Abstract: A set of operations is performed to cause a resource accessible to a first set of entities to also be accessible to a member of a second set of entities, where the set of operations, as a result of being executed, causes a processor to create a project to associate with a set of resources, associate a policy that controls access to the set of resources with the projects, associate the resource with the set of resources of the project, and associate the member of the second set of entities with the project. A request is obtained from the member of the second set of entities to access the resource. The member of the second set of entities is determine to be authorized to access the resource based on the policy. The member of the second set of entities is allowed to obtain access to the resource.

Abstract: Techniques for determining insight are described. An exemplary method includes receiving a request to provide insight into potential abnormal behavior; receiving one or more of anomaly information and event information associated with the potential abnormal behavior; evaluating the received one or more of the anomaly information and event information associated with the abnormal behavior to determine there is insight as to what is causing the potential abnormal behavior and to add to an insight at least two of an indication of a metric involved in the abnormal behavior, a severity for the insight indication, an indication of a relevant event involved in the abnormal behavior, and a recommendation on how to cure the potential abnormal behavior; and providing an insight indication for the generated insight.

Abstract: User identities can managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or can child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.

Abstract: A key distribution host determines a trust level of a user authentication server, wherein the trust level is based, at least in part, on one or more attributes of the user authentication server and provides one or more authentication keys to the user authentication server only if the trust level of the user authentication server is above a threshold value.

Abstract: A communication system may include a plurality of geographically proximate nodes that communicate via one or more range-limited wireless technologies such as BLUETOOTH® low energy (BLE). An origin node may generate and communicate a first message responsive to detecting an event occurrence. The message may include an identifier associated with the origin node, data indicative of the event occurrence, a hop count, a maximum hop count, and a number of designated recipient nodes within the communication system. A first designated recipient node may, upon receiving the first message, attempt to confirm the event occurrence included in the first message. Upon confirming the event occurrence, the first designated recipient node may communicate a notification to an external third party. If unable to confirm the event occurrence, the first designated recipient node may generate and communicate a second message to a second designated recipient node included in the first message.

Abstract: Techniques for determining causality are described. An exemplary method includes receiving a request to determine a cause of an unhealthy system; receiving one or more of anomaly information and event information associated with the unhealthy system; evaluating the received one or more of the anomaly information and event information associated with the unhealthy system to determine there is a known causality between anomalies or events leading to the unhealthy system; and providing a causality indication for the known causality, the causality indication including an identification of a causality source and a causality target.

Abstract: User identities can managed at an organization level, instead of across multiple individual resource accounts. In a resource provider environment, access to various resources and services may require users to have identities with specific resource accounts. Users can instead be associated with organization accounts, or virtual accounts that are not associated with specific resources or services. The organization accounts are attached at the appropriate location(s) in an organizational hierarchy. A user having an organization account can project the identity in any sub-account in the organization hierarchy. This can include any lower-level resource account, or can child accounts under a relevant branch of the hierarchy. A user can validate against the organization account, and receive access to the relevant service or resources using the identity projected in the corresponding resource account.

Abstract: Techniques for a code reviewer service to provide recommendations on source code are described. A code reviewer service may run rules and/or machine learning models to provide the recommendations. A machine learning model may identify one or more predicted issues of source code, and the code reviewer service may provide one or more recommendations based at least in part on the one or more predicted issues. Code reviewer service may allow a pull request for a code repository to trigger the generation of recommendations for the source code in the repository. The recommendations may be posted on the pull request.

Abstract: Tags may be used in decisions by an access management service regarding access of computing resources (“resources”) by principals (e.g., users, roles, etc.). The tags may also be used to determine cost information, for grouping resources and/or principals, and for other reasons. The tags may be assigned to principals, to resources, or both. The resource may be a virtual or physical type of computing resource. Tags may be metadata, which may include a key-value pair. Tags may include email addresses, cost centers, project identifiers, location, team name, etc. The value may be a number, letters, or a combination of both. In some embodiments, the values may be limited to certain numbers or bytes, and some numbers and/or letter combinations may be excluded for special use.

Abstract: A customer in a computing resource provider environment, running an application on a VM instance, uses role credentials to request access to one or more web services. The request is forwarded to an enclave associated with the VM instance such that the enclave digitally signs the request and access to the one or more web services is provided.

Abstract: A database server (e.g., a replica) generates a local checksum from a sequence of database operations and contributes the sequence of operations and the local checksum to a shared log of a distributed database. Additional database servers, similarly, generate local checksums. A checksum replica agent determines a first ordering of database operations of a first database server of a database, determines a second ordering of database operations of a second database server of the database; determines whether a third ordering of database operations that is based at least in part on the first ordering and the second ordering is valid. In an embodiment, a checksum replica agent generates a global checksum over the third ordering. Checksums, in an embodiment, are digitally signed and/or encrypted.

