AWS Snowball User Guide
Authorization and Access Control
Authorization and Access Control in AWS Snowball
You must have valid credentials to create Snowball jobs. You use these credentials to authenticate your
access. A requester with valid credentials must also have permissions from the resource owner to access
that owner's resources. For example, you can use the AWS Identity and Access Management
(IAM) service to create users in your account. IAM users have valid credentials to make requests, but by
default they don't have permissions to access any resources. The following sections describe how
to authenticate requests and manage permissions to access Snowball resources.
Note
The following information is specific to the AWS Snowball Management Console and
Snowball client. If you're planning on programmatically creating jobs and transferring data, see
the AWS Snowball API Reference.
Authentication
Every Snowball job must be authenticated. You do this by creating and managing the IAM users in your
account. Using IAM, you can create and manage users and permissions in AWS.
Snowball users must have certain IAM-related permissions to access the AWS Snowball Management
Console to create jobs. An IAM user that creates an import or export job must also have access to the
right Amazon Simple Storage Service (Amazon S3) resources, such as the Amazon S3 buckets to be used
for the job.
To use the AWS Snowball Management Console, the IAM user must meet the following conditions:
• The IAM account must be able to do the following:
  • List all of your Amazon S3 buckets and create new ones as needed.
  • Create Amazon Simple Notification Service (Amazon SNS) topics.
  • Select AWS Key Management Service (AWS KMS) keys.
  • Create IAM role Amazon Resource Names (ARNs).
  For more information on granting a user access to an Amazon S3 bucket, see Creating an IAM User for
  Snowball (p. 79).
• An IAM role must be created with write permissions for your Amazon S3 buckets. The role must also
have a trust relationship with Snowball, so AWS can write the data in the Snowball to your designated
Amazon S3 buckets. The job creation wizard for each job does this step automatically; you can also do
it manually. For more information, see Creating an IAM Role for Snowball (p. 81).
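The role described in the last condition can be checked for scope before a job is created. The following is an added example, not code from the AWS guide: it audits a role's trust policy and permissions policy so that only Snowball can assume the role and write access is limited to the job's buckets. The service principal name, the function names, and the sample policies are assumptions or constructed values.

```python
from fnmatch import fnmatchcase

# Assumption: the service principal Snowball uses to assume the role. Not stated
# on this page; confirm it in "Creating an IAM Role for Snowball".
SNOWBALL_PRINCIPAL = "importexport.amazonaws.com"
WRITE_ACTIONS = {"s3:PutObject", "s3:*", "*"}

def _as_list(value):
    """IAM policy fields accept either a single string or a list."""
    return value if isinstance(value, list) else [value]

def audit_snowball_role(trust_policy, permissions_policy, job_buckets):
    """Return findings for a Snowball role; an empty list means it is scoped."""
    findings, trusted, writable = [], set(), set()
    # Trust relationship: only the Snowball service should assume the role.
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*":
            trusted.add("*")
        else:
            for values in principal.values():
                trusted.update(_as_list(values))
    if SNOWBALL_PRINCIPAL not in trusted:
        findings.append("trust: Snowball service principal missing")
    findings += [f"trust: unexpected principal {p}"
                 for p in sorted(trusted - {SNOWBALL_PRINCIPAL})]
    # Write permissions: cover every job bucket and nothing wider.
    for stmt in _as_list(permissions_policy["Statement"]):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and actions & WRITE_ACTIONS:
            writable.update(_as_list(stmt.get("Resource", [])))
    expected = {f"arn:aws:s3:::{bucket}/*" for bucket in job_buckets}
    findings += [f"s3: no write access to {arn}" for arn in sorted(expected)
                 if not any(fnmatchcase(arn, pat) for pat in writable)]
    findings += [f"s3: write access beyond job buckets: {arn}"
                 for arn in sorted(writable - expected)]
    return findings

# Constructed sample policies (bucket name and account ID are placeholders).
def _policy(**stmt):
    return {"Version": "2012-10-17", "Statement": [dict(Effect="Allow", **stmt)]}
GOOD_TRUST = _policy(Principal={"Service": SNOWBALL_PRINCIPAL}, Action="sts:AssumeRole")
LOOSE_TRUST = _policy(Principal={"Service": SNOWBALL_PRINCIPAL,
                                 "AWS": "arn:aws:iam::111122223333:root"},
                      Action="sts:AssumeRole")
GOOD_PERMS = _policy(Action=["s3:PutObject"], Resource="arn:aws:s3:::example-import-bucket/*")
LOOSE_PERMS = _policy(Action="s3:*", Resource="arn:aws:s3:::*")
```

The audit only inspects Allow statements with plain Action and Resource fields; policies that use NotAction, NotResource, or Deny statements need a fuller evaluation.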
Creating an IAM User for Snowball
If the account doing the work in the Snowball console is not the root account or administrator, you must
use the IAM Management Console to grant the user the permissions necessary to create and manage
jobs. The following procedure shows how to create a new IAM user for this purpose and give that user
the necessary permissions through an inline policy.
If you are updating an existing IAM user, start with step 6.
To create a new IAM user for Snowball
1. Sign in to the AWS Management Console and open the IAM Management Console at
https://console.aws.amazon.com/iam.
2. From the navigation pane, choose Users.
3. Choose Create New Users.