Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This Application claims the benefit of U.S. Provisional Application No. 63/266,031 filed on December 27, 2021, the contents of which are hereby incorporated by reference.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/17/2025, 10/17/2025, 11/04/2025, and 12/04/2025 were filed after the mailing date of the Final Office Action on 09/05/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to a Request for Continued Examination (RCE) application received on 12/04/2025. In the RCE, claims 10, and 21 have been amended. Claims 22-23 have been added as new claims. Claims 1-9, and 11-20 remain original. No claim has been cancelled.
For this Office Action, claims 1-23 have been received for consideration and have been examined.
Response to Arguments
Claim Rejections – 35 USC § 103
Applicant’s remarks regarding rejection of claims under 35 USC § 103 have been reviewed by the examiner, however, remarks are not found persuasive. After review, the remarks have been summarized as follows:
# 1. NPL1 is not detecting a first encrypted disk on a workload in a cloud computing environment, as the encrypted AMI is not an encrypted disk on a workload … This is because the Office Action is using an incorrect mapping. In this regard, again, as explained hereinabove, an AMI is not a disk, it does not function as a disk, and it is not attached to any workload … The shared encrypted AMI is not an encrypted disk of a workload as called for in the claim (Page # 8-9).
Examiner’s Response
Regarding remark # 1, that NPL1 is not detecting a workload in a cloud computing environment and AMI is not a disk because it does not function as a disk and it is not attached to any workload, examiner respectfully disagree.
Firstly, examiner would like to note that the claim language does not explicitly mentions whether the claimed “disk” is a physical disk or a virtual disk. Under MPEP BRI guideline, the pending claims must be “given their broadest reasonable interpretation consistent with the specification.” Based on the BRI, the examiner construed that the claimed “disk” is a virtual disk (as mentioned in [0023] of the instant disclosure) and because of that the examiner maps the AMI of NPL1 as a disk because AMI serves as a foundational component of Amazon Web Services and provides the necessary information to launch and run an instance, which is essentially “a virtual server” in the cloud and in a virtual server there is a emulated storage device which is construed as a disk and stores operating system, and required application. Therefore, Applicant’s alleged remark is not correct that NPL1 does not disclose encrypted disk on a workload in a cloud computing environment.
Secondly, the Applicant allege that NPL1 does not disclose a workload, the examiner respectfully disagrees. Examiner would like to note that Applicant has not elaborated in the remarks as what is exactly mean by ‘workload’ and what is the significance of ‘workload’ in the claim. Examiner being an ordinary skill in the art finds that in cloud computing, a workload refers to the combination of applications, services, processes, and the computing resources (CPU, memory, storage, networking) they consume to perform a specific task in a cloud environment. This can range from a single application running on a virtual machine to complex, distributed systems spanning multiple cloud services (https://www.google.com/search?q=workload+meaning+in+cloud&rlz=1C1GCEA_enUS1124US1124&oq=workload+meaning+in+cloud&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIICAEQABgWGB4yDQgCEAAYhgMYgAQYigUyDQgDEAAYhgMYgAQYigUyBwgEEAAY7wUyCggFEAAYogQYiQUyCggGEAAYogQYiQXSAQgxNjQ1ajBqMagCCLACAfEFs_HB7cYpV3Q&sourceid=chrome&ie=UTF-8). In short, workload is an application, service, capability, or a specified amount of work that consumes cloud-based resources (such as computing or memory power). And based on that disclosed Amazon Machine Instances (AMI) in NPL1 fits that definition of claimed “workload in a cloud computing environment”.
Regarding Applicant’s remark that “The shared encrypted AMI is not an encrypted disk of a workload as called for in the claim”, examiner would like to note that claim language does not limit the term disk to be physical hardware disk. The disk on a workload in a cloud environment is a virtual disk similar to NPL1’s AMI virtual instance which is happened to be encrypted virtual instance that being re-encrypted for another user account and being shared with that user account. Additionally, the instant specification [0023] discloses that “the virtual workload 110 is connected a storage disk, a plurality of storage disks, and the like, such as storage disks 112-1 through 112-N, where 'N' is an integer having a value of '2' or greater. In some embodiments, the storage disk is provisioned as a virtual disk, as a block address on a block storage, and the like” which is equivalent to NPL1 AMI virtual instance which is stored in a cloud environment.
