Abstract: A system receives a replication credential associated with a request to replicate a dataset to a destination partition of a cloud environment. The replication credential includes a destination identifier that identifies the destination partition as a destination for replicating the dataset. The system accesses a replication tag associated with the dataset that defines a replication policy for the dataset. The replication tag includes a destination key that identifies the destination as being a permissible destination for replicating the dataset in accordance with the replication policy. The system determines that replication is permissible based on successfully validating that the destination key corresponds to the destination partition identified by the destination identifier of the replication credential. Responsive to determining that replication is permissible, the system initiates a set of one or more operations to replicate the dataset to the destination partition.

Abstract: A system determines a trigger condition for executing a security protocol transition with respect to an execution environment of a virtual cloud network. In response to determining the trigger condition, the system executes the security protocol transition while executing the execution environment. The security protocol transition includes terminating execution of a first security protocol and initiating execution of a second security protocol. The first security protocol includes utilizing a first authorization process to authorize a set of network entities to access a set of target resources. The second security protocol includes utilizing a second authorization process to authorize the set of network entities to access the set of target resources. The trigger condition indicates that one or more parameters associated with the virtual cloud network meets a set of transition criteria for executing the security protocol transition.

Abstract: Operations of a certificate bundle distribution service may include: detecting a trigger condition to distribute a certificate bundle that includes a set of one or more certificate authority certificates; partitioning each particular network entity of a plurality of network entities associated with a computer network into one of a plurality of certificate distribution groups based on an entity identifier of the particular network entity, in which each particular certificate distribution group includes a particular subset of network entities from the plurality of network entities; selecting a particular certificate distribution group, of the plurality of certificate distribution groups, for distribution of the certificate bundle; and transmitting the certificate bundle to the particular subset of network entities in the particular certificate distribution group.

Abstract: A system executes an authorization process for initiating a session with a computing entity. Executing the authorization process includes determining an identity associated with the computing entity, identifying a current set of access policies associated with the identity, and determining, based on the current set of access policies, a first set of actions that the computing entity is authorized to perform. While executing the session, the system executes a first action in accordance with the current set of access policies. Subsequent to executing the first action, the set of access policies is modified. The system detects an occurrence of a trigger condition, and in response, re-executes the authorization process for the session, including determining, based on the modified set of access policies, a second set of actions the computing entity is authorized to perform that differs from the first set of actions.

Abstract: Operations of a certificate authority (CA) service may include aggregating in a certificate repository, a plurality of sets of CA certificates, in which each set of CA certificates is issued by a particular CA that is associated with a particular trust zone and that is trusted by a particular set of network entities located in the particular trust zone. The operations may further include distributing for access by an additional set of network entities, an aggregate set of CA certificates that includes the plurality of sets of CA certificates. The additional set of network entities may utilize the plurality of sets of CA certificates to authenticate network entities located in different trust zones.

Abstract: Operations of a certificate bundle validation service may include receiving a first certificate bundle that includes a first set of one or more digital certificates, and a digital signature, associated with the first certificate bundle; determining, using a public key of an asymmetric key pair associated with a second set of one or more digital certificates, that the digital signature is generated using a private key of the asymmetric key pair; and responsive to determining that the digital signature is generated using the private key, storing the first certificate bundle in a certificate repository as a trusted certificate bundle.

Abstract: Operations of a certificate bundle distribution service may include: detecting a trigger condition to distribute a certificate bundle that includes a set of one or more certificate authority certificates; partitioning each particular network entity of a plurality of network entities associated with a computer network into one of a plurality of certificate distribution groups based on a network address of the particular network entity, in which each particular certificate distribution group includes a particular subset of network entities from the plurality of network entities; selecting a particular certificate distribution group, of the plurality of certificate distribution groups, for distribution of the certificate bundle; and transmitting the certificate bundle to the particular subset of network entities in the particular certificate distribution group.

Abstract: Operations may include receiving, from a first network entity, a first request for a first certificate revocation list (CRL) that identifies a first CRL distribution point (CDP) corresponding to the first CRL; mapping the first CDP to a first CRL identifier of a set of available CRL identifiers; locating, in a CRL repository, a first CRL based on the first CRL identifier; and transmitting the first CRL to the first network entity.

Abstract: Operations of a digital signature manager may include detecting, in a certificate repository on a first virtual cloud network, set of one or more new certificate authority (CA) certificates; transmitting, to a key management service hosted on a second virtual cloud network, a CA dataset that includes the set of one or more new CA certificates; receiving, from the key management service, a digital signature of the CA dataset generated based at least on a global private key stored on the second virtual cloud network in a private key repository associated with the key management service; and storing the digital signature in the certificate repository in a data structure that associates the digital signature with the CA dataset.

Abstract: Techniques for updating certificate bundles may include receiving, at an entity associated with a virtual cloud network, a certificate bundle that includes an updated set of certificate authority (CA) certificates. The techniques may include applying a validation process to an entity certificate based on the certificate bundle, with the entity certificate having been issued to the entity prior to the entity receiving the certificate bundle. The validation process may include validating, by the entity, a certificate chain that includes the entity certificate and a CA certificate included in the updated set of CA certificates. The techniques may include, responsive to validating the certificate chain, installing the certificate bundle in a storage medium associated with the entity, and utilizing, by the entity, the certificate bundle to authenticate at least one additional entity associated with the virtual cloud network.