Abstract: An emulated hardware security device is configured for a compute instance. A state descriptor of the compute instance comprising software identification metadata prepared using the emulated hardware security device is provided to a resource verifier. The metadata identifies a program to be executed at the compute instance. In response to a response received from the resource verifier, a decision is made as to whether to execute the software program at the compute instance.

Abstract: Systems and methods are provided for creating a secure database execution environment. The system generates, by a database system executing on a secure enclave, attestation information. The system transmits the attestation information to a remote entity. The system obtains, by the database system executing on the secure enclave, one or more encryption keys in response to the remote entity authenticating the attestation information. The system performs, by the database system executing on the secure enclave, one or more database operations on encrypted data stored on the database system using the one or more encryption keys.

Abstract: An attestation service is configured to receive a request to enable attestation for a compute instance according to an attestation policy indicating one or more baseline health measurement values for validating compute instances. The attestation service provides a network endpoint for the compute instance to request attestation. The attestation service receives, via the network endpoint from a compute instance, one or more health measurement values of the compute instance. The attestation service validates the compute instance based at least on a comparison of the one or more current health measurement values and the one or more baseline health measurement values. The attestation service, in response to validating the compute instance, generates an attestation token indicating that the compute instance is authorized to access a secured resource of the provider network.

Abstract: Systems and methods are provided for generating personalized service disruption notifications. The system allocates resources of a database system to a plurality of entities, the resources of the database system being distributed in a cloud environment and analyzes a plurality of signals on the database system. The system, in response to analyzing the plurality of signals, detects a likelihood of a service availability disruption on the database system for a first entity of the plurality of entities. The system notifies the first entity of the service availability disruption in response to detecting the likelihood of the service availability disruption.

Abstract: Techniques for providing adaptive warehouses in a multi-tenant data system are described. The workloads for the account can be multiplexed in the adaptive warehouse environment. Warehouse endpoints in a warehouse layer can be defined for an account in the multi-tenant data system. A compute layer for the account can be divided into workload regions, where each workload region corresponds to a different workload type.

Abstract: An emulated hardware security device is configured for a compute instance. A state descriptor of the compute instance comprising software identification metadata prepared using the emulated hardware security device is provided to a resource verifier. The metadata identifies a program to be executed at the compute instance. In response to a response received from the resource verifier, a decision is made as to whether to execute the software program at the compute instance.

Abstract: An attestation service is configured to receive a request to enable attestation for a compute instance according to an attestation policy indicating one or more baseline health measurement values for validating compute instances. The attestation service provides a network endpoint for the compute instance to request attestation. The attestation service receives, via the network endpoint from a compute instance, one or more health measurement values of the compute instance. The attestation service validates the compute instance based at least on a comparison of the one or more current health measurement values and the one or more baseline health measurement values. The attestation service, in response to validating the compute instance, generates an attestation token indicating that the compute instance is authorized to access a secured resource of the provider network.

Abstract: A virtualization host is identified for an isolated run-time environment. One or more records generated at a security module of the host, which indicate that a first phase of a multi-phase establishment of an isolated run-time environment has been completed by a virtualization management component of the host, is transmitted to a resource verifier. In response to a host approval indicator from the resource verifier, the multi-phase establishment is completed at the virtualization host.

Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: In accordance with input received via a programmatic interface, a level of isolation at which a software container is to be executed is determined. Based on the level of isolation, a category of virtual machines of a virtualized computing service is selected for executing the software containers. The selected category differs from other categories in at least the number of devices emulated for virtual machines of the categories. The software container is run within a virtual machine of the selected category.

Abstract: Techniques are described for identifying resource bottlenecks in decomposing monolithic software applications as part of software modernization processes. An application modernization system constructs a graph model of a software application based on an analysis of application artifacts associated with the software application. The graph model includes nodes representing independent application components, and further includes edges representing identified dependency relationships among the application components. An application modernization system further generates application profile metrics associated with the identified dependencies, and weights derived from the metrics are applied to the nodes and/or the edges of the graph model to generate a weighted graph model that identifies the resource bottlenecks among the application components and the identified dependency relationships. The weighted graph model is transmitted to a computing device for display to a user.

