Invented by Jasmeet Chhabra, Amazon Technologies Inc

The market for suggesting access policies for web services based on test mode data is rapidly growing as businesses strive to enhance their security measures and protect sensitive information. With the increasing reliance on web services for various operations, it has become crucial for organizations to implement robust access policies that ensure only authorized individuals can access their systems. Test mode data, which simulates real-world scenarios and user interactions, provides valuable insights into potential vulnerabilities and loopholes in web services. By analyzing this data, businesses can identify potential security risks and develop access policies that mitigate these risks effectively.

One of the key players in this market is AI-powered software that utilizes machine learning algorithms to analyze test mode data and suggest access policies. These software solutions can process large volumes of data quickly and accurately, identifying patterns and anomalies that may indicate potential security threats. By leveraging this technology, businesses can proactively identify and address vulnerabilities before they are exploited by malicious actors.

The market for suggesting access policies based on test mode data is not limited to any specific industry. Organizations across sectors, including finance, healthcare, e-commerce, and government, are increasingly investing in these solutions to safeguard their systems and protect sensitive data. The potential consequences of a security breach, such as financial loss, reputational damage, and legal liabilities, have made access policy suggestions based on test mode data a top priority for businesses.

In addition to enhancing security, these access policy suggestions can also improve user experience. By analyzing test mode data, businesses can gain insights into user behavior and preferences, allowing them to tailor their web services to meet customer expectations. This personalized approach not only enhances user satisfaction but also increases customer loyalty and retention.

The market for suggesting access policies based on test mode data is expected to witness significant growth in the coming years. As cyber threats continue to evolve and become more sophisticated, businesses will increasingly rely on advanced technologies to protect their systems. The integration of artificial intelligence and machine learning algorithms into access policy suggestion software will further enhance the accuracy and effectiveness of these solutions. However, it is important to note that while these software solutions can provide valuable insights and suggestions, human intervention and decision-making are still crucial. Businesses should not solely rely on automated systems but should also involve cybersecurity experts and professionals to evaluate and implement the suggested access policies.

In conclusion, the market for suggesting access policies for web services based on test mode data is a rapidly growing sector driven by the increasing need for enhanced security measures. AI-powered software solutions that analyze test mode data and suggest access policies are becoming essential for businesses across industries. As the threat landscape continues to evolve, these solutions will play a critical role in safeguarding sensitive information and ensuring the smooth operation of web services.

The Amazon Technologies Inc invention works as follows

A method and a system for generating suggestions on access policies are described. The system launches a test mode to allow a user to access a web service. The system records data about the access of the user to the service in test mode. The system creates a policy recommendation based on test data.

Background for Suggesting Access Policies for Web Services Based on Test Mode Data

Customers of web services are concerned about security. Access management systems control access to web resources and services. Web service access management may include permissions for different users or types of users, and it can be complex. Some customers set up complex permissions for governing access to services and resources, but get frustrated trying to debug them. The customer might give up and set permissions that are more permissive than their needs require.

Embodiments described in this document relate to the management of access to web services and other resources by an Access Management System having a Policy Suggestion Tool (PST). An access management system is a core service that allows customers to control the security of web services and cloud resources. The embodiments described in this document are directed at running distributed web services in a test mode, recording actions and related data as test data, and analyzing the test data to give policy suggestions to users. These embodiments increase the security of policies through less permissive policy suggestions and help users debug complex authorization problems using the test mode. In one embodiment, an access management system is notified of a request to start a test mode to access web services. Web services can include computing services such as database services or application services. The request can include the credentials of a test user. The access management system notifies the web services of the test mode, and then receives authorization requests from a web service to perform an operation or access a particular resource on behalf of the test user in the test mode. The access management system records the test data and authorizes the requests. The access management system analyses the test data and generates an access policy suggestion based on it. The embodiments described can also record actions and related data as test data for other purposes. Instead of suggesting access control policies, test data could be analyzed to determine resource usage and then provide recommendations for provisioning services or resources, taking into account factors such as bandwidth, data usage or service usage. The usage patterns, for example, may indicate to the user that they can reduce the cost of services by provisioning based on their actual usage.

As mentioned above, access control can be complex. Customers of access management systems can become frustrated trying to debug complex permissions in order to determine which access permissions work. Many such customers end up setting permissions that are more permissive than their needs require. In the embodiments described, a test mode is introduced to address this problem. An operator of the system can create a test user to be used in this mode. The operator can use the credentials of this test user to run an application, performing many (or even all) of the actions that are performed in production mode. The access management system records the actions of the test user in the test mode. Test data are the data recorded about user actions and accesses, analyzed in order to generate automated access policy suggestions. This data can, for example, specify whether or not the authorization was successful, which resources were accessed and which actions were taken. The access management system can include a service that analyses the test data and the actions taken by the test user in order to suggest policies. The suggested access policies are designed to help users lock down their permissions. The policy analysis service can also be used to analyze test data in order to help operators figure out why certain actions fail.

FIG. 1 is a block diagram showing an example of a network architecture 100 in which embodiments of the policy suggestion tool 118 can operate. The network architecture 100 can include an access management system (AMS) 110 and client devices 130 that are capable of communicating with the AMS 110 via network 120. The network 120 can include any number of different communication networks including, but not limited to, cable networks, public networks like the Internet, private networks like frame relay, wireless networks, cellular networks, telephone networks or any other suitable public or private packet-switched and circuit-switched communication networks. The network 120 can also be associated with any suitable communication range, such as public networks, metropolitan area networks, wide area networks, local area networks, or personal area networks (PANs). The network 120 can also include networking devices such as link-layer switches and routers. The network 120 may include any type of suitable medium for transmitting traffic, including but not limited to coaxial cable, twisted-pair copper wire, optical fibre, hybrid fiber/coaxial (HFC), microwave, radio frequency and satellite communication media, or any combination thereof.

Client device 130 can be any mobile computing device, such as a tablet computer, cellular telephone, personal digital assistant (PDA), portable media player, netbook, laptop, portable gaming console, motor vehicle (e.g. automobile), wearable device (e.g. smart watch), etc. Client device 130 can also be a non-portable computer such as a desktop, server, or similar device. Client device 130 can be configured to execute an application that interacts with the access management system 110, which includes a client permissions manager 114, a policy suggestion tool 118, or both.

Communication between the Access Management System 110 and the Client Device 130 can be enabled by any communication infrastructure such as public or private networks. A combination of wireless infrastructure and a wide-area network (WAN), for example, allows users to interact with the access management system 110 using client device 130 without having to be tethered via hardwired connections. Wireless infrastructure can be provided by one or multiple wireless communication systems. One of the wireless communication systems can be a WLAN access point that is connected to the network 120. A wireless carrier system can be implemented with various data processing equipment and communication towers. The wireless carrier system can also rely on satellites to exchange data with the client device 130.

Access management system 110 can be created by a company or public sector organisation to manage access and identity for services (such as cloud computing and storage). These services are accessible to the client device 130 via the Internet or other networks. The access management system and web services may include multiple data centers that host various resource pools. These could be collections of virtualized and/or physical computer servers, storage devices and networking equipment, for example, to implement and distribute the infrastructure and services provided by the system 110, including multi-tenant and single-tenant services. In some embodiments the access management system may implement the client permissions manager (115), the policy suggestion tool (118), or both to manage access to associated web services 154A – 154N. It may also provide access to computing resources 150A – 150N, including virtual compute services and storage services such as object storage services and block-based storage. Client device 130 can access the various services 154A -N and resources 150A -N via access management system 100, for example through an API or command-line interface. Network-based services can also communicate with one another and/or use each other to provide different services.

The client permissions manager (115) controls the access of one or more users to the services 150A-N or the resources 154A-N. The services 154A to N may include computing, storage, database, application, or other services. Resources 150A-N can include computing resources or storage resources; database resources, application resources and other resources may also be included. Client permissions manager (115) can be used to grant different permissions for different services and resources to different users. The client permissions manager 115, for example, can be programmed so that certain users have complete access to Amazon Elastic Compute Cloud, Amazon Simple Storage Service, Amazon DynamoDB and Amazon Redshift, while other users have read-only access to some S3 buckets, the ability to administer some EC2 instances, or access to billing information. Client permissions manager 115 is also used to give applications running on EC2 instances access to other resources like S3 buckets, RDS databases or DynamoDB databases. The client permissions manager can be used to authenticate a user or group of users, and, through policies 143, to authorize services to perform actions on behalf of users or to access resources. Policies 143 may be stored in a data repository 142 accessible to components of the Access Management System 110. The PST 118, as described herein, can be used to create access policy suggestions which the client permissions manager 115 can use in order to control access to services 154A to N and resources 150A to N.

The Access Management System 110 and its components can be accessed in one or more ways. A management console is a web-based interface that allows users to manage the system and the services and resources it provides. A command-line tool can be used with scripts for automated tasks. The access management system (110) may include an API to allow requests to be made directly to services. This API can be an HTTP-based interface in which requests are HTTP requests made directly to the services. Other libraries and code may be used to access the Access Management System 110 programmatically.

The client permissions manager 115 can authenticate a user of the service, and then determine whether or not to authorize that user to perform a particular action or to access the resource 150.

As described above, creating policies that are appropriate for a user or a group of users can be complex. The client permissions manager (115) can enforce policy suggestions generated by the policy suggestion tool 118 for a given user. In one embodiment, the access management system 110 launches the PST 118 in response to a user request to start a test mode to access web services. The request for initiating the test mode may specify a user to be used as the test user and also include that user's credentials. The credentials can be those of an actual user. The PST 118 allows some time for all servers in the access management system to be notified that the test mode is active. The PST 118 authorizes requests in the test mode, records test data, and makes access policy suggestions based on that data. In particular, the PST 118 receives authorization requests for an action to be performed or for access to one or more resources 150A-N from one or more of the web services 154A-N. The PST 118 may automatically approve the requests and also record test data 145 about them. The test data can be stored either in the data store 142 or in a different data store than the policies. The PST 118 analyses the test data 145 and generates an access policy suggestion based on that data. The access policy suggestion can also be stored in the data store 142.

In another embodiment, PST 118 transmits the suggestion of an access policy to a client device. The PST 118 may receive a request for the user to be notified of an access policy suggestion. In a second embodiment, an access policy can be applied to resources. The access policy suggestion may also be applied to groups of users, roles, human users, machine-users, etc. The PST 118 or the access management system 110 can receive a user request to end the test mode and then terminate it for that user.

In another embodiment, the PST 118 receives a request for authentication and authorization from a web service that is responding to a client request to perform an action or to access a resource. The first web service provides the PST 118 with call data about the client request. Call data can include a user identifier, an action identifier and a resource identifier. The PST 118 stores the call data of the client’s request and creates an access policy suggestion based on it, which specifies at least the action identifiers and resource identifiers.

In another embodiment, the PST 118 generates a response granting permission to a first web service to perform an action or access a resource on behalf of the test user. The first web service sends the PST 118 a request to authenticate the user, authorize a certain action and allow the user to access a particular resource. The PST 118 records the test data 145 associated with this first request, then analyses the test data 145 to generate the access policy suggestion based on the first request.

In another embodiment, the PST 118 is notified of a request to start a test mode to access web services. It then receives a request for authorization from a web service to perform an operation or to access a resource in the test mode. The PST 118 records test data about the second request. It authorizes the request. The PST 118 analyses the test data and generates an access policy recommendation based on that data. In a second embodiment, the PST 118 creates a permission response that authenticates and authorizes the user to perform an action or access a resource on behalf of the user. The second request can include an authentication request for authenticating the test-user and an authorization request for a first action to be performed and a resource to be accessed by the test-user in the test mode. PST 118 creates an access policy suggestion based upon the first request. The access policy may include an authorisation for the first action as well as access to the resource.

The access management system 110 can be eventually consistent and achieve high availability by replicating data across multiple servers located in data centres around the globe. Once a change request is accepted, the change is safely saved, but it must then be replicated to all servers of the access management system, which may take time. These changes can include adding or updating groups, users, roles or policies. Changes can, for instance, be made in a separate setup or initialization routine, and action can be taken to verify that the changes have propagated before production workflows depend on them.

FIG. 2 is a diagram showing a logical view of a policy suggestion tool (PST), according to one embodiment. PST 200 can correspond to PST 118 in FIG. 1. PST 200 can include, in some embodiments, a Test Mode Manager 205, a Policy Suggestion Editor 225, a Test Data Recorder 210 and a Test Permissions Manager 210. The components of PST 200 can be used to provide policy suggestions. The functionality of the individual components of FIG. 2 can be integrated into any number of software components. PST 200 can also include other components such as APIs, CLIs, and the like.

In one embodiment, the Test Mode Manager 205 may receive a request to initiate a test mode, or a request to terminate one. The test mode manager can, for example, receive a request from the client device to put a user X into test mode. In response to this request, the manager can set the test mode in motion and confirm to the device that it is working. The test mode manager can inform other components of PST 200 about the current test mode, and can inform the web services and other instances of the access management system that the test user has entered test mode. It can then wait a certain period of time to ensure that the updated user is available at the global endpoints of the system. Once the global endpoints have been updated, the test mode manager informs the client device that the user’s test mode has been activated. The test mode manager 205 may assign a TestID=test_id to the test user, and then send this test user identifier to the client device.

In test mode, the client device 230 can request a web service to perform an operation or access a particular resource. The web service 254 responds to the client device 230 request by sending a request for authentication and authorization of the action or access to the access management system 110. The test permissions manager of the PST 200 responds with a response indicating that the authentication and authorization request was successful, with a test mode flag set to true. The web service 254 then sends the call data for the action performed and any resources used to the PST 200. In response, the test data recorder 215 records the call data in the test data 245. The test data 245, for example, may include the user, the action and the resource accessed by web service 254. In an alternative embodiment, the policy analyzer 210 records the test data 245 instead of the test data recorder 215. Client device 230 may send zero or more further requests to the same web service, or to different services, in order to perform additional actions or access different resources, and the test data recorder 215 continues to record the data for each authorized call. At some point the client device 230 sends a request to terminate the test mode for the test user. The test mode manager 205 responds by removing the test mode of the user currently in progress and then waits for the updated user to become available at the global endpoints. The test mode manager then notifies the client device 230 that the test mode for the user has been deactivated. The client device asks the PST 200 to create a policy suggestion for the user. The policy analyzer 220 then analyzes the test data 245 and creates access policy suggestions, which the Client Permissions Manager 115 uses once the client device accepts them. Access policy suggestions 243 may be sent to the client device for editing and selection.

The client device 230 may select and edit access policy suggestions using the policy suggestion editor 225. In response to a client device request, the policy suggestion editor can apply the suggested policy to a user (e.g. User Y) who is not just a tester but a real user of the web services. In another embodiment, the suggested access policy can be applied to a resource. The access policy suggestion may also be applied to groups of users, roles, human users, machine users, or similar.
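The test-mode flow just described (authorize and record every call while a user is in test mode, then derive a least-privilege policy from the recorded call data, and use the same data to explain why a call would fail under the production policy) is modelled below in Python. This is an added illustration, not Amazon's implementation: the IAM-style policy shape, the `fnmatch` wildcard evaluation, the class and function names and the `example-bucket` resource are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class CallRecord:
    """Call data a web service reports back: who did what to which resource."""
    user: str
    action: str
    resource: str
    allowed: bool

def allowed_by(policy, action, resource):
    """IAM-style evaluation (assumed): an Allow statement whose Action and Resource
    patterns ('*' wildcards) both match grants the call; nothing else does."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatchcase(action, a) for a in acts) and fnmatchcase(resource, stmt["Resource"]):
            return True
    return False

@dataclass
class PolicySuggestionTool:
    """Toy PST: test mode manager, test permissions manager, recorder and analyzer."""
    test_users: set = field(default_factory=set)
    test_data: list = field(default_factory=list)

    def start_test_mode(self, user):
        self.test_users.add(user)
    def end_test_mode(self, user):
        self.test_users.discard(user)

    def authorize(self, user, action, resource, policy):
        """In test mode every call is granted and recorded; otherwise the policy decides."""
        if user in self.test_users:
            self.test_data.append(CallRecord(user, action, resource, True))
            return True
        return allowed_by(policy, action, resource)

    def suggest_policy(self, user):
        """One Allow statement per resource, listing only the actions the test user
        actually exercised: the least-privilege suggestion."""
        by_resource = defaultdict(set)
        for rec in self.test_data:
            if rec.user == user and rec.allowed:
                by_resource[rec.resource].add(rec.action)
        return {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                              for res, acts in sorted(by_resource.items())]}

    def calls_denied_by(self, user, policy):
        """Debugging aid: recorded calls the given (production) policy would reject."""
        return sorted({(r.action, r.resource) for r in self.test_data
                       if r.user == user and not allowed_by(policy, r.action, r.resource)})

# Constructed scenario: the test user's existing policy grants EC2 only.
EC2_ONLY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
BUCKET = "arn:aws:s3:::example-bucket/*"  # hypothetical resource

def run_scenario():
    """Drive one test session; return (tool, suggested policy, calls EC2_ONLY denies)."""
    pst = PolicySuggestionTool()
    pst.start_test_mode("test-user")
    for action, res in [("ec2:DescribeInstances", "*"), ("s3:GetObject", BUCKET),
                        ("s3:PutObject", BUCKET), ("s3:GetObject", BUCKET)]:
        pst.authorize("test-user", action, res, EC2_ONLY)  # all granted in test mode
    pst.end_test_mode("test-user")
    return pst, pst.suggest_policy("test-user"), pst.calls_denied_by("test-user", EC2_ONLY)
```

The suggested policy grants only the four distinct (action, resource) pairs that were exercised, and `calls_denied_by` shows which of those calls the EC2-only production policy would reject once test mode ends.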

The following description provides some examples of suggested access policies for a user who has permissions to the web service EC2 as well as the resource S3. In this example the test user has all EC2 (EC2*) and S3 permissions, as given by the statement:

"Statement": [
