AWS Snowball User Guide
Access Control
In some cases, we can help you grant and manage access control to the resources used in transferring
your data with Snowball. In other cases, we suggest that you follow industry-wide best practices for
access control.
| Resource | Description | How to Control Access |
| --- | --- | --- |
| AWS Snowball Management Console | The AWS Snowball Management Console is where you create and manage your data transfers between your on-premises data centers and Amazon S3 using discrete units of work called jobs. To access the console, see AWS Snowball Management Console. | You can control access to this resource by creating or managing your IAM users. For more information, see Creating an IAM User for Snowball (p. 79). |
| Amazon S3 buckets | All data in Amazon S3 is stored in units called objects. Objects are stored in containers called buckets. Any data that goes into Amazon S3 must be stored in a bucket. | To import data into an Amazon S3 bucket, the IAM user that created the import job must have read and write access to your Amazon S3 buckets. For more information on granting a user access to an Amazon S3 bucket, see How Amazon S3 Authorizes a Request for a Bucket Operation and Example 1: Bucket Owner Granting Its Users Bucket Permissions in the Amazon Simple Storage Service Developer Guide. |
| Snowball | A Snowball is a storage appliance that is physically rugged, protected by AWS Key Management Service (AWS KMS), and owned by Amazon. In the AWS Snowball service, all data transfers between Amazon S3 and your on-premises data center are done through a Snowball. You can only access a Snowball through the Snowball client, the data transfer tool. For you to access a Snowball, it must be connected to a physical workstation that has the Snowball client installed on it in your on-premises data center. With the Snowball client, you can access the Snowball by providing the job manifest and unlock code in the command that the Snowball client uses to start communication with the Snowball. | You can control access to the Snowball by careful distribution of a job's manifest and unlock code. |
| Manifest | The manifest is an encrypted file that you can download from the AWS Snowball Management Console after your job enters the Processing status. The unlock code decrypts the manifest when you pass both values to the Snowball through the Snowball client the first time the client is started. | As a best practice, we recommend that you don't save a copy of the unlock code in the same location as the manifest for that job. Saving these separately helps prevent unauthorized parties from gaining access to the Snowball associated with that job. For example, you might save a copy of the manifest to the workstation, and email the code |