Abstract: Techniques for managing network-accessible infrastructure metadata are provided. A method includes receiving a resource request comprising resource metadata corresponding to a network-accessible infrastructure resource, determining whether to commit the resource request based at least in part on a constraint associated with the network-accessible infrastructure resource, and, in accordance with a determination to commit the resource request: generating, by the computer system, a resource identifier describing resource metadata in accordance with the resource request, storing, by the computer system, the resource metadata in a data store in communication with the computer system, receiving, by the computer system, a data request to provide the resource metadata described by the resource identifier, and providing, by the computer system, the resource metadata described by the resource identifier in accordance with the data request.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: Techniques discussed herein monitoring for and identifying failures in a cloud-computing environment. Proxy devices can be communicatively disposed between services of the cloud-computing environment. The proxy devices can capture call stack data corresponding to function calls between services. A directional graph can be generated based on that call stack data that represents the communication paths between cloud-computing resources (e.g., the services). Ingress paths to a service can be evaluated by calculating various metrics for each path. Using these metrics, failures can be isolated to a particular communication path and/or a particular, and potentially relatively distant, upstream service.

Abstract: A method and apparatus for criterion-based retention of data object versions are disclosed. In the method and apparatus, a plurality of keys are sorted in accordance with an ordering scheme, whereby a key of the plurality of keys has an associated version of a data object and a timestamp. The key is inspected in accordance with the ordering scheme to determine based at least in part on the timestamp whether a criterion for performing an action on the associated version of the data object is satisfied. If the criterion is satisfied, a marker key is added to the plurality of keys, whereby the marker key precedes the inspected key according to the ordering scheme and indicates that the criterion is satisfied.

Abstract: Data tags, such as may be used to classify data, can be automatically applied at appropriate times in a resource environment. A customer can provide an auto-tagging configuration file that can be used to determine tags to be applied to specific data objects based upon properties of those objects. The customer can also provide policies that indicate which actions can be performed for those objects based at least in part upon the applied tags. The tags can be automatically applied at any appropriate time, such as upon storage into the environment, upon modification of the auto-tagging configuration, or upon modification or the data object. In some embodiments, an auto-tagging process can also be performed in response to a request for access to the data object in order to ensure that the correct tags are applied before determining the permitted actions.

Abstract: Techniques for managing network-accessible infrastructure metadata are provided. A method includes receiving a resource request comprising resource metadata corresponding to a network-accessible infrastructure resource, determining whether to commit the resource request based at least in part on a constraint associated with the network-accessible infrastructure resource, and, in accordance with a determination to commit the resource request: generating, by the computer system, a resource identifier describing resource metadata in accordance with the resource request, storing, by the computer system, the resource metadata in a data store in communication with the computer system, receiving, by the computer system, a data request to provide the resource metadata described by the resource identifier, and providing, by the computer system, the resource metadata described by the resource identifier in accordance with the data request.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a centralized application programming Interface (API) system and a security zone policy enforcement system in a cloud service provider infrastructure. The centralized API system receives an API request that identifies an operation to be performed on a resource in the CSPI. The system determines, from the API request, compartment information and context information associated with the resource. Responsive to determining the compartment information and the context information associated with the resource, the system determines that the resource resides in a compartment that is associated with a security zone. The system then processes the API request and transmits a result of processing of the API request to a user of the centralized API processing system.

Abstract: A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.

Abstract: Techniques for managing network-accessible infrastructure metadata are provided. A method includes receiving a resource request comprising resource metadata corresponding to a network-accessible infrastructure resource, determining whether to commit the resource request based at least in part on a constraint associated with the network-accessible infrastructure resource, and, in accordance with a determination to commit the resource request: generating, by the computer system, a resource identifier describing resource metadata in accordance with the resource request, storing, by the computer system, the resource metadata in a data store in communication with the computer system, receiving, by the computer system, a data request to provide the resource metadata described by the resource identifier, and providing, by the computer system, the resource metadata described by the resource identifier in accordance with the data request.

