Patents by Inventor Mark Rylander

Mark Rylander has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12177185
    Abstract: Techniques are described for enabling users of a cloud provider network to create policies used to control the use of temporary security credentials by computing resources other than a computing resource to which the credentials were issued. An identity and access management service encodes, into temporary security credentials, information about the virtual private network to which the credentials are issued. When a computing resource subsequently issues requests to perform actions and uses the temporary security credentials to sign the request, the cloud provider network further adds, to the network traffic, information associated with the virtual private network from which the request originates. A user can then create a policy with a statement indicating that requests are to be permitted only if, e.g., the identity of the virtual private network as encoded in the temporary security credentials matches the identity of the virtual private network identified by the information included in the request.
    Type: Grant
    Filed: September 30, 2022
    Date of Patent: December 24, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Ryland, Joshua Benjamin Levinson
  • Patent number: 11914696
    Abstract: Quorum-based access control management may be implemented. Quorum controls may be created for determining whether to perform or deny access control operations to perform privileged tasks. When an access control operation is received, approval of the operation may be requested from members for the quorum control. If a policy for the quorum control is satisfied by approval responses, then approval to perform the access control operation may be provided.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: February 27, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Dean H Saxe, Conor P Cahill, Dennis Tighe, Jonathan Robert Hurd, Brian Mead Tyler, Cristian Marius Ilac, Mark Ryland
  • Patent number: 10121026
    Abstract: A secure containment enclosure such as an equipment rack is disclosed that includes an electronic locking system. The electronic locking system locks and, upon receipt of a valid credential to a credential input device, unlocks an access door to the secure containment enclosure. The electronic locking system locks the access door during normal operation, and is prevented from unlocking the access door during normal operation and for a predetermined period of time after the secure containment enclosure is powered off to ensure that all data on electronic devices in the secure containment enclosure is erased. Other security features include storage encryption, network encryption, preventing administrative logon access to customers' compute nodes, and dedicated instances in which only virtual machines from specified customer accounts can be located on the same electronic device.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: November 6, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Mark Ryland
  • Patent number: 9817703
    Abstract: A compute cluster including multiple compute nodes may implement distributed lock management using conditional updates to a distributed key value data store. It may be determined, at one or more compute nodes of a compute cluster, that a particular lock is available based on a respective lock entry for the particular lock maintained in a lock manager table at a key value data store. The key value data store may be configured to perform conditional write requests for updates to data store at the key value, and may maintain data according to a distributed durability scheme. Compute nodes that determine that a lock is available may send a conditional write request to the key value data store in order to acquire the particular lock. The compute node that acquired the particular lock may be identified based on the successfully completed conditional write request to the respective lock entry.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: November 14, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Ryland, Alexander Slutsker, David Craig Yanacek
  • Patent number: 9438506
    Abstract: Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: September 6, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Mark Ryland
  • Publication number: 20150163158
    Abstract: Methods and apparatus for providing identity and access management-based access control for connections between entities in virtual (overlay) network environments. At the encapsulation layer of the overlay network, an out-of-band connection creation process may be leveraged to enforce access control and thus allow or deny overlay network connections between sources and targets according to policies. For example, resources may be given identities, identified resources may assume roles, and policies may be defined for the roles that include permissions regarding establishing connections to other resources. When a given resource (the source) attempts to establish a connection to another resource (the target), role(s) may be determined, policies for the role(s) may be identified, and permission(s) checked to determine if a connection from the source to the target over the overlay network is to be allowed or denied.
    Type: Application
    Filed: December 11, 2013
    Publication date: June 11, 2015
    Applicant: Amazon Technologies, Inc.
    Inventor: Mark Ryland
  • Patent number: 8505085
    Abstract: A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
    Type: Grant
    Filed: April 8, 2011
    Date of Patent: August 6, 2013
    Assignee: Microsoft Corporation
    Inventors: Angus P. D. Logan, Mark Ryland, Ariel Gordon, Vittorio Bertocci
  • Publication number: 20120260322
    Abstract: A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
    Type: Application
    Filed: April 8, 2011
    Publication date: October 11, 2012
    Applicant: Microsoft Corporation
    Inventors: Angus P.D. Logan, Mark Ryland, Ariel Gordon, Vittorio Bertocci
  • Patent number: 7236356
    Abstract: A device is provided which comprises (a) a portable computer (13) having first and second major opposing surfaces and having a display (31) disposed on the first major surface, and (b) a protective cover (11) adapted to releasably engage the computer in a first orientation in which it covers the display. The cover has a removable battery pack (37) disposed therein.
