US2023370473A1PendingUtilityA1

Policy scope management

Assignee: AMAZON TECH INCPriority: Mar 16, 2018Filed: Jul 26, 2023Published: Nov 16, 2023
Est. expiryMar 16, 2038(~11.7 yrs left)· nominal 20-yr term from priority
H04L 63/105H04L 63/20H04L 63/102
63
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The appropriate scoping of an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method comprising:
 receiving a first set of permissions relating to a set of resources in a multi-tenant environment;   receiving a request to access one or more resources of the set of resources;   determining at least one type of access corresponding to the received request;   determining that the at least one type of access is associated with the first set of permissions;   adjusting at least one scope associated with the first set of permissions based on the at least one type of access; and   generating, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions.   
     
     
         2 . The computer-implemented method of  claim 1 , further comprising:
 accessing, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.   
     
     
         3 . The computer-implemented method of  claim 1 , further comprising:
 determining the at least one scope, associated with the first set of permissions, based at least in part on at least one previous request to access at least one of the one or more resources of the set of resources.   
     
     
         4 . The computer-implemented method of  claim 1 , wherein the first set of permissions include permissions associated with at least one access request or at least one authentication request, the permissions defining a set of actions associated with at least one of the one or more resources of the set of resources. 
     
     
         5 . The computer-implemented method of  claim 1 , further comprising:
 analyzing the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope, associated with the first set of permissions, or do not violate other permissions of the second set of permissions.   
     
     
         6 . A computer-implemented method, comprising:
 obtaining a first set of permissions applied to a set of resources in a multi-tenant environment;   receiving a request to access one or more resources of the set of resources;   determining at least one type of access corresponding to the received request;   determining that the at least one type of access corresponds to at least one scope associated with the first set of permissions;   adjusting, based at least in part on the at least one type of access, the at least one scope; and   generating, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions.   
     
     
         7 . The computer-implemented method of  claim 6 , further comprising:
 accessing, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.   
     
     
         8 . The computer-implemented method of  claim 6 , further comprising:
 obtaining a policy template for the set of electronic resources for use in generating the second set of permissions.   
     
     
         9 . The computer-implemented method of  claim 6 , further comprising:
 determining, based at least in part on the at least one scope associated with the first set of permissions, that the type of access is a least privileged access; and   analyzing the second set of permissions to ensure that at least one scope associated with the second set of permissions is reduced.   
     
     
         10 . The computer-implemented method of  claim 6 , further comprising:
 determining at least one event executed for at least one resource of the one or more resources of the set of resources, wherein the at least one event is mapped to at least one permission of the first set of permissions to determine the permission under which the at least one event was granted access.   
     
     
         11 . The computer-implemented method of  claim 10 , further comprising:
 determining at least one scope associated with the second set of permissions, wherein the at least one scope associated with the second set of permissions is narrower than the at least one scope associated with the first set of permissions.   
     
     
         12 . The computer-implemented method of  claim 6 , further comprising:
 wherein the second set of permissions does not remove denied permissions from the first set of permissions and maintains access that was previously granted in the first set of permissions.   
     
     
         13 . The computer-implemented method of  claim 6 , further comprising:
 determining that the second set of permissions applies to a specific task, the task performed on behalf of a user; and   wherein at least one scope of the second set of permissions is based at least in part on the user.   
     
     
         14 . The computer-implemented method of  claim 6 , further comprising:
 validating the first set of permissions against permissible actions granted to at least one user associated with a customer account to ensure that the first set of permissions reflect the appropriate permissions.   
     
     
         15 . The computer-implemented method of  claim 6 , further comprising:
 wherein a scope of the second set of permissions grants only permissions granted in the first set of permissions.   
     
     
         16 . The computer-implemented method of  claim 6 , further comprising:
 detecting at least one suspicious request;   generating an alert for the at least one suspicious request; and   providing a recommendation to change at least one permission of the first set of permissions to deny access corresponding to the at least one suspicious request.   
     
     
         17 . A system, comprising:
 at least one processor; and   memory including instructions that, when executed by the at least one processor, cause the system to:
 obtain a first set of permissions applied to a set of resources in a multi-tenant environment; 
 receive a request to access one or more resources of the set of resources; 
 determine at least one type of access corresponding to the received request; 
 determine that the at least one type of access corresponds to at least one scope associated with the first set of permissions; 
 adjust, based at least in part on the at least one type of access, the at least one scope; and 
 generate, based at least in part on the adjusted scope, a second set of permissions, the second set of permissions maintaining permissions granted using the first set of permissions. 
   
     
     
         18 . The system of  claim 17 , wherein the instructions when executed further cause the system to:
 access, based at least in part on at least one scope associated with the second set of permissions, one or more resources of the set of resources.   
     
     
         19 . The system of  claim 17 , wherein the instructions when executed further cause the system to:
 generate the second set of permissions to only grant permission for access corresponding to a set of actions performed with respect to the first set of permissions.   
     
     
         20 . The system of  claim 17 , wherein the instructions when executed further cause the system to:
 analyze the second set of permissions to ensure that any changes in permissions either result in a narrowing of the at least one scope associated with the first set of permissions, or do not violate other permissions of the second set of permissions.

Join the waitlist — get patent alerts

Track US2023370473A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.