Abstract: In certain embodiments, a system having a memory and a processor. The memory is operable to store a credential verifier associated with a user account and a counter. The processor is coupled to the memory and the memory includes executable instructions that cause the system to receive a first authentication attempt and increment the counter if validation of the first authentication attempt against the credential verifier fails. The instructions also cause the system to receive a second authentication attempt and increment the counter only if validation of the second authentication attempt against the credential verifier fails and the second authentication attempt is distinct from the first authentication attempt.

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract: In certain embodiments, a system comprises a memory and a processor communicatively coupled to the memory. The memory includes executable instructions that upon execution cause the system to generate, at a first time, a first snapshot capturing data stored in storage units of a storage device. The executable instructions upon execution cause the system to receive an indication to delete at least a portion of the data in the storage units and captured by the first snapshot, and to mark, in response to receiving the indication, the one or more storage units that store the at least a first portion of the data as available. The executable instructions upon execution cause the system to generate, at a second time subsequent to the first time, a second snapshot that omits the one or more storage units marked as available.

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

Abstract: Methods and apparatus for providing network traffic monitoring such as intrusion detection to clients of a provider network. An interface and methods are provided via which a client can select traffic monitoring as a functionality to be added to their configuration on the provider network, for example as part of a load balancer layer. Via the interface, the client can configure new or existing components and specify that traffic monitoring be added on or at the components. Traffic monitoring technology is automatically and transparently added to the client's configuration on or at the components. By adding traffic monitoring functionality to an existing layer, the client does not have to separately manage traffic monitoring on the client's configuration. Traffic monitoring technology may be added at a network substrate level rather than at an overlay network level to insure that all traffic is available to the traffic monitoring technology.

Abstract: Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user's organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

Abstract: A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

Abstract: Methods and apparatus for providing inline network traffic monitoring such as intrusion detection to clients of a provider network. A client can configure new or existing components and specify that traffic monitoring be added on or at the components in the client's configuration on the provider network. Traffic monitoring is automatically and transparently added to the client's configuration on or at the components. Traffic to the client's configuration passes through the traffic monitoring technology. Traffic monitoring technology may be implemented on a resource in the client's configuration that implements other technology, such as a load balancer component. Alternatively, traffic monitoring technology may be implemented on separate components upstream or downstream of a resource that implements other technology. Traffic monitoring may be implemented at a network substrate level rather than at an overlay network level.

Abstract: Methods and apparatus for providing out-of-band network traffic monitoring such as intrusion detection to clients on a provider network. A client can configure new or existing components and specify that traffic monitoring be added on or at the components in the client's configuration on the provider network. Traffic monitoring is provided for the client's configuration via replication technology on the provider network. In response to the client specifying that traffic monitoring is to be added on or at a component, traffic to the client's configuration is routed to replication technology, which may be implemented at a network substrate level, that passes one copy to the client's configuration and sends another copy to a destination that handles traffic monitoring such as an intrusion detection handler. The destination may be anywhere on the provider network or on an external network.

Abstract: Disclosed are various embodiments for granting permission to another user on a computer network to impersonate himself or herself on the network for duration of a specified period. One embodiment of such a method describes receiving instructions from a second user to grant impersonation permission to a first user to have access to user data of the second user; establishing an access policy authorizing access to the user data of the second user; and assigning the access policy to the first user.

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract: Methods and apparatus for providing scalable private services in service provider networking environments. A service provider that provides a large, public, multi-tenant implementation of a web service to multiple customers via a public API endpoint may allow a customer to request the establishment of a private implementation of the service. In response, a service private instance may be automatically and/or manually established for the customer that provides a private API endpoint to the service and that is at least in part implemented on single-tenant hardware that is not shared with other customers. The service private instance may initially be implemented as a relatively small scale and possibly limited implementation of the service when compared to the service public instance. As the needs of the customer grow, the service private instance may be automatically and/or manually scaled up from the initial implementation.

Abstract: Update preferences might be utilized to specify that an update to an application should not be applied until the demand for the application falls below a certain threshold. Demand for the application is monitored. The update to the application is applied when the actual demand for the application falls below the specified threshold. The threshold might be set such that updates are deployed during the off-peak periods of demand encountered during a regular demand cycle, such as a diurnal, monthly, or yearly cycle.

Abstract: Instances of computing resources might need to be de-scaled that have become unnecessary following a deployment of an update to an application. Instances might also need to be de-scaled as a result of decreased demand for the application. If de-scaling of instances of computing resources is required, the percentage of a paid-for time period for each instance is determined. Instances that have utilized the greatest percentage of their paid-for time period may then be de-scaled.

Abstract: A test environment is created for use in selecting updates for deployment to a programmable execution service (“PES”) application. The test environment is created in one embodiment by replicating a production network and one or more production virtual machine instances executing the PES application. Once the test environment has been created, the test environment is utilized to test and select updates for deployment to the PES application. The updates may be selected by deploying the updates to the test environment and using the test environment to determine whether the deployed updates are compatible with the PES application, permit the PES application to continue to operate performantly, and/or permit the PES application to meet one or more business performance metrics. Once the updates have been selected, the updates may be applied to production virtual machine instances executing the PES application.

Abstract: Methods and apparatus for provider-arbitrated mandatory access control policies in cloud computing environments are disclosed. A system includes an access manager, and a plurality of resources configurable to provide a plurality of distributed, web-accessible services. Each service has a respective service manager. The access manager determines whether a mandatory access control policy document specified by a service manager of a particular service applies to an administration request, wherein the policy indicates that a permission setting for a resource being used to implement at least a portion of the particular service cannot be modified by a client with administrative rights on the resource. In response to determining that the policy document applies, and that an evaluation of the policy document indicates that an administrative operation specified in the administration request is prohibited by the policy, the access manager rejects the administration request.

Abstract: Update preferences are specified that define factors for use in determining how and when updates to an application are to be deployed. The update preferences may include economic factors, temporal factors, operational factors, and other types of factors. The update preferences are utilized to create a deployment plan that specifies how and when the updates are to be applied to the application in view of the specified factors. The deployment plan is utilized to deploy the updates to the application.

Abstract: In certain embodiments, detecting scans may include receiving packets, where each packet has a target. The number of distinct targets of the packets may be counted using one or more Bloom counters. The number of distinct targets may satisfy a scan threshold for detecting a scan. If the scan threshold is satisfied, it is determined a scan is present.

Abstract: Methods and apparatus for remapping IP addresses of a network to endpoints within a different network. A provider network may allocate IP addresses and resources to a customer. The provider network may allow the customer to map an IP address to remap an IP address to an endpoint on the customer's network. When a packet is received from a client addressed to the IP address, the provider network may determine that the IP address has been remapped to the endpoint. The provider network may translate the source and destination addresses of the packet and modify the source address of the packet to indicate the endpoint as the destination, and send the modified packet to the endpoint via the Internetan intermediate network. Response traffic may be routed to the client through the provider network, or may be directly routed to the client by the customer network.

Abstract: The behavior of multiple users with access to a multi-tenant resource can be monitored and compliance enforced by monitoring state information for each user. The state information can be captured across a level of a network environment, such that any activity across that layer can be monitored and the data aggregated to give a global view of user behavior. If user behavior is determined to fall outside an acceptable range of behavior, any of a number of remedial actions can be taken, which can include notifying the user, billing the user for the inappropriate behavior, or modifying that behavior outside of the control of the user.