Customer Managed Policy Examples - Amazon Snowball Edge Developer Guide
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various Amazon Snowball job management actions. These policies work when you are using Amazon SDKs or the Amazon CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in Permissions Required to Use the Amazon Snowball Console.

Note

All examples use the us-west-2 region and contain fictitious account IDs.

Example 1: Role Policy That Allows a User to Create a Job with the API

The following permissions policy is a necessary component of any policy that is used to grant job or cluster creation permission using the job management API. The statement is needed as a Trust Relationship policy statement for the Snowball IAM role.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "AWSIE" } } } ] }

Example 2: Role Policy for Creating Import Jobs

You use the following role trust policy for creating import jobs for Snowball Edge that use Amazon Lambda powered by Amazon IoT Greengrass functions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

Example 3: Role Policy for Creating Export Jobs

You use the following role trust policy for creating export jobs for Snowball Edge that use Amazon Lambda powered by Amazon IoT Greengrass functions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

Example 4: Expected Role Permissions and Trust Policy

The following expected role permissions policy is a necessary for an existing service role to use. It is a one time set up.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sns:Publish", "Resource": ["[[snsArn]]"] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/SnowFamily" } } } ] }

The following expected role trust policy is a necessary for an existing service role to use. It is a one time set up.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Amazon Snowball API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control in the Amazon Web Services Cloud and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table following each Amazon Snowball job management API operation and the corresponding actions for which you can grant permissions to perform the action. It also includes for each API operation the Amazon resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use Amazon-wide condition keys in your Amazon Snowball policies to express conditions. For a complete list of Amazon-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the snowball: prefix followed by the API operation name (for example, snowball:CreateJob).

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

Amazon Snowball Job Management API and Required Permissions for Actions
Job Management API Actions Required Permissions

CancelCluster

snowball:CancelCluster

CancelJob

snowball:CancelJob

CreateAddress

snowball:CreateAddress

CreateCluster

This action requires the following permissions:

CreateJob

DescribeAddress

snowball:DescribeAddress

DescribeAddresses

snowball:DescribeAddresses

DescribeCluster

snowball:DescribeCluster

DescribeJob

snowball:DescribeJob

GetJobManifest

snowball:GetJobManifest

GetJobUnlockCode

snowball:GetJobUnlockCode

GetSnowballUsage

snowball:GetSnowballUsage

ListClusterJobs

snowball:ListClusterJobs

ListClusters

snowball:ListClusters

ListJobs

snowball:ListJobs

UpdateCluster

snowball:UpdateCluster

UpdateJob

snowball:UpdateJob