Protecting Data On Your Device - Amazon Snowball Edge Developer Guide
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Protecting Data On Your Device

Securing your Amazon Snowball Edge

Following are some security points that we recommend you consider when using Amazon Snowball Edge, and also some high-level information on other security precautions that we take when a device arrives at Amazon for processing.

We recommend the following security approaches:

  • You should make an effort to protect your job credentials from disclosure. Any individual who has access to a job's manifest and unlock code can access the contents of the device sent for that job.

  • Don't leave the device sitting on a loading dock. Left on a loading dock, it can be exposed to the elements. Although each Amazon Snowball Edge device is rugged, weather can damage the sturdiest of hardware. Report stolen, missing, or broken devices as soon as possible. The sooner such an issue is reported, the sooner another one can be sent to complete your job.

We perform the following security steps:

  • When transferring data with the Amazon S3 interface, object metadata is not persisted. The only metadata that remains the same is filename and filesize. All other metadata is set as in the following example: -rw-rw-r-- 1 root root [filesize] Dec 31 1969 [path/filename]

  • When transferring data with the file interface, object metadata is persisted.

  • When a device arrives at Amazon, we inspect it for any signs of tampering and to verify that no changes were detected by the Trusted Platform Module (TPM). Amazon Snowball Edge uses multiple layers of security designed to protect your data, including tamper-resistant enclosures, 256-bit encryption, and an industry-standard TPM designed to provide both security and full chain of custody for your data.

  • Once the data transfer job has been processed and verified, Amazon performs a software erasure of the Snowball device that follows the National Institute of Standards and Technology (NIST) guidelines for media sanitization.

Validating NFC Tags

Snowball Edge Compute Optimized and Snowball Edge Storage Optimized (for data transfer) devices have NFC tags built into them. You can scan these tags with the Amazon Snowball Edge Verification App, available on Android. Scanning and validating these NFC tags can help you verify that your device has not been tampered with before you use it.

Validating NFC tags includes using the Snowball Edge client to generate a device-specific QR code to verify that the tags you're scanning are for the right device.

The following procedure describes how to validate the NFC tags on a Snowball Edge device. Before you get started, make sure you've performed the following first five steps of the getting started exercise:

  1. Create your Snowball Edge job. For more information, see Creating an AmazonAmazon Snowball Edge Job

  2. Receive the device. For more information, see Receiving the Snowball Edge.

  3. Connect to your local network. For more information, see Connecting to Your Local Network.

  4. Get your credentials and tools. For more information, see Getting Your Credentials and Tools.

  5. Download and install the Snowball Edge client. For more information, see Downloading and Installing the Snowball Edge client.

To validate the NFC tags

  1. Run the snowballEdge get-app-qr-code Snowball Edge client command. If you run this command for a node in a cluster, provide the serial number (--device-sn) to get a QR code for a single node. Repeat this step for each node in the cluster. For more information on using this command, see Getting Your QR Code for NFC Validation.

    The QR code is saved to a location of your choice as a .png file.

  2. Navigate to the .png file that you saved, and open it so that you can scan the QR code with the app.

  3. You can scan these tags using the Amazon Snowball Edge Verification App available on iOS and Android.

  4. Start the app, and follow the on-screen instructions.

You've now successfully scanned and validated the NFC tags for your device.

If you encounter issues while scanning, try the following:

  • Confirm that your device has the Snowball Edge Compute Optimized options (with or without GPU).

  • Download the app on another phone, and try again.

  • Move the device to an isolated area of the room, away from interference from other NFC tags, and try again.

  • If issues persist, contact Amazon Web Services Support.