Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.

Abstract: Techniques for deperimeterized access control are described. A method of deperimeterized access control may include receiving, by a controller of a deperimeterized access control service, a single packet authorization (SPA) request for a session ticket from an agent on a electronic device, wherein the agent sends the request for the session ticket in response to intercepting traffic destined for a service associated with the deperimeterized access control service and determining that the agent does not have a session ticket for the service, authorizing the SPA request, providing a session ticket to the agent based on the request, receiving, by a gateway of the deperimeterized access control service, a request to initiate a session with a service, the request including the session ticket, validating the session ticket, and providing session parameters to the agent to be used to initiate the session between the electronic device and the service.

Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as for computing nodes that are part of managed virtual computer networks provided on behalf of users or other entities. In some situations, one or more of the computing nodes of a managed virtual computer network is configured to perform actions to extend capabilities of the managed virtual computer network to other computing nodes that are not part of the managed virtual computer network, such as by forwarding communications between computing nodes of the managed virtual computer network and the other external computing nodes so as to enable the other external computing nodes to participate in the managed virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.

Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for providing managed computer networks, such as for managed virtual computer networks overlaid on one or more other underlying computer networks. In some situations, the techniques include facilitating replication of a primary computing node that is actively participating in a managed computer network, such as by maintaining one or more other computing nodes in the managed computer network as replicas, and using such replica computing nodes in various manners. For example, a particular managed virtual computer network may span multiple broadcast domains of an underlying computer network, and a particular primary computing node and a corresponding remote replica computing node of the managed virtual computer network may be implemented in distinct broadcast domains of the underlying computer network, with the replica computing node being used to transparently replace the primary computing node in the virtual computer network if the primary computing node becomes unavailable.

Abstract: Techniques are described for managing communications for a managed virtual computer network overlaid on a distinct substrate computer network, including for communications involving computing nodes of the managed virtual computer network that use an alternative addressing scheme to direct network packets and other network communications to intended destination locations by using textual network node monikers instead of numeric IP addresses to represent computing nodes at a layer 3 or “network layer” of a corresponding computer networking stack in use by the computing nodes. The techniques are provided without modifying or configuring the network devices of the substrate computer network, by using configured modules to manage and modify communications from the logical edge of the substrate network.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, derives a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.

Abstract: Systems, methods, and interfaces for the management of virtual machine instances and other programmatically controlled networks are provided. The hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. Aspects of the virtual network may be assessed for vulnerabilities at varying levels of granularity and sophistication when a suspicious event or triggering activity is detected. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement virtualization offloading components of a virtualized computing service, including a storage manager. The offloading components establish network connectivity with a control plane of the service. Based on detecting that a hardware server, in a separate enclosure, has been linked to the peripheral device, the hardware server is presented as a virtualization host of the service. The offloading components initiate compute instance configuration operations at the server in response to commands issued to the control plane, including at least one configuration operation initiated by the storage manager to enable access to a logical storage device from a compute instance.

Abstract: Techniques are described for providing managed virtual computer networks that have a configured logical network topology with virtual networking devices, such as by a network-accessible configurable network service, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the virtual networking devices if they were physically present.

Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as for computing nodes that are part of managed virtual computer networks provided on behalf of users or other entities. In some situations, one or more of the computing nodes of a managed virtual computer network is configured to perform actions to extend capabilities of the managed virtual computer network to other computing nodes that are not part of the managed virtual computer network, such as by forwarding communications between computing nodes of the managed virtual computer network and the other external computing nodes so as to enable the other external computing nodes to participate in the managed virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: At a virtualization host, an isolated run-time environment is established within a compute instance. The configuration of the isolated run-time environment is analyzed by a security manager of the hypervisor of the host. After the analysis, computations are performed at the isolated run-time environment.

Abstract: Custom policies are definable for use in a system that enforces policies. A user, for example, may author a policy using a policy language and transmit the system through an application programming interface call. The custom policies may specify conditions for computing environment attestations that are provided with requests to the system. When a custom policy applies to a request, the system may determine whether information in the attestation is sufficient for the request to be fulfilled.

Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.

Abstract: A key rotation that results in a first key version associated with a key being replaced by a second key version associated with the same key, wherein the first key version remains associated with the key for decrypting a previously generated ciphertext but not for future encryption requests. The first key version may be associated with a first cryptographic key material and the second key version may be associated with a second cryptographic key material different from the first cryptographic key material.