Abstract: Techniques for managing network-accessible infrastructure metadata are provided. A method includes receiving a resource request comprising resource metadata corresponding to a network-accessible infrastructure resource, determining whether to commit the resource request based at least in part on a constraint associated with the network-accessible infrastructure resource, and, in accordance with a determination to commit the resource request: generating, by the computer system, a resource identifier describing resource metadata in accordance with the resource request, storing, by the computer system, the resource metadata in a data store in communication with the computer system, receiving, by the computer system, a data request to provide the resource metadata described by the resource identifier, and providing, by the computer system, the resource metadata described by the resource identifier in accordance with the data request.

Abstract: Information for a data object can be prevented from loss for import and export operations across a trust boundary, such as may exist between environments under control of different legal entities. A set of dependencies, including information such as data tags and identifiers for applicable policies, can be embedded in a data object, such as directly in a header or in a digest or token of the data object. When the data object is transmitted across a trust boundary, such as to a destination bucket, the destination bucket can ensure that all dependencies are available and able to be enforced in the destination environment. If not, the request can be denied or the destination environment can contact the source environment to attempt to obtain and enforce the missing dependencies. At least some of the dependencies may also need to be transformed in the second environment.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Abstract: A method and apparatus for criterion-based retention of data object versions are disclosed. In the method and apparatus, a plurality of keys are sorted in accordance with an ordering scheme, whereby a key of the plurality of keys has an associated version of a data object and a timestamp. The key is inspected in accordance with the ordering scheme to determine based at least in part on the timestamp whether a criterion for performing an action on the associated version of the data object is satisfied. If the criterion is satisfied, a marker key is added to the plurality of keys, whereby the marker key precedes the inspected key according to the ordering scheme and indicates that the criterion is satisfied.

Abstract: Data tags, such as may be used to classify data, can be automatically applied at appropriate times in a resource environment. A customer can provide an auto-tagging configuration file that can be used to determine tags to be applied to specific data objects based upon properties of those objects. The customer can also provide policies that indicate which actions can be performed for those objects based at least in part upon the applied tags. The tags can be automatically applied at any appropriate time, such as upon storage into the environment, upon modification of the auto-tagging configuration, or upon modification or the data object. In some embodiments, an auto-tagging process can also be performed in response to a request for access to the data object in order to ensure that the correct tags are applied before determining the permitted actions.

Abstract: A method and apparatus for managing keys pertaining to data objects are disclosed. In the method and apparatus, a plurality of keys that are associated with a plurality of data objects are retained, whereby the plurality of keys are capable of being listed in accordance with an ordering scheme. The ordering scheme is used to inspect the plurality of keys to determine whether a data object associated with a key of the plurality of keys satisfies a criterion. One or more actions are taken on the key or associated data object based at least in part on determining that the criterion is satisfied, whereby an order of taking the one or more actions is a reverse of an order by which the key is listed in accordance with the ordering scheme.

Abstract: A method and apparatus for criterion-based retention of data object versions are disclosed. In the method and apparatus, a plurality of keys are sorted in accordance with an ordering scheme, whereby a key of the plurality of keys has an associated version of a data object and a timestamp. The key is inspected in accordance with the ordering scheme to determine based at least in part on the timestamp whether a criterion for performing an action on the associated version of the data object is satisfied. If the criterion is satisfied, a marker key is added to the plurality of keys, whereby the marker key precedes the inspected key according to the ordering scheme and indicates that the criterion is satisfied.

Abstract: Information for a data object can be prevented from loss for import and export operations across a trust boundary, such as may exist between environments under control of different legal entities. A set of dependencies, including information such as data tags and identifiers for applicable policies, can be embedded in a data object, such as directly in a header or in a digest or token of the data object. When the data object is transmitted across a trust boundary, such as to a destination bucket, the destination bucket can ensure that all dependencies are available and able to be enforced in the destination environment. If not, the request can be denied or the destination environment can contact the source environment to attempt to obtain and enforce the missing dependencies. At least some of the dependencies may also need to be transformed in the second environment.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.