Patents by Inventor Kevin Ross O'Neill

Kevin Ross O'Neill has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170012958
    Abstract: A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to been deprovisioned, and the credentials for the virtual computing resource are deactivated.
    Type: Application
    Filed: September 26, 2016
    Publication date: January 12, 2017
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 9479492
    Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: October 25, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Kevin Ross O'Neill
  • Patent number: 9455975
    Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: September 27, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 9443074
    Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: September 13, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Cornelle Christiaan Pretorius Janse Van Rensburg, Mark Joseph Cavage, Marc John Brooker, David Everard Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 9197409
    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 24, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Bradley Jeffery Behm, Eric D. Crahen, Cristian M. Ilac, Nathan R. Fitch, Eric Jason Brandwine, Kevin Ross O'Neill
  • Patent number: 9178701
    Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions of the a key's use.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 3, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Bradley Jeffery Behm, Eric D. Crahen, Cristian M. Ilac, Nathan R. Fitch, Eric Jason Brandwine, Kevin Ross O'Neill
  • Publication number: 20150304294
    Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Application
    Filed: February 23, 2015
    Publication date: October 22, 2015
    Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
  • Patent number: 9083749
    Abstract: Customers accessing resources or services in a distributed environment can obtain assurance that a provider of that environment will only allow requests to access those resources or services when those requests satisfy at least one security policy associated with the customer. A customer can provide a security policy update that might be written in a different representation (e.g., version) than is supported by all relevant policy evaluation engines across the distributed environment. A component or service such as an access management service can evaluate the representation of the policy, as well as the representations supported by the evaluation engines, and can determine if the features of the policy update are supported by the representations of the engines. If so, the policy update can be translated to express the policy document in the supported representation(s), such that the policy can be utilized without having to update the relevant engines.
    Type: Grant
    Filed: October 17, 2012
    Date of Patent: July 14, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Kevin Ross O'Neill, Brian Irl Pratt
  • Patent number: 8973108
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: March 3, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 8966570
    Abstract: Systems and methods are described for delegating permissions to enable account access. The systems utilize a delegation profile that can be created within a secured account of at least one user. The delegation profile includes a name, a validation policy that specifies principals which may be external to the account and which are permitted to assume the delegation profile, and an authorization policy that indicates the permitted actions within the account for those principals which are acting within the delegation profile. Once the delegation profile is created, it can be provided to external principals or services. These external principals or services can use the delegation profile to obtain credentials for performing various actions in the account using the credentials of the delegation profile.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: February 24, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Nathan R. Fitch, Kevin Ross O'Neill, Graeme D. Baer, Bradley Jeffery Behm, Brian Irl Pratt
  • Patent number: 8904511
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: August 23, 2010
    Date of Patent: December 2, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 8881256
    Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: November 4, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Cristian M. Ilac, James E. Scharf, Jr., Nathan R. Fitch, Graeme D. Baer, Brian Irl Pratt, Kevin Ross O'Neill
  • Publication number: 20140310769
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Application
    Filed: June 26, 2014
    Publication date: October 16, 2014
    Inventors: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 8856957
    Abstract: A federated identity system is described. A federated identity broker registers a first customer as an identity provider and a second customer as an identity consumer. The federated identity broker acts as an intermediary between the first customer and the second customer, to broker an identity request from the first customer that is fulfilled by the second customer.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: October 7, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill, Eric Jason Brandwine, Eric D. Crahen, Cristian M. Ilac
  • Publication number: 20140196130
    Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.
    Type: Application
    Filed: March 11, 2014
    Publication date: July 10, 2014
    Applicant: Amazon Technologies, Inc.
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 8769642
    Abstract: Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: July 1, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Gregory B. Roth, Eric Jason Brandwine, Brian Irl Pratt, Bradley Jeffery Behm, Nathan R. Fitch
  • Patent number: 8724815
    Abstract: Secure information is managed for each host or machine in an electronic environment using cryptographic keys. In some embodiments, a globally distributed system manage and rotate keys across various nodes within the system based on a predetermined schedule of each key's lifecycle. The predetermined schedule decides when keys are created, distributed, and used with respect to each key's pre-assigned time (e.g., an expiration time, a creation time). The schedule of the key's lifecycle may be predetermined and adjusted based on various system requirements. The keys may be automatically rotated throughout the various nodes in the system in a way such that the keys are not unnecessarily exposed for too long but are accessible to the ciphertext producers and the ciphertext consumers when needed. Further, the keys are created and rotated in a way to ensure robustness of the system in the event of a global WAN outage or network partition.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: May 13, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill, Nathan R. Fitch
  • Patent number: 8683560
    Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: March 25, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 8640200
    Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: January 28, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill
  • Patent number: 8607067
    Abstract: Systems and methods for attesting to information about a computing resource involve electronically signed documents. For a computing resource, a document containing information about the resource is generated and electronically signed. The document may be provided to one or more entities as an attestation to at least some of the information contained in the document. Attestation to information in the document may be a prerequisite for performance of one or more actions that may be taken in connection with the computing resource.
    Type: Grant
    Filed: March 1, 2011
    Date of Patent: December 10, 2013
    Assignee: Amazon Technologies, Inc.
    Inventors: Cornelle Christiaan Pretorius Janse van Rensburg, Marc J. Brooker, David Brown, Abhinav Agrawal, Matthew S. Garman, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt, Mark Joseph Cavage