Abstract: A decoy network-based service uses a decoy credential to lure an attacker to access the decoy network-based service, and monitors the attacker's activity with respect to the decoy network-based service to determine the attacker's motivation. In various examples, a decoy credential is published on an Internet-accessible site, and a system that provides a network-based service (e.g., a service provider network) subsequently receives an access request from a computing device that includes the decoy credential. Based on the decoy credential, the computing device may be provided access to a decoy network-based service, and application programming interface (API) calls made by the computing device may be routed through a decoy control plane. The data relating to the API calls may be stored and analyzed to determine a motivation of the attacker, which may be used in various downstream applications to improve security for customers of the network-based service.

Abstract: Techniques are described for managing data storage using defined data storage management policies. In some situations, data storage may be managed using multiple supported storage mechanisms, such as different storage mechanisms of different types and/or in different locations. As one example, the described techniques may be performed to manage data that is available to a software program executing on a computer system, such as by caching a subset of the available data on one or more storage mechanisms to enhance later retrieval times of that data subset by the software program. In this example, the multiple supported storage mechanisms may include one or more storage mechanisms local to the computer system and one or more storage mechanisms remote from the computer system, and a defined data storage management policy for the software program may define particular types of data to store on particular storage mechanisms in particular manners.

Abstract: Techniques are described for managing data storage using defined data storage management policies. In some situations, data storage may be managed using multiple supported storage mechanisms, such as different storage mechanisms of different types and/or in different locations. As one example, the described techniques may be performed to manage data that is available to a software program executing on a computer system, such as by caching a subset of the available data on one or more storage mechanisms to enhance later retrieval times of that data subset by the software program. In this example, the multiple supported storage mechanisms may include one or more storage mechanisms local to the computer system and one or more storage mechanisms remote from the computer system, and a defined data storage management policy for the software program may define particular types of data to store on particular storage mechanisms in particular manners.

Abstract: A licensing service is disclosed that can be used in a virtual environment. A master license can be used by the licensing service to maintain a pool of licenses associated with a customer number. Multiple ephemeral licenses can be issued from the pool. The ephemeral licenses can have a short duration to ensure periodic renewal of the ephemeral licenses during the life of the master license. Tighter control of the licenses ensures that the ephemeral licenses are only used during the life of the master license. Additionally, autoscaling is promoted through the use of the license pool, which can adapt according to actual use.

Abstract: An information processing system provisions a client account for a user to enable a client computer associated with the user to store information in an elastic storage system and to prohibit the client computer, the information processing system, and the elastic storage system from altering and from deleting the stored information during an authorized retention period. Data messages are received from one or more client computers and include information that is required to be stored for the authorized retention period. That information is transmitted via one or more data communications networks to the elastic storage system for storage so that the stored information is non-rewriteable and non-erasable during the authorized retention period. The secure data center receives the retrieved copy and provides it to the user device.

Abstract: Remote file archiving is provided using package files. A request can be sent for a raw file stored within a package file. The request can be sent by a computing device to a remote storage service. The requests can comprise a location of the raw file within the package file. The raw file can be received and unmarshaled. Unmarshalling the raw file can comprise uncompressing and/or decrypting the raw file. Meta-data can be requested and used to determine a location of the raw file. Raw files can be extracted and provided. For example, a request for a raw file can be received. The raw file can be extracted from a package file and provided for download. The raw file can be in an archived state, such as compressed and/or encrypted.

Abstract: Methods and apparatus for providing network traffic monitoring such as intrusion detection to clients of a provider network. An interface and methods are provided via which a client can select traffic monitoring as a functionality to be added to their configuration on the provider network, for example as part of a load balancer layer. Via the interface, the client can configure new or existing components and specify that traffic monitoring be added on or at the components. Traffic monitoring technology is automatically and transparently added to the client's configuration on or at the components. By adding traffic monitoring functionality to an existing layer, the client does not have to separately manage traffic monitoring on the client's configuration. Traffic monitoring technology may be added at a network substrate level rather than at an overlay network level to insure that all traffic is available to the traffic monitoring technology.

Abstract: Methods and apparatus for providing inline network traffic monitoring such as intrusion detection to clients of a provider network. A client can configure new or existing components and specify that traffic monitoring be added on or at the components in the client's configuration on the provider network. Traffic monitoring is automatically and transparently added to the client's configuration on or at the components. Traffic to the client's configuration passes through the traffic monitoring technology. Traffic monitoring technology may be implemented on a resource in the client's configuration that implements other technology, such as a load balancer component. Alternatively, traffic monitoring technology may be implemented on separate components upstream or downstream of a resource that implements other technology. Traffic monitoring may be implemented at a network substrate level rather than at an overlay network level.

Abstract: In a resource-on-demand environment, virtual machine images are validated before use. A provider or source of a virtual machine image may generate a manifest, indicating executable components of the machine image. Before use, a created virtual machine may compare its executable components with those specified by the manifest. To ensure authenticity, the manifest may be associated with a signature, and the virtual machine may use the signature to verify the manifest and the source of the machine image.

Abstract: Methods and apparatus for providing out-of-band network traffic monitoring such as intrusion detection to clients on a provider network. A client can configure new or existing components and specify that traffic monitoring be added on or at the components in the client's configuration on the provider network. Traffic monitoring is provided for the client's configuration via replication technology on the provider network. In response to the client specifying that traffic monitoring is to be added on or at a component, traffic to the client's configuration is routed to replication technology, which may be implemented at a network substrate level, that passes one copy to the client's configuration and sends another copy to a destination that handles traffic monitoring such as an intrusion detection handler. The destination may be anywhere on the provider network or on an external network.

Abstract: An information processing system provisions a client account for a user to enable a client computer associated with the user to store information in an elastic storage system and to prohibit the client computer, the information processing system, and the elastic storage system from altering and from deleting the stored information during an authorized retention period. Data messages are received from one or more client computers and include information that is required to be stored for the authorized retention period. That information is transmitted via one or more data communications networks to the elastic storage system for storage so that the stored information is non-rewriteable and non-erasable during the authorized retention period. The secure data center receives the retrieved copy and provides it to the user device.

Abstract: A network appliance that runs both C and Java integrated software to provide a flexible architecture for rapid prototyping of XML security functionality, including SSL acceleration, XML encryption, XML decryption, XML signature, and XML verification, while the network appliance continues to provide high-speed performance.