# 2. Launching instances results in creation of workloads. However, the claim requires an already existing workload on which the disk is to be detected. Thus, the Office Action has things exactly backwards. Since the workload in NPL1 comes into existence only after the launch, the Office Action's construction and interpretation with respect to the claim is erroneous (Page # 9).
Examiner’s Response
Regarding remark # 2, that the workload in NPL1 comes into existence only after the launch, the Office Action's construction and interpretation with respect to the claim is erroneous, examiner respectfully disagree. Examiner would like to note that NPL1 does not disclose creating an AMI, instead an encrypted AMI (which is already existed) is shared with a new account. See below screenshot from the NPL1 page # 2 which clears Examiner’s point of view that AMI already exists and not created on the fly when it needs to be shared:
PNG
media_image1.png
194
862
media_image1.png
Greyscale
Based on highlighted text, Applicant’s interpretation is incorrect that a new AMI [claimed disk] is created/launched instead of sharing an existing one as claimed. Even the title of the NPL1 states “How to share encrypt[ed] AMIs across accounts to launch encrypted AMI encrypted EC2 instances” which means ‘encrypted AMI’ is already present in the cloud which being shared with new account for a user.
# 3. Applicants' specification's paragraph 21 does not at all coincide with the teachings of NPL1 and, indeed, has nothing to do NPL1 … This is because, again, in NPL1 the AMI is used to launch a workload. By contrast, in paragraph 21 and in the claim, the workload already exists. So, what NPL1 is teaching is the opposite of what is called for in the claim and explained in paragraph 21 of the instant specification (Page # 10).
Examiner’s Response
Regarding remark # 3, that NPL1 teaching is the opposite of what is called for in the claim, examiner respectfully disagree. As described in detail in response to remark # 2, the AMI (claimed workload in a cloud environment) is already present in the cloud and a copy is being created and shared with a new account. Therefore, Applicant’s assertion is incorrect that AMI is used to launch a workload, instead similar to paragraph 21, the AMI [workload] is already present in the NPL1’s cloud environment and is being shared with another user account.
# 4. Applicants also explained in their prior response that the target account of NPL1 is not an inspector account as it does not and cannot perform any inspection and is unrelated to inspection in any way. In this regard, it should be appreciated that the target account of NPL1 is the account in which one launches EC2 instances using a shared custom AMI. There is nothing suggesting that the target account can, or even could, be used for inspection. As such, NPL1 fails to teach or suggest the claim element of generating a key for an inspector account, notwithstanding the Office Action's suggestion to the contrary (Page # 11).
Examiner’s Response
Regarding remark # 4, that “NPL1 is not an inspector account as it does not and cannot perform any inspection and is unrelated to inspection in any way”, examiner would like to note that claim merely recites generating a key for an inspector account however the claim is silent regarding the significance of a so called an inspector account. The claimed inspector account is not performing any inspection and is not related to inspection in any way. As mentioned in the previous Final Rejection (dated 09/05/2025) response, an inspector account has no special function in the claim. An ordinary skill in the art before the effective filing date of the claimed invention can replace the claimed “inspector account” with any other type of account such as administrator/guest/service etc. accounts. The claimed inspector account has no weight to the claim itself unless the claim is amended to recite that inspector account is literally performing any step/action with a key which was solely generated for the inspector account.
With respect to claim 10 and 21, the same rationale applies that the claims further describe deployment of the inspector account however fail to disclose any functionality in the claim steps and therefore can be substituted with any type of account as explained above.
# 5. It should further be appreciated that NPL1's target account is an AWS account that is authorized only to launch an EC2 instance from a shared AMI. This target account performs no inspecting, it provides no disk access, and it has no analysis or security-related function. As explained on page 2, item 2, of NPL1, 2. the target account is an account in which one launches instances of EC2 using the shared custom AMI with encrypted snapshots. None of this amounts to an inspector account which is thus lacking from NPL1 (Page # 12).
Examiner’s Response
Regarding remark # 5, that “This target account performs no inspecting, it provides no disk access, and it has no analysis or security-related function”, examiner would like to note that claim language merely recites ‘inspecting/inspectable’ however does not recite any language such as “providing no disk access or analysis or security-related function” as asserted in the remarks. Examiner would recommend the applicant to amend the claim language to recite the functionalities which are mentioned in the remarks.
# 6. NPL1 cannot teach or suggest the claim element of generating a snapshot of the first encrypted disk with a reencrypt command using the generated key given that NPL1 does not teach or suggest either the first encrypted disk or the generated key which must be generated for an inspector account which NPL1 does not have.