Abstract: Techniques for anomaly detection are described. An exemplary method includes receiving a request to detect anomalies, using an anomaly detection service, in time series data using one or more detectors; configuring the anomaly detection service by: generating a configuration for the anomaly detection service based on at least in part on one or more of the request the time series data, and metadata, wherein the configuration identifies at least one particular detector of the one or more detectors, and configuring the anomaly detection service using the generated configuration; evaluating the time series data for an anomaly using the configured anomaly detection service by: observing potentially anomalous behavior using the identified at least one particular detector of the one or more detectors, and generating an anomaly indication.

Abstract: Systems, devices, and methods are provided for unblocking a computer resource usage count. A system may receive a request for a user account and a user account policy, and may obtain a count of a first number of user accounts, wherein the count is based on an aggregation of two or more actions associated with the user account policy. The system may determine, based on the count, that the first number of user accounts is less than a threshold number of accounts. The system may obtain based on the determination that the first number of user accounts is less than the threshold number of accounts, an event history. The system may determine, based on the event history, a second number of user accounts. The system may determine that the second number of user accounts is less than the threshold number of accounts, and may update the user account policy.

Abstract: A communication system may include a plurality of geographically proximate nodes that communicate via one or more range-limited wireless technologies such as BLUETOOTH® low energy (BLE). An origin node may generate and communicate a first message responsive to detecting an event occurrence. The message may include an identifier associated with the origin node, data indicative of the event occurrence, a hop count, a maximum hop count, and a number of designated recipient nodes within the communication system. A first designated recipient node may, upon receiving the first message, attempt to confirm the event occurrence included in the first message. Upon confirming the event occurrence, the first designated recipient node may communicate a notification to an external third party. If unable to confirm the event occurrence, the first designated recipient node may generate and communicate a second message to a second designated recipient node included in the first message.

Abstract: A consistent view of associations between independently replicated data objects may be provided. Data objects may be stored in separate data stores. Copies of the data stores may also store the data objects. The copies of the data stores may independently receive the data objects to be stored as part of independently replicating data stores to one or more copies of the data stores. An association can be created between objects in the different data store. If when the association is created it is determined that a referenced object is not yet stored in a copy of a data store, then both the association and the referenced object may be stored in the same data store so that the association and the referenced object are replicated together to a copy of the same data store.

Abstract: A communication system may include a plurality of geographically proximate nodes that communicate via one or more range-limited wireless technologies such as BLUETOOTH® low energy (BLE). An origin node may generate and communicate a first message responsive to detecting an event occurrence. The message may include an identifier associated with the origin node, data indicative of the event occurrence, a hop count, a maximum hop count, and a number of designated recipient nodes within the communication system. A first designated recipient node may, upon receiving the first message, attempt to confirm the event occurrence included in the first message. Upon confirming the event occurrence, the first designated recipient node may communicate a notification to an external third party. If unable to confirm the event occurrence, the first designated recipient node may generate and communicate a second message to a second designated recipient node included in the first message.

Abstract: A provider network implements a proxy to control access to web-based resources of a provider network. The proxy receives requests to access web-based services. The proxy allows access to a web-based service only if user-configured access control rules are satisfied and credentials associated with the web-based service are authenticated. The proxy prevents access to a web-based service if user-configured access control rules are not satisfied or credentials associated with the web-based service are not authenticated. The provider network may also implement a proxy configuration service to set up and launch the proxy. The proxy configuration service receives from the client a specification of the access control rules, configures the proxy based on the access control rules, and launches the proxy.

Abstract: A method and system for generating permissions policies and permission boundary policies are described. The system receives a first request from a central administrator to create a delegated administrator, the first request specifying with one or more access permissions. The system generates a permission boundary policy that specifies the one or more access permissions and a first permissions policy that grants permissions to the delegated administrator to at least one of create an IAM principal with the permission boundary policy or attach a second permissions policy to the IAM principal. An effective permission given to the IAM principal is an intersection of access permissions specified in the first permissions policy and the one or more access permissions in the permission boundary policy. The system attaches the first permissions policy and the permission boundary policy to the delegated administrator.

Abstract: A system, such as an extension service, receives a first public key that is derivable based at least in part on a secret that is shared between at least a first device and a second device. The system, in an embodiment, derives a cryptographic key based at least in part on the first public key and transmits a second public key that enables another system to derive the cryptographic key. In an embodiment, the cryptographic key is a symmetric key and the system lacks access to a first private key that corresponds to the first public key.

Abstract: A security token service receives a request for a token. The request indicates a set of access control policies that define a set of permissions for access to a resource. The security token service generates the token to comprise a set of identifiers of the set of access control policies. The security token service provides the token in response to the request to enable the token to be used to access the resource in accordance with the set of access control policies.