US 12,034,727 B2
Analysis of role reachability with transitive tags
John Byron Cook, Brooklyn, NY (US); Neha Rungta, San Jose, CA (US); Carsten Varming, Brooklyn, NY (US); Daniel George Peebles, Richland, WA (US); Daniel Kroening, Oxford (GB); and Alejandro Naser Pastoriza, Madrid (ES)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Dec. 11, 2020, as Appl. No. 17/119,855.
Claims priority of application No. 202031233 (ES), filed on Dec. 10, 2020.
Prior Publication US 2022/0191205 A1, Jun. 16, 2022
Int. Cl. H04L 9/40 (2022.01); H04L 41/0604 (2022.01); H04L 41/22 (2022.01)
CPC H04L 63/101 (2013.01) [H04L 41/0627 (2013.01); H04L 41/22 (2013.01); H04L 63/0435 (2013.01); H04L 63/20 (2013.01); H04L 63/105 (2013.01)] 20 Claims
 
1. A system, comprising:
an access control analyzer comprising one or more processors and one or more memories to store computer-executable instructions that, when executed, cause the one or more processors to:
determine a graph comprising a plurality of nodes and one or more directed edges, wherein one or more of the directed edges represent role assumption transitions, wherein the nodes represent a plurality of roles in a provider network hosting a plurality of services and resources, wherein the nodes comprise a first node representing a first role and a second node representing a second role, wherein the roles are assumable by clients or other roles for role sessions and are associated with a plurality of access control policies granting or denying access, based at least in part on one or more key-value tags for a role session, to individual ones of the plurality of services and resources for a role session during which the role is assumed; and
determine, based at least in part on a role reachability analysis of the graph, whether the first role can assume the second role using one or more role assumption steps for a particular state of the one or more key-value tags, wherein an individual one of the role assumption steps provides temporary access during a role session, and wherein the one or more key-value tags comprise one or more transitive tags that persist during the one or more role assumption steps.
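The reachability analysis the claim describes, modelled as an added illustrative example (not the patent's or Amazon's implementation): roles are nodes, role-assumption transitions are edges guarded by conditions on the caller session's key-value tags, and a breadth-first search over (role, tag state) decides whether one role can reach another. Transitive tags carry over into every later role session and cannot be overridden; all role names, tags and edges below are constructed.

```python
from collections import deque

# Constructed model for illustration only. An edge is one permitted role-assumption
# transition: caller role -> target role, allowed only when the caller session's tags
# satisfy `cond`; the new session receives `set_tags`, and the keys listed in
# `transitive` persist through every later assumption step in the chain.
EDGES = [
    # (src,     dst,      cond,                               set_tags,             transitive)
    ("Dev",    "Deploy", {"team": "payments"},                {"env": "prod"},      set()),
    ("Deploy", "Prod",   {"team": "payments", "env": "prod"}, {},                   set()),
    ("Deploy", "Audit",  {"team": "security"},                {},                   set()),
    ("Dev",    "Audit",  {},                                  {"team": "security"}, set()),
]

def step(session, transitive, edge):
    """Apply one assume-role step; return (new_session, new_transitive) or None if denied."""
    _, _, cond, set_tags, trans_keys = edge
    if any(session.get(k) != v for k, v in cond.items()):
        return None  # trust condition on the caller's tags is not met
    if any(k in transitive for k in set_tags):
        return None  # a tag inherited as transitive cannot be overridden
    new_session = {k: v for k, v in session.items() if k in transitive}  # only transitive tags carry over
    new_session.update(set_tags)
    return new_session, transitive | {k for k in set_tags if k in trans_keys}

def reachable(start, target, session, transitive=frozenset(), edges=EDGES):
    """BFS over (role, session tags, transitive keys); return the role path to `target` or None."""
    def key(role, s, t):
        return (role, frozenset(s.items()), frozenset(t))
    first = (start, dict(session), frozenset(transitive))
    seen, queue = {key(*first)}, deque([(first, [start])])
    while queue:
        (role, s, t), path = queue.popleft()
        if role == target:
            return path
        for edge in edges:
            if edge[0] != role:
                continue
            nxt = step(s, t, edge)
            if nxt is not None and key(edge[1], *nxt) not in seen:
                seen.add(key(edge[1], *nxt))
                queue.append(((edge[1], *nxt), path + [edge[1]]))
    return None

if __name__ == "__main__":
    # With team=payments marked transitive, Dev reaches Prod but can never reach Audit.
    print(reachable("Dev", "Prod", {"team": "payments"}, {"team"}))   # ['Dev', 'Deploy', 'Prod']
    print(reachable("Dev", "Audit", {"team": "payments"}, {"team"}))  # None
    print(reachable("Dev", "Audit", {"team": "payments"}))            # ['Dev', 'Audit'] (tag not transitive)
```

The same start role and start tags give different answers depending on which tags are transitive, which is why a tag-agnostic graph walk over-approximates reachability.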