Patent application number | Description | Published |
--- | --- | --- |
20100246443 | PROVIDING LOGICAL NETWORKING FUNCTIONALITY FOR MANAGED COMPUTER NETWORKS - Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users. | 09-30-2010 |
20110173637 | MANAGING PRIVATE USE OF PROGRAM EXECUTION CAPACITY - Techniques are described for managing execution of programs, including using excess program execution capacity of one or more computing systems. For example, a private pool of excess computing capacity may be maintained for a user based on unused dedicated program execution capacity allocated for that user, with the private pool of excess capacity being available for priority use by that user. Such private excess capacity pools may further in some embodiments be provided in addition to a general, non-private excess computing capacity pool that is available for use by multiple users, optionally including users who are associated with the private excess capacity pools. In some such situations, excess computing capacity may be made available to execute programs on a temporary basis, such that the programs executing using the excess capacity may be terminated at any time if other preferred use for the excess capacity arises. | 07-14-2011 |
20120084113 | VIRTUAL RESOURCE COST TRACKING WITH DEDICATED IMPLEMENTATION RESOURCES - Virtual resources may be provisioned in a manner that is aware of, and respects, underlying implementation resource boundaries. A customer of the virtual resource provider may specify that particular virtual resources are to be implemented with implementation resources that are dedicated to the customer. Dedicating an implementation resource to a particular customer of a virtual resource provider may establish one or more information barriers between the particular customer and other customers of the virtual resource provider. Implementation resources may require transition procedures, including custom transition procedures, to enter and exit dedicated implementation resource pools. Costs corresponding to active and inactive implementation resources in dedicated pools associated with a particular customer may be accounted for, and presented to, the customer in a variety of ways, including explicit, adjusted per customer, and adjusted per type of virtual resource and/or implementation resource. | 04-05-2012 |
20120084443 | VIRTUAL PROVISIONING WITH IMPLEMENTATION RESOURCE BOUNDARY AWARENESS - Virtual resources may be provisioned in a manner that is aware of, and respects, underlying implementation resource boundaries. A customer of the virtual resource provider may specify that particular virtual resources are to be implemented with implementation resources that are dedicated to the customer. Dedicating an implementation resource to a particular customer of a virtual resource provider may establish one or more information barriers between the particular customer and other customers of the virtual resource provider. Implementation resources may require transition procedures, including custom transition procedures, to enter and exit dedicated implementation resource pools. Costs corresponding to active and inactive implementation resources in dedicated pools associated with a particular customer may be accounted for, and presented to, the customer in a variety of ways, including explicit, adjusted per customer, and adjusted per type of virtual resource and/or implementation resource. | 04-05-2012 |
20120233329 | OUTSIDE LIVE MIGRATION - Global remappable addresses can be announced from multiple points across the Internet or other public networks. A global address can be mapped to one or more internal addresses for a provider, such that when traffic is received to a given network location the provider can determine whether the traffic is to be processed in the current network location or a different network location, as may be determined using a static process or a dynamic process based on any of a number of factors. If the traffic is destined for a different network location, the traffic can be remapped and forwarded to that network location over a public or private network. Once the traffic is in the determined destination network location, the traffic can be remapped and delivered to the ultimate destination. The remappings and destination network locations can be adjusted at any time, based on any of a number of factors, without significant risk of dropping traffic. | 09-13-2012 |
20120239790 | ESTABLISHING SECURE REMOTE ACCESS TO PRIVATE COMPUTER NETWORKS - Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service to create and configure computer networks that are provided by the configurable network service for use by the users. Secure private access between a computer network provided for a user by the configurable network service and one or more other remote computing systems of the user (e.g., a remote private network) may be enabled in various ways. For example, a user may programmatically invoke an API provided by the configurable network service to obtain assistance in establishing remote access from a remote location to a provided computer network of the configurable network service, such as to establish a VPN connection from the remote location to the provided computer network using hardware and/or software supplied to the remote location in response to the API invocation. | 09-20-2012 |
20120311108 | Providing Access to Configurable Private Computer Networks - Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms. | 12-06-2012 |
20130010797 | CUSTOM ROUTING DECISIONS - With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware rather than actual routers. For example, virtualization technologies such as those provided by VMWare, XEN, or User-Mode Linux can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing each virtual network user with one or more virtual machines hosted by the single physical computing machine, with each such virtual machine being a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource. In addition, routing can be accomplished through software, providing additional routing flexibility to the virtual network in comparison with traditional routing. As a result, in some implementations, supplemental information other than packet information can be used to determine network routing. | 01-10-2013 |
