Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

Abstract: Methods and apparatus for a computing infrastructure for configurable-quality random data are disclosed. A storage medium stores program instructions that when executed on a processor designate some servers of a provider network as members of a pool of producers of random data usable by random data consumers. The instructions, when executed, determine a subset of the pool to be used to supply a collection of random data intended for a random data consumer, and one or more sources of random phenomena to be used to generate the collection of random data. The instructions, when executed, initiate a transmission of the collection of random data directed to the random data consumer.

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.

Abstract: A user-promotion process allows a service provider to grant the security roles associated with a target user account to a requester by obtaining approvals from a quorum of approving users. The quorum requirements and the identity of the approving users may be established by the target user or an account manager. Upon receiving, from a promotion candidate, a request to assume security roles of a target user, the service provider identifies the approving users from the target user's account record. Approvals are requested from the approving users, and if a quorum of approvals is received by the service provider, the promotion candidate is allowed to assume the roles of the target user. If a quorum of approvals is not received, then substitute approving users may be identified based at least in part on those approving users that did not respond to the approval request.

Abstract: Digital certificates include pointers to remote certificate information stores that maintain usage information associated with digital certificates. The pointers provide a mechanism for enabling the remote certificate information stores to be queried for usage information associated with a particular digital certificate. The usage information can be used to determine a validity of the digital certificate.

Abstract: Customers of a computing resource service provider may operate computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities, and correlated threat information may be generated.

Abstract: A method and apparatus for distributing cryptographic material are disclosed. In the method and apparatus, cryptographic material is obtained and it is determined that the cryptographic material is to be made available for use by one or more computing resources. The cryptographic material is then sent to one or more secure modules, whereby a secure module of the one or more secure modules is programmatically accessible to a computing resource of the one or more computing resources and programmatic access enables the computing resource to request performance of one or more cryptographic operations using the cryptographic material while exporting the cryptographic material to the computing resource is denied.

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

Abstract: A security service of a computing resource service provider provides security scores for application program interfaces (APIs) and other security information to an API marketplace or other endpoints. The security score may be based at least in part on component information associated with computing resources implementing the API. The security service may obtain access to the computing resources and collect various components from the computing resources. The components may then be used to determine a security score of an API offered from consumption on the API marketplace. The security service may then publish the security score to the API marketplace or other endpoint.

Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.

Abstract: A user-promotion process allows a service provider to grant the security roles associated with a target user account to a requester by obtaining approvals from a quorum of approving users. The quorum requirements and the identity of the approving users may be established by the target user or an account manager. Upon receiving, from a promotion candidate, a request to assume security roles of a target user, the service provider identifies the approving users from the target user's account record. Approvals are requested from the approving users, and if a quorum of approvals is received by the service provider, the promotion candidate is allowed to assume the roles of the target user. If a quorum of approvals is not received, then substitute approving users may be identified based at least in part on those approving users that did not respond to the approval request.

Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.

Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.

Abstract: Organizations maintain and generate large amounts of sensitive information using computer hardware resources and services of a service provider. Furthermore, there is a need to be able to delete large amounts of data securely and quickly by encrypting the data with a key and destroying the key. To ensure that information stored remotely is secured and capable of secure deletion, cryptographic keys used by the organization should be prevented from being persistently stored during serialization operations. If the keys used to encrypt the data have not been exposed during serialization operation, they may be deleted or destroyed enabling the destruction of data encrypted with the keys.

Abstract: A user-promotion process allows a service provider to grant the security roles associated with a target user account to a requester by obtaining approvals from a quorum of approving users. The quorum requirements and the identity of the approving users may be established by the target user or an account manager. Upon receiving, from a promotion candidate, a request to assume security roles of a target user, the service provider identifies the approving users from the target user's account record. Approvals are requested from the approving users, and if a quorum of approvals is received by the service provider, the promotion candidate is allowed to assume the roles of the target user. If a quorum of approvals is not received, then substitute approving users may be identified based at least in part on those approving users that did not respond to the approval request.

Abstract: Digital certificates include pointers to remote certificate information stores that maintain usage information associated with digital certificates. The pointers provide a mechanism for enabling the remote certificate information stores to be queried for usage information associated with a particular digital certificate. The usage information can be used to determine a validity of the digital certificate.

Abstract: Customers of a computing resource service provider may operate computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities, and correlated threat information may be generated.

Abstract: A method and apparatus for distributing cryptographic material are disclosed. In the method and apparatus, cryptographic material is obtained and it is determined that the cryptographic material is to be made available for use by one or more computing resources. The cryptographic material is then sent to one or more secure modules, whereby a secure module of the one or more secure modules is programmatically accessible to a computing resource of the one or more computing resources and programmatic access enables the computing resource to request performance of one or more cryptographic operations using the cryptographic material while exporting the cryptographic material to the computing resource is denied.

Abstract: Techniques are disclosed for mitigating against registering a domain name that is confusingly similar to a pre-existing domain name, possibly for the purpose of fooling users. In embodiments, a domain name is presented for registration. The domain name is rendered as an image, and optical character recognition is performed on the image to extract the rendered text. This extracted text is compared against a list of domain names for which confusingly similar domain names cannot be registered, and when the extracted text matches a domain name in this list of domain names, registration of the domain name is denied.