
US-12619765-B2 - Existing policy determinations for an identity set


Abstract

A plurality of identities may be added to a new policy identity pool associated with new policy generation. Each identity of the plurality of identities may have respective selected permissions associated with permission usage by the identity. A new policy may be generated, based on a set of new policy constraints, that corresponds to a largest group of identities within the new policy identity pool for which the set of new policy constraints is satisfied. The set of new policy constraints may include a first constraint that the new policy includes the respective selected permissions for each identity within the largest group of identities and a second constraint that the new policy does not exceed one or more maximum additional permission thresholds. One or more indications may be provided, to a user, to attach the new policy to each identity within the largest group of identities.

Inventors

  • Atiye Alaeddini

Assignees

  • AMAZON TECHNOLOGIES, INC.

Dates

Publication Date
2026-05-05
Application Date
2022-03-30

Claims (20)

  1. A computing system comprising: one or more processors; and one or more memories having stored therein instructions that, upon execution by the one or more processors, cause the one or more processors to perform operations comprising: adding a plurality of user sets to a user set pool associated with new policy generation, wherein each user set of the plurality of user sets has respective permissions associated with permission usage by the user set, wherein the respective permissions include one or more permissions that have been used by the user set within a prior time window; generating, based on a set of new policy constraints, a new policy that corresponds to a largest group of user sets within the user set pool for which the set of new policy constraints is satisfied, wherein the set of new policy constraints includes a first constraint that the new policy includes the respective permissions for each user set within the largest group of user sets and a second constraint that the new policy does not exceed one or more additional permission thresholds; providing, to a user, one or more indications to attach the new policy to each user set within the largest group of user sets; removing the largest group of user sets from the user set pool; and repeating the generating, the providing, and the removing until the user set pool is empty.
  2. The computing system of claim 1, wherein the operations further comprise: determining, individually for each user set of the plurality of user sets, that there is no group of one or more existing policies that satisfies a set of existing policy constraints for the user set.
  3. The computing system of claim 2, wherein each user set of the plurality of user sets is added to the user set pool based on there being no group of one or more existing policies that satisfies the set of existing policy constraints for the user set.
  4. The computing system of claim 1, wherein the set of new policy constraints further includes a third constraint that the new policy does not exceed a permission quantity threshold.
  5. A computer-implemented method comprising: adding a plurality of user sets to a user set pool associated with new policy generation, wherein each user set of the plurality of user sets has respective permissions associated with permission usage by the user set, wherein the respective permissions include one or more permissions that have been used by the user set within a prior time window; generating, based on a set of new policy constraints, a new policy that corresponds to a largest group of user sets within the user set pool for which the set of new policy constraints is satisfied, wherein the set of new policy constraints includes a first constraint that the new policy includes the respective permissions for each user set within the largest group of user sets and a second constraint that the new policy does not exceed one or more additional permission thresholds; and providing, to a user, one or more indications to attach the new policy to each user set within the largest group of user sets.
  6. The computer-implemented method of claim 5, wherein the one or more additional permission thresholds comprise a plurality of additional permission thresholds, and wherein each user set of the user set pool has a respective additional permission threshold of the plurality of additional permission thresholds.
  7. The computer-implemented method of claim 5, further comprising: determining, individually for each user set of the plurality of user sets, that there is no group of one or more existing policies that satisfies a set of existing policy constraints for the user set.
  8. The computer-implemented method of claim 7, wherein each user set of the plurality of user sets is added to the user set pool based on there being no group of one or more existing policies that satisfies the set of existing policy constraints for the user set.
  9. The computer-implemented method of claim 5, further comprising: removing the largest group of user sets from the user set pool; and repeating the generating, the providing, and the removing until the user set pool is empty.
  10. The computer-implemented method of claim 5, wherein the set of new policy constraints further includes a third constraint that the new policy does not exceed a permission quantity threshold.
  11. The computer-implemented method of claim 5, wherein the user set pool is a user set cluster of a plurality of user set clusters formed based on a permission-based clustering of a parent user set pool.
  12. The computer-implemented method of claim 5, further comprising: determining, for each user set of the plurality of user sets, the respective permissions.
  13. The computer-implemented method of claim 5, wherein the respective permissions further include permissions that are estimated to have greater than a threshold probability of being used, by the user set, in a future time period.
  14. One or more non-transitory computer-readable storage media having stored thereon computing instructions that, upon execution by one or more computing devices, cause the one or more computing devices to perform operations comprising: adding a plurality of user sets to a user set pool associated with new policy generation, wherein each user set of the plurality of user sets has respective permissions associated with permission usage by the user set, wherein the respective permissions include one or more permissions that have been used by the user set within a prior time window; generating, based on a set of new policy constraints, a new policy that corresponds to a largest group of user sets within the user set pool for which the set of new policy constraints is satisfied, wherein the set of new policy constraints includes a first constraint that the new policy includes the respective permissions for each user set within the largest group of user sets and a second constraint that the new policy does not exceed one or more additional permission thresholds; and providing, to a user, one or more indications to attach the new policy to each user set within the largest group of user sets.
  15. The one or more non-transitory computer-readable storage media of claim 14, wherein the one or more additional permission thresholds comprise a plurality of additional permission thresholds, and wherein each user set of the user set pool has a respective additional permission threshold of the plurality of additional permission thresholds.
  16. The one or more non-transitory computer-readable storage media of claim 14, wherein the operations further comprise: determining, individually for each user set of the plurality of user sets, that there is no group of one or more existing policies that satisfies a set of existing policy constraints for the user set.
  17. The one or more non-transitory computer-readable storage media of claim 16, wherein each user set of the plurality of user sets is added to the user set pool based on there being no group of one or more existing policies that satisfies the set of existing policy constraints for the user set.
  18. The one or more non-transitory computer-readable storage media of claim 14, wherein the operations further comprise: removing the largest group of user sets from the user set pool; and repeating the generating, the providing, and the removing until the user set pool is empty.
  19. The one or more non-transitory computer-readable storage media of claim 14, wherein the set of new policy constraints further includes a third constraint that the new policy does not exceed a permission quantity threshold.
  20. The one or more non-transitory computer-readable storage media of claim 14, wherein the respective permissions further include permissions that are estimated to have greater than a threshold probability of being used, by the user set, in a future time period.
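The grouping procedure recited in claims 1, 4, 5, 6 and 9, as an added worked example in Python. This is not code from the patent or from Amazon: the identities, permission names and thresholds are constructed for illustration, and the exhaustive subset search is an assumption, since the page does not show how the largest satisfying group is found (the formulas of FIGS. 16A-B are not reproduced here). The smallest policy that meets the first constraint is the union of the group's used permissions, so the second constraint reduces to checking how many of those union permissions each member never used. The example goes slightly beyond the claims in handling an identity that cannot satisfy the constraints even on its own, which would otherwise keep the pool from ever emptying.

```python
from itertools import combinations

# Constructed sample input (not from the patent): the permissions each identity
# actually used within the prior time window. Action names are IAM-style
# placeholders chosen for illustration.
USED_PERMISSIONS = {
    "app-reader":  {"s3:GetObject", "s3:ListBucket"},
    "app-writer":  {"s3:GetObject", "s3:PutObject"},
    "etl-job":     {"s3:GetObject", "s3:ListBucket", "s3:PutObject"},
    "admin-like":  {"iam:CreateUser", "iam:AttachUserPolicy", "s3:GetObject"},
    "log-shipper": {"logs:CreateLogStream", "logs:PutLogEvents"},
}


def policy_for_group(group, used):
    """Smallest policy meeting the first constraint: the union of every
    member's used permissions. Anything beyond this union would only add
    permissions no member has used."""
    perms = set()
    for ident in group:
        perms |= used[ident]
    return frozenset(perms)


def threshold_for(ident, extra_threshold):
    """Claim 6 allows a per-identity threshold; accept an int or a dict."""
    if isinstance(extra_threshold, dict):
        return extra_threshold[ident]
    return extra_threshold


def satisfies_constraints(group, used, extra_threshold, quantity_threshold=None):
    """Check the new-policy constraints for a candidate group."""
    policy = policy_for_group(group, used)
    # Optional third constraint (claims 4, 10, 19): cap on total permissions.
    if quantity_threshold is not None and len(policy) > quantity_threshold:
        return False
    # Second constraint: each member receives at most its threshold of
    # permissions it never used. This is the least-privilege bound.
    for ident in group:
        if len(policy - used[ident]) > threshold_for(ident, extra_threshold):
            return False
    return True


def largest_satisfying_group(pool, used, extra_threshold, quantity_threshold=None):
    """Return the largest group in the pool meeting the constraints.
    Assumption: exhaustive subset search, fine for small pools. Ties among
    groups of the same size go to the smaller policy, then to name order,
    so the result is deterministic."""
    pool = sorted(pool)
    for size in range(len(pool), 0, -1):
        candidates = [
            g for g in combinations(pool, size)
            if satisfies_constraints(g, used, extra_threshold, quantity_threshold)
        ]
        if candidates:
            return min(candidates, key=lambda g: (len(policy_for_group(g, used)), g))
    return ()


def generate_new_policies(used, extra_threshold, quantity_threshold=None):
    """Greedy loop of claims 1 and 9: build a policy for the largest
    satisfying group, recommend attaching it, remove the group, repeat until
    the pool is empty. Identities that fail the constraints even alone (for
    example, more used permissions than the quantity cap allows) are returned
    separately so the loop terminates instead of spinning."""
    pool = set(used)
    recommendations = []
    while pool:
        group = largest_satisfying_group(pool, used, extra_threshold, quantity_threshold)
        if not group:
            break
        recommendations.append((group, sorted(policy_for_group(group, used))))
        pool -= set(group)
    return recommendations, sorted(pool)


if __name__ == "__main__":
    recs, uncoverable = generate_new_policies(USED_PERMISSIONS, extra_threshold=1)
    for group, policy in recs:
        print("attach", policy, "to", list(group))
    print("no policy satisfies the constraints for:", uncoverable)
```

With a global threshold of one unused permission per member, the three S3 identities are grouped under a single three-action policy while the IAM-capable identity and the log shipper each get their own; tightening `extra_threshold` for `app-reader` to zero splits it out, and a `quantity_threshold` of two leaves `admin-like` and `etl-job` uncoverable. The threshold is where the over-provisioning risk the background describes lives: raising it lets one shared policy absorb more identities, but every permission a member never used is standing privilege an attacker who compromises that identity inherits.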

Description

BACKGROUND

Identity management services may allow customers to control and manage access to computing services and resources by creating identities (e.g., users, groups, roles, etc.) and defining permissions for the identities. When attempting to attach policies to an identity, customers may have the options of attaching one or more existing policies and/or creating one or more new policies that are specially tailored to the identity. But creation of new policies from scratch for every identity may require considerable time and effort and may be prone to errors. Some customers that don't wish to invest this considerable time and energy may prefer to use existing policies. However, since customers do not necessarily know the names of relevant policies that fit their required set of permissions, the customers may attach overly broad policies, which may pose a security risk. Customers may also be unsure of which identities could use existing policies and which identities require the creation of new policies. For example, in some cases, customers may resort to creating a new policy even when there are existing policies that may fit their required set of permissions, which may involve unnecessary expenditures of time and effort.

Additionally, when attempting to create new policies for a group of identities, such as identities within a given account, the customers may perform unnecessary steps. For example, in some cases, a customer may create a separate new policy for each identity, even in scenarios when a single policy could be generated that would cover the security requirements of multiple identities. This is because customers may be unaware of which, if any, identities could be most effectively covered together by a single new policy. Customers may also be unaware of the contents of the policy that would be required in order to cover the security requirements of these multiple identities.
BRIEF DESCRIPTION OF DRAWINGS

The following detailed description may be better understood when read in conjunction with the appended drawings. For the purposes of illustration, there are shown in the drawings example embodiments of various aspects of the disclosure; however, the invention is not limited to the specific methods and instrumentalities disclosed.

FIG. 1 is a diagram illustrating an example policy recommendation system that may be used in accordance with the present disclosure.
FIG. 2 is a diagram illustrating example permission matching granularities that may be used in accordance with the present disclosure.
FIG. 3 is a diagram illustrating example action categories that may be used in accordance with the present disclosure.
FIG. 4 is a diagram illustrating an example matching policy subset calculation formula with service-level granularity that may be used in accordance with the present disclosure.
FIG. 5 is a diagram illustrating an example matching policy subset calculation formula with individual action-level granularity that may be used in accordance with the present disclosure.
FIG. 6 is a diagram illustrating an example matching policy subset calculation formula with action category-level granularity that may be used in accordance with the present disclosure.
FIG. 7 is a diagram illustrating a first example of a policy recommendation user interface that may be used in accordance with the present disclosure.
FIG. 8 is a diagram illustrating second examples of policy recommendation user interfaces that may be used in accordance with the present disclosure.
FIG. 9 is a diagram illustrating a third example of a policy recommendation user interface that may be used in accordance with the present disclosure.
FIG. 10 is a flowchart illustrating an example policy recommendation process that may be used in accordance with the present disclosure.
FIG. 11 is a flowchart illustrating an example matching policy subset selection process that may be used in accordance with the present disclosure.
FIG. 12 is a diagram illustrating formation of new policy and existing policy identity pools that may be used in accordance with the present disclosure.
FIG. 13 is a diagram illustrating example existing policy constraints that may be used in accordance with the present disclosure.
FIGS. 14A-14C are diagrams illustrating generation of new policies that may be used in accordance with the present disclosure.
FIG. 15 is a diagram illustrating example new policy constraints that may be used in accordance with the present disclosure.
FIGS. 16A-B are diagrams illustrating example definitions and formulas related to new policy generation that may be used in accordance with the present disclosure.
FIG. 17A is a flowchart illustrating an example process for formation of new policy and existing policy identity pools that may be used in accordance with the present disclosure.
FIG. 17B is a flowchart illustrating an example new policy generation process that may be used in accordance with the present disclosure.
FIG. 18 is a diagram ill