Restricting access to the Snow role policy - Amazon Snowcone User Guide

Restricting access to the Snow role policy

You can restrict access to the selected role by adding conditions to its trust policy that match the customer account number, the source ARN, or both.

  1. In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account.

  2. Choose the name of the role that you want to modify, and select the Trust relationships tab on the details page.

  3. Choose Edit trust relationships. Update the trust policy to one of the following:

    To restrict access by customer account number:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "importexport.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "111122223333"
            }
          }
        }
      ]
    }

    To restrict access by source ARN:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "importexport.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnLike": {
              "aws:SourceArn": "arn:aws-cn:snowball:REGION:555555555555:RESOURCE_ID"
            }
          }
        }
      ]
    }

    To restrict access by both customer account number and source ARN:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "importexport.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "111122223333"
            },
            "ArnLike": {
              "aws:SourceArn": "arn:aws-cn:snowball:REGION:111122223333:RESOURCE_ID"
            }
          }
        }
      ]
    }
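
To confirm the edit took effect, the saved trust policy can be checked for the two conditions shown above. The following is an added example, not part of the original guide: the function name `audit_trust_policy`, the accepted operator sets, and the sample policies are assumptions constructed for illustration.

```python
import json

SNOW_PRINCIPAL = "importexport.amazonaws.com"  # service principal used in the policies above
# Assumption: only these positive operators count as a restriction.
ACCOUNT_OPS = {"stringequals", "stringlike"}
ARN_OPS = {"arnlike", "arnequals", "stringequals", "stringlike"}

def _as_list(value):
    """IAM JSON accepts a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _has_key(condition, operators, key):
    """True if `key` appears (case-insensitively) under one of `operators`."""
    return any(op.lower() in operators and key in {k.lower() for k in block}
               for op, block in (condition or {}).items())

def audit_trust_policy(policy_json):
    """For each Allow statement that lets the Snow service principal assume the
    role, report which of the two source conditions are missing."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or SNOW_PRINCIPAL not in services:
            continue
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        cond = stmt.get("Condition")
        missing = []
        if not _has_key(cond, ACCOUNT_OPS, "aws:sourceaccount"):
            missing.append("aws:SourceAccount")
        if not _has_key(cond, ARN_OPS, "aws:sourcearn"):
            missing.append("aws:SourceArn")
        findings.append({"statement": i, "missing": missing})
    return findings

# Constructed samples: an unconditioned trust policy and the page's combined policy.
_BASE = {"Effect": "Allow", "Principal": {"Service": SNOW_PRINCIPAL}, "Action": "sts:AssumeRole"}
UNRESTRICTED = json.dumps({"Version": "2012-10-17", "Statement": [_BASE]})
RESTRICTED = json.dumps({"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn": "arn:aws-cn:snowball:REGION:111122223333:RESOURCE_ID"}})]})

if __name__ == "__main__":
    print(audit_trust_policy(UNRESTRICTED))
    print(audit_trust_policy(RESTRICTED))
```

An empty `missing` list means the statement carries both conditions; a statement that trusts the service principal with neither condition is the one to fix first.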