Abstract: A computer system may receive one or more requests for access to one or more cloud services and may store the one or more requests in a request log. The computer system may receive one or more access rules applicable to cloud service access rights. The computer system may aggregate the one or more requests of the request log to determine access requirements for a container, the container being configured to store one or more applications. The computer system may generate and store container access policies that define access of a container and the one or more cloud services, the container access policies based at least in part on the aggregated one or more requests and the one or more access rules. The computer system may send the container access policies to a request forwarder of a compute instance in a production environment.

Abstract: In some aspects, a server device may identify one or more services of a cloud infrastructure via a management layer. The server device may determine service information and configuration information for the one or more services. The server device may generate an environment model based at least in part on the service information and the configuration information, the environment model providing information on relationship between one or more components of the cloud infrastructure. The server device may determine one or more threats to the one or more services based at least in part on analyzing the environment model and accessing a threat information database. The server device may generate a threat model that lists the one or more threats to the one or more services. The server device may generate one or more recommendations for the cloud infrastructure based at least on the threat model.

Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.

Abstract: A system for analyzing security threat changes of proposed changes to an infrastructure environment. For example, system and approaches for determining actions to be performed based on security threat changes corresponding to proposed changes to the infrastructure environment is disclosed.

Abstract: A framework for determining capabilities for execution of a system call a container and/or process within a computing system. For example, techniques for determining capabilities prerequisite for execution of a system call and determining whether the system call has been assigned the capabilities prerequisite for execution of the system call.

Abstract: The present disclosure describes an anomaly detection system that generates a resource group including a plurality of resources of a monitored environment based on a grouping property. The values of the grouping property associated with the plurality of resources satisfy a first condition. A first invariance identifying property is selected from a set of invariance identifying properties. It is determined whether values of the first invariance identifying property associated with the plurality of resources satisfy a second condition. Responsive to a successful determination, a first invariant is incorporated in a baseline, wherein the first invariant is defined by the grouping property and the first invariance identifying property. The baseline is used by the anomaly detection system for performing anomaly detection of the monitored environment.

Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.

Abstract: A system and technique for a Request Forwarder as for a computer network architecture is disclosed to provide selective access to one or more cloud services. In some implementations, a computer system may receive a request for access to a cloud service, the request including a container credential. The computer system may determine an identification of the container using the container credential. The computer system may verify that the container requesting access to the cloud service is authorized based at least in part on stored policies. Based at least in part on the determination that the container requesting access to the cloud service is authorized: receiving instance credential from a metadata service. The computer system may include the instance credential with the request. The computer system may send the request to the cloud service. In various examples, the Request Forwarder can be provided as a service.

Abstract: Techniques are disclosed for associating environmental condition information with a software component so that the environmental conditions can be automatically verified when a software package containing the software component is deployed. As a result, environmental conditions can be established when a software component is initially developed by the operators who may be best-suited to determine appropriate environmental conditions. Further, environmental condition enforcement can be performed automatically at the time of deployment, without human intervention. For example, when the software component is about to deployed, a deployment system can automatically examine the information about the target environment to verify that target environment satisfies the encoded environmental conditions.

Abstract: A computer system may receive one or more requests for access to one or more cloud services and may store the one or more requests in a request log. The computer system may receive one or more access rules applicable to cloud service access rights. The computer system may aggregate the one or more requests of the request log to determine access requirements for a container, the container being configured to store one or more applications. The computer system may generate and store container access policies that define access of a container and the one or more cloud services, the container access policies based at least in part on the aggregated one or more requests and the one or more access rules. The computer system may send the container access policies to a request forwarder of a compute instance in a production environment.

Abstract: Techniques are described for assessing container images for vulnerabilities without actually scanning the container images. A vulnerability assessment system (VAS) is described that is configured to perform vulnerabilities assessment for container images. The VAS is configured to perform the vulnerability assessment without scanning the container images. In certain embodiments, the VAS calculates a vulnerability score for the container image where the vulnerability score is indicative of a probability that the container image contains a vulnerability.

Abstract: In some aspects, a server device may identify one or more services of a cloud infrastructure via a management layer. The server device may determine service information and configuration information for the one or more services. The server device may generate an environment model based at least in part on the service information and the configuration information, the environment model providing information on relationship between one or more components of the cloud infrastructure. The server device may determine one or more threats to the one or more services based at least in part on analyzing the environment model and accessing a threat information database. The server device may generate a threat model that lists the one or more threats to the one or more services. The server device may generate one or more recommendations for the cloud infrastructure based at least on the threat model.

Abstract: A computer system may receive one or more requests for access to one or more cloud services and may store the one or more requests in a request log. The computer system may receive one or more access rules applicable to cloud service access rights. The computer system may aggregate the one or more requests of the request log to determine access requirements for a container, the container being configured to store one or more applications. The computer system may generate and store container access policies that define access of a container and the one or more cloud services, the container access policies based at least in part on the aggregated one or more requests and the one or more access rules. The computer system may send the container access policies to a request forwarder of a compute instance in a production environment.

Abstract: A system and technique for a Request Forwarder as for a computer network architecture is disclosed to provide selective access to one or more cloud services. In some implementations, a computer system may receive a request for access to a cloud service, the request including a container credential. The computer system may determine an identification of the container using the container credential. The computer system may verify that the container requesting access to the cloud service is authorized based at least in part on stored policies. Based at least in part on the determination that the container requesting access to the cloud service is authorized: receiving instance credential from a metadata service. The computer system may include the instance credential with the request. The computer system may send the request to the cloud service. In various examples, the Request Forwarder can be provided as a service.

Abstract: Techniques are disclosed for generating network security policies for different versions of a component of an application deployed in a computing environment where the different versions have potentially different network requirements and the different versions operate together at the same time in the computing environment. The disclosed techniques include capabilities for enabling different versions of a component of a containerized application to co-exist at the same time on different computing nodes in a cluster of nodes in a containerized environment that deploys and executes the application. The techniques additionally include capabilities for enabling different network policies to be generated for the different versions of the component, where each component has potentially different network requirements. The techniques provide a mechanism to create precise, per-component network policies, while respecting the overall coarse-grained policies of the containerized application.

Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.

Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.

Abstract: Techniques are disclosed for network policy verification system that can obtain a set of connectivity paths of a containerized environment that individually indicate connections between pairs of containers. Identify a first container and a second container of a pair based at least in part on a connectivity path. Determine a network policy corresponding to the connectivity path that indicates an expected result of that particular connection. A connection can be initiated between the two containers. The result may be presented at a user device based at least in part on identifying that the result is different from the expected result indicated by the network policy corresponding to the connectivity path.

Abstract: Techniques are disclosed for query processing system that can, when queried, generate a result related to one or more connectivity paths and/or one or more network security rules. Network security rules and connectivity paths may be stored in corresponding data structures (e.g., sets of attributes) that may be utilized with a number of set operations. The user may issue a query requesting the system to apply a rule to a path, a set of rules to a set of paths, to identify if one set of rule(s) are equivalent to another set of rule(s), and the like. Utilizing this query processing system can enable a user to identify effects of one or more network rules with respect to traffic being allowed or restricted along particular connectivity paths between components of the system.

Abstract: Techniques are disclosed for network policy verification system that can obtain a set of connectivity paths of a containerized environment that individually indicate connections between pairs of containers. Identify a first container and a second container of a pair based at least in part on a connectivity path. Determine a network policy corresponding to the connectivity path that indicates an expected result of that particular connection. A connection can be initiated between the two containers. The result may be presented at a user device based at least in part on identifying that the result is different from the expected result indicated by the network policy corresponding to the connectivity path.