US 11,658,971 B1
Virtual firewalls for multi-tenant distributed services
Kevin Ross O'Neill, Seattle, WA (US); Mark Joseph Cavage, Seattle, WA (US); Nathan R. Fitch, Seattle, WA (US); Anders Samuelsson, Redmond, WA (US); Brian Irl Pratt, Seattle, WA (US); Yunong Jeff Xiao, Seattle, WA (US); Bradley Jeffery Behm, Seattle, WA (US); and James E. Scharf, Jr., Seattle, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on May 30, 2019, as Appl. No. 16/427,099.
Application 16/427,099 is a continuation of application No. 14/553,915, filed on Nov. 25, 2014, granted, now 10,313,346.
Application 14/553,915 is a continuation of application No. 12/861,692, filed on Aug. 23, 2010, granted, now 8,904,511, issued on Dec. 2, 2014.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 41/28 (2022.01); H04L 67/00 (2022.01)
CPC H04L 63/10 (2013.01) [H04L 41/28 (2013.01); H04L 63/0263 (2013.01); H04L 63/20 (2013.01); H04L 67/00 (2013.01); H04L 63/08 (2013.01); H04L 63/102 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A computerized system facilitating a multi-tenant distributed service, comprising:
a resource server computer configured to at least:
maintain a plurality of provisioned resources of the multi-tenant distributed service, the plurality of provisioned resources provisioned on behalf of a tenant of the multi-tenant distributed service
that is enabled to delegate authority to a plurality of users to establish a plurality of resource policy sets with respect to the plurality of provisioned resources that are provisioned on behalf of the tenant;
receive requests with respect to the plurality of provisioned resources;
identify an individual policy of the plurality of resource policy sets that is associated with a request of the received requests based at least in part on conditions associated with the request, the conditions
including a network protocol, a time period associated with the request, and an operating environment parameter associated with the request, the operating environment parameter including an
originating administrative division associated with the request and a determination that the request originated from a particular external client or a particular internal multi-tenant distributed service;
determine a decision data set from a decision data cache based at least in part on the identified individual policy, the decision data set including resource name resolution data and geographic location
mapping data, the geographic location mapping data corresponding to an origin network address associated with the request or a destination network address associated with the request;
update the decision data cache based on the determined decision data set;
evaluate the request with respect to the individual policy and the determined decision data set; and
update the plurality of resource policy sets based on evaluation of a resource policy set update notification.