As for the generating a second encrypted disk from the snapshot claim element, NPL1 does not teach or suggest the snapshot as explained hereinabove, so it cannot generate anything from a snapshot that it does not have. Moreover, AMIs, being essentially a template for a virtual machine, as noted above, is not a disk of a workload. As such, sharing encrypted AMIs means distributing the encrypted AMI, which is not generating a second encrypted disk from the snapshot as called for in the claim. Nor is launching encrypted AMIs, which means to create therefrom EC2 instances, i.e., launching a virtual machine, and this is not generating a second encrypted disk (Page # 12-13).
Examiner’s Response
Regarding remark # 6, that NPL1 does not disclose “either the first encrypted disk or the generated key which must be generated for an inspector account”, examiner respectfully disagree. As described in detail in Final Office Action (dated 09/05/2025) that NPL1 discloses policy setting operations comprising ‘ReEncrypt’ action of re-encrypting the AMI for a new user which is construed as claimed inspector account. NPL1 further teaches generating snapshot with ‘reencrypt’ command which teaches the claimed concept of generating a snapshot of the encrypted disk. Again, Applicant reiterate that NPL1 does not teach the first encrypted disk or the generated key which must be generated for an inspector, which is not present in the claim language. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., inspector account performing inspection of the disk) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
# 7. decrypting a second encrypted disk, NPL2 cannot teach or suggest the claim element of generating an inspectable disk based on the decrypted second encrypted disk. Moreover, none of the language pointed to by the Office Action mentions any disk at all, thus failing to show that NPL2 has anything to do with this claim element … As such, NPL2 fails to teach or suggest any of the claim elements for which it is cited, which are thus lacking from the combination as a whole. Thus, the Office Action's proposed combination does not have any of the elements of claim 1, and, as such, independent claim 1 is allowable over the proposed combination under 35 U.S.C. §103. Turning to the alleged motivation for the combination, given the elements of the claim missing from the prior art as shown hereinabove, one of ordinary skill in the art would not be motivated to make the invention as claimed, since one cannot be motivated to combine what is not available in the prior art. In the Response to Arguments the Office Action states:
the Examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art (Page # 14-16).
Examiner’s Response
Regarding remark # 7, that NPL2 does not teach the claim element of decrypting the second encrypted disk using the generated key, examiner respectfully disagree. Examiner would like to note that both cited NPL documents are from same field of endeavor where NPL1 exclusively focuses on sharing an encrypted disk in an Amazon cloud computing environment with a prescribed re-encryption process whereas NPL2 discloses an operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric KMS key.
Examiner further notes regarding applicant's argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, as described above NPL1 teaches the process of generating a new encrypted instance of an encrypted instance by re-encrypting and sharing it with a designated user and NPL2 disclosed the method of decrypting the already encrypted data.
Based on above explanation and interpretation, the combination of NPL1 and NPL2 teaches the claimed concept and therefore the rejection has been maintained.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 11-20, and 23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 11 (a non-transitory computer readable medium) and claim 12 (a system) recite following steps performed by “a processing circuitry”:
(1) detecting a first encrypted disk on a workload in a cloud computing environment;
(2) generating a key for an inspector account;
(3) generating a snapshot of the first encrypted disk with a reencrypt command using the generated key;
(4) generating a second encrypted disk from the snapshot;
(5) decrypting the second encrypted disk using the generated key; and
(5) generating an inspectable disk based on the decrypted second encrypted disk.
Examiner consulted instant specification and notice that two different entities are performing the recited steps. In paragraphs [0056-0062], the first four limitations are being performed by an inspector account 130 through Figure 4 steps S410 through S440 whereas last two limitations are being performed by an inspector 150 through steps S450 through S460.
Therefore, claim limitations do not align with the specification because as per claim a processing circuitry (i.e., one entity) is performing all the steps which is not the case and not supported by the disclosure.
Dependent claims inherit these deficiencies.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more analyzed according to MPEP 2106.
Step 1: The independent claims 1, 11, and 12 do fall into one of the four statutory categories of “method, non-transitory machine-readable medium, and a system” claims. Nevertheless, the claim(s) still is/are considered as abstract idea (i.e., Mental process) for the following prongs and reasons.