20130086661 | TECHNIQUES FOR CLIENT CONSTRUCTED SESSIONS - Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions on the key's use. | 04-04-2013 |
20130086662 | PARAMETER BASED KEY DERIVATION - Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions on the key's use. | 04-04-2013 |
20130086663 | KEY DERIVATION TECHNIQUES - Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information that, as a result of being used to generate the keys, renders the generated keys usable for a smaller scope of uses than the secret credential. Further, key generation may involve multiple invocations of a function where each of at least a subset of the invocations of the function results in a key that has a smaller scope of permissible use than a key produced from a previous invocation of the function. Generated keys may be used as signing keys to sign messages. One or more actions may be taken depending on whether a message and/or the manner in which the message was submitted complies with restrictions on the key's use. | 04-04-2013 |
20130204971 | PROVIDING ACCESS TO CONFIGURABLE PRIVATE COMPUTER NETWORKS - Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms. | 08-08-2013 |
20130263256 | TECHNIQUES FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS NEAR THE SOURCE - Systems and methods protect against denial of service attacks. Remotely originated network traffic addressed to one or more network destinations is routed through one or more locations. One or more of the locations may be geographically proximate to a source of a denial of service attack. One or more denial of service attack mitigation strategies is applied to portions of the network traffic received at the one or more locations. Network traffic not blocked pursuant to the one or more denial of service attack mitigation strategies is dispatched to its intended recipient. Dispatching the unblocked network traffic to its intended recipient may include the use of one or more private channels and/or one or more additional denial of service attack mitigation strategies. | 10-03-2013 |
20130311650 | MANAGING ALLOCATION OF COMPUTING CAPACITY - Systems and methods are described for managing requests for computing capacity from a provider of computing resources. The computing resources may include program execution capabilities, data storage or management capabilities, network bandwidth, etc. In some implementations, user requests are probabilistically denied or granted while some computing resources are still available. By denying some requests or granting only some, the rate of computing resource usage can be reduced, thus preserving some capacity for a longer period of time. In one embodiment, the capacity can be provided to clients based on client priority, provided to clients with reserved resources, provided to clients probabilistically, sold on a spot market, or allocated in some other fashion. | 11-21-2013 |
20140012969 | TECHNIQUES FOR NETWORK REPLICATION - In response to a request to duplicate a network, the network is duplicated. The duplicate network includes one or more virtual devices that correspond to one or more devices in the network being duplicated. The devices of the duplicate network are communicatively arranged in a manner consistent with a topology of the network being duplicated. Once the duplicate network is created, access to the duplicate network is provided. | 01-09-2014 |
20140047082 | PROVIDING ACCESS TO CONFIGURABLE PRIVATE COMPUTER NETWORKS - Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service in order to create and configure computer networks that are provided by the configurable network service for use by the users. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. If so, secure private access between an existing computer network and new computer network extension that is being provided may be enabled using one or more VPN connections or other private access mechanisms. | 02-13-2014 |
20140181278 | VIRTUAL RESOURCE PROVIDER WITH VIRTUAL CONTROL PLANES - Control planes of virtual resource providers may be customized in a secure, stable and efficient manner with virtual control planes. Control planes may be modularized. Control plane modules may be supplied with data from standardized sensors, and required to generate standardized resource configuration requests responsive to solicitations with specified response latencies. Custom control plane modules may be selected to replace or complement default control plane modules. Financial and computational costs associated with control plane modules may be tracked. Competing resource configurations may be mediated by a control plane supervisor. Such mediation may be based on control plane module reputation scores. Reputation scores may be based on customer feedback ratings and/or measured performance with respect to module goals. Mediated configuration parameter values may be based on a combination of competing configuration parameter values weighted according to reputation. Contribution of individual modules to goal achievement may be tracked and rewarded accordingly. | 06-26-2014 |
20140181677 | COST TRACKING FOR VIRTUAL CONTROL PLANES - Control planes of virtual resource providers may be customized in a secure, stable and efficient manner with virtual control planes. Control planes may be modularized. Control plane modules may be supplied with data from standardized sensors, and required to generate standardized resource configuration requests responsive to solicitations with specified response latencies. Custom control plane modules may be selected to replace or complement default control plane modules. Financial and computational costs associated with control plane modules may be tracked. Competing resource configurations may be mediated by a control plane supervisor. Such mediation may be based on control plane module reputation scores. Reputation scores may be based on customer feedback ratings and/or measured performance with respect to module goals. Mediated configuration parameter values may be based on a combination of competing configuration parameter values weighted according to reputation. Contribution of individual modules to goal achievement may be tracked and rewarded accordingly. | 06-26-2014 |
