AWS Snowball - Security; Encryption in AWS Snowball; Server-Side Encryption

AWS Snowball User Guide
Security in AWS Snowball
Following, you can find information on security considerations for working with AWS Snowball. Security
is a significant concern when transporting information of any level of classification, and Snowball has
been designed with this concern in mind.
Topics
Encryption in AWS Snowball
Authorization and Access Control in AWS Snowball
AWS Key Management Service in Snowball
Authorization with the Amazon S3 API Adapter for Snowball
Other Security Considerations for Snowball
Encryption in AWS Snowball
When you're using a standard Snowball to import data into S3, all data transferred to a Snowball has
two layers of encryption:
1. A layer of encryption is applied in the memory of your local workstation. This layer is applied whether
you're using the Amazon S3 Adapter for Snowball or the Snowball client. This encryption uses AES
GCM 256-bit keys, and the keys are cycled for every 60 GB of data transferred.
2. SSL encryption is a second layer of encryption for all data going onto or off of a standard Snowball.
AWS Snowball uses server-side encryption (SSE) to protect data at rest.
Server-Side Encryption in AWS Snowball
AWS Snowball supports server-side encryption with Amazon S3–managed encryption keys (SSE-S3).
Server-side encryption is about protecting data at rest, and SSE-S3 has strong, multifactor encryption
to protect your data at rest in Amazon S3. For more information on SSE-S3, see Protecting Data Using
Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple
Storage Service Developer Guide.
Currently, Snowball doesn't support server-side encryption with AWS KMS–managed keys (SSE-KMS) or
server-side encryption with customer-provided keys (SSE-C). However, you might want to use either of
these SSE types to protect data that has been imported. Or you might already use one of those two SSE
types and want to export. In these cases, keep the following in mind:
Import – If you want to use SSE-KMS or SSE-C to encrypt the objects that you've imported into S3,
copy those objects into another bucket that has SSE-KMS encryption established as a part of that
bucket's bucket policy.
Export – If you want to export objects that are encrypted with SSE-KMS or SSE-C, first copy those
objects to another bucket that either has no server-side encryption, or has SSE-S3 specified in that
bucket's bucket policy.
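
The Import case above, sketched as an added example (not part of the AWS guide): a destination bucket policy that denies object writes not requesting SSE-KMS, and the arguments for a boto3 copy_object() call that satisfies it. The bucket names and key ARN are constructed placeholders, and write_denied() is a simplified local model of the one Deny condition shown here, not IAM's full policy evaluation.

```python
import json

SSE_HEADER = "x-amz-server-side-encryption"

def sse_kms_only_policy(bucket):
    """Bucket policy denying object writes that do not request SSE-KMS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyWritesWithoutSseKms",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",  # CopyObject into the bucket needs this too
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # A negated operator also matches when the header is absent.
            "Condition": {"StringNotEquals": {f"s3:{SSE_HEADER}": "aws:kms"}},
        }],
    }

def copy_object_args(src_bucket, dst_bucket, key, kms_key_id):
    """Keyword arguments for boto3's S3 client copy_object() call."""
    return {
        "CopySource": {"Bucket": src_bucket, "Key": key},
        "Bucket": dst_bucket,
        "Key": key,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": kms_key_id,
    }

def headers_for(args):
    """SSE request header that a copy with these arguments would carry."""
    sse = args.get("ServerSideEncryption")
    return {SSE_HEADER: sse} if sse else {}

def write_denied(policy, headers):
    """Simplified check: does a Deny statement match this request's headers?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny":
            conds = stmt["Condition"]["StringNotEquals"].items()
            if all(headers.get(k.split(":", 1)[1]) != v for k, v in conds):
                return True
    return False

if __name__ == "__main__":
    policy = sse_kms_only_policy("example-kms-bucket")
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    args = copy_object_args("example-import-bucket", "example-kms-bucket", "data/file.bin", key_arn)
    print(json.dumps(policy, indent=2))
    print("copy without SSE header denied:", write_denied(policy, {}))
    print("copy with SSE-KMS denied:", write_denied(policy, headers_for(args)))
```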