in an attempt to optimize the performance, cost, or other attribute of a distributed software application.

Abstract: A first identity claim and a first attempt to prove password possession are received. As a result of determining that the first attempt to prove password possession is a match to a password in a set of passwords, but that the first identity claim is a mismatch to an identity that corresponds to the password, an authentication process that includes incrementing a counter associated with the password is performed. A second identity claim and a second attempt to prove password possession is received. As a result of determining that the second attempt to prove password possession is a match to the password, an authentication process that includes incrementing the counter associated with the password only if the second identity claim is a mismatch to the first identity claim is performed.

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract: Disclosed are various embodiments for allocating computing resources. A request to allocate a computing resource in a collection of networked computing devices is obtained. It is determined whether the request can be fulfilled according to a current configuration of the networked computing devices. A reconfiguration of one or more of the networked computing devices to a different configuration is initiated in order to fulfill the request. The reconfiguration is initiated when a value associated with the request exceeds a cost associated with fulfilling the request. The reconfiguration is initiated in response to determining that the request cannot be fulfilled according to the current configuration.

Abstract: When requesting network services, clients often supply authentication information such as digital signatures. A network provider may from time to time change its authentication scheme. Clients are notified of the change and are provided with an updated authentication specification. Upon receiving the updated authentication specification, a client updates its authentication logic accordingly, and subsequently prepares and provides authentication information in accordance with the new authentication scheme.

Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.

Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.

Abstract: Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.

Abstract: Functionality is disclosed herein for providing a resource monitoring environment that restricts access to computing resource data in a service provider network. The resource monitoring environment processes requests to access computing resource data, and denies requests not signed or authorized by a customer of a service provider network or other entity. Access to the computing resource data includes access to non-obfuscated data and/or access to encrypted computing resource data encrypted by way of a public encryption key held by a customer of the service provider network or other entity instead of a requestor of the computing resource data.

Abstract: Systems and methods are provided for managing objects. In one implementation, a computer-implemented method is provided. The method includes receiving a query comprising a tag and executing the query. An object identifier is retrieved from a data table, based on the tag. The method further returns a result of the query. The result includes the object identifier that was retrieved from the data table. The method further performing an action related to an object having the retrieved object identifier.

Abstract: A test environment is created for optimizing the execution of a programmable execution service (“PES”) application. The test environment is created in one embodiment by replicating a production network and one or more production virtual machine instances executing the PES application. Once the test environment has been created, the test environment is utilized to identify optimized values for one or more application parameters consumed by the PES application. The optimized values may be selected to optimize the output of a fitness function that is based upon one or more direct and/or indirect performance metrics associated with the PES application. Once the optimized values for the application parameters have been identified, the generated values are applied to production virtual machine instances executing the PES application.