Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.

Abstract: At an authorization manager, an indication is obtained that a request pre-processing tool has been designated as a validator for a category of requests directed to a network-accessible service. The authorization manager determines, based at least in part on a validation result set indicated in a request of the category, that the request pre-processing tool has verified that the request meets an authorization requirement. The authorization manager approves one or more operations indicated in the request.

Abstract: A computing resource service provides flexible configuration of authorization rules. A set of authorization rules which define whether fulfillment of requests. The set of authorization rules are applied to a request of a first type which is mapped to a request of a second type. The request of the second type is used for fulfillment of the request of the first type when the authorization rules so allow.

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order authorize and authenticate requests sent to a virtualization later. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.

Abstract: Techniques are described for the creation and use of input/output (I/O) filters used to perform actions relative to I/O requests passing through an I/O proxy device of a computer system. A computer system includes one or more hardware processing elements (for example, one or more central processing units (CPUs), graphics processing units (GPUs), or other types of processing elements), one or more data storage devices (for example, hard-disk drives, solid-state drives (SSDs), network-accessible block storage devices, and so forth), and an I/O proxy device that is interposed between at least one of the hardware processing elements and at least one of the one or more data storage devices. The interposition of an I/O proxy device between hardware processing elements and data storage devices enables the I/O proxy device to participate in the I/O data path, for example, to receive I/O messages and to perform various actions relative to such messages.

Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify one or more virtual local area networks (“VLANs”) for a managed computer network being provided for the user, such as with each VLAN including multiple computing nodes of the managed computer network. Networking functionality corresponding to the specified VLAN(s) may then be provided in various manners, such as if the managed computer network itself is a distinct virtual computer network overlaid on one or more other computer networks, and communications between computing nodes of the managed virtual computer network are handled in accordance with the specified VLAN(s) of the managed virtual computer network by emulating functionality that would be provided by networking devices of the managed virtual computer network if they were physically present and configured to support the specified VLAN(s).

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.

Abstract: Customers of a computing resource service provider may operate computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities, and correlated threat information may be generated.

Abstract: A service provider provides virtual computing services using a fleet of one or more host computer systems. Each of the host computer systems may be equipped with a trusted platform module (“TPM”). The service provider, the host computer systems, and the virtual computing environments generate attestations that prove the integrity of the system. The attestations are signed with a one-time-use cryptographic key that is verifiable against the public keys of the service provider, a host computer system, and a virtual computing environment. The public key of the host computer system is integrated into a hash tree that links the public key of the host computer system to the public key of the service provider. The public key of the virtual computing environment is signed using a one-time-use graphic key issued to the host computer system that hosts the virtual computing environment.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request.

Abstract: Systems and methods utilize network destination identifiers, such as IP addresses, that are simultaneously advertised from multiple locations. The network destination identifiers may be announced in multiple geographic regions. Network traffic routed to devices advertising the network destination identifiers may be routed to appropriate endpoints. When a device receives such traffic, it may send the traffic to an endpoint in a network served by the device. In some instances, such as when such an endpoint is not available, the network traffic may be sent to another network that is served by another device that advertises the network destination identifiers.

Abstract: Virtual resources may be provisioned in a manner that is aware of, and respects, underlying implementation resource boundaries. A customer of the virtual resource provider may specify that particular virtual resources are to be implemented with implementation resources that are dedicated to the customer. Dedicating an implementation resource to a particular customer of a virtual resource provider may establish one or more information barriers between the particular customer and other customers of the virtual resource provider. Implementation resources may require transition procedures, including custom transition procedures, to enter and exit dedicated implementation resource pools. Costs corresponding to active and inactive implementation resources in a dedicated pools associated with a particular customer may be accounted for, and presented to, the customer in a variety of ways including explicit, adjusted per customer and adjusted per type of virtual resource and/or implementation resource.

Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

Abstract: Users intending to launch instances or otherwise access virtual resources in a multi-tenant environment can specify a launch configuration. For each type of instance or each type of user, at least one launch configuration is created that includes parameters and values to be used in instantiating an instance of that type, the values being optimized for the current environment and type of instance. Launch configurations can be optimized for different types of users, such as to account for security credentials and access levels. Such an approach enables users to launch instances by contacting the resource provider directly without need for a proxy, which can function as a choke point under heavy load. The use of an appropriate launch configuration can be enforced for any type of user at any level, such as at the sub-net level, by modifying a request that does not specify an appropriate launch configuration.

Abstract: Techniques are described for managing communications between multiple computing nodes, such as for computing nodes that are part of managed virtual computer networks provided on behalf of users or other entities. In some situations, one or more of the computing nodes of a managed virtual computer network is configured to perform actions to extend capabilities of the managed virtual computer network to other computing nodes that are not part of the managed virtual computer network, such as by forwarding communications between computing nodes of the managed virtual computer network and the other external computing nodes so as to enable the other external computing nodes to participate in the managed virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.

Abstract: Techniques are described for managing communications for a managed computer network by using a defined pool of alternative computing nodes of the managed computer network that are configured to operate as intermediate destinations to handle at least some communications that are sent by and/or directed to one or more other computing nodes of the managed computer network. For example, a manager module associated with a source computing node may select a particular alternative intermediate destination computing node from a defined pool to use for one or more particular communications from the source computing node to an indicated final destination, such as based on a configured logical network topology for the managed computer network and/or on one or more other selection criteria (e.g., to enable load balancing between the alternative computing nodes). The manager module then forwards those communications to the selected intermediate destination computing node for further handling.

Abstract: A peripheral device includes one or more processors and a memory storing program instructions that when executed implement an extension manager of a virtualized computing service. The extension manager establishes a secure network channel for communications between the peripheral device, which is located at a premise external to a provider network, and a data center of the provider network. The extension manager assigns a network address of the substrate network of the service to a hardware server at the external premise. The substrate address is also assigned to an extension traffic intermediary at the data center. In response to a command directed to the virtualized computing service, one or more compute instance configuration operations are performed at the hardware server.