Resource access control for virtual machines
Abstract
To provide enhanced operation of virtualized computing systems, various systems, apparatuses, methods, and software are provided herein. In a first example, a method of operating a computing system to control access to data resources by virtual machines is provided. The method includes receiving an access token and an instantiation command from an end user system. Responsive to the instantiation command, the method includes instantiating a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation. The method also includes, in the virtual machine, executing a security module responsive to instantiation that transfers the access token for delivery to an authorization system, receiving credentials responsive to the access token, and accessing a data resource using the credentials.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A computing system in a cloud computing environment for providing individualized secure access to instantiated virtual machines, the system comprising:
a memory device storing a shared virtual machine image and a set of instructions; and a processor configured to execute the set of instructions to:
instantiate on demand, based on the shared virtual machine image, a plurality of instances of virtual machines in the cloud computing environment; and
execute, from the shared virtual machine image, a security application as a shared executable to execute on an instantiated virtual machine in response to instantiation of the instantiated virtual machine;
wherein the security application is configurable, when executing on the instantiated virtual machine, to establish, based on a token sent from an end user system, credentials that are unique to the instantiated virtual machine for allowing the instantiated virtual machine individualized and secure access to an access-controlled resource in the cloud computing environment.
22 . The computing system of claim 21 , wherein the credentials are established based on a communication with an authorization system in the cloud computing environment and the token.
23 . The computing system of claim 21 , wherein the token comprises identification information that is unique to the end user system.
24 . The computing system of claim 21 , wherein the security application is configurable, when executing on the plurality of instances of virtual machines, to establish a plurality of credentials that are unique to each of the plurality of instances of virtual machines for allowing the plurality of instances of virtual machines individualized and secure access to the access-controlled resource in the cloud computing environment.
25 . The computing system of claim 21 , wherein the security application comprises at least one of a startup script, executable code, and a user application.
26 . The computing system of claim 21 , wherein the security application is automatically executed upon instantiation of the instantiated virtual machine.
27 . The computing system of claim 21 , wherein the security application is automatically executed upon detecting that the instantiated virtual machine requested access to the access-controlled resource in the cloud computing environment.
28 . The computing system of claim 21 , wherein the security application is configured to request audit credentials from an audit system in the cloud computing environment for use by the instantiated virtual machine, the audit credentials being effective for allowing the security application to store audit information associated with the instantiated virtual machine in the audit system.
29 . The computing system of claim 28 , wherein the audit credentials are unique to the instantiated virtual machine.
30 . The computing system of claim 28 , wherein the audit credentials are based on the token.
31 . A method for providing individualized secure access to instantiated virtual machines in a cloud computing environment, the method comprising:
accessing a memory device storing a shared virtual machine image; instantiating on demand, based on the shared virtual machine image, a plurality of instances of virtual machines in the cloud computing environment; and executing, from the shared virtual machine image, a security application as a shared executable to execute on an instantiated virtual machine in response to instantiation of the instantiated virtual machine; wherein the security application is configurable, when executing on the instantiated virtual machine, to establish, based on a token sent from an end user system, credentials that are unique to the instantiated virtual machine for allowing the instantiated virtual machine individualized and secure access to an access-controlled resource in the cloud computing environment.
32 . The method of claim 31 , wherein the security application is configurable, when executing on the plurality of instances of virtual machines, to establish a plurality of credentials that are unique to each of the plurality of instances of virtual machines for allowing the plurality of instances of virtual machines individualized and secure access to the access-controlled resource in the cloud computing environment.
33 . The method of claim 31 , wherein the security application is automatically executed upon instantiation of the instantiated virtual machine.
34 . The method of claim 31 , wherein the security application is configured to request audit credentials from an audit system in the cloud computing environment for use by the instantiated virtual machine, the audit credentials being effective for allowing the security application to store audit information associated with the instantiated virtual machine in the audit system.
35 . The method of claim 34 , wherein the audit credentials are unique to the instantiated virtual machine.
36 . The method of claim 34 , wherein the audit credentials are based on the token.
37 . A computing system for auditing activity of instantiated virtual machines in a cloud computing environment, the system comprising:
a memory device storing a set of instructions; and a processor configured to execute the set of instructions to:
receive, from an instantiated virtual machine among a plurality of instantiated virtual machines that have been instantiated from a shared virtual machine image, a prompt for transfer of audit data associated with operation of the instantiated virtual machine, the prompt comprising individualized audit credentials that are unique to the instantiated virtual machine and are based at least in part on a unique identity of the instantiated virtual machine; and
responsive to the prompt, selectively authorize storage, in the memory device, of the audit data transferred by the instantiated virtual machine based at least in part on the individualized audit credentials.
38 . The computing system of claim 37 , wherein the individualized audit credentials are provided by an authorization system in the cloud computing environment.
39 . The computing system of claim 37 , wherein each of the plurality of instantiated virtual machines has different individualized audit credentials.
40 . The computing system of claim 37 , wherein the processor is further configured to execute the set of instructions to verify the individualized audit credentials of the instantiated virtual machine.
41 . The computing system of claim 37 , wherein the processor is further configured to execute the set of instructions to revoke the individualized audit credentials of the instantiated virtual machine.
42 . The computing system of claim 41 , wherein the processor is further configured to execute the set of instructions to selectively deny storage, in the memory device, of the audit data transferred by the instantiated virtual machine based at least in part on the revoked individualized audit credentials.
43 . The computing system of claim 37 , wherein the audit data associated with operation of the instantiated virtual machine indicates at least one of user access, a network session, a timestamp of activity, an instantiation time, a load condition, network activity, a processor event, and an operating system event.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.