
US-12625947-B2 - Isolated runtime environments for securing secrets used to access remote resources from compute instances

US 12625947 B2

Abstract

An instance secrets management isolated runtime environment is launched at a virtualization server, and utilizes a subset of memory assigned to a compute instance. The subset of memory is inaccessible from entities external to the runtime environment. A secrets manager of the runtime environment provides a security artifact to an application, running at the compute instance, which has requested access to a resource. The artifact is generated by the secrets manager using a security secret associated with the compute instance; the secret is not accessible to programs external to the runtime environment. In response to a determination that the artifact is valid, the application obtains access to the resource.

Inventors

  • Joshua Benjamin Levinson
  • Colm MacCarthaigh
  • Alexander Graf
  • Iulia-Daniela Doras-Prodan
  • Petre Eftime

Assignees

  • AMAZON TECHNOLOGIES, INC.

Dates

Publication Date
2026-05-12
Application Date
2022-06-30

Claims (20)

  1. A system, comprising: a control plane server of a virtualized computing service of a cloud provider network; a virtualization server of the virtualized computing service; and a resource manager of a collection of resources of another service of the cloud provider network; wherein the control plane server comprises one or more processors and corresponding memory and is configured to: cause an instance secrets management isolated runtime environment to be launched at the virtualization server, wherein the instance secrets management isolated runtime environment uses a subset of memory assigned to a compute instance of the virtualization server, wherein the instance secrets management isolated runtime environment is launched without receiving a launch request for the instance secrets management isolated runtime environment from a client of the virtualized computing service on whose behalf the compute instance is launched, wherein the subset of memory is inaccessible from programs running outside the instance secrets management isolated runtime environment, wherein network communication with endpoints outside the virtualization server is prohibited from the instance secrets management isolated runtime environment, and wherein the instance secrets management isolated runtime environment comprises a secrets manager; wherein the secrets manager is configured to: determine, from a security service of the cloud provider network, a cryptographic key associated with an authorization role assigned to the compute instance, without receiving a request from the client to determine the cryptographic key, wherein the cryptographic key is not accessible by programs that are (a) running at the virtualization server and (b) not running within the instance secrets management isolated runtime environment; and obtain an indication of a request, generated by an application running within the compute instance, to access a resource of the collection of resources; and provide, to the application, a signature associated with at least a portion of the request, wherein the signature is generated by the secrets manager using at least the cryptographic key; and wherein the resource manager is configured to: provide, to the application, access to the resource in response to a determination that the signature is acceptable and the authorization role permits access to the resource.
  2. The system as recited in claim 1, wherein the control plane server is further configured to: verify, prior to causing the instance secrets management isolated runtime environment to be launched, that the client has not opted out of a use of instance secrets management isolated runtime environments.
  3. The system as recited in claim 1, wherein the control plane server is further configured to: obtain, via a programmatic interface from the client, an indication of an expiration criterion for one or more security secrets managed by the secrets manager, including the cryptographic key; and wherein the secrets manager is further configured to: obtain a replacement cryptographic key in accordance with the expiration criterion.
  4. The system as recited in claim 1, wherein the cryptographic key is obtained at the secrets manager after validation of at least a portion of installed software of the virtualization server.
  5. The system as recited in claim 1, wherein the control plane server is further configured to: obtain an indication, from the client via a programmatic interface, that the authorization role is to be assigned to the compute instance.
  6. A computer-implemented method, comprising: launching an instance secrets management isolated runtime environment using a first subset of memory assigned to a compute instance of a virtualization server of a virtualized computing service, without receiving a request for the instance secrets management isolated runtime environment from a client on whose behalf the compute instance is launched, wherein the first subset of memory is inaccessible from programs running outside the instance secrets management isolated runtime environment, and wherein the instance secrets management isolated runtime environment comprises a first secrets manager; generating, by the first secrets manager using a first security secret associated with the compute instance, a first security artifact, wherein the first security secret is not accessible to programs that are running within the compute instance and are not running within the instance secrets management isolated runtime environment; providing, to an application within the compute instance by the first secrets manager within the instance secrets management isolated runtime environment launched using the first subset of memory assigned to the compute instance, the first security artifact associated with a request to access a first resource from the application; and obtaining, by the application, in response to a determination that the first security artifact is valid, access to the first resource.
  7. The computer-implemented method as recited in claim 6, further comprising: obtaining, via a programmatic interface, a request from the client to assign a first authorization role to the compute instance, wherein the first security secret is generated based at least in part on the first authorization role, and wherein the first authorization role grants the compute instance permission to access the first resource.
  8. The computer-implemented method as recited in claim 7, further comprising: obtaining, via the programmatic interface, a request from the client to assign a second authorization role to the compute instance, wherein the second authorization role grants the compute instance permission to access a second resource; and providing, to another application within the compute instance by the first secrets manager, another security artifact associated with a request to access the second resource from the other application, wherein the other security artifact is generated by the first secrets manager using a second security secret associated with the second authorization role, wherein the second security secret is not accessible to programs that are running within the compute instance and are not running within the instance secrets management isolated runtime environment.
  9. The computer-implemented method as recited in claim 6, further comprising: obtaining, via a programmatic interface, an indication that the client has opted in to use of the instance secrets management isolated runtime environment, wherein the instance secrets management isolated runtime environment is launched based at least in part on the indication.
  10. The computer-implemented method as recited in claim 6, further comprising: obtaining, via a programmatic interface from the client, an indication of an expiration criterion for one or more security secrets managed by the first secrets manager, including the first security secret; and obtaining, by the first secrets manager, a replacement security secret for the first security secret in accordance with the expiration criterion.
  11. The computer-implemented method as recited in claim 6, further comprising: validating at least a portion of installed software of the virtualization server prior to providing the first security secret to the first secrets manager.
  12. The computer-implemented method as recited in claim 6, further comprising: obtaining the first security secret by the first secrets manager during a boot procedure of the instance secrets management isolated runtime environment, prior to generation of the request to access the first resource.
  13. The computer-implemented method as recited in claim 6, further comprising: obtaining the first security secret by the first secrets manager in response to an indication of the request to access the first resource.
  14. The computer-implemented method as recited in claim 6, further comprising: utilizing, by the first secrets manager, one or more shared memory buffers to communicate with entities external to the instance secrets management isolated runtime environment.
  15. The computer-implemented method as recited in claim 6, further comprising: launching a client-requested isolated runtime environment using a second subset of memory assigned to the compute instance; and utilizing, by a second secrets manager running within the client-requested isolated runtime environment, a second security secret to generate a second security artifact to be utilized by another application running within the compute instance, wherein the second security secret is obtained from a source indicated by the client, and wherein the second security secret is not accessible by the first secrets manager.
  16. A non-transitory computer-accessible storage medium storing program instructions that when executed on a processor: cause an instance secrets management isolated runtime environment to be launched at a virtualization server of a virtualized computing service, wherein the instance secrets management isolated runtime environment utilizes a subset of memory assigned to a compute instance of the virtualization server, wherein the subset of memory is inaccessible from programs running outside the instance secrets management isolated runtime environment, and wherein the instance secrets management isolated runtime environment comprises a secrets manager; generate, by the secrets manager using a first security secret associated with the compute instance, a first security artifact, wherein the first security secret is not accessible to programs that are running within the compute instance and are not running within the instance secrets management isolated runtime environment; provide, to an application within the compute instance by the secrets manager within the instance secrets management isolated runtime environment launched using the subset of memory assigned to the compute instance, the security artifact associated with a request to access a resource from the application; and obtain, by the application, in response to a determination that the security artifact is valid, access to the resource.
  17. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the security secret is generated based at least in part on an authorization role assigned to the compute instance by a client on whose behalf the compute instance is launched, and wherein the authorization role grants the compute instance permission to access the resource.
  18. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the instance secrets management isolated runtime environment is launched after a determination is made that a client on whose behalf the compute instance is launched has opted in to use of at least one instance secrets management isolated runtime environment.
  19. The non-transitory computer-accessible storage medium as recited in claim 16, storing further program instructions that when executed on the processor: cause the secrets manager to obtain a replacement for the security secret in accordance with an expiration criterion for security secrets, wherein the expiration criterion is indicated by a client on whose behalf the compute instance is launched.
  20. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the resource comprises one or more of: (a) a data item stored at an object storage service, or (b) a data item stored at a database service.
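The abstract and claims 1, 3, 8, 10, 12 and 14 describe a request-signing flow in which the role key never leaves the isolated runtime environment: the application builds a request, hands the portion to be signed to the secrets manager, receives a signature, and the resource manager accepts the request only if the signature verifies and the role permits access. The following Python model is an added illustration written for this page; it is not code from the patent or from any cloud provider, and it uses HMAC-SHA256 as a stand-in for whatever signature scheme an implementation would use. The `SecurityService`, `IsolatedSecretsManager`, `ResourceManager` and `app_fetch` names, the "reader"/"writer" roles and the `bucket/...` objects are all constructed for the example; real memory isolation is what stops the application from reading `_keys`, which a plain Python object cannot enforce.

```python
"""Model of the instance-secrets signing flow from the abstract and claims.

Constructed example for this page; not the patent's or any provider's code.
HMAC-SHA256 stands in for the signature scheme, and in-process objects stand
in for the security service, the isolated runtime environment and the
resource manager.  The one property the model does reproduce faithfully is
that the application only ever handles requests and signatures, never keys.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SecurityService:
    """Stand-in for the provider's security service: one key per authorization role.
    Keys are handed only to the secrets manager inside the isolated environment
    (claim 1) and to the resource manager that verifies signatures."""
    _role_keys: dict = field(default_factory=dict)

    def key_for_role(self, role: str) -> bytes:
        if role not in self._role_keys:
            self._role_keys[role] = secrets.token_bytes(32)
        return self._role_keys[role]

    def rotate(self, role: str) -> None:
        """Issue a replacement key, as the client's expiration criterion would
        trigger (claims 3 and 10).  Old signatures stop verifying immediately."""
        self._role_keys[role] = secrets.token_bytes(32)


def canonical(method: str, resource: str, body: bytes) -> bytes:
    """Canonical form of the 'portion of the request' that gets signed (claim 1).
    The body is bound by its hash so the signed blob stays small."""
    body_hash = hashlib.sha256(body).hexdigest().encode()
    return b"\n".join([method.encode(), resource.encode(), body_hash])


class IsolatedSecretsManager:
    """Models the secrets manager running inside the isolated runtime environment.
    It fetches keys for the instance's assigned roles at boot (claim 12) and
    exposes only a signing operation: there is deliberately no accessor that
    returns a key, which is the interface the shared memory buffer of claim 14
    would carry (request in, signature out)."""

    def __init__(self, security_service: SecurityService, roles) -> None:
        self._svc = security_service
        self._keys = {r: security_service.key_for_role(r) for r in roles}

    def refresh(self, role: str) -> None:
        """Pick up a replacement key after rotation (claims 3 and 10)."""
        self._keys[role] = self._svc.key_for_role(role)

    def sign(self, role: str, canonical_request: bytes) -> str:
        # One key per role, so a second role gets a second secret (claim 8).
        if role not in self._keys:
            raise PermissionError(f"role {role!r} is not assigned to this instance")
        return hmac.new(self._keys[role], canonical_request, hashlib.sha256).hexdigest()


class ResourceManager:
    """Models the other service's resource manager (claim 1): verify the signature
    with the role's current key, then check that the role permits the resource."""

    def __init__(self, security_service: SecurityService, permissions: dict, objects: dict) -> None:
        self._svc = security_service
        self._permissions = permissions  # role -> set of resource names
        self._objects = objects          # resource name -> stored bytes

    def handle(self, role: str, method: str, resource: str, body: bytes, signature: str) -> bytes:
        expected = hmac.new(self._svc.key_for_role(role),
                            canonical(method, resource, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):   # constant-time compare
            raise PermissionError("signature not acceptable")
        if resource not in self._permissions.get(role, set()):
            raise PermissionError(f"role {role!r} may not access {resource!r}")
        return self._objects[resource]


def app_fetch(manager: IsolatedSecretsManager, rm: ResourceManager, role: str, resource: str) -> bytes:
    """What an application inside the compute instance does: build the request,
    obtain a signature over its canonical portion, forward both.  No key here."""
    method, body = "GET", b""
    signature = manager.sign(role, canonical(method, resource, body))
    return rm.handle(role, method, resource, body, signature)


def is_denied(thunk) -> bool:
    """True if the call is refused by the secrets manager or resource manager."""
    try:
        thunk()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    svc = SecurityService()
    # Constructed sample data: two objects, one role that may read only the first.
    rm = ResourceManager(svc, {"reader": {"bucket/a"}}, {"bucket/a": b"alpha", "bucket/b": b"beta"})
    mgr = IsolatedSecretsManager(svc, ["reader"])
    print(app_fetch(mgr, rm, "reader", "bucket/a"))                 # b'alpha'
    print(is_denied(lambda: app_fetch(mgr, rm, "reader", "bucket/b")))  # True: role lacks permission
    svc.rotate("reader")
    print(is_denied(lambda: app_fetch(mgr, rm, "reader", "bucket/a")))  # True: stale key after rotation
    mgr.refresh("reader")
    print(app_fetch(mgr, rm, "reader", "bucket/a"))                 # b'alpha' again
```

Two points worth noting for anyone implementing something along these lines: the resource manager verifies with the key it obtains from the security service, so a client-side secrets manager that misses a rotation simply starts failing (a clean failure mode, and the reason claims 3 and 10 pair the expiration criterion with obtaining a replacement), and the signature covers the resource name, so a signature obtained for one object cannot be replayed against another.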

Description

BACKGROUND

The advent of virtualization technologies for commodity hardware has provided benefits with respect to managing large-scale computing resources for many customers with diverse needs, allowing various computing resources to be efficiently and securely shared by multiple customers. For example, virtualization technologies may allow a single physical computing machine to be shared among multiple users by providing each user with one or more virtual machines hosted by the single physical computing machine. Each such virtual machine may be regarded as a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource, while also providing application isolation and security among the various virtual machines. In cloud-based computing environments, programs running within a given virtual machine or compute instance of a virtualized computing service may need to access remote resources at other services, and the requests to access the remote resources may need to be secured.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an example system environment in which automatically launched isolated runtime environments may be utilized to enhance the security of secrets utilized for accessing remote resources from compute instances at a virtualized computing service of a cloud provider network, according to at least some embodiments.
FIG. 2 illustrates an example remote request submission protocol that may be employed at a cloud provider network, according to at least some embodiments.
FIG. 3 illustrates components of a virtualization server at which an instance secrets management isolated runtime environment may be launched, according to at least some embodiments.
FIG. 4 illustrates example interactions associated with acquisition of instance secrets by a secrets manager running within an isolated runtime environment, according to at least some embodiments.
FIG. 5 illustrates example interactions associated with the transmission of access requests for which signatures are generated by a secrets manager running within an isolated runtime environment, according to at least some embodiments.
FIG. 6 illustrates an example scenario in which multiple authorization roles, each with a respective associated instance secret, may be assigned to a single compute instance, according to at least some embodiments.
FIG. 7 illustrates an example scenario in which multiple isolated runtime environments may be established within a compute instance, according to at least some embodiments.
FIG. 8 illustrates example programmatic interactions, related to instance secrets management, between clients and a virtualized computing service, according to at least some embodiments.
FIG. 9 is a flow diagram illustrating aspects of operations which may be performed to use isolated runtime environments to manage instance secrets, according to at least some embodiments.
FIG. 10 is a block diagram illustrating an example computing device that may be used in at least some embodiments.

While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims.

As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to. When used in the claims, the term “or” is used as an inclusive or and not as an exclusive or. For example, the phrase “at least one of x, y, or z” means any one of x, y, and z, as well as any combination thereof. Unless otherwise explicitly stated, articles such as “a” or “an” should generally be interpreted to include one or more described items throughout this application. Accordingly, phrases such as “a device configured to” are intended to include one or more recited devices. Such one or more recited devices can also be collectively configured to carry out the stated recitations. For example, “a processor configured to carry out recitations A, B and C” can include a first processor configured to carry out recitation A working in conjunction with a second processor configured to carry out recitations B and C. Unless otherwise explicitly stated, the term “set” should generally be interpreted to inclu