Step 2A: Prong 1: The limitations of the independent claims 1, 11, and 12 recite the abstract idea of:
“detecting a first encrypted disk [[on a workload in a cloud computing environment]] (Mental process: an administrator detects a first encrypted disk);
generating a key for an inspector account (Mental process: the administrator generates a key for an inspector account);
generating a snapshot of the first encrypted disk with a reencrypt command using the generated key (Mental process: the administrator generates a copy with the generated key of the encrypted disk using a command);
generating a second encrypted disk from the snapshot (Mental process: the administrator generates second encrypted disk from the generated copy);
decrypting the second encrypted disk using the generated key (Mental process: the administrator decrypts the second encrypted disk using the generated key); and
generating an inspectable disk based on the decrypted second encrypted disk (Mental process: the administrator generates another disk using decrypted second encrypted disk)”.
The claim generically recites the concept of generating a key for an account, and using the key to perform Asymmetric encryption, also known as public key cryptography, is an abstract idea that encapsulates the principles of secure communication and data protection. It is an essential concept in the field of cryptography, which is the study of secure communication methods.
The above limitations are steps which clearly fall into the “Mental Process” bucket which under its broadest reasonable interpretation, covers performance of the limitations in the human mind and / or with pen and paper.
The above-described limitations can all be performed by a human administrator who is tasked to generate encrypted disk and re-encrypt them and decrypt them for desired purposes.
Step 2A: Prong 2: The judicial exception (i.e., inspecting encrypted disk using a key) is not integrated into a practical application. The patentability of asymmetrical encryption is determined by the criteria of novelty, inventive step, and industrial applicability. These criteria ensure that the encryption method introduces a technical innovation beyond mere algorithmic concepts or abstract ideas. The method must demonstrate that it is new and not previously disclosed, involve an inventive step that is not obvious to a person skilled in the art, and have clear industrial applicability.
In particular, the claims do not recite any additional element to perform beyond routine steps. To show that the involvement of a computer assists in improving the technology, the claims must recite the details regarding how a computer aids the method, the extent to which the computer aids the method, or the significance of a computer to the performance of the method. Merely adding generic computer components to perform the method is not sufficient. Thus, the claim must include more than mere instructions to perform the method on a generic component or machinery to qualify as an improvement to an existing technology (MPEP 2106.5(a) II).
In this particular case, the additional elements of the claims are:
“a method, a non-transitory machine-readable medium, and a system”.
The additional elements are recited at a high-level of generality (i.e., as generic terms performing generic computer functions (instant spec. [0063-0064] discloses that the functions of the disclosed claims can be implemented using generic computer(s)) such that it amounts no more than mere instructions to apply the exception using generic computer components. Accordingly, the additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the claims do not reflect improvement in the technology. Further, mere automated instructions to apply an exception using a generic computer component cannot provide an inventive concept. Thus, the claims are not patent eligible.
As discussed above with respect to integration of the abstract idea into a practical application, the additional elements (i.e., “method, non-transitory machine-readable medium, and a system”) amount to no more than mere instructions to apply the exception using general purpose computer.
To support this factual conclusion, the examiner takes Official Notice that one of the ordinary skill in the art, before the effective filing date of the claimed invention, would have found processors and/or software well-known and routine in technology that involves computers (instant spec. [0063-0064] discloses that the functions of the disclosed claims can be implemented using generic computer(s)) such that it amounts no more than mere instructions to apply the exception using generic computer components. Accordingly, the additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Thus, the examiner asserts that the above noted elements, when considered individually or in combination, do not constitute as “significantly more” than the abstract idea.
Dependent claims 2-10, and 13-23 have been analyzed and fall into one of the statutory categories and therefore passes step 1 analysis. However, under step 2, 2A & 2B analysis, the claims fail to recite any limitations that create a difference in the 101 analyses as indicated for claims 1, 11, and 12 because dependent claims merely recite additional steps of generating the copy of encrypted disk which is a mental process where human administrator can perform these steps manually. Thus, claims dependent claims are ineligible.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-8, 10-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over “How to share encrypted AMIs across accounts to launch encrypted AMI encrypted EC2 instances” hereinafter referred as NPL # 1 published 05/13/2019 in view of “Decrypt” hereinafter referred as NPL # 2 published 10/27/2021 (cited through Wayback Machine).
