AWS Snowball User Guide
Table columns: Resource / Description / How to Control Access

(Row continued from the previous page, "How to Control Access" column:) ... to the IAM user to perform the data transfer from the workstation. This approach limits those who can access the Snowball to individuals who have access to files saved on the workstation and also that IAM user's email address.

Resource: Unlock code

Description: The unlock code is a 29-character code with 25 alphanumeric characters and 4 hyphens. This code decrypts the manifest when it is passed along with the manifest to the Snowball through the Snowball client when the client is started for the first time. You can see the unlock code in the AWS Snowball Management Console after your job enters the Preparing Snowball status. The code also appears in the dialog box when you download the manifest for a job. The unlock code appears on-screen only and is not downloaded.

How to Control Access: Again, as a best practice we recommend that you don't save a copy of the unlock code in the same location as the manifest for that job. Saving these separately helps prevent unauthorized parties from gaining access to the Snowball associated with that job. For example, you might save a copy of the manifest to the workstation, and email the code to the IAM user to perform the data transfer from the workstation. This approach limits those who can access the Snowball to individuals who have access to files saved on the workstation and also that IAM user's email address.
AWS Key Management Service in Snowball
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and
control the encryption keys used to encrypt your data. AWS KMS uses hardware security modules (HSMs)
to protect your keys. In AWS Snowball, the Amazon Resource Name (ARN) of the AWS KMS key that you
choose for a job identifies the KMS key that encrypts the unlock code for that job. The unlock code
decrypts the top layer of encryption on your manifest file, and the encryption keys stored within the
manifest file encrypt and decrypt the data on the device.
In Snowball, you can choose an existing KMS key. Specifying the ARN for an AWS KMS key tells Snowball
which AWS KMS master key to use to encrypt the unique keys on the Snowball.
Your data is encrypted in the local memory of your workstation before it is transferred to the Snowball.
The Snowball never contains any discoverable keys.
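As an added illustration (not AWS code, and not Snowball's actual file format), the following Python models the layering just described: a KMS key wraps the unlock code, the unlock code unlocks the manifest, and the data key carried in the manifest encrypts data on the workstation before transfer. The HMAC-based cipher, the PBKDF2 derivation of a manifest key from the unlock code, and the manifest's JSON layout are all assumptions made for the demo.

```python
# Added model of the Snowball key layering described above (not AWS code).
# Stand-in AEAD: HMAC-SHA256 keystream + encrypt-then-MAC tag, so it runs with
# only the standard library; AWS uses AES-based encryption, not this construction.
import hashlib, hmac, json, os, secrets, string

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def make_unlock_code() -> str:
    """29 characters: five groups of 5 alphanumerics joined by 4 hyphens (format from the guide)."""
    alphabet = string.ascii_uppercase + string.digits
    return "-".join("".join(secrets.choice(alphabet) for _ in range(5)) for _ in range(5))

def manifest_key(unlock_code: str) -> bytes:
    # Assumed KDF: the guide only says the unlock code decrypts the manifest's top layer.
    return hashlib.pbkdf2_hmac("sha256", unlock_code.encode(), b"manifest-top-layer", 50_000)

def create_job(kms_key: bytes) -> dict:
    """Service side. kms_key stands in for the KMS key behind the ARN chosen for the job."""
    code = make_unlock_code()
    data_key = os.urandom(32)                      # key that will encrypt data on the device
    manifest = seal(manifest_key(code), json.dumps({"data_key": data_key.hex()}).encode())
    return {"manifest": manifest, "unlock_code": code,
            "unlock_code_under_kms": seal(kms_key, code.encode())}   # models KMS Encrypt

def client_unlock(manifest: bytes, unlock_code: str) -> bytes:
    """Snowball client at first start: manifest + unlock code together yield the data key."""
    return bytes.fromhex(json.loads(unseal(manifest_key(unlock_code), manifest))["data_key"])
```

Holding only the manifest, or only the unlock code, recovers nothing, which is the reason the guide tells you to store them in separate places.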
In Amazon S3, there is a server-side-encryption option that uses AWS KMS–managed keys (SSE-KMS).
SSE-KMS is not supported with AWS Snowball. For more information on supported SSE in AWS Snowball,
see Server-Side Encryption in AWS Snowball (p. 77).