Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: Devices and methods are provided for using an identity-aware proxy to filter transmissions for virtual networks. The device may receive an encrypted application programming interface (API) call from a second device, wherein the encrypted API call is associated with a remote network resource, and wherein the device is included in a remote network which includes the remote network resource. The device may determine, based on the encrypted API call, an account associated with the remote network resource. The device may determine that the account is not authorized to access the remote network resource using the remote network. The device may send an error notification to the second device.

Abstract: Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: A customer in a computing resource provider environment, running an application on a VM instance, uses role credentials to request access to one or more web services. The request is forwarded to an enclave associated with the VM instance such that the enclave digitally signs the request and access to the one or more web services is provided.

Abstract: Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.

Abstract: A first network namespace and second network namespace are created in a computing instance of a computer system, with the second network namespace being accessible to the first network namespace via an interface. A service is executed in the first namespace and an encoder is executed in the second namespace, with the encoder transforming media from one format to another format. Communication from the encoder to the service is regulated via the interface.

Abstract: A collection of fault categories, including faults associated with internal resources at a provider network, is presented via an interface of a fault injection service. A fault injection mode, selected from a set which comprises a non-randomized mode, to be used to inject faults into a target environment is determined. Fault injection agents introduce faults into the target environment in accordance with the fault injection mode.

Abstract: A computing resource service provider grants a first set of security permissions to a principal (e.g., a user) which may be used to access a plurality of computing resources. The permissions may be associated with a first security token. The principal may access resources using the first set of security permissions, and a system (e.g., a service provider) may identify a subset of security permissions that are sufficient to provide access to the computing resources accessed by the principal using the first set of permissions. The subset may be associated with the principal. In some cases, the principal operating under the subset of permissions may be denied access to a computing resource and may be granted access to the computing resource by operating under the first set of permissions.

Abstract: A method of restricting data access based on properties of at least one of a process and a machine executing the process includes receiving, by an access control management system, from a first computing device, information associated with an encrypted data object. The method includes requesting, by the access control management system, from a verifier, verification that a second computing device executes a process in accordance with a process attribute identified in the information associated with the encrypted data object. The method includes sending, by the access control management system, to the second computing device, the received information associated with the encrypted data object, responsive to the verification of the process attribute.

Abstract: A customer may request a service endpoint for a service in their virtual network on a provider network. In response, a service endpoint is generated in the customer's virtual network, a local IP address in the IP address range of the customer's virtual network is assigned to the service endpoint, and a DNS name is assigned to the service endpoint. Resources on the customer's virtual network resolve the DNS name of the service endpoint to obtain the local IP address of the service endpoint and send service requests for the service to the local IP address of the service endpoint. The service endpoint adds routing information to the service requests and sends the service requests over the network substrate to be routed to the service.

Abstract: Systems and methods are described to enable adaptive handling of domain resolution requests originating from a virtual private cloud (VPC) networking environment. An administrator of the VPC can provide a set of rules specific to the VPC that designates how requests for a domain name should be handled. The rules may specify, for example, that a request for a given domain name should be routed to a particular domain name server, which may include a private domain name server, should be dropped, or should be routed according to a default behavior (e.g., a public domain name system). Resolution requests originating in the VPC can be associated with a VPC identifier. When an adaptive resolution system receives the request, it can retrieve rules associated with the VPC identifier, and apply the rules to determine further routing for the request.

Abstract: A customer may request a service endpoint for a service in their virtual network on a provider network. In response, a service endpoint is generated in the customer's virtual network, a local IP address in the IP address range of the customer's virtual network is assigned to the service endpoint, and a DNS name is assigned to the service endpoint. Resources on the customer's virtual network resolve the DNS name of the service endpoint to obtain the local IP address of the service endpoint and send service requests for the service to the local IP address of the service endpoint. The service endpoint adds routing information to the service requests and sends the service requests over the network substrate to be routed to the service.

Abstract: Systems and methods are described to enable adaptive handling of domain resolution requests originating from a virtual private cloud (VPC) networking environment. An administrator of the VPC can provide a set of rules specific to the VPC that designates how requests for a domain name should be handled. The rules may specify, for example, that a request for a given domain name should be routed to a particular domain name server, which may include a private domain name server, should be dropped, or should be routed according to a default behavior (e.g., a public domain name system). Resolution requests originating in the VPC can be associated with a VPC identifier. When an adaptive resolution system receives the request, it can retrieve rules associated with the VPC identifier, and apply the rules to determine further routing for the request.

Abstract: A system for propagating network configuration changes in a distributed computing system includes one or more processors and memory that includes instructions, that when executed by the one or more processors, cause the processors to receive a configuration propagation instructions from a client, receive a network configuration change request from the client, generate a first command instruction, and transmit the first command instruction to one or more of a plurality of network devices in accordance with the configuration propagation instruction. The first command instruction instructs the plurality of network devices to change state from a first state to a second state. The second state corresponds with a network configuration contained in the network configuration change request.

Abstract: Systems and methods are described to enable adaptive handling of domain resolution requests originating from a virtual private cloud (VPC) networking environment. An administrator of the VPC can provide a set of rules specific to the VPC that designates how requests for a domain name should be handled. The rules may specify, for example, that a request for a given domain name should be routed to a particular domain name server, which may include a private domain name server, should be dropped, or should be routed according to a default behavior (e.g., a public domain name system). Resolution requests originating in the VPC can be associated with a VPC identifier. When an adaptive resolution system receives the request, it can retrieve rules associated with the VPC identifier, and apply the rules to determine further routing for the request.

Abstract: Systems and methods for providing a protected computing environment comprising separating out a protected environment management component from a kernel of a computing device, providing identification information as a part of the protected environment management component, and providing individualization information as part of the protected environment management component.