AWS Snowball User Guide
Using the AWS-Managed Customer Master Key for Snowball
If you'd like to use the AWS-managed customer master key (CMK) for Snowball created for your account,
use the following procedure.
To select the AWS KMS CMK for your job
1. On the AWS Snowball Management Console, choose Create job.
2. Choose your job type, and then choose Next.
3. Provide your shipping details, and then choose Next.
4. Fill in your job's details, and then choose Next.
5. Set your security options. Under Encryption, for KMS key either choose the AWS-managed CMK or
a custom CMK that was previously created in AWS KMS, or choose Enter a key ARN if you need to
enter a key that is owned by a separate account.
Note
The AWS KMS key ARN is a globally unique identifier for the AWS KMS CMK.
6. Choose Next to finish selecting your AWS KMS CMK.
Creating a Custom KMS Envelope Encryption Key
You have the option of using your own custom AWS KMS envelope encryption key with AWS Snowball.
If you choose to create your own key, that key must be created in the same region that your job was
created in.
To create your own AWS KMS key for a job, see Creating Keys in the AWS Key Management Service
Developer Guide.
Authorization with the Amazon S3 API Adapter for Snowball
When you use the Amazon S3 Adapter for Snowball, every interaction is signed with the AWS Signature
Version 4 algorithm by default. This authorization is used only to verify the data traveling from its source
to the adapter. All encryption and decryption happens in your workstation's memory. Unencrypted data
is never stored on the workstation or the Snowball.
When using the adapter, keep the following in mind:
You can disable signing – After you've installed the adapter on your workstation, you can disable
signing by modifying the snowball-adapter.config file. This file, saved to /.aws/snowball/config, has
a value named auth.enabled set to true by default. If you change this value to false, you disable
signing through the Signature Version 4 algorithm. You might not want to disable signing, because
signing is used to prevent modifications or changes to data traveling between the adapter and your
data storage. You can also enable HTTPS and provide your own certificate when communicating with
the adapter. To do so, you start the adapter with additional options. For more information, see Options
for the Amazon S3 Adapter for Snowball (p. 68).
Note
Data traveling to or from a Snowball is always encrypted, regardless of your signing solution.
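As an added illustration (not code from the guide or from the adapter itself), the following Python sketch shows why leaving auth.enabled at its default matters: a Signature Version 4 signature covers the SHA-256 of the request body, so a verifier that recomputes it over the bytes it actually received rejects anything altered in transit. The credentials are constructed sample values, and the adapter host, port and bucket are assumptions.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials (not real keys); adapter host/port and bucket are assumptions.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE, HOST = "us-west-2", "s3", "localhost:8080"

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def sign_put(key_path: str, body: bytes, amz_date: str) -> dict:
    """Build SigV4-signed headers for a PUT of `body` to `key_path` on the adapter.
    The payload hash is part of the canonical request, so any change to the bytes in
    transit invalidates the signature; that is the integrity property the guide describes."""
    date, payload_hash = amz_date[:8], _sha256_hex(body)
    headers = {"host": HOST, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(headers)                      # keys are already in sorted order
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in headers.items())
    canonical_request = "\n".join(["PUT", quote(key_path, safe="/~"), "",
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(SECRET_KEY, date, REGION, SERVICE),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def verify_put(headers: dict, key_path: str, body: bytes) -> bool:
    """Receiver side: recompute the signature over the bytes actually received and compare
    in constant time. Returns False if the body or a signed header was altered."""
    expected = sign_put(key_path, body, headers["x-amz-date"])["authorization"]
    return hmac.compare_digest(expected, headers["authorization"])
```

With signing disabled (auth.enabled set to false) there is no such check, which is why the guide recommends against it.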