Patents by Inventor Eric J. Brandwine

Eric J. Brandwine has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9875174
    Abstract: A test environment is created for optimizing the execution of a programmable execution service (“PES”) application. The test environment is created in one embodiment by replicating a production network and one or more production virtual machine instances executing the PES application. Once the test environment has been created, the test environment is utilized to identify optimized values for one or more application parameters consumed by the PES application. The optimized values may be selected to optimize the output of a fitness function that is based upon one or more direct and/or indirect performance metrics associated with the PES application. Once the optimized values for the application parameters have been identified, the generated values are applied to production virtual machine instances executing the PES application.
    Type: Grant
    Filed: September 21, 2011
    Date of Patent: January 23, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Joseph E. Fitzgerald, Marvin M. Theimer, Benjamin W. Mercier
  • Patent number: 9846778
    Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: December 19, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Publication number: 20170353394
    Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware. For example, virtualization technologies can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing one or more virtual machines simulated in software by the single physical computing machine, with each virtual machine acting as a distinct logical computing system. In addition, as routing can be accomplished through software, additional network setup flexibility can be provided to the virtual network in comparison with hardware-based routing. In some implementations, virtual network setup can be abstracted through the use of resource placement templates, allowing users to create virtual networks compliant with a customer's networking policies without necessarily having knowledge of what those policies are.
    Type: Application
    Filed: May 1, 2017
    Publication date: December 7, 2017
    Inventors: Eric J. Brandwine, Marvin M. Theimer, Don Johnson, Swaminathan Sivasubramanian
  • Patent number: 9836466
    Abstract: Systems and methods are provided for managing objects. In one implementation, a computer-implemented method is provided. The method includes receiving a query comprising a tag and executing the query. An object identifier is retrieved from a data table, based on the tag. The method further returns a result of the query. The result includes the object identifier that was retrieved from the data table. The method further includes performing an action related to an object having the retrieved object identifier.
    Type: Grant
    Filed: October 29, 2009
    Date of Patent: December 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Matthew T. Corddry
  • Patent number: 9754253
    Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.
    Type: Grant
    Filed: November 28, 2011
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Publication number: 20170195283
    Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.
    Type: Application
    Filed: March 22, 2017
    Publication date: July 6, 2017
    Inventor: Eric J. Brandwine
  • Patent number: 9641450
    Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware. For example, virtualization technologies can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing one or more virtual machines simulated in software by the single physical computing machine, with each virtual machine acting as a distinct logical computing system. In addition, as routing can be accomplished through software, additional network setup flexibility can be provided to the virtual network in comparison with hardware-based routing. In some implementations, virtual network setup can be abstracted through the use of resource placement templates, allowing users to create virtual networks compliant with a customer's networking policies without necessarily having knowledge of what those policies are.
    Type: Grant
    Filed: July 5, 2013
    Date of Patent: May 2, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Marvin M. Theimer, Don Johnson, Swaminathan Sivasubramanian
  • Patent number: 9628294
    Abstract: Methods and apparatus for remapping IP addresses of a network to endpoints within a different network. A provider network may allocate IP addresses and resources to a customer. The provider network may allow the customer to remap an IP address to an endpoint on the customer's network. When a packet is received from a client addressed to the IP address, the provider network may determine that the IP address has been remapped to the endpoint. The provider network may translate the source and destination addresses of the packet and encode the packet for transmission over a private communications channel. The encoded packet may be sent to the endpoint via the private communications channel over an intermediate network. Response traffic may be routed to the client through the provider network, or may be directly routed to the client by the customer network.
    Type: Grant
    Filed: March 23, 2011
    Date of Patent: April 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Andrew B. Dickinson
  • Patent number: 9621584
    Abstract: Systems and methods are provided for configuring and monitoring computing resources of an entity for compliance with one or more standards. In one implementation, a server receives one or more identifiers of one or more standards and determines a plurality of configuration settings for the computing resources of the entity, based on the received one or more identifiers. The plurality of configuration settings comply with the one or more standards. The computing resources of the entity are configured according to the plurality of configuration settings. The server detects an event related to the computing resources. The detected event and the plurality of configuration settings are evaluated for compliance with the one or more standards. A determination is made whether the entity is compliant with the one or more standards, based on the evaluation, and an action is taken, based on the determination.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: April 11, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Stephen E. Schmidt, Eric J. Brandwine, Luis Felipe Cabrera
  • Patent number: 9607162
    Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that the guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.
    Type: Grant
    Filed: May 18, 2015
    Date of Patent: March 28, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Eric D. Crahen, Graeme D. Baer, Eric J. Brandwine, Nathan R. Fitch
  • Patent number: 9608930
    Abstract: In certain embodiments, a system includes one or more memory units and one or more processing units. The memory units store blocks that each include a number of identifiers. The memory units include executable instructions that upon execution by the processing units cause the system to receive a request to allocate an identifier to an entity. The request includes data identifying the entity. A target block of identifiers is identified. The target block includes more unallocated identifiers than any other block. The target block is split into first and second blocks. The identifiers of the second block are each higher than any identifier of the first block. The second block is assigned to the entity, and a lowest identifier of the second block is allocated to the entity.