Regarding claim 1, NPL # 1 discloses:
A method for inspecting encrypted disks using a default key for detecting a cybersecurity object, comprising:
detecting a first encrypted disk (i.e., encrypted Amazon Machine Instance (AMI)) on a workload in a cloud computing environment (Page # 1; In this post, we demonstrate how you can share an encrypted AMI between accounts and launch an encrypted, Amazon Elastic Block Store (Amazon EBS) backed EC2 instance from the shared AMI.);
generating a key for an inspector account (i.e., target account is construed as inspector account) (Page # 2; In this example, I’ll use fictitious account IDs 111111111111 and 999999999999 for the source account and the target account, respectively. In addition, you’ll need to create an AWS KMS key in the source account in the source region. For simplicity, I’ve created an AWS KMS key with the alias cmkSource under account 111111111111 in us-east-1);
generating a snapshot (i.e., re-encrypting the snapshot is construed as generating a snapshot) of the first encrypted disk with a reencrypt command using the generated key (Page # 2; Second, the target account needs permission to use cmkSource for re-encrypting the snapshots. The following steps walk you through how to add the target account’s ID to the cmkSource key policy; Page # 3-4; Create a policy setting for the target account: Once you’ve configured the source account, you need to configure the target account. The IAM user or role in the target account needs to be able to perform the AWS KMS DescribeKey, CreateGrant, ReEncrypt* and Decrypt operations on cmkSource in order to launch an instance from a shared encrypted AMI.
PNG
media_image2.png
400
777
media_image2.png
Greyscale
);
generating a second encrypted disk from the snapshot (Page # 4; Once you’ve completed the configuration steps in the source and target accounts, then you’re ready to share and launch encrypted AMIs).
NPL # 1 does not explicitly disclose:
decrypting the second encrypted disk using the generated key; and generating an inspectable disk based on the decrypted second encrypted disk.
However, NPL # 2 discloses:
decrypting the second encrypted disk using the generated key (Page # 1; You can use this operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric KMS key; Page # 1; The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWSKMS asymmetric KMS key); and
generating an inspectable disk based on the decrypted second encrypted disk (Page # 1; Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM user policy that gives the user Decrypt permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must use an IAM policy for Decrypt permissions, limit the user to particular KMS keys or particular trusted accounts).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the encrypted and shared AMI (which is construed as snapshot) of NPL # 1 and include decryption steps to decrypt ciphertext that was encrypted under a symmetric or asymmetric KMS key for the encrypted snapshot, as disclosed by NPL # 2.
The motivation to combine the teachings of NPL # 1 and NPL # 2 is to leverage the decryption operation by ensuring that authorized users can decrypt ciphertext after it was encrypted.
Regarding claim 11, it is a non-transitory computer readable medium claim and recites similar subject matter as claim 1 and therefore rejected under similar grounds of rejection.
Regarding claim 12, it is a system claim and recites similar subject matter as claim 1 and therefore rejected under similar grounds of rejection.
Regarding claim 2, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 1, further comprising: inspecting the decrypted second encrypted disk (NPL # 1: Launch an instance from the shared encrypted AMI encrypted AMI).
Regarding claim 13, it is a system claim and recites similar subject matter as claim 2 and therefore rejected under similar grounds of rejection.
Regarding claim 3, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 2, further comprising: generating the inspectable disk based on a clone of the decrypted second encrypted disk (NPL # 1: Launch an instance from the shared encrypted AMI encrypted AMI).
Regarding claim 14, it is a system claim and recites similar subject matter as claim 3 and therefore rejected under similar grounds of rejection.
Regarding claim 4, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 2, further comprising: generating the inspectable disk based on a snapshot of the decrypted second encrypted disk (NPL # 1: Launch an instance from the shared encrypted AMI encrypted AMI).
Regarding claim 15, it is a system claim and recites similar subject matter as claim 4 and therefore rejected under similar grounds of rejection.
Regarding claim 5, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 2, further comprising: generating the inspectable disk based on a copy of the decrypted second encrypted disk (NPL # 1: Launch an instance from the shared encrypted AMI encrypted AMI).
Regarding claim 16, it is a system claim and recites similar subject matter as claim 5 and therefore rejected under similar grounds of rejection.
Regarding claim 6, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 1, further comprising: determining that the encrypted disk utilizes an application based encryption; and fetching a custom key from a key vault management system (NPL # 1: Page # 2; cmkSource).
Regarding claim 17, it is a system claim and recites similar subject matter as claim 6 and therefore rejected under similar grounds of rejection.
