Request filtering and data redaction for access control
Abstract
Approaches provide for mandatory access controls and account identification masking controls in an electronic environment. For example, a customer can configure a client device to access an API gateway which acts as a proxy for a resource in a resource provider environment. Requests for resources or services can be redirected to the API gateway. A registered function may be triggered when the request is received and may filter the request. After filtering, the request can be forwarded on to the actual API endpoint to access the requested resource. From the client's perspective, the resource is being accessed directly, and from the resource's perspective, it is being accessed by the proxy. This layer of indirection enables data to be protected preemptively, rather than waiting for an undesirable condition to exist and then reactively attending to the issue. Additionally, log data may be redacted and/or masked automatically as it is created, protecting sensitive data before it is accessible to administrators or other users.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A system, comprising:
at least one processor; and memory storing instructions that, when executed by the at least one processor, cause the system to:
receive a request at a gateway serving as a proxy to at least one resource in a resource provider environment, the request received from a client device and intended for an endpoint associated with the at least one resource;
determine a role associated with a first registered function, the role granting access to the at least one resource in the resource provider environment, the gateway and the first registered function associated with a first account, the at least one resource associated with a second account and accessible via the endpoint by the first registered function;
determine, by the first registered function using an access control list, to provide the request to the endpoint;
provide the request to the endpoint to access to the at least one resource;
store log data associated with the request in a first data store;
execute a second registered function on the log data, the second registered function triggered by the storing of the log data in the first data store;
redact the log data by the second registered function to generate redacted log data; and
store the redacted log data in a second data store accessible to the client device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.