Step 4: Choose Your Security Preferences - Amazon Snowball Edge Developer Guide
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Step 4: Choose Your Security Preferences

Setting security adds the permissions and encryption settings for your Amazon Snow Family devices job to help protect your data while in transit.

To set security for your job

  1. In the Encryption section, choose the KMS key that you want to use.

    • If you want to use the default Amazon Key Management Service (Amazon KMS) key, choose aws/importexport (default). This is the default key that protects your import and export jobs when no other key is defined.

    • If you want to provide your own Amazon KMS key, choose Enter a key ARN, provide the Amazon Resource Name (ARN) in the key ARN box, and choose Use this KMS key. The key ARN will be added to the list.

  2. In the Service access section, do one of the following:

    • Choose Create service role to grant Amazon Snow Family permissions to use Amazon S3 and Amazon Simple Notification Service (Amazon SNS) on your behalf. The role grants Amazon Security Token Service (Amazon STS) AssumeRole trust to the Snow service

    • Choose Add an existing role to use, to specify the IAM role that you want, or you can use the default role.

      For Policy name, choose the import policy that you want to use.

      Add the Condition object and aws:SourceAccount or aws:SourceARN elements to the access policy to restrict the Snow service so that it acts as only one Amazon account numbers. Or add both to be most restrictive.

      To restrict the Snow service so that it acts as only one or more account numbers, add one aws:SourceAccount element to the access policy and the account ID as the value.

      To restrict the Snow service so that it acts as only one or more ARNs, add one aws:SourceArn element to the access policy and the ARN as the value.

    Example of Condition object to restrict Snow service actions

    Example of restricting Snow service actions by ARN and account IDs.

    "Condition": { "StringEquals": { "aws:SourceAccount": "AWS_ACCOUNT_ID" } "ArnLike": { "aws:SourceArn": "arn:aws:snowball:REGION:AWS_ACCOUNT_ID:RESOURCE_ID" } }

    The following shows these conditions included in a policy.

    { "Version": "2012-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission", "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe", "SNS:ListSubscriptionsByTopic", "SNS:Publish" ], "Resource": "arn:aws-cn:sns:us-east-1:123456789012:my-sns-topic", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws-cn:sns:us-east-1:555555555555:my-sns-topic" } } } ] }

    Example policies for Snowball Edge devices

    The following is an example of an Amazon S3 import-only role policy.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET1", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*" ] } ] }
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

    The following is an example of an Amazon S3 export role policy.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:GetBucketPolicy" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET3", "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*" ] } ] }
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
    Note

    You can modify the trust relationship and restrict access to this role based on the customer account number and source arn. See Restricting Access to the Snow Role Policy on how to modify the trust relationship to restrict access.

  3. Choose Next. If the selected IAM role has defined a restricted access, the Create Job procedure will fail if the access criteria is not met.

  4. Choose Allow.

  5. Choose Next.