Using Identity-Based Policies (IAM Policies) for Amazon Snowball - Amazon Snowball Edge Developer Guide
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using Identity-Based Policies (IAM Policies) for Amazon Snowball

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). These policies thereby grant permissions to perform operations on Amazon Snowball resources in the Amazon Web Services Cloud.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Snowball resources. For more information, see Overview of Managing Access Permissions to Your Resources in the Amazon Web Services Cloud.

The sections in this topic cover the following:

The following shows an example of a permissions policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*", "importexport:*" ], "Resource": "*" } ] }

The policy has two statements:

  • The first statement grants permissions for three Amazon S3 actions (s3:GetBucketLocation, s3:GetObject, and s3:ListBucket) on all Amazon S3 buckets using the Amazon Resource Name (ARN) of arn:aws:s3:::*. The ARN specifies a wildcard character (*) so the user can choose any or all Amazon S3 buckets to export data from.

  • The second statement grants permissions for all Amazon Snowball actions. Because these actions don't support resource-level permissions, the policy specifies the wildcard character (*) and the Resource value also specifies a wild card character.

The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon Snowball job management API actions and the resources that they apply to, see Amazon Snowball API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the Amazon Snowball Console

The permissions reference table lists the Amazon Snowball job management API operations and shows the required permissions for each operation. For more information about job management API operations, see Amazon Snowball API Permissions: Actions, Resources, and Conditions Reference.

To use the Amazon Snow Family Management Console, you need to grant permissions for additional actions as shown in the following permissions policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListAllMyBuckets" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetFunctionConfiguration" ], "Resource": "arn:aws:lambda:::function:*" }, { "Effect": "Allow", "Action": [ "lambda:ListFunctions" ], "Resource": "arn:aws:lambda:::*" }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:ListRoles", "iam:ListRolePolicies", "iam:PutRolePolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "importexport.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:ModifyImageAttribute", ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:ListTopics", "sns:GetTopicAttributes", "sns:SetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:Subscribe" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:getServiceRoleForAccount" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] } ] }

The Amazon Snowball console needs these additional permissions for the following reasons:

  • ec2: – These allow the user to describe Amazon EC2 instances and modify their attributes for local compute purposes. For more information, see Using Amazon EC2 Compute Instances.

  • lambda: – These allow the user to select Lambda functions for local compute purposes. For more information, see Using Amazon Lambda with an Amazon Snowball Edge.

  • iam: – These allow the user to create or choose an IAM role ARN that Amazon Snowball will assume to access the Amazon resources associated with job creation and processing.

  • sns: – These allow the user to create or choose the Amazon SNS notifications for the jobs they create. For more information, see Notifications for the Amazon Snowball Edge.

Amazon-Managed (Predefined) Policies for Amazon Snowball Edge

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide.

You can use the following Amazon-managed policies with Amazon Snowball.

Creating an IAM Role Policy for Snowball Edge

An IAM role policy must be created with read and write permissions for your Amazon S3 buckets. The IAM role must also have a trust relationship with Snowball. Having a trust relationship means that Amazon can write the data in the Snowball and in your Amazon S3 buckets, depending on whether you're importing or exporting data.

When you create a job in the Amazon Snow Family Management Console, creating the necessary IAM role occurs in step 4 in the Permission section. This process is automatic. The IAM role that you allow Snowball to assume is only used to write your data to your bucket when the Snowball with your transferred data arrives at Amazon. The following procedure outlines that process.

To create the IAM role for your import job

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Snowball console at https://console.amazonaws.cn/importexport/.

  2. Choose Create job.

  3. In the first step, fill out the details for your import job into Amazon S3, and then choose Next.

  4. In the second step, under Permission, choose Create/Select IAM Role.

    The IAM Management Console opens, showing the IAM role that Amazon uses to copy objects into your specified Amazon S3 buckets.

  5. Review the details on this page, and then choose Allow.

    You return to the Amazon Snow Family Management Console, where Selected IAM role ARN contains the Amazon Resource Name (ARN) for the IAM role that you just created.

  6. Choose Next to finish creating your IAM role.

The preceding procedure creates an IAM role that has write permissions for the Amazon S3 buckets that you plan to import your data into. The IAM role that is created has one of the following structures, depending on whether it's for an import job or export job.

IAM Role for an Import Job

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*" } ] }

If you use server-side encryption with Amazon KMS–managed keys (SSE-KMS) to encrypt the Amazon S3 buckets associated with your import job, you also need to add the following statement to your IAM role.

{ "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111" }

If the object sizes are larger, the Amazon S3 client that is used for the import process uses multipart upload. If you initiate a multipart upload using SSE-KMS, then all the uploaded parts are encrypted using the specified Amazon KMS key. Because the parts are encrypted, they must be decrypted before they can be assembled to complete the multipart upload. So you must have permission to decrypt the Amazon KMS key (kms:Decrypt) when you run a multipart upload to Amazon S3 with SSE-KMS.

The following is an example of an IAM role needed for an import job that needs kms:Decrypt permission.

{ "Effect": "Allow", "Action": [ "kms:GenerateDataKey","kms:Decrypt" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111" }

The following is an example of an IAM role needed for an export job.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" } ] }

If you use server-side encryption with Amazon KMS–managed keys to encrypt the Amazon S3 buckets associated with your export job, you also need to add the following statement to your IAM role.

{ "Effect": "Allow", "Action": [ “kms:Decrypt” ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111" }

You can create your own custom IAM policies to allow permissions for API operations for Amazon Snowball job management. You can attach these custom policies to the IAM users or groups that require those permissions.