17957904. AUTOMATED POLICY REFINER FOR CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT SYSTEMS simplified abstract (Amazon Technologies, Inc.)

From WikiPatents

AUTOMATED POLICY REFINER FOR CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT SYSTEMS

Organization Name

Amazon Technologies, Inc.

Inventor(s)

Neha Rungta of San Jose CA (US)

Chungha Sung of Cupertino CA (US)

Amit Goel of Portland OR (US)

Zvonimir Rakamaric of Salt Lake City UT (US)

Loris D'Antoni of Madison WI (US)

AUTOMATED POLICY REFINER FOR CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT SYSTEMS - A simplified explanation of the abstract

This abstract first appeared for US patent application 17957904 titled 'AUTOMATED POLICY REFINER FOR CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT SYSTEMS'.

Simplified Explanation

The patent application describes a policy refiner application that analyzes identity and access management (IAM) policies written by users of a cloud provider network and recommends modifications that move them toward least-privilege permissions.

  • The policy refiner receives a policy to analyze and a log of events recording activity in one or more accounts of the cloud provider network.
  • It works out which logged actions were permitted by which statements of the policy, then generalizes the field values recorded in those events into an abstraction that is more restrictive than the original statement from a policy perspective, and presents that abstraction to the user as a recommended modification.
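The two steps above, worked through on constructed input, as an added example that is not part of the patent or of any Amazon implementation. It assumes a CloudTrail-like event shape reduced to three fields, derives the IAM action name from `eventSource` and `eventName`, and uses a longest-common-prefix heuristic as the "abstraction" of observed resource values; flagging statements that permitted nothing in the log window as unused is also an assumption beyond the abstract. Real IAM evaluation (Deny statements, NotAction, Conditions, per-service ARN formats) is considerably richer.

```python
"""Toy IAM policy refiner in the spirit of the abstract above.

Added illustration, not Amazon's implementation. The CloudTrail-like event
fields, the policy shape and the longest-common-prefix abstraction are
assumptions; real IAM evaluation (Deny, NotAction, Conditions, per-service
ARN formats) is much richer than this."""
import fnmatch
import os
from collections import defaultdict

# Constructed sample: an over-broad policy granting every S3 action on everything.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Wide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample events, reduced to the fields the refiner needs.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resource": "arn:aws:s3:::app-logs/2024/01/a.gz"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resource": "arn:aws:s3:::app-logs/2024/02/b.gz"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resource": "arn:aws:s3:::app-logs/2024/02/c.gz"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "resource": "*"},  # no statement in POLICY covers this; it is ignored
]

def as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def event_action(event):
    """Derive the IAM action ('s3:GetObject') from an event. Assumption: the
    service prefix is the first label of eventSource (true for many services)."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"

def action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def resource_matches(pattern, arn):
    """Resource ARNs are case-sensitive; '*' and '?' wildcards apply."""
    return fnmatch.fnmatchcase(arn, pattern)

def statements_permitting(policy, event):
    """Step 1: attribute a logged event to the Allow statement(s) permitting it."""
    action = event_action(event)
    return [
        st["Sid"] for st in policy["Statement"]
        if st.get("Effect") == "Allow"
        and any(action_matches(p, action) for p in as_list(st["Action"]))
        and any(resource_matches(p, event["resource"]) for p in as_list(st["Resource"]))
    ]

def abstract_resources(arns):
    """Step 2 (assumed heuristic): generalise observed resource values to their
    longest common prefix, cut back to a ':' or '/' boundary, plus '*'. A single
    distinct value is kept exact; no usable boundary returns None so the caller
    keeps the original pattern rather than emitting something broader."""
    distinct = sorted(set(arns))
    if len(distinct) == 1:
        return distinct[0]
    prefix = os.path.commonprefix(distinct)
    cut = max(prefix.rfind("/"), prefix.rfind(":"))
    return prefix[:cut + 1] + "*" if cut >= 0 else None

def refine(policy, events):
    """Recommend a tighter statement for each Allow statement, built only from
    what the log shows. A statement that permitted nothing in the log window maps
    to None (assumption: surfaced as 'unused' for a human to review)."""
    seen = defaultdict(lambda: {"actions": set(), "resources": []})
    for ev in events:
        for sid in statements_permitting(policy, ev):
            seen[sid]["actions"].add(event_action(ev))
            seen[sid]["resources"].append(ev["resource"])
    recs = {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st["Sid"]
        if sid not in seen:
            recs[sid] = None
            continue
        recs[sid] = {"Sid": sid, "Effect": "Allow",
                     "Action": sorted(seen[sid]["actions"]),
                     "Resource": abstract_resources(seen[sid]["resources"]) or st["Resource"]}
    return recs

if __name__ == "__main__":
    for sid, rec in refine(POLICY, EVENTS).items():
        print(sid, "->", rec if rec else "unused in log window: review for removal")
```

On the sample input the `s3:*` on `*` statement collapses to `s3:GetObject` and `s3:PutObject` on `arn:aws:s3:::app-logs/2024/*`, and `iam:PassRole` is reported as unused. Two practitioner caveats apply to any log-driven refiner, this toy included: observed use is not the same as required use (a job that runs once a quarter leaves no trace in a 30-day window, and its action would be dropped), so the output is a proposal to review, not a change to apply blindly; and the action derivation from `eventSource` must be validated per service before trusting the attribution step.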

Potential Applications

The technology can be applied in cloud security management systems to enhance policy refinement and reduce privileges granted by policies.

Problems Solved

1. Inefficient policy management in cloud environments.
2. Lack of visibility into policy effectiveness and potential security risks.

Benefits

1. Improved security posture through least-privilege policies.
2. Enhanced compliance with regulatory requirements.
3. Streamlined policy modification process for users.

Potential Commercial Applications

Enhanced cloud security solutions for enterprises seeking to optimize their identity and access management policies.

Possible Prior Art

Prior art may include existing cloud security tools that offer policy analysis and recommendations, but may not focus specifically on refining policies based on event logs.

What are the potential limitations of this technology in real-world applications?

The technology may face challenges in handling large volumes of event logs efficiently and in accurately identifying which logged actions are relevant to a given policy statement. Because the recommendations are derived from observed activity, a log window that misses legitimate but infrequent actions would yield a policy that is too restrictive, so refinements still need review before they are applied.

How does this technology compare to existing policy management solutions in terms of user-friendliness and integration capabilities?

This technology grounds its recommendations in actual logged activity rather than in the policy text alone, so its suggestions can be more tailored and effective than those of traditional policy management solutions. Integration with existing cloud security tools and platforms would be a key factor in its usability and adoption in real-world applications.


Original Abstract Submitted

Techniques are described for providing a policy refiner application used to analyze and recommend modifications to identity and access management policies created by users of a cloud provider network (e.g., to move the policies toward least-privilege permissions). A policy refiner application receives as input a policy to analyze, and a log of events related to activity associated with one or more accounts of a cloud provider network. The policy refiner application can identify, from the log of events, actions that were permitted based on particular statements contained in the policy. Based on field values contained in the corresponding events, the policy refiner application generates an abstraction of the field values, where the abstraction of the field values may represent a more restrictive version of the field from a policy perspective. These abstractions can be presented to users as recommendations for modifying their policy to reduce the privileges granted by the policy.