20140196130 | TECHNIQUES FOR CREDENTIAL GENERATION - Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events. | 07-10-2014 |
20140207824 | ACCESS CONTROLS ON THE USE OF FREEFORM METADATA - Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment. | 07-24-2014 |
20140207861 | ACCESS CONTROL POLICIES ASSOCIATED WITH FREEFORM METADATA - Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment. | 07-24-2014 |
20140208096 | SECURE INTERFACE FOR INVOKING PRIVILEGED OPERATIONS - A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to authorize and authenticate requests sent to a virtualization layer. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patching of software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures. | 07-24-2014 |
20140208097 | SECURING RESULTS OF PRIVILEGED COMPUTING OPERATIONS - A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request. | 07-24-2014 |
20140208111 | SECURE VIRTUAL MACHINE MIGRATION - A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to enable secure migration of virtual machine instances between multiple host computing devices. The migration is performed by receiving a request to migrate a virtual machine, where the request includes public keys for the source host computing device and the destination host computing device. The source and destination hosts use the public keys to establish an encrypted session and then use the encrypted session to migrate the virtual machine. | 07-24-2014 |
20140208414 | USE OF FREEFORM METADATA FOR ACCESS CONTROL - Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment. | 07-24-2014 |
20140236864 | ALLOCATING FINANCIAL RISK AND REWARD IN A MULTI-TENANT ENVIRONMENT - Multi-tenant resources can be funded using payment submitted with requests for those resources, such that the resources do not need to be associated with a specific user account. A resource can be allocated and available as long as payment has been provided. If a user wants the resource to be available for additional processing, for example, the user can submit another request with additional funding. The funding can come in the form of donations from any user, or in the form of investments where the investor expects some return on the investment in the form of revenue, visibility, or other such compensation. One or more management components can track funding for various resources, can accept and select bids for periods of sponsorship, and can manage various donation models. | 08-21-2014 |
20140237100 | MANAGING COMMUNICATIONS FOR MODIFIED COMPUTER NETWORKS - Techniques are described for managing communications between multiple computing nodes, such as computing nodes that are part of a virtual computer network. In some situations, various types of modifications may be made to one or more computing nodes of an existing virtual computer network, and the described techniques include managing ongoing communications for those computing nodes so as to accommodate the modifications. Such modifications may include, for example, migrating or otherwise moving a particular computing node that is part of a virtual network to a new physical network location, or modifying other aspects of how the computing node participates in the virtual network (e.g., changing one or more virtual network addresses used by the computing node). In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users. | 08-21-2014 |
20140258732 | SOURCE IDENTIFICATION FOR UNAUTHORIZED COPIES OF CONTENT - Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content. | 09-11-2014 |
20140283045 | MANAGING VIRTUAL COMPUTING TESTING - Systems, methods, and interfaces for the management of virtual machine networks and other programmatically controlled networks are provided. Hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. A security assessment may be performed before, after, or simultaneous to the execution of the activity associated with the security assessment event. The execution of an activity may further be synchronous with the results of the security assessment. The timing of the assessment may correspond to the type of assessment or type of activity that is requested or detected. | 09-18-2014 |
20140310769 | TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES - Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information. | 10-16-2014 |
20140380461 | ESTABLISHING SECURE REMOTE ACCESS TO PRIVATE COMPUTER NETWORKS - Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service to create and configure computer networks that are provided by the configurable network service for use by the users. Secure private access between a computer network provided for a user by the configurable network service and one or more other remote computing systems of the user (e.g., a remote private network) may be enabled in various ways. For example, a user may programmatically invoke an API provided by the configurable network service to obtain assistance in establishing remote access from a remote location to a provided computer network of the configurable network service, such as to establish a VPN connection from the remote location to the provided computer network using hardware and/or software supplied to the remote location in response to the API invocation. | 12-25-2014 |
20150019705 | MANAGEMENT OF COMPUTING SESSIONS - A remote computing session management process is directed to the execution and management of aspects of virtual instances executed on data center computers at a program execution service (PES) platform. A computing session may be established between the PES platform and a computing device connected to the PES platform over a communications network. The data created by the user of the client computing device interacting with the virtual instance may be stored, and following an interruption of the remote computing session, the data may be used when re-establishing the remote computing session. | 01-15-2015 |