Regarding claim 7, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 6, further comprising: decrypting the custom key, wherein the custom key is encrypted using a key-encryption-key (NPL # 2: Page # 1; If the ciphertext was encrypted under a symmetric KMS key, the KeyId parameter is optional. AWS KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as a best practice. When you use the KeyId parameter to specify a KMS key, AWS KMS only uses the KMS key you specify. If the cipher text was encrypted under a different KMS key, the Decrypt operation fails).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the encrypted and shared AMI (which is construed as snapshot) of NPL # 1 and include decryption steps to decrypt ciphertext that was encrypted under a symmetric or asymmetric KMS key for the encrypted snapshot, as disclosed by NPL # 2.
The motivation to combine the teachings of NPL # 1 and NPL # 2 is to leverage the decryption operation by ensuring that authorized users can decrypt ciphertext after it was encrypted.
Regarding claim 18, it is a system claim and recites similar subject matter as claim 7 and therefore rejected under similar grounds of rejection.
Regarding claim 8, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 1, further comprising: determining that the first encrypted disk is encrypted based on metadata associated with the first encrypted disk (NPL # 1: Page # 3-4: Create a policy setting for the target account).
Regarding claim 19, it is a system claim and recites similar subject matter as claim 8 and therefore rejected under similar grounds of rejection.
Regarding claim 10, the combination of NPL # 1 and NPL # 2 discloses:
The method of claim 1, wherein the inspector is deployed as a principal in the cloud computing environment (NPL # 1: Page # 2: In this example, I’ll use fictitious account IDs 111111111111 and 999999999999 for the source account and thetarget account, respectively. In addition, you’ll need to create an AWS KMS key in the source account in the source region. For simplicity, I’ve created an AWS KMS key with the alias cmkSource under account 111111111111 in us-east-1. I’ll use this cmkSource to encrypt my AMI (ami-1234578) that I’ll share with account 999999999999).
Regarding claim 21, it is a system claim and recites similar subject matter as claim 10 and therefore rejected under similar grounds of rejection.
Claim(s) 9, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over “How to share encrypted AMIs across accounts to launch encrypted AMI encrypted EC2 instances” hereinafter referred as NPL # 1 published 05/13/2019 in view of “Decrypt” hereinafter referred as NPL # 2 published 10/27/2021 (cited through Wayback Machine) and further in view of “CopySnapshot” hereinafter referred as NPL # 3 published 10/20/2021 (cited through Wayback Machine).
Regarding claim 9, the combination of NPL # 1 and NPL # 2 fails to explicitly disclose:
The method of claim 1, further comprising: generating the second encrypted disk from the snapshot using a CopySnapshot instruction.
However, NPL # 3 discloses:
generating the second encrypted disk from the snapshot using a CopySnapshot instruction (Page # 4-5: Create a copy of an encrypted snapshot in a Region diff erent from the original).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL # 1 in view of NPL # 2 and include CopySnapshot instructions to create and copy the snapshot from one region to another region, as disclosed by NPL # 3.
The motivation to leverage details from NPL # 3 is to incorporate instructions for generating copy a point-in-time snapshot of data.
Regarding claim 20, it is a system claim and recites similar subject matter as claim 9 and therefore rejected under similar grounds of rejection.
Claim(s) 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over “How to share encrypted AMIs across accounts to launch encrypted AMI encrypted EC2 instances” hereinafter referred as NPL # 1 published 05/13/2019 in view of “Decrypt” hereinafter referred as NPL # 2 published 10/27/2021 (cited through Wayback Machine) and further in view of Hu et al., (US20190236373A1).
Regarding claim 22, the combination of NPL # 1 and NPL # 2 fails to explicitly disclose:
The method of claim 1, wherein an inspector is deployed in an inspecting cloud computing environment and wherein access to the inspectable disk is provided to the inspector via the inspector account.
However, Hu discloses:
wherein an inspector is deployed in an inspecting cloud computing environment and wherein access to the inspectable disk is provided to the inspector via the inspector account ([0069] the cloud computing platform B may send the patrol task to the inspector account C2-2 according to the patrol scheme; [0070] S2. Accepting the Patrol Task and Patrolling; [0071] The inspector may use an inspector account C2-2 to login the portable client terminal C2).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL # 1 in view of NPL # 2 and include cloud computing platform comprising an account type such an inspector account, as disclosed by Hu.
The motivation to have an account type such as the inspector account is to perform inspector task such review contents and take appropriate safety action as necessary.
Regarding claim 23, it is a method claim and recites similar subject matter as claim 22 and therefore rejected under similar ground of rejection.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SYED M AHSAN/Primary Examiner, Art Unit 2491