Data Protection in Amazon Snowball Edge
Amazon Snowball Edge conforms to the Amazon shared responsibility model.
For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with Amazon resources. We recommend TLS 1.2 or later.
- Set up API and user activity logging with Amazon CloudTrail.
- Use Amazon encryption solutions, along with all default security controls within Amazon services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
- If you require FIPS 140-2 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.
We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields such as a Name field. This includes when you work with Amazon Snowball Edge or other Amazon services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into Amazon Snowball Edge or other services might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don't include credentials information in the URL to validate your request to that server.
For more information about data protection, see the Amazon Shared Responsibility Model and GDPR.
Protecting Data in the Cloud
Amazon Snowball Edge protects your data when you're importing or exporting data into Amazon S3, when you create a job to order a Snowball Edge device, and when your device is updated. The following sections describe how you can protect your data when you use Snowball Edge and are online or interacting with Amazon in the cloud.
Topics
- Protecting Data On Your Device
Securing your Amazon Snowball Edge
Following are some security points that we recommend you consider when using Amazon Snowball Edge, and also some high-level information on other security precautions that we take when a device arrives at Amazon for processing.
We recommend the following security approaches:
- You should make an effort to protect your job credentials from disclosure. Any individual who has access to a job's manifest and unlock code can access the contents of the device sent for that job.
- Don't leave the device sitting on a loading dock. Left on a loading dock, it can be exposed to the elements. Although each Amazon Snowball Edge device is rugged, weather can damage the sturdiest of hardware. Report stolen, missing, or broken devices as soon as possible. The sooner such an issue is reported, the sooner another one can be sent to complete your job.
We perform the following security steps:
- When transferring data with the Amazon S3 adapter, object metadata is not persisted. The only metadata that remains the same is filename and filesize. All other metadata is set as in the following example:
  -rw-rw-r-- 1 root root [filesize] Dec 31 1969 [path/filename]
- When transferring data with the NFS interface, object metadata is persisted.
- When a device arrives at Amazon, we inspect it for any signs of tampering and to verify that no changes were detected by the Trusted Platform Module (TPM). Amazon Snowball Edge uses multiple layers of security designed to protect your data, including tamper-resistant enclosures, 256-bit encryption, and an industry-standard TPM designed to provide both security and full chain of custody for your data.
- Once the data transfer job has been processed and verified, Amazon performs a software erasure of the Snowball device that follows the National Institute of Standards and Technology (NIST) guidelines for media sanitization.
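Because the S3 adapter keeps only the filename and size, a post-transfer check should compare exactly those two attributes and treat every other attribute in the listing (mode, owner, group, modification date) as reset rather than as evidence of anything. The script below is an added example, not part of the Amazon documentation or the Snowball Edge client: it parses an `ls -l`-style listing in the format shown above, compares a pre-transfer inventory against the post-import listing, reports files that are missing or whose size changed, and separately flags files that were unreadable by "others" locally but show the adapter's default mode after import, so access control is applied on the S3 side instead of being assumed to carry over. Both listings are constructed sample data.

```python
"""Post-transfer check for data moved through the Snowball Edge S3 adapter.

Added example (not Amazon's code). Both listings below are constructed.
The post-import listing follows the format the documentation shows:
    -rw-rw-r-- 1 root root [filesize] Dec 31 1969 [path/filename]
"""
import re
from dataclasses import dataclass

# One `ls -l`-style line: mode, link count, owner, group, size, "Mon DD YYYY", path.
LISTING_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\S+\s+\d+\s+\d{4})\s+(?P<path>.+)$"
)

# Constructed: inventory taken on the source system before the transfer.
BEFORE_LISTING = """
-rwx------ 1 alice finance 2048 Mar 14 2023 reports/q1.csv
-rw-r--r-- 1 alice finance 512 Mar 15 2023 reports/readme.txt
-rw------- 1 bob finance 4096 Apr 1 2023 keys/archive.tar
-rw-r--r-- 1 bob finance 128 Apr 2 2023 notes/todo.md
"""

# Constructed: what the imported objects look like after the S3 adapter,
# with the adapter's fixed mode/owner/date and one deliberately wrong size
# and one missing file to exercise the failure paths.
AFTER_LISTING = """
-rw-rw-r-- 1 root root 2048 Dec 31 1969 reports/q1.csv
-rw-rw-r-- 1 root root 512 Dec 31 1969 reports/readme.txt
-rw-rw-r-- 1 root root 4000 Dec 31 1969 keys/archive.tar
"""


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    mode: str
    owner: str
    group: str
    date: str


def parse_listing(text):
    """Parse listing lines into a dict of path -> Entry; reject malformed lines."""
    entries = {}
    for line in text.strip().splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable listing line: {line!r}")
        entries[m["path"]] = Entry(
            m["path"], int(m["size"]), m["mode"], m["owner"], m["group"], m["date"]
        )
    return entries


def compare(before, after):
    """Compare inventories. Only path and size are trustworthy after the adapter;
    every other field is expected to differ and is reported, not treated as an error."""
    report = {
        "missing": [],          # present before, absent after
        "size_mismatch": [],    # (path, size_before, size_after)
        "metadata_reset": [],   # (path, [fields that changed])
        "lost_restriction": [], # locally unreadable by others, default mode after import
        "ok": [],               # arrived with matching size
    }
    for path, src in before.items():
        dst = after.get(path)
        if dst is None:
            report["missing"].append(path)
            continue
        if src.size != dst.size:
            report["size_mismatch"].append((path, src.size, dst.size))
            continue
        changed = [f for f in ("mode", "owner", "group", "date")
                   if getattr(src, f) != getattr(dst, f)]
        if changed:
            report["metadata_reset"].append((path, changed))
        # mode[7] is the "others read" bit: '-' locally but 'r' after import.
        if src.mode[7] == "-" and dst.mode[7] == "r":
            report["lost_restriction"].append(path)
        report["ok"].append(path)
    report["unexpected"] = sorted(set(after) - set(before))
    return report


def run_check():
    """Run the comparison over the constructed listings and return the report."""
    return compare(parse_listing(BEFORE_LISTING), parse_listing(AFTER_LISTING))


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

In practice the "before" inventory would be generated on the source host before copying to the device, and the "after" listing from the bucket after the import job completes; any entry under `size_mismatch` or `missing` is the one to investigate, while `metadata_reset` is the expected consequence of the adapter and `lost_restriction` lists the files whose access control must be set on the S3 side.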
Validating NFC Tags
Snowball Edge Compute Optimized and Snowball Edge Storage Optimized (for data transfer) devices have NFC tags built into them. You can scan these tags with the Amazon Snowball Edge Verification App, available on Android. Scanning and validating these NFC tags can help you verify that your device has not been tampered with before you use it.
Validating NFC tags includes using the Snowball Edge client to generate a device-specific QR code to verify that the tags you're scanning are for the right device.
The following procedure describes how to validate the NFC tags on a Snowball Edge device. Before you get started, make sure you've performed the following first five steps of the getting started exercise:
- Create your Snowball Edge job. For more information, see Creating a job to order a Snowball Edge device.
- Receive the device. For more information, see Receiving the Snowball Edge.
- Connect to your local network. For more information, see Connecting a Snowball Edge to your local network.
- Get your credentials and tools. For more information, see Getting credentials to access a Snowball Edge.
- Download and install the Snowball Edge client. For more information, see Downloading and installing the Snowball Edge Client.
To validate the NFC tags
- Run the snowballEdge get-app-qr-code Snowball Edge client command. If you run this command for a node in a cluster, provide the serial number (--device-sn) to get a QR code for a single node. Repeat this step for each node in the cluster. For more information on using this command, see Getting a QR code to validate Snowball Edge NFC tags. The QR code is saved to a location of your choice as a .png file.
- Navigate to the .png file that you saved, and open it so that you can scan the QR code with the app.
- You can scan these tags using the Amazon Snowball Edge Verification App on Android.
  Note
  The Amazon Snowball Edge Verification App is not available to download, but if you have a device with the app already installed, you can use the app.
- Start the app, and follow the on-screen instructions.
You've now successfully scanned and validated the NFC tags for your device.
If you encounter issues while scanning, try the following:
- Confirm that your device has the Snowball Edge Compute Optimized options.
- If you have the app on another device, try using that device.
- Move the device to an isolated area of the room, away from interference from other NFC tags, and try again.
- If issues persist, contact Amazon Web Services Support.