&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=12348529.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 12,348,529 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Automated policy refiner for cloud-based identity and access management systems</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Neha Rungta,  Seattle, WA (US);  Chungha Sung,  Seattle, WA (US);  Amit Goel,  Seattle, WA (US);  Zvonimir Rakamaric,  Seattle, WA (US); and  Loris D'Antoni,  Seattle, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  Amazon Technologies, Inc.,  Seattle, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Amazon Technologies, Inc.,  Seattle, WA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Sep.  30, 2022, as Appl. No. 17/957,904.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2024/0114035 A1, Apr.  4, 2024</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>H04L 9/40</b></i> (2022.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>H04L 63/107</b></i> (2013.01)&#xa0;[<i><b>H04L 63/102</b></i> (2013.01)]</td>
            <td class="table_data" align="right"><b>20 Claims</b></td>
          </tr>
        </table>
        <center><img src="US12348529-20250701-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method comprising:<div class="claim_text">obtaining, by a policy refiner service of a cloud provider network, a log of events related to activity associated with an account of the cloud provider network, wherein an event in the log of events indicates an action performed relative to a resource of the cloud provider network;</div>
                <div class="claim_text">identifying a policy associated with the account, wherein the policy includes a statement defining a permission associated with the account, wherein the statement includes a plurality of field values defining the permission, and wherein a particular field value of the plurality of field values identifies one of: a type of action the policy allows or denies, a resource to which the statement relates, or a condition for granting the permission;</div>
                <div class="claim_text">identifying, from the log of events, a plurality of events indicating actions that were permitted based on the statement by parsing the plurality of events from the log of events and mapping individual events from the log of events to the statement from the policy that caused an identity and access management service to permit requests represented by the individual events;</div>
                <div class="claim_text">identifying a plurality of event values from the plurality of events corresponding to the particular field value in the statement;</div>
                <div class="claim_text">generating, based on the plurality of event values, a modified field value, wherein the modified field value is generated using a field-specific abstraction algorithm, and wherein the modified field value is more restrictive than the particular field value;</div>
                <div class="claim_text">determining, using a policy property analyzer, that a modified policy including the modified field value is more restrictive than the policy with the particular field value, wherein the policy property analyzer uses a Satisfiability Modulo Theories (SMT) solver to determine that the modified policy including the modified field value is more restrictive than the policy with the particular field value; and</div>
                <div class="claim_text">causing display of a suggested modification to the policy based on the modified field value, wherein the suggested modification to the policy would result in the modified policy including the modified field value.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>