Abstract: Techniques for in-place live migration of guest domain compute instances are described. A secondary host domain, which may be a patched version of an initial host domain, is launched on a computing device in a candidate host domain role or as a guest domain with escalated privileges. Existing guest domains are live migrated within the computing device to utilize the secondary host domain while the initial host domain continues to serve guest domains that have not yet been migrated. When all guest domains have been migrated, the initial host domain may be terminated, resulting in a patched computing device without network-based failures or noticeable service degradation for the guest domains, and while allowing existing guest domain workflows and network connections to continue unaffected.

Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: Techniques are described for automatically identifying monolithic software applications in users' computing environments for software modernization purposes. A monolithic patent application typically refers to a single-tiered application with self-contained functionality designed largely without modularity, although many types of applications can have monolithic characteristics. In many cases, modularity in a software application's design is desirable and thus developers may often seek to decompose monolithic applications into more modular “microservices” or other subunits when possible. A software modernization system includes a software analysis service that obtains, for one or more software applications undergoing evaluation, a collection of application artifacts, application profiling metrics, and other application profile data.

Abstract: Disclosed are various embodiments for a container execution environment. In one embodiment, a container is executed in a virtual machine instance running on a computing device. A container control plane is executed separately from the virtual machine instance in an off-load device operably coupled to the computing device via a hardware interconnect interface. The container is managed using the container control plane executing on the off-load device.

Abstract: Disclosed are various embodiments for anti-pattern detection in extraction and deployment of a microservice. A software modernization service is executed to analyze a computing application to identify various applications. When one or more of the application components are specified to be extracted as an independently deployable subunit, anti-patterns associated with deployment of the independently deployable subunit are determined prior to extraction. Anti-patterns may include increases in execution time, bandwidth, network latency, central processing unit (CPU) usage, and memory usage among other anti-patterns. The independently deployable subunit is selectively deployed separate from the computing application based on the identified anti-patterns.

Abstract: Disclosed are various embodiments for isolated code detection from application code analysis. Various application components may be identified from a source code file or a bytecode file of a computing application. A graph model representative of the computing application is generated having nodes and bridges that connect some nodes to other nodes. The graph model is generated such that at least one of the nodes is an isolated node having less than a threshold number of bridges connecting to other nodes, which is indicative that a corresponding one of the application components can be implemented as an independently deployable component of the computing application.

Abstract: Disclosed are various embodiments for the extraction of isolated nodes during source code refactoring. A graph model representative of a computing application is generated having nodes and bridges that connect some nodes to other nodes. An application component corresponding to a selected one of the nodes may be extracted from the computing application. An independently deployable component of the computing application may be generated and deployed on a network service such that the independently deployable component is accessible through a network-based call.

Abstract: Disclosed are various embodiments for the refactoring of local calls to network calls during software modernization. First and second application components are identified based on analysis of a computing application. A local call from the first application component to a process of the second application component is identified, and an independently deployable microservice is created from the computing application. The independently deployable subunit comprises the second application component having a network endpoint. The independently deployable microservice is deployed such that the process is accessible to the first application component via the network endpoint. The local call is programmatically refactored into a network call from the first application component to the process of the second application component.

Abstract: Disclosed are various embodiments for domain-driven application breakout. Application components are identified based on analysis of a computing application, where the application components are different portions of the computing application. Individual ones of the application components are associated with a category, where the category may include a business domain category. One or more of the application components associated with the category are extracted as an independently deployable subunit, which may include a microservice. The independently deployable subunit is generated for the category using the at least one of the application components and deployed separate from the computing application. A local call in the computing application to the extracted application components is refactored to a network call to the independently deployable subunit.