Abstract: Methods, systems, and computer-readable media for local-to-remote migration for virtualized graphics processing are disclosed. A virtual compute instance comprising a local GPU is provisioned from a provider network. The provider network comprises a plurality of computing devices configured to implement a plurality of virtual compute instances with multi-tenancy. A virtual GPU is attached to the virtual compute instance. The virtual GPU is implemented using a physical GPU, and the physical GPU is accessible to the virtual compute instance over a network. Graphics processing for the virtual compute instance is migrated from the local GPU to the virtual GPU. An application is executed using the virtual GPU on the virtual compute instance.

Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.

Abstract: Systems for providing a threat intelligence system differentiate between network activity that is a mass scan, or is an accidental or otherwise benign abnormality, or is a directed attack. All of the network activity of a computing resource service provider is logged, and the logs are parsed to include the activity of a particular activity source. The activity is stored in an activity profile, and is updated on a rolling window basis. The systems then use the activity profiles of activity sources that have communicated with a user's computing resources to determine whether the activity and/or activity source is a potential threat against the user's virtual computing environment(s) and/or the computing resources executing therein. The system computes a threat level score based on parameters identified in the activity profiles.

Abstract: Host systems for resuming operation of a virtual compute instance may be identified that support features enabled for the virtual compute instance. Virtual compute instance features may be enabled at runtime prior to a virtual compute instance being stopped. When a virtual compute instance is started again, these features may be used to identify a host system that supports at least these features so that when the virtual compute instance resumes operation on the identified host, the features can be enabled.

Abstract: A virtualized system that is capable of executing a computation that has been identified as a repeatable computation and recording various representations of the state of the computing environment throughout the execution of the repeatable computation, where the state of the computing environment can be cryptographically signed and/or verified using a trusted platform module (TPM), or other cryptographic module. For example, a TPM embedded in the host computing device may generate a hash measurement that captures the state of the repeatable computation at the time of the computation. This measurement can be digitally signed using one or more cryptographic keys of the TPM and recorded for future use. The recorded state can subsequently be used to repeat the computation and/or determine whether the computation was repeated successfully according to certain defined criteria.

Abstract: Techniques for preserving the state of virtual machine instances during a migration from a source location to a target location are described herein. A set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. When the migration from the source location to the target location starts, a second set of credentials configured to provide access to a storage device by a virtual machine instance at the source location is provided to the virtual machine instance. During the migration, a response to an input-output request is provided to one or more of the locations using the set of credentials and based at least in part on the state of the migration.

Abstract: Implementation resources are operated in a manner furthering a particular purpose while excluding use of the implementation resources for other purposes. At least some of the implementation resources have capacity that is usable to implement multiple other resources. The capacity of the implementation resources is allocated in a manner that satisfies one or more conditions on the capacity of the implementation resources that is used. Generally, the capacity is allocated in a manner that reduces the likelihood that resources initiated close in time will fail together should underlying implementation resources fail. The implementation resources may be hardware devices that implement virtual computer systems.

Abstract: A component executing within a programmable execution system (PES) receives a request to launch a virtual machine instance, such as from a customer of the PES. In response to receiving such a request, the component computes an expected cost of executing the virtual machine instance over its lifetime based upon one or more cost factors. The component also computes an expected value of executing the virtual machine instance over its lifetime based upon one or more value factors. Based upon the computed expected cost and the computed expected value associated with executing the virtual machine instance, the component determines whether or not to launch the virtual machine instance. The component might utilize a similar mechanism to determine whether to instantiate other types of computing resources.

Abstract: A virtual private cloud (VPC) that includes one or more computing devices (e.g., a physical computing device, a virtual computing device, etc.) that each implement a service present in an actual production environment is provided herein. For example, at the request of a user, an instance deployment manager may replicate one or more of the services provided by an actual production environment such that the services can be executed by the computing devices within the VPC. The computing devices within the VPC may be configured to communicate with each other. However, the computing devices may not communicate with devices outside the VPC. Thus, the VPC may represent a sandboxed or isolated test stack that allows a user to independently test code within a replicated production environment.

Abstract: Embodiments of the present disclosure are directed to, among other things, providing resource allocation advice, configuration recommendations, and/or migration advice regarding data storage, access, placement, and/or related web services. In some examples, a web service may utilize or otherwise control a client instance to control, access, or otherwise manage resources of a distributed system. Based at least in part on one or more resource usage checks and/or configuration checks, resource usage information and/or configuration information of an account utilizing a web service, and/or user preferences and/or settings, resource allocation advice, system configuration recommendations, and/or migration advice may be provided to a user of an account. Additionally, in some examples, one or more remediation operations may be performed automatically.

Abstract: Methods and apparatus for profile-guided preloading for virtualized resources are described. A block-level storage volume whose contents are to be populated via data transfers from a repository service is programmatically attached to a compute instance. An indication of data transfers from the repository to a block storage service implementing the volume is obtained, corresponding to a particular phase of program execution at the compute instance. A storage profile is generated, based at least in part on the indication of data transfers. The storage profile is subsequently used to pre-load data from the repository service on behalf of other compute instances.