20150019733 | MANAGEMENT OF COMPUTING SESSIONS - A remote computing session management process is directed to the execution and management of aspects of virtual instances executed on data center computers at a program execution service (PES) platform. A computing session may be established between the PES platform and a computing device connected to the PES platform over a communications network. The data created by the user of the client computing device interacting with the virtual instance may be stored, and following an interruption of the remote computing session, the data may be used when re-establishing the remote computing session. | 01-15-2015 |
20150019858 | DATA LOSS PREVENTION TECHNIQUES - Data received through a proxy for a service is analyzed for compliance with one or more data policies, such as one or more data loss prevention policies. When data satisfies the criteria of one or more data policies, the data is manipulated at the proxy prior to transmission of the data to the service. In some examples, the manipulation of the data includes encryption. | 01-15-2015 |
20150067830 | DYNAMIC APPLICATION SECURITY VERIFICATION - Disclosed are various embodiments for performing security verifications for dynamic applications. An instance of an application is executed. During runtime, it is determined whether the application is accessing dynamically loaded code from a network site. In one embodiment, the access may be detected via the use of a particular application programming interface (API). In another embodiment, the access may be detected via the loading of downloaded data into an executable portion of memory. A security evaluation is performed on the dynamically loaded code, and an action is initiated responsive to the security evaluation. | 03-05-2015 |
20150082428 | DETECTING ANOMALOUS BEHAVIOR PATTERNS IN AN ELECTRONIC ENVIRONMENT - The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources. | 03-19-2015 |
20150089049 | WIDE AREA NETWORK MONITORING - As exterior routing protocols generally do not provide information about the internal routing paths of an autonomous system, a particular autonomous system has limited information about the internal health of other autonomous systems. However, if a monitoring system has access to routing data and/or other network data from multiple points of an autonomous system, the monitoring system can estimate, with some accuracy, the health of the autonomous system. In turn, by monitoring at least some of the autonomous systems forming a larger internetwork, such as the Internet, the monitoring system can estimate the overall health of at least portions of the internetwork. | 03-26-2015 |
20150089233 | RESOURCE LOCATORS WITH KEYS - Requests are pre-generated to include a cryptographic key to be used in fulfilling the requests. The requests may be encoded in uniform resource locators and may include authentication information to enable a service provider to whom the requests are submitted to determine whether the requests are authorized. The requests may be passed to various entities who can then submit the requests to the service provider. The service provider, upon receipt of a request, can verify the authentication information and fulfill the request using a cryptographic key encoded in the request. | 03-26-2015 |
20150089244 | DATA SECURITY USING REQUEST-SUPPLIED KEYS - Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that is to be, or already is, stored in encrypted form by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key. | 03-26-2015 |
20150106338 | FREQUENT DATA SET CAPTURES FOR VOLUME FORENSICS - Techniques, including systems and methods, take frequent captures of data sets for the purpose of forensic analysis. The data set captures are taken at the block level in various embodiments. Data set captures are used to instantiate forensic storage volumes that are attached to computing instances. The computing instances can access data in the forensic storage volumes at a state corresponding to a specified capture time. A user can select different capture times to re-instantiate the forensic storage volume to see how the forensic storage volume changed between captures. | 04-16-2015 |
20150120917 | METHODS AND APPARATUS FOR SCALABLE PRIVATE SERVICES - Methods and apparatus for providing scalable private services in service provider networking environments. A service provider that provides a large, public, multi-tenant implementation of a web service to multiple customers via a public API endpoint may allow a customer to request the establishment of a private implementation of the service. In response, a service private instance may be automatically and/or manually established for the customer that provides a private API endpoint to the service and that is at least in part implemented on single-tenant hardware that is not shared with other customers. The service private instance may initially be implemented as a relatively small scale and possibly limited implementation of the service when compared to the service public instance. As the needs of the customer grow, the service private instance may be automatically and/or manually scaled up from the initial implementation. | 04-30-2015 |
20150121400 | MANAGING PRIVATE USE OF PROGRAM EXECUTION CAPACITY - Techniques are described for managing execution of programs, including using excess program execution capacity of one or more computing systems. For example, a private pool of excess computing capacity may be maintained for a user based on unused dedicated program execution capacity allocated for that user, with the private pool of excess capacity being available for priority use by that user. Such private excess capacity pools may further in some embodiments be provided in addition to a general, non-private excess computing capacity pool that is available for use by multiple users, optionally including users who are associated with the private excess capacity pools. In some such situations, excess computing capacity may be made available to execute programs on a temporary basis, such that the programs executing using the excess capacity may be terminated at any time if other preferred use for the excess capacity arises. | 04-30-2015 |