    Type: Grant
    Filed: August 30, 2011
    Date of Patent: March 28, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Eric J. Brandwine
  • Patent number: 9544137
    Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: January 10, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 9509503
    Abstract: In a resource-on-demand environment, dynamically created server instances are allowed to boot from encrypted boot volumes. Access keys to the boot volumes are provided from a key provider that authenticates new instances based on possession of a security token that has been previously shared between the key provider and the new instance through an out-of-band communication.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: November 29, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 9448824
    Abstract: Technologies are described herein for capacity availability aware auto scaling. Capacity event auto scaling rules can be defined that specify how computing resources are to be scaled during a capacity event. The capacity event auto scaling rules can be defined to allow utilization of the computing resources to increase during a capacity event. A probability that capacity will be available for providing computing resources during a capacity event can also be computed. Standard auto scaling rules utilized by an auto scaling component can then be modified based upon the computed probability. Other types of actions might also be taken based upon the computed probability, such as reserving instances of computing resources.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: September 20, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Joseph E. Fitzgerald, Marvin M. Theimer, Eric J. Brandwine, Benjamin W. Mercier, Jonathan A. Jenkins
  • Patent number: 9432407
    Abstract: In certain embodiments, a computer-implemented method includes receiving intercepted data associated with a first entity. The intercepted data may be intercepted in response to a request for information from a second entity. The method may include converting the intercepted data from a first format to a second format, the second format compliant with a standard for providing intercepted data to the second entity. The method may include storing, in one or more memory units, the intercepted communication data in the second format. The one or more memory units may be part of a subset of a plurality of computing resources designated for use by the first entity. The method may include storing audit data providing a record of a chain of custody of the intercepted communication data. The method may include providing access to a portion of the stored intercepted communication data in the second format to the second entity.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: August 30, 2016
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Eric J. Brandwine, Stephen E. Schmidt
  • Publication number: 20160173485
    Abstract: A first identity claim and a first attempt to prove password possession are received. As a result of determining that the first attempt to prove password possession is a match to a password in a set of passwords, but that the first identity claim is a mismatch to an identity that corresponds to the password, an authentication process that includes incrementing a counter associated with the password is performed. A second identity claim and a second attempt to prove password possession are received. As a result of determining that the second attempt to prove password possession is a match to the password, an authentication process that includes incrementing the counter associated with the password only if the second identity claim is a mismatch to the first identity claim is performed.
    Type: Application
    Filed: February 24, 2016
    Publication date: June 16, 2016
    Inventors: Stefan Popoveniuc, Cristian Marius Ilac, Gregory Branchek Roth, Eric J. Brandwine
  • Patent number: 9363102
    Abstract: Methods and apparatus for implementing anycast flow stickiness in stateful sessions are described. For the first packet from a source device to an anycast group, a destination anycast endpoint is selected from the anycast group by a routing process via an algorithm that is specified for the anycast group. A record of the mapping of the source device to the destination anycast endpoint may be stored. Additional packets in the flow are routed to the same anycast endpoint as the first packet according to the stored information. Alternatively, a hashing technique may be used to route packets to an anycast endpoint. The packets may be encapsulated in an encapsulation format that includes network substrate routing information to the destination anycast endpoint; anycast forwarding decisions are made at the overlay network level and not at the network substrate level, and thus flow stickiness can be maintained.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: June 7, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Swaminathan Sivasubramanian, Bradley E. Marshall, Tate Andrew Certain
  • Publication number: 20160132320
    Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.
    Type: Application
    Filed: January 5, 2016
    Publication date: May 12, 2016
    Inventors: Joseph E. Fitzgerald, Marvin M. Theimer, Eric J. Brandwine, Benjamin W. Mercier
  • Publication number: 20160110375
    Abstract: In certain embodiments, a system comprises a memory and a processor communicatively coupled to the memory. The memory includes executable instructions that upon execution cause the system to generate, at a first time, a first snapshot capturing data stored in storage units of a storage device. The executable instructions upon execution cause the system to receive an indication to delete at least a portion of the data in the storage units and captured by the first snapshot, and to mark, in response to receiving the indication, the one or more storage units that store the at least a first portion of the data as available. The executable instructions upon execution cause the system to generate, at a second time subsequent to the first time, a second snapshot that omits the one or more storage units marked as available.
    Type: Application
    Filed: December 28, 2015
    Publication date: April 21, 2016
    Inventor: Eric J. Brandwine
  • Patent number: 9319272
    Abstract: Methods and apparatus that enable appliance service instances to be provisioned in a subnet of a customer's private network on a service provider network without provisioning the backend nodes in the customer's subnet. At least one front-end node instance is provisioned in the customer's subnet. Instead of provisioning the backend nodes in the customer's subnet, the appliance service provider provisions the backend node instances in the appliance service provider's subnet. In addition, at least the front-end node instance may be provided with multiple interfaces. At least two of the interfaces face different subnets, with one facing the customer subnet and the other facing the backend subnet operated by the appliance service provider in which the backend node instances are implemented. In some implementations, a third interface may face a management subnet so that the owner of the front-end node instance may manage the instance.
    Type: Grant
    Filed: September 21, 2011
    Date of Patent: April 19, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Ameet N. Vaswani, Ekechi Karl Edozie Nwokah, Eric W. Schultze