    Type: Grant
    Filed: October 22, 2003
    Date of Patent: June 26, 2007
    Assignee: Motion Computing, Inc.
    Inventors: Imran Ulla, Mark Rylander
  • Publication number: 20060221565
    Abstract: The present invention provides an ultra thin tablet computer battery and docking station system. The system comprises an ultra thin tablet computer system providing an ultra thin tablet computer (339) with edge mounted main battery (347) with an optional extended battery (310) and a docking system (501) for presenting the tablet computer (339) as a monitor to the user in an articulatable manner with or without the extended battery (310) while simultaneously charging the tablet's main battery (347) and the extended battery (301) if it is mounted to the tablet computer while docked.
    Type: Application
    Filed: May 3, 2005
    Publication date: October 5, 2006
    Inventors: John Doherty, David Altounian, David Cutherell, Lee Drennan, Philip Leveridge, Mark Rylander, Todd Steigerwald, Imran Ulla, Jefferson West
  • Publication number: 20060164036
    Abstract: A device is provided for employing batteries for mobile computing system to provide separate power sources for peripherals for mobile computing systems. A device is provided for charging batteries for mobile computing devices which can also be used to power peripherals for mobile computing systems.
    Type: Application
    Filed: January 21, 2005
    Publication date: July 27, 2006
    Inventors: Imran Ulla, Mark Rylander
  • Publication number: 20050213297
    Abstract: A device is provided which comprises an ultra thin extended battery pack (301). A incorporating a functional peripheral device (321) such as a DVD player, card reader, receiver and/or transmitter, or extended memory.
    Type: Application
    Filed: May 3, 2005
    Publication date: September 29, 2005
    Inventors: Imran Ulla, Mark Rylander
  • Publication number: 20050213298
    Abstract: The present invention provides a docking station (501) for a tablet computer (339) with or without an extended battery (301). This docking station (501) comprises a docking assembly for positioning with three degrees of freedom and having a data connector for mechanically supporting and interfacing with the tablet computer (339). A support member (505) couples the cradle (507) assembly to an expansion base (503). The base (503) includes a number of ports (54, 56, 60, 62) for interfacing with a variety of peripheral devices or power supplies. These varieties of ports mount to a printed circuit board contained within the expansion base (503). A flexible printed circuit (FPC) (64) combines the signal pathways for the variety of ports, allowing the signal pathways to travel from the printed circuit board (64) and to the data connector (519).
    Type: Application
    Filed: May 3, 2005
    Publication date: September 29, 2005
    Inventors: John Doherty, David Altounian, David Cutherell, Lee Drennan, Philip Leveridge, Mark Rylander, Todd Steigerwald, Imran Ulla, Jefferson West
  • Publication number: 20050200608
    Abstract: A modular keyboard (100) for a tablet personal computer (200) provides a cover for covering the display screen of the tablet computer (200). A key array (102) for key-based data entry into the tablet computer (200) which mounts integrally to the cover (100) via a hinge mount (120) which supports the tablet computer (200) in a raised position relative to the key array (102) and presents the tablet computer display for monitoring data entry from the key array (102). The hinge mount (120) is retractable to a recess (128) for using the modular cover (100) as a protective cover.
    Type: Application
    Filed: March 8, 2005
    Publication date: September 15, 2005
    Inventors: Imran Ulla, Mark Rylander, Jefferson West
  • Publication number: 20050088811
    Abstract: A device is provided which comprises (a) a portable computer (13) having first and second major opposing surfaces and having a display (31) disposed on the first major surface, and (b) a protective cover (11) adapted to releasably engage the computer in a first orientation in which it covers the display. The cover has a removable battery pack (37) disposed therein.
    Type: Application
    Filed: October 22, 2003
    Publication date: April 28, 2005
    Inventors: Imran Ulla, Mark Rylander