Abstract: Methods and systems for detecting personally identifiable information in data associated with a cloud computing system are described. An example method includes ingesting the data associated with the cloud computing system to generate source data. The method includes processing the source data by: performing cell-based de-duplication to generate cell-based de-duplicated data, subjecting the cell-based de-duplicated data to regular expression classification to generate a first subset of initial results, tokenizing the cell-based de-duplicated data to generate tokenized data, and de-duplicating the tokenized data and subjecting de-duplicated tokenized data to a first named entity recognition classification to generate a second subset of the initial results. The method includes cross-referencing the cell-based de-duplicated data and the initial results and subjecting output of the cross-referencing to a second named entity recognition classification to generate final results.

Abstract: Methods and systems for detecting personally identifiable information in data associated with a cloud computing system are described. An example method includes ingesting the data associated with the cloud computing system to generate source data. The method includes processing the source data by: performing cell-based de-duplication to generate cell-based de-duplicated data, subjecting the cell-based de-duplicated data to regular expression classification to generate a first subset of initial results, tokenizing the cell-based de-duplicated data to generate tokenized data, and de-duplicating the tokenized data and subjecting de-duplicated tokenized data to a first named entity recognition classification to generate a second subset of the initial results. The method includes cross-referencing the cell-based de-duplicated data and the initial results and subjecting output of the cross-referencing to a second named entity recognition classification to generate final results.

Abstract: Techniques for generating an identifier index table (IIT) and for executing queries are disclosed. The IIT maps different labels used among different data sources to a commonly defined data type. The IIT is used to generate a set of queries that are executable based on selection of the commonly defined data type and that are executable against the different data sources to search for an indicator of compromise (IOC) within the different data sources. The results from the queries are analyzed in an attempt to identify the IOC.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. Once the data migration is complete, the data center may deallocate the data blocks of the existing data volume such that the data blocks can be reused by other data volumes.

Abstract: Techniques are described for using in-band communication channels to exchange state information between components of a distributed storage environment, including between client computing devices and storage servers hosting network-connected block storage volumes. The exchange of the state information can be used, for example, to inform client computing devices of relevant events involving one or more storage volumes attached to compute instances (for example, virtual machines (VMs)) running on the client computing devices, involving one or more failover servers storing backup copies of one or more storage volumes, or involving any other relevant system components.

Abstract: Generally described, one or more aspects of the present application correspond to techniques for automatic recovery from dual isolation in which both the primary and secondary replicas of a volume are stored on isolating servers. The disclosed techniques use handshakes between the client and the replicas to determine which has a better health score. The replica with the better health score becomes the primary replica, and confirms that it and the secondary replica are both in an isolating state. In response, the primary replica seeks a solo blessing, undoes the isolating state at the volume level (the server host will still be in isolating state), and continues handling I/O and peer replication until its healthy peer is complete. These techniques can avoid availability drops when the servers hosting the primary and secondary replicas of a volume enter the isolating state at around the same time.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. Once the data migration is complete, the data center may deallocate the data blocks of the existing data volume such that the data blocks can be reused by other data volumes.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. Once the data migration is complete, the data center may deallocate the data blocks of the existing data volume such that the data blocks can be reused by other data volumes.

Abstract: Techniques for managing a critical phase of a virtual machine migration are described herein. During the critical phase, which must be kept as short as possible, a virtual machine instance is paused, network packets are rerouted to a temporary packet queue, and messages associated with managing synchronization of block storage devices are dispatched to an entity configured to manage those connections. After the block storage devices are synchronized, the network packets are released from the temporary packet queue to the new location of the virtual machine instance.

Abstract: Live migration may be performed for virtual computing resources utilizing network-based storage. A virtual compute instance operating at a source host may be moved to a destination host. The virtual compute instance may be a client of a network-based storage resource that stores data for the virtual compute instance. Access to the data stored for the virtual compute instance may be limited to the source host. When migration is performed, the destination host may be prepared to assume operation of the virtual compute instance. Operation of the virtual compute instance at the source host may be paused and the access to the data at the network-based storage resource may be modified to limit access to the destination host. Operation of the virtual compute instance may then resume at the destination host.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. If a request is received for data not yet migrated to the new data volume, then the new data volume prioritizes a migration of the requested data.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. If a request is received for data not yet migrated to the new data volume, then the new data volume prioritizes a migration of the requested data.

Abstract: A user can set or modify operational parameters of a data volume stored on a network-accessible storage device in a data center. For example, the user may be provided access to a data volume and may request a modification to the operational parameters of the data volume. Instead of modifying the existing data volume, the data center can provision a new data volume and migrate data stored on the existing data volume to the new data volume. While the data migration takes place, the existing data volume may block input/output (I/O) requests and the new data volume may handle such requests instead. Once the data migration is complete, the data center may deallocate the data blocks of the existing data volume such that the data blocks can be reused by other data volumes.

Abstract: A network-based storage resource may implement access control for virtual computing resources that utilize the storage resource during live migration of the virtual computing resources. A network-based storage resource may enforce an access control that limits access to a host of a virtual compute instance. Upon detecting migration of the virtual compute instance, the network-based storage resource may allow a connection to be established with a destination host for the virtual compute instance. The access control mechanism may be updated to limit access to the destination host for data stored for the virtual compute instance at the network-based storage resource.

Abstract: Techniques for preserving the state of virtual machine instances during a migration from a source location to a target location are described herein. A set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. When the migration from the source location to the target location starts, a second set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. During the migration, a response to an input-output request is provided to one or more of the locations using the set of credentials and based at least in part on the state of the migration.

Abstract: Live migration may be performed for virtual computing resources utilizing network-based storage. A virtual compute instance operating at a source host may be moved to a destination host. The virtual compute instance may be a client of a network-based storage resource that stores data for the virtual compute instance. Access to the data stored for the virtual compute instance may be limited to the source host. When migration is performed, the destination host may be prepared to assume operation of the virtual compute instance. Operation of the virtual compute instance at the source host may be paused and the access to the data at the network-based storage resource may be modified to limit access to the destination host. Operation of the virtual compute instance may then resume at the destination host.

Abstract: Live migration may be performed for virtual computing resources utilizing network-based storage. A virtual compute instance operating at a source host may be moved to a destination host. The virtual compute instance may be a client of a network-based storage resource that stores data for the virtual compute instance. Access to the data stored for the virtual compute instance may be limited to the source host. When migration is performed, the destination host may be prepared to assume operation of the virtual compute instance. Operation of the virtual compute instance at the source host may be paused and the access to the data at the network-based storage resource may be modified to limit access to the destination host. Operation of the virtual compute instance may then resume at the destination host.

Abstract: Techniques for preserving the state of virtual machine instances during a migration from a source location to a target location are described herein. A set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. When the migration from the source location to the target location starts, a second set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. During the migration, state information associated with the block storage device is copied from the source location to the target location based on the migration phase.

Abstract: Techniques for preserving the state of virtual machine instances during a migration from a source location to a target location are described herein. A set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. When the migration from the source location to the target location starts, a second set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. During the migration, a response to an input-output request is provided to one or more of the locations using the set of credentials and based at least in part on the state of the migration.