Patents by Inventor Khaled Salah Sedky
Khaled Salah Sedky has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12174854
Abstract: A distributed data store may maintain versioned hierarchical data structures. Different versions of a hierarchical data structure may be maintained consistent with a transaction log for the hierarchical data structure. When access requests directed to the hierarchical data structure are received, a version of the hierarchical data structure may be identified for processing an access request. For access requests with snapshot isolation, the identified version alone may be sufficient to consistently process the access request. For access requests with higher isolation requirements, such as serializable isolation, transactions based on the access request may be submitted to the transaction log so that access requests resulting in committed transactions may be allowed, whereas access requests resulting in conflicting transactions may be denied.
Type: Grant
Filed: October 22, 2021
Date of Patent: December 24, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Srikanth Mandadi, Matthew Berry, Slavka Praus, Chris Baker, Marvin Michael Theimer, Anders Samuelsson, Khaled Salah Sedky
-
Patent number: 11924247
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Type: Grant
Filed: June 13, 2022
Date of Patent: March 5, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Patent number: 11671425
Abstract: A request is obtained for accessing a resource in a different region from a region indicated by a session token included with the request. The session token is re-encrypted using secret information of the second region. The request to access the resource in the different region can be fulfilled using the re-encrypted session token.
Type: Grant
Filed: June 25, 2020
Date of Patent: June 6, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Srikanth Mandadi, Khaled Salah Sedky, Slavka Praus, Marc R. Barbour
-
Patent number: 11616787
Abstract: A set of operations is performed to cause a resource accessible to a first set of entities to also be accessible to a member of a second set of entities, where the set of operations, as a result of being executed, causes a processor to create a project to associate with a set of resources, associate a policy that controls access to the set of resources with the projects, associate the resource with the set of resources of the project, and associate the member of the second set of entities with the project. A request is obtained from the member of the second set of entities to access the resource. The member of the second set of entities is determined to be authorized to access the resource based on the policy. The member of the second set of entities is allowed to obtain access to the resource.
Type: Grant
Filed: June 28, 2019
Date of Patent: March 28, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Jasmeet Chhabra, Harshad Vasant Kulkarni, Khaled Salah Sedky
-
Patent number: 11593669
Abstract: Techniques for determining insight are described. An exemplary method includes receiving a request to provide insight into potential abnormal behavior; receiving one or more of anomaly information and event information associated with the potential abnormal behavior; evaluating the received one or more of the anomaly information and event information associated with the abnormal behavior to determine there is insight as to what is causing the potential abnormal behavior and to add to an insight at least two of an indication of a metric involved in the abnormal behavior, a severity for the insight indication, an indication of a relevant event involved in the abnormal behavior, and a recommendation on how to cure the potential abnormal behavior; and providing an insight indication for the generated insight.
Type: Grant
Filed: November 27, 2020
Date of Patent: February 28, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Jasmeet Chhabra, Zaid Radi Abu Ziad, Vikas Dharia, Harshad Vasant Kulkarni, Khaled Salah Sedky, Scott Michael Wiltamuth, Douglas Allen Walter
-
Patent number: 11361063
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Type: Grant
Filed: May 8, 2019
Date of Patent: June 14, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Publication number: 20220043830
Abstract: A distributed data store may maintain versioned hierarchical data structures. Different versions of a hierarchical data structure may be maintained consistent with a transaction log for the hierarchical data structure. When access requests directed to the hierarchical data structure are received, a version of the hierarchical data structure may be identified for processing an access request. For access requests with snapshot isolation, the identified version alone may be sufficient to consistently process the access request. For access requests with higher isolation requirements, such as serializable isolation, transactions based on the access request may be submitted to the transaction log so that access requests resulting in committed transactions may be allowed, whereas access requests resulting in conflicting transactions may be denied.
Type: Application
Filed: October 22, 2021
Publication date: February 10, 2022
Applicant: Amazon Technologies, Inc.
Inventors: Srikanth Mandadi, Matthew Berry, Slavka Praus, Chris Baker, Marvin Michael Theimer, Anders Samuelsson, Khaled Salah Sedky
-
Patent number: 11157517
Abstract: A distributed data store may maintain versioned hierarchical data structures. Different versions of a hierarchical data structure may be maintained consistent with a transaction log for the hierarchical data structure. When access requests directed to the hierarchical data structure are received, a version of the hierarchical data structure may be identified for processing an access request. For access requests with snapshot isolation, the identified version alone may be sufficient to consistently process the access request. For access requests with higher isolation requirements, such as serializable isolation, transactions based on the access request may be submitted to the transaction log so that access requests resulting in committed transactions may be allowed, whereas access requests resulting in conflicting transactions may be denied.
Type: Grant
Filed: April 18, 2016
Date of Patent: October 26, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Srikanth Mandadi, Matthew Berry, Slavka Praus, Chris Baker, Marvin Michael Theimer, Anders Samuelsson, Khaled Salah Sedky
-
Patent number: 10819747
Abstract: A system and method for generating a policy entitlement map usable to provide a visualization of policies based at least in part on a set of resources of a service of a computing resource service provider, a set of actions that can be taken with the set of resources, or one or more identities. The policy entitlement map may be generated to reflect a set of actions performable by identities of the one or more identities, a set of resources accessible by the identities, or a set of actions that may be performed on the resources.
