Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: a plurality of computing devices comprising one or more hardware processors and memory, wherein the plurality of computing devices are configured to: determine, by at least one of the computing devices and in accordance with a security policy of a network-accessible service implemented at a provider network, that at least a subset of administrative operations associated with configuration of a service instance at a particular instance host are to be performed at one or more control servers of the plurality of computing devices, wherein: at least one control server of the one or more control servers differs from the particular instance host in at least one security-related property indicated in the security policy; and the at least one security-related property of the at least one control server comprises a higher level of security than the particular instance host; establish, by at least one of the computing devices, a secure communication channel between a particular control server of the one or more control servers and the particular instance host; in response to an indication of a configuration request directed at the service instance, perform one or more administrative operations associated with the configuration request at the one or more control servers; transmit, by one of the computing devices implementing the particular control server, at least one command via the secure communication channel to a command receiver instantiated at the particular instance host, wherein the at least one command is determined based at least in part on a result of an administrative operation of the one or more administrative operations; receive, by one of the computing devices implementing the particular control server, a command result from the particular instance host via the secure communication channel; and provide, by at least one of the computing devices and based at least in part on the command result, a response to the configuration request.
2. The system as recited in claim 1, wherein the particular instance host is located at a first data center, and wherein the one or more control servers are located at a second data center, wherein the first data center differs from the second data center in at least one of: (a) a physical security protocol governing access to data center assets, (b) a network security protocol, (c) country of location, or (d) legal authorities granted jurisdiction.
3. The system as recited in claim 1, wherein the one or more administrative operations associated with the configuration request include one of: (a) an authorization operation, (b) an authentication operation, (c) a capacity management operation, (d) a quota check, (e) an interaction with a different network-accessible service of the provider network to obtain access to a resource of the different network-accessible service, (f) a billing account check, or (g) a concurrency control operation associated with managing concurrent updates to internal data structures of the network-accessible service.
4. The system as recited in claim 1, wherein the plurality of computing devices are further configured to: transmit, to the particular instance host via the secure channel, at least one of (a) a security token to be used to execute the at least one command, wherein the security token is configured with a validity period determined at the one or more control servers, or (b) encrypted data to be used to execute the at least one command.
5. The system as recited in claim 1, wherein the network-accessible service comprises one of: a virtual computing service, a storage service, or a database service.
6. A method, comprising: performing, by a plurality of computing devices comprising one or more hardware processors and memory: determining, by at least one of the computing devices and in accordance with a security policy of a network-accessible service implemented at a provider network, that at least a subset of administrative operations associated with configuration of a service instance at a particular instance host are to be performed at one or more control servers of the plurality of computing devices, wherein: at least one control server of the one or more control servers differs from the particular instance host in at least one security-related property; and the at least one security-related property of the at least one control server comprises a higher level of security than the particular instance host; and in response to an indication of a configuration request directed at the service instance, implementing one or more administrative operations associated with the configuration request at the one or more control servers; transmitting, by one of the computing devices implementing a particular control server, at least one command via a network connection from the particular control server of the one or more control servers to the particular instance host; receiving, by one of the computing devices implementing the particular control server, a command result from the particular instance host via the network connection; and providing, by at least one of the computing devices and based at least in part on the command result, a response to the configuration request.
7. The method as recited in claim 6, wherein the particular instance host is located at a first data center, and wherein the one or more control servers are located at a second data center.
8. The method as recited in claim 6, wherein the security-related property comprises an indication of one of: (a) a physical security protocol governing access to data center assets, (b) a network security protocol, (c) a country of location, or (d) a legal authority granted jurisdiction.
9. The method as recited in claim 6, wherein the one or more administrative operations associated with the configuration request include one of: (a) an authorization operation, (b) an authentication operation, (c) a capacity management operation, (d) a quota limit check, (e) an interaction with a different network-accessible service of the provider network to obtain access to a resource of the different network-accessible service, (f) a billing account check, or (g) a concurrency control operation associated with managing concurrent updates to internal data structures of the network-accessible service.
10. The method as recited in claim 6, further comprising performing, by the plurality of computing devices: generating a security credential with a validity period to be used to execute the at least one command at the particular instance host, and transmitting the security credential to the particular instance host.
11. The method as recited in claim 6, further comprising performing, by the plurality of computing devices: generating encrypted data to be used to execute the at least one command at the particular instance host, and transmitting the encrypted data to the particular instance host.
12. The method as recited in claim 6, further comprising performing, by the plurality of computing devices: invoking, by a stateless command executor module at the instance host, one or more system calls to implement the at least one command.
13. The method as recited in claim 6, further comprising performing, by the plurality of computing devices: instantiating a secure communication channel between at least one control server and the particular instance host; wherein said transmitting comprises utilizing the secure communication channel.
14. The method as recited in claim 6, wherein the network-accessible service comprises one of: a virtual computing service, a storage service, or a database service.
15. The method as recited in claim 11, wherein the encrypted data comprises one of: (a) an encrypted identifier of a resource, or (b) encrypted application-level data.
16. The method as recited in claim 11, further comprising performing, by the plurality of computing devices: providing, via a programmatic interface, a key usable to decrypt the data at the instance host.
17. A non-transitory computer-accessible storage medium storing program instructions that when executed on one or more computing devices determine, in accordance with a security policy of a network-accessible service implemented at a provider network, that at least a subset of administrative operations associated with configuration of a service instance at a first instance host located within a first security zone of the provider network are to be performed at a first control server of the plurality of computing devices located within a different second security zone, wherein: the first and second security zone differ in at least one security property; and the second security zone of the first control server comprises a higher level of security than the first security zone of the first instance host; determine, in accordance with the security policy, that at least a subset of administrative operations associated with configuration of a service instance at a second instance host located within a second security zone are to be performed at a second control server located within the second security zone; provide identification information pertaining to the first instance host to the first control server, enabling the first control server to establish a first network channel to be used for transmission of configuration commands from the first control server to the first instance host; and provide identification information pertaining to the second instance host to the second control server, enabling the second control server to establish a second network channel to be used for transmission of configuration commands from the second control server to the second instance host.
18. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the first security zone differs from the second security zone in at least one of: (a) a physical security protocol governing access to data center assets, (b) a network security protocol, (c) a country of location, or (d) a legal authority granted jurisdiction.
19. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the subset of administrative operations associated with the configuration of the service instance at the first instance host located within a first security zone include one of: (a) an authorization operation, (b) an authentication operation, (c) a capacity management operation, (d) a quota limit check, (e) an interaction with a different network-accessible service of the provider network to obtain access to a resource of the different network-accessible service, (f) a billing account check, or (g) a concurrency control operation associated with managing concurrent updates to internal data structures of the network-accessible service.
20. A non-transitory computer-accessible storage medium storing program instructions that when executed on one or more computing devices: receive, at a control server selected based at least in part on a security policy to perform a set of administrative operations associated with a service unit of a network-accessible service of a provider network, a service configuration request; implement, at the control server, one or more administrative operations associated with the service configuration request; transmit at least one command via a secure network connection to a target host associated with the service unit, wherein at least one security-related property of the control server comprises a plurality of security-related properties of the target host; receive a command result from the target host via the secure network connection; and provide, based at least in part on the command result, a response to the service configuration request.
21. The non-transitory computer-accessible storage medium storing program instructions as recited in claim 20, wherein the control server is located at a first data center, and wherein the target host is located at a second data center.
22. The non-transitory computer-accessible storage medium storing program instructions as recited in claim 20, wherein the one or more administrative operations associated with the service configuration request include one of: (a) an authorization operation, (b) an authentication operation, (c) a capacity management operation, (d) a quota limit check, (e) an interaction with a different network-accessible service of the provider network to obtain access to a resource of the different network-accessible service, (f) a billing account check, or (g) a concurrency control operation associated with managing concurrent updates to internal data structures of the network-accessible service.
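The claims above describe a split in which the control server, sitting in the higher-security zone, performs the administrative operations (authorization, quota check) and then hands the instance host a command together with a security token whose validity period the control server chose; the host runs a stateless command receiver that only verifies and dispatches. The following Python sketch is an added illustration of that split and is not code from the patent or from any provider's control plane. The host identifier, account, per-host key, quota figures and command names are all constructed; an HMAC over the command body stands in for the secure channel and the security token, and the "system calls" of claim 12 are replaced by an in-memory dispatch so the example runs offline.

```python
"""Added illustration of the control-server / instance-host split.
Policy (authorization, quota) runs on the control server; the instance host
only verifies a signed, host-bound, short-lived command and dispatches it.
All keys, ids, accounts and command names below are constructed."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-host key; a deployment would provision it over the secure channel.
HOST_KEYS = {"ih-0042": b"constructed-per-host-key-0042"}


class ControlServer:
    """Higher-security zone: decides policy and issues signed commands."""

    def __init__(self, host_keys, quota, usage, token_ttl=30):
        self.host_keys = host_keys
        self.quota = quota            # constructed: max instances per account
        self.usage = dict(usage)      # constructed: instances already running
        self.token_ttl = token_ttl    # validity period is fixed here, not on the host

    def authorize(self, account, op):
        # Authorization and quota check never leave the control server.
        if op == "start_instance":
            return self.usage.get(account, 0) < self.quota.get(account, 0)
        return op == "describe"

    def issue(self, host, account, op, args):
        # Command bound to host, op, args, expiry and a one-shot nonce, then MACed.
        if not self.authorize(account, op):
            return None
        cmd = {"host": host, "op": op, "args": args,
               "exp": int(time.time()) + self.token_ttl,
               "nonce": secrets.token_hex(8)}
        body = json.dumps(cmd, sort_keys=True)
        tag = hmac.new(self.host_keys[host], body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

    def handle_request(self, receiver, account, op, args):
        # Configuration request -> admin ops -> command -> command result -> response.
        cmd = self.issue(receiver.host_id, account, op, args)
        if cmd is None:
            return {"status": "denied"}
        result = receiver.receive(cmd)
        if result["ok"] and op == "start_instance":
            self.usage[account] = self.usage.get(account, 0) + 1
        return {"status": "ok" if result["ok"] else "failed", "result": result}


class CommandReceiver:
    """Lower-security zone: stateless executor that verifies, then dispatches."""
    ALLOWED = {"start_instance", "describe"}

    def __init__(self, host_id, key, now=time.time):
        self.host_id, self.key, self.now = host_id, key, now
        self.seen = set()      # nonces already executed: replay guard
        self.started = []

    def receive(self, cmd):
        body = cmd["body"].encode()
        expect = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, cmd["tag"]):
            return {"ok": False, "error": "bad signature"}   # checked before parsing
        c = json.loads(body)
        if c["host"] != self.host_id:
            return {"ok": False, "error": "wrong host"}
        if c["exp"] < self.now():
            return {"ok": False, "error": "expired"}
        if c["nonce"] in self.seen:
            return {"ok": False, "error": "replay"}
        if c["op"] not in self.ALLOWED:
            return {"ok": False, "error": "unknown op"}
        self.seen.add(c["nonce"])
        return self.execute(c["op"], c["args"])

    def execute(self, op, args):
        # Where a real host would make the system or hypervisor calls.
        if op == "start_instance":
            self.started.append(args["image"])
            return {"ok": True, "instance": f"{self.host_id}-{len(self.started)}"}
        return {"ok": True, "running": list(self.started)}


def demo():
    """Happy path plus the failure modes; returns the results keyed by case."""
    host = CommandReceiver("ih-0042", HOST_KEYS["ih-0042"])
    cs = ControlServer(HOST_KEYS, quota={"acct-7": 2}, usage={"acct-7": 1})
    out = {}
    out["start"] = cs.handle_request(host, "acct-7", "start_instance", {"image": "img-a"})
    out["over_quota"] = cs.handle_request(host, "acct-7", "start_instance", {"image": "img-a"})
    cmd = cs.issue("ih-0042", "acct-7", "describe", {})
    # Attacker on the host-side network rewrites the op; the tag no longer matches.
    tampered = dict(cmd, body=cmd["body"].replace('"describe"', '"start_instance"'))
    out["tampered"] = host.receive(tampered)
    out["first_use"] = host.receive(cmd)
    out["replay"] = host.receive(cmd)
    late = CommandReceiver("ih-0042", HOST_KEYS["ih-0042"], now=lambda: time.time() + 3600)
    out["expired"] = late.receive(cs.issue("ih-0042", "acct-7", "describe", {}))
    return out
```

The point a practitioner should take from the split is that compromising the instance host buys an attacker nothing beyond that host: the receiver holds no policy, no account data and no signing key for other hosts, and every command it will act on names the host, carries an expiry chosen by the control server, and cannot be replayed or edited in flight. A production deployment would carry the command over a mutually authenticated channel rather than a bare HMAC, and would persist the nonce set so a receiver restart does not reopen the replay window.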
February 23, 2016