AWS Snowball User Guide
API Permission Policy Reference
{
"Effect": "Allow",
"Action": [
"s3:GetBucketPolicy",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
Role Policy for Creating Export Jobs
Creating an export job requires the following role policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
Amazon S3 Bucket Policy Principal for Creating Jobs
If the Amazon S3 buckets that you use with Snowball have bucket policies in place that require listing
the role session name of the assumed role, then you'll need to specify a principal in those policies
that identifies AWSImportExport-Validation. The following Amazon S3 bucket policy example
demonstrates how to do so.
Example
{
"Version": "2012-10-17",
104
To Next Page
Loading...