CPC H04L 63/101 (2013.01) [H04L 41/0627 (2013.01); H04L 41/22 (2013.01); H04L 63/0435 (2013.01); H04L 63/20 (2013.01); H04L 63/105 (2013.01)]; 20 Claims
1. A system, comprising:
an access control analyzer comprising one or more processors and one or more memories to store computer-executable instructions that, when executed, cause the one or more processors to:
determine a graph comprising a plurality of nodes and one or more directed edges, wherein one or more of the directed edges represent role assumption transitions, wherein the nodes represent a plurality of roles in a provider network hosting a plurality of services and resources, wherein the nodes comprise a first node representing a first role and a second node representing a second role, wherein the roles are assumable by clients or other roles for role sessions and are associated with a plurality of access control policies granting or denying access, based at least in part on one or more key-value tags for a role session, to individual ones of the plurality of services and resources for a role session during which the role is assumed; and
determine, based at least in part on a role reachability analysis of the graph, whether the first role can assume the second role using one or more role assumption steps for a particular state of the one or more key-value tags, wherein an individual one of the role assumption steps provides temporary access during a role session, and wherein the one or more key-value tags comprise one or more transitive tags that persist during the one or more role assumption steps.
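The role reachability analysis recited in claim 1, shown as an added example written for this page (it is not code from the patent or from any provider's access control analyzer): roles are graph nodes, each role assumption transition is a directed edge whose trust-policy condition is modelled as equality matches on the caller's session tags, and a breadth-first search over (role, tag state) pairs decides whether a first role can reach a second role. Tags marked transitive persist through every assumption step; non-transitive tags are dropped when a new role session begins, which is what makes the same graph reachable or unreachable depending on the tag state. The role names (`ci-runner`, `deploy`, `prod-admin`), the `team` tag and the policy conditions are constructed assumptions.

```python
"""Role-assumption reachability over a tag-conditioned role graph.

Added example; not the patent's or any provider's implementation.
Role names, tag keys and trust-policy conditions are constructed.
Conditions are modelled as equality matches on the caller's session tags
(the aws:PrincipalTag/<key> style of condition), which is an assumption.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Edge:
    """One role assumption transition src -> dst.

    requires:   tag key/value pairs the caller's session must carry for the
                trust policy on dst to allow the assumption step.
    sets:       session tags the caller passes to the new role session.
    transitive: keys marked transitive on this step; they then persist
                through every later assumption step.
    """
    src: str
    dst: str
    requires: dict[str, str] = field(default_factory=dict)
    sets: dict[str, str] = field(default_factory=dict)
    transitive: frozenset[str] = frozenset()


@dataclass(frozen=True)
class SessionState:
    """A role session: the assumed role plus its current tag state."""
    role: str
    tags: frozenset[tuple[str, str]]
    transitive_keys: frozenset[str]

    def tag(self, key: str) -> str | None:
        return dict(self.tags).get(key)


def next_state(state: SessionState, edge: Edge) -> SessionState | None:
    """Apply one assumption step; None if the trust policy denies it."""
    if edge.src != state.role:
        return None
    # Trust-policy check against the caller's current session tags.
    for key, value in edge.requires.items():
        if state.tag(key) != value:
            return None
    current = dict(state.tags)
    # Transitive tags persist into the new session and cannot be overridden.
    new_tags = {k: current[k] for k in state.transitive_keys if k in current}
    for key, value in edge.sets.items():
        new_tags.setdefault(key, value)
    # Non-transitive tags of the previous session are not carried over.
    new_transitive = state.transitive_keys | (edge.transitive & frozenset(new_tags))
    return SessionState(edge.dst, frozenset(new_tags.items()), new_transitive)


def reachable(edges: list[Edge], start: SessionState, target: str) -> list[Edge] | None:
    """BFS over (role, tag state) pairs; returns the edges used, or None."""
    seen = {start}
    queue: deque[tuple[SessionState, list[Edge]]] = deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        if state.role == target:
            return path
        for edge in edges:
            nxt = next_state(state, edge)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [edge]))
    return None


def build_graph() -> list[Edge]:
    # Constructed graph: a CI role may assume a deploy role, which may in turn
    # assume a production admin role; both trust policies require team=platform.
    return [
        Edge("ci-runner", "deploy", requires={"team": "platform"}),
        Edge("deploy", "prod-admin", requires={"team": "platform"}),
    ]


def analyze(team_tag_transitive: bool) -> list[str] | None:
    """Can ci-runner reach prod-admin for this state of the team tag?"""
    start = SessionState(
        role="ci-runner",
        tags=frozenset({("team", "platform")}),
        transitive_keys=frozenset({"team"}) if team_tag_transitive else frozenset(),
    )
    path = reachable(build_graph(), start, "prod-admin")
    return None if path is None else [f"{e.src}->{e.dst}" for e in path]


if __name__ == "__main__":
    # The tag is dropped after the first hop, so the second trust policy denies.
    print("non-transitive team tag:", analyze(False))
    # The tag persists, so both steps are allowed and prod-admin is reachable.
    print("transitive team tag:", analyze(True))
```

The search keys its visited set on the full session state rather than on the role alone; two sessions of the same role with different tag states are different nodes for reachability purposes, which is exactly why the same two-edge graph yields a path in one case and none in the other.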