Abstract: Techniques are described for enabling users of a cloud provider network to create policies used to control the use of temporary security credentials by computing resources other than a computing resource to which the credentials were issued. An identity and access management service encodes, into temporary security credentials, information about the virtual private network to which the credentials are issued. When a computing resource subsequently issues requests to perform actions and uses the temporary security credentials to sign the request, the cloud provider network further adds, to the network traffic, information associated with the virtual private network from which the request originates. A user can then create a policy with a statement indicating that request are to be permitted only if, e.g., the identity of the virtual private network as encoded in the temporary security credentials matches the identity of the virtual private network identified by the information included in the request.

Abstract: An instance secrets management isolated runtime environment is launched at a virtualization server, and utilizes a subset of memory assigned to a compute instance. The subset of memory is inaccessible from entities external to the runtime environment. A secrets manager of the runtime environment provides a security artifact to an application, running at the compute instance, which has requested access to a resource. The artifact is generated by the secrets manager using a security secret associated with the compute instance; the secret is not accessible to programs external to the runtime environment. In response to a determination that the artifact is valid, the application obtains access to the resource.

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

Abstract: Systems and methods are provided for highly accurate synchronization of machine instances in a distributed, hosted computing environment to a reference timekeeper. In addition to a general communication network accessible to machine instances, the distributed environment includes a second network dedicated to carrying time information, such as a pulse-per-second (PPS) signal to isolated timing hardware within host computing devices. The isolated timing hardware can use the PPS signal, along with a reference time, to set a hardware clock. The isolated timing hardware can further provide an interface to machine instances that enables the instances to read the time of the hardware clock. This configuration enables many instances can share access to a single reference timekeeper, thus synchronizing those instances to a much higher accuracy than in traditional network-based time protocols.

Abstract: Systems and methods are provided for highly accurate synchronization of machine instances in a distributed, hosted computing environment to a reference timekeeper. In addition to a general communication network accessible to machine instances, the distributed environment includes a second network dedicated to carrying time information, such as a pulse-per-second (PPS) signal to isolated timing hardware within host computing devices. The isolated timing hardware can use the PPS signal, along with a reference time, to set a hardware clock. The isolated timing hardware can further provide an interface to machine instances that enables the instances to read the time of the hardware clock. This configuration enables many instances can share access to a single reference timekeeper, thus synchronizing those instances to a much higher accuracy than in traditional network-based time protocols.

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

Abstract: Various embodiments of apparatuses and methods for trusted and/or attested packet timestamping are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to host computing devices. The host computing devices host compute instances using a first set of computing resources, and also contain isolated timing hardware utilizing a different set of computing resources. The isolated timing hardware sets a hardware clock based on a signal corresponding to the reference clock from the reference timekeeper. The isolated timing hardware then receives a packet from a particular compute instance, creates a timestamp for the packet based at least in part on the hardware clock, where the timestamp is outside the control of the compute instances, and sends the packet and the timestamp through a data network to transmit to a packet destination.