Abstract: A workflow orchestration service coordinates the performance of a workflow. The workflow is accomplished by performing a task on each resource in a set of resources. In an embodiment, the resources are virtual computer system instances and the task is a set of commands to be run on each of the virtual computer system instances. As a result of a request, the workflow orchestration service initiates a task instance for each resource in the set of resources in accordance with a set of workflow parameters. In an embodiment, the workflow parameters include a parameter that limits the number of concurrent active task instances. In an embodiment, the workflow parameters identify condition that aborts the performance of the workflow. In an embodiment, upon failure of a task instance, the workflow orchestration service rolls back the state of an associated resource to a state before the task was initiated.

Abstract: A virtualized system that is capable of executing a computation that has been identified as a repeatable computation and recording various representations of the state of the computing environment throughout the execution of the repeatable computation, where the state of the computing environment can be cryptographically signed and/or verified using a trusted platform module (TPM), or other cryptographic module. For example, a TPM embedded in the host computing device may generate a hash measurement that captures the state of the repeatable computation at the time of the computation. This measurement can be digitally signed using one or more cryptographic keys of the TPM and recorded for future use. The recorded state can subsequently be used to repeat the computation and/or determine whether the computation was repeated successfully according to certain defined criteria.

Abstract: Technologies are described herein for ensuring data in long-term storage will be accessible at a future date. Upon storing the data in long-term storage, a well-defined instance of data processing resources is created on a host computing platform for the installation and testing of a related application that is capable of accessing the stored data. Once testing of the related application is complete, a machine image is generated from the instance and stored with the data in the long-term storage. If access to the data stored in the long-term storage is required at a future date, the data and associated machine image may be retrieved, and a compatible instance of data processing resources created in which the machine image may be restored. The data in the long-term storage may then be accessed by the related applications executing in the newly created instance.

Abstract: Disclosed herein are techniques for enabling device communication in a secure environment. In one example, a system comprises a storage in a server, a first component in the server, the first component being isolated in a secure environment in the server, and an entry point device authorized to access the first component via the secure environment. The entry point device may receive a request to access the first component. The entry point device may store a notification in a region of the storage accessible by the first component, wherein the notification is to be read by the first component from the storage to set the first component to an operation mode. The entry point device may store operation data in the storage, wherein the operation data is to be acquired by the first component from the storage to control an operation of the first component in the operation mode.

Abstract: In a multi-tenant environment, separate virtual machines can be used for configuring and operating different subsets of programmable integrated circuits, such as a Field Programmable Gate Array (FPGA). The programmable integrated circuits can communicate directly with each other within a subset, but cannot communicate between subsets. Generally, all of the subsets of programmable ICs are within a same host server computer within the multi-tenant environment, and are sandboxed or otherwise isolated from each other so that multiple customers can share the resources of the host server computer without knowledge or interference with other customers.

Abstract: Methods and apparatus for receiving uploaded data from a sender at a receiver. A data deduplication technique is described that may reduce the bandwidth used in uploading data from the sender to the receiver. In the technique, the receiver, rather than the sender, maintains a fingerprint dictionary for previously uploaded data. When a sender has additional data to be uploaded, the sender extracts fingerprints for units of the data and sends the fingerprints to the receiver. The receiver checks its fingerprint dictionary to determine the data units to be uploaded and notifies the sender of the identified units, which then sends the identified units of data to the receiver. The technique may, for example, be applied in virtualized data store systems to reduce bandwidth usage in uploading data.

Abstract: Operating profiles for consumers of computing resources may be automatically determined based on an analysis of actual resource usage measurements and other operating metrics. Measurements may be taken while a consumer, such as a virtual machine instance, uses computing resources, such as those provided by a host. A profile may be dynamically determined based on those measurements. Profiles may be generalized such that groups of consumers with similar usage profiles are associated with a single profile. Assignment decisions may be made based on the profiles, and computing resources may be reallocated or oversubscribed if the profiles indicate that the consumers are unlikely to fully utilize the resources reserved for them. Oversubscribed resources may be monitored, and consumers may be transferred to different resource providers if contention for resources is too high.

Abstract: Methods, systems, and computer-readable media for automated management of machine images are disclosed. A machine image management system determines that a trigger for a machine image build process has occurred. The machine image management system performs the machine image build process responsive to the trigger. The machine image build process generates a machine image, and the machine image comprises a plurality of operating system components associated with an application. The machine image is validated by the machine image management system for compliance with one or more policies. The machine image management system provides the machine image to one or more recipients. One or more compute resources are launched using the machine image, and the application is executed on the compute resource(s) launched using the machine image.

Abstract: Methods and apparatus for profile-guided preloading for virtualized resources are described. A block-level storage volume whose contents are to be populated via data transfers from a repository service is programmatically attached to a compute instance. An indication of data transfers from the repository to a block storage service implementing the volume is obtained, corresponding to a particular phase of program execution at the compute instance. A storage profile is generated, based at least in part on the indication of data transfers. The storage profile is subsequently used to pre-load data from the repository service on behalf of other compute instances.