Abstract: Data tags, such as may be used to classify data, can be automatically applied at appropriate times in a resource environment. A customer can provide an auto-tagging configuration file that can be used to determine tags to be applied to specific data objects based upon properties of those objects. The customer can also provide policies that indicate which actions can be performed for those objects based at least in part upon the applied tags. The tags can be automatically applied at any appropriate time, such as upon storage into the environment, upon modification of the auto-tagging configuration, or upon modification or the data object. In some embodiments, an auto-tagging process can also be performed in response to a request for access to the data object in order to ensure that the correct tags are applied before determining the permitted actions.

Abstract: Information for a data object can be prevented from loss for import and export operations across a trust boundary, such as may exist between environments under control of different legal entities. A set of dependencies, including information such as data tags and identifiers for applicable policies, can be embedded in a data object, such as directly in a header or in a digest or token of the data object. When the data object is transmitted across a trust boundary, such as to a destination bucket, the destination bucket can ensure that all dependencies are available and able to be enforced in the destination environment. If not, the request can be denied or the destination environment can contact the source environment to attempt to obtain and enforce the missing dependencies. At least some of the dependencies may also need to be transformed in the second environment.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.

Abstract: Data tags, such as may be used to classify data, can be automatically applied at appropriate times in a resource environment. A customer can provide an auto-tagging configuration file that can be used to determine tags to be applied to specific data objects based upon properties of those objects. The customer can also provide policies that indicate which actions can be performed for those objects based at least in part upon the applied tags. The tags can be automatically applied at any appropriate time, such as upon storage into the environment, upon modification of the auto-tagging configuration, or upon modification or the data object. In some embodiments, an auto-tagging process can also be performed in response to a request for access to the data object in order to ensure that the correct tags are applied before determining the permitted actions.

Abstract: Information for a data object can be prevented from loss for import and export operations across a trust boundary, such as may exist between environments under control of different legal entities. A set of dependencies, including information such as data tags and identifiers for applicable policies, can be embedded in a data object, such as directly in a header or in a digest or token of the data object. When the data object is transmitted across a trust boundary, such as to a destination bucket, the destination bucket can ensure that all dependencies are available and able to be enforced in the destination environment. If not, the request can be denied or the destination environment can contact the source environment to attempt to obtain and enforce the missing dependencies. At least some of the dependencies may also need to be transformed in the second environment.

Abstract: A customer of a resource provider environment can apply policies at the data object level that will live with a data object during its lifecycle, even as the object moves across trusted boundaries. A customer can classify data, causing tags and/or predicates to be applied to the corresponding data object. Each tag corresponds to a policy, with predicates relating to various actions that can be performed on the data. A chain of custody is maintained for each data object, such that any changes to the object, tags, or policies for the data can be determined, as may be required for various audit processes. The support of such policies also enables the resource provider environment to function as an intermediary, whereby a third party can receive the data along with the tags, policies, and chain of custody as long as the environment trusts the third party to receive the data object.