Type: Grant
Filed: September 26, 2014
Date of Patent: October 27, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Khaled Salah Sedky, Kai Zhao, Jacob Andreas Kjelstrup, Ajith Harshana Ranabahu, Conor Patrick Cahill
-
Publication number: 20200329041
Abstract: A request is obtained for accessing a resource in a different region from a region indicated by a session token included with the request. The session token is re-encrypted using secret information of the second region. The request to access the resource in the different region can be fulfilled using the re-encrypted session token.
Type: Application
Filed: June 25, 2020
Publication date: October 15, 2020
Inventors: Srikanth Mandadi, Khaled Salah Sedky, Slavka Praus, Marc R. Barbour
-
Patent number: 10747390
Abstract: A customer of a policy management service may use an interface to access a graphical composer and generate one or more graphical representations of policies that may be applicable to the customer's one or more resources. Once the customer has created a graphical representation of a policy, the policy management service may generate a permission model based at least on the graphical representation of the policy to perform one or more simulations and determine whether the requested policy includes any errors or conflicts. If the one or more simulations result in the requested policy including no errors or conflicts, the policy management service may serialize the permission model to create a representation of the policy in a policy language. This representation of the policy may then be used to control access to the customer's one or more resources in accordance with the policy.
Type: Grant
Filed: March 27, 2014
Date of Patent: August 18, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Patent number: 10701071
Abstract: A request is received by a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a session credential that includes a session key. The user in the second region can use the session credentials to access the resources in the first region.
Type: Grant
Filed: February 7, 2018
Date of Patent: June 30, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Srikanth Mandadi, Khaled Salah Sedky, Slavka Praus, Marc R. Barbour
-
Patent number: 10680827
Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.
Type: Grant
Filed: January 19, 2018
Date of Patent: June 9, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Marc R. Barbour, Khaled Salah Sedky, Srikanth Mandadi, Slavka Praus
-
Patent number: 10592068
Abstract: A customer of a computing resource service provider may use an interface to access a graphical composer and generate one or more graphical representations of applications that may be provided to a variety of users of the customer's one or more resources. Once the customer has created a graphical representation of an application, a domain specific language model based at least on the graphical representation of the application may be created such that one or more simulations may be performed to determine whether the requested application includes any errors or conflicts. If the one or more simulations result in the application including no errors or conflicts, the domain specific language model may be compiled in an executable programming language to create the application. The application may then be provided to users who may utilize devices capable of understanding the executable programming language to install the application.
Type: Grant
Filed: March 27, 2014
Date of Patent: March 17, 2020
Assignee: Amazon Technologies, Inc.
Inventors: Khaled Salah Sedky, Ajith Harshana Ranabahu
-
Publication number: 20190268245
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Type: Application
Filed: May 8, 2019
Publication date: August 29, 2019
Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Patent number: 10320624
Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Type: Grant
Filed: September 30, 2013
Date of Patent: June 11, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Patent number: 10277569
Abstract: Techniques for using short-term session credentials across regions are described herein. A first request for resources generated using a short-term session credentials and digitally signed with a digital signature. The request is generated in a first region and received in a second region. In response to the request, a second request is generated in the second region to validate the first request. A new session token that is usable in the second region is generated and returned to the second region. The new session token can then be used in the second region to fulfill the first request.
Type: Grant
Filed: December 3, 2015
Date of Patent: April 30, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Marc R. Barbour, Khaled Salah Sedky, Slavka Praus, Srikanth Mandadi
-
Patent number: 10225152
Abstract: A method and apparatus for the evaluation and remediation of an access control policy is disclosed. In the method and apparatus, an intermediary service may make an access request, on behalf of a customer, to one or more computing resources and the access control policy is evaluated to determine whether the request is authorized. Further, remediation options for the access control policy are offered for the request to be authorized.
Type: Grant
Filed: September 30, 2013
Date of Patent: March 5, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Daniel Stephen Popick, Derek Avery Lyon, John Michael Morkel, Graeme David Baer, Ajith Harshana Ranabahu, Khaled Salah Sedky
-
Patent number: 10182044
Abstract: Techniques for personalizing short-term session credentials are described herein. A global session key is provided to a plurality of regions of a computing resource service provider and an account key is also provided to one or more of the plurality of regions based at least in part on those regions being trusted by a customer of the computing resource service provider. When a request for short-term session credentials is received at the trusted region by that customer, a session token is generated and encrypted with a combination of the global session key and the account key, thereby creating a session token that can be uniquely associated with the customer and that may only be used in regions that that customer has designated as trusted regions.
Type: Grant
Filed: December 3, 2015
Date of Patent: January 15, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Slavka Praus, Khaled Salah Sedky, Srikanth Mandadi, Marc R. Barbour
-
Publication number: 20180183793
Abstract: A request is received by a user in a second region. The request, which is digitally signed with a credential associated with the user in the second region, causes the generation of a session credential that includes a session key. The user in the second region can use the session credentials to access the resources in the first region.
Type: Application
Filed: February 7, 2018
Publication date: June 28, 2018
Inventors: Srikanth Mandadi, Khaled Salah Sedky, Slavka Praus, Marc R. Barbour