Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Methods and apparatus for a client account versioning metadata manager for cloud computing environments are disclosed. A system includes a plurality of resources, a plurality of service managers coordinating respective multitenant network-accessible services, and a metadata manager. The metadata manager receives a multi-service account state view request. The metadata manager generates a representation of an administrative state of a client account indicated by the request with respect a plurality of services accessible by the client account, as of a time indicated in the request. The administrative state with respect to a particular service comprises an indication of an assignment to the client account of resources participating in implementation of the particular service.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Methods and apparatus for a client account versioning metadata manager for cloud computing environments are disclosed. A system includes a plurality of resources, a plurality of service managers coordinating respective multitenant network-accessible services, and a metadata manager. The metadata manager receives a multi-service account state view request. The metadata manager generates a representation of an administrative state of a client account indicated by the request with respect a plurality of services accessible by the client account, as of a time indicated in the request. The administrative state with respect to a particular service comprises an indication of an assignment to the client account of resources participating in implementation of the particular service.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

Abstract: Techniques for self-learning access control policies are disclosed herein. A set of security policy modification recommendations is produced based on set of effective permissions and also based on a set of requests for access subject to that set of effective permission. Each policy modification recommendation is configured to alter the set of effective permissions by performing one or more actions altering one or more of the effective permissions. A selected policy modification recommendation is provided that is configured to produce a modified set of effective permissions.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.

Abstract: Methods and apparatus for an account state simulation service for cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective distributed network-accessible services, and a metadata manager. The metadata manager receives an account state change simulation request, indicating (a) an initial account state of a client account and (b) a collection of operations to be simulated. The metadata manager generates a response to the account change state simulation request, comprising at least one of (a) a representation of an expected end state of the client account reachable as a result of performing the collection of operations (b) an indication of an expected failure of a particular operation of the collection of operations or (c) an estimate of an expected billing amount associated with an implementation of the collection of operations.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Methods and apparatus for a mixed-mode authorization metadata manager for cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective distributed multitenant services, and a metadata manager. In response to a metadata request for an authorization entity, the metadata manager identifies a first and a second service manager coordinating services in use by a client account with which the authorization entity is affiliated. The first and second service managers implement respective authorization APIs. The metadata manager provides composite authorization metadata of the authorization entity based at least in part on (a) service authorization metadata provided by each of the first and second service managers and (b) identity authorization metadata provided by an identity manager.

Abstract: Methods and apparatus for an account state simulation service for cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective distributed network-accessible services, and a metadata manager. The metadata manager receives an account state change simulation request, indicating (a) an initial account state of a client account and (b) a collection of operations to be simulated. The metadata manager generates a response to the account change state simulation request, comprising at least one of (a) a representation of an expected end state of the client account reachable as a result of performing the collection of operations (b) an indication of an expected failure of a particular operation of the collection of operations or (c) an estimate of an expected billing amount associated with an implementation of the collection of operations.

Abstract: Methods and apparatus for an account state simulation service for cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective distributed network-accessible services, and a metadata manager. The metadata manager receives an account state change simulation request, indicating (a) an initial account state of a client account and (b) a collection of operations to be simulated. The metadata manager generates a response to the account change state simulation request, comprising at least one of (a) a representation of an expected end state of the client account reachable as a result of performing the collection of operations (b) an indication of an expected failure of a particular operation of the collection of operations or (c) an estimate of an expected billing amount associated with an implementation of the collection of operations.

Abstract: Data can be processed in parallel across a cluster of nodes using a parallel processing framework. Using Web services calls between components allows the number of nodes to be scaled as necessary, and allows developers to build applications on the framework using a Web services interface. A job scheduler works together with a queuing service to distribute jobs to nodes as the nodes have capacity, such that jobs can be performed in parallel as quickly as the nodes are able to process the jobs. Data can be loaded efficiently across the cluster, and levels of nodes can be determined dynamically to process queries and other requests on the system.

Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.

Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.

Abstract: Methods and apparatus for an account cloning service for cloud computing environments are disclosed. A system includes a plurality of resources, a plurality of service managers coordinating respective distributed network-accessible services, and a metadata manager. The metadata manager receives an account cloning request specifying a source client account. The metadata manager identifies a representation of an administrative state of the source client account with respect to a plurality of services, including configuration settings of an original set of resources of the plurality of resources providing functionality of the set of services. The metadata manager stores a record of an association of a clone client account of the particular source client account with the representation of the administrative state.

Abstract: Methods and apparatus for client-specified schema extensions in cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective multitenant network-accessible services, and one or more computer servers. In response to a schema extension request specifying a client account, a client attribute set, and a client data source, the one or more computer servers generate a composite schema customized for the client account comprising (a) attributes of a plurality of resources implementing the functionality of at least one service to which the client account has access and (b) the client attribute set. In response to an account state view request specifying the client account, the one or more computer servers provide a state representation comprising (a) at least one value of a particular client attribute and (b) at least one attribute value of a resource.