Authorization with the Amazon S3 API Adapter for Snowball
When you use the S3 SDK Adapter for Snowball, every interaction is signed with the AWS Signature Version 4 algorithm by default. This authorization is used only to verify the data traveling from its source to the adapter. All encryption and decryption happens in your workstation's memory. Unencrypted data is never stored on the workstation or the Snowball.
When using the adapter, keep the following in mind:
You can disable signing – After you've installed the adapter on your workstation, you can disable signing by modifying the snowball-adapter.config file. This file, saved to /.aws/snowball/config, has a value named auth.enabled set to true by default. If you change this value to false, you disable signing through the Signature Version 4 algorithm. You might not want to disable signing, because signing is used to prevent modifications or changes to data traveling between the adapter and your data storage. You can also enable HTTPS and provide your own certificate when communicating with the adapter. To do so, you start the adapter with additional options. For more information, see
Following, you can find information on S3 SDK Adapter for Snowball options that help you configure how the adapter communicates with a Snowball.
Before transferring data into Amazon S3 using Snowball, make sure that the files and directories that you're going to transfer are named according to the Object Key Naming Guidelines.
Option Description Usage and Example
The AWS profile name that you want to use to sign requests to the Snowball. By default, the adapter uses the credentials specified in the home directory/.aws/credentials file, under the [default] profile. To specify a different profile, use this option followed by the profile name.
snowball-adapter -a Lauren
The AWS secret key that you want to use to sign requests to the Snowball. By default, the adapter uses the key present in the default profile specified in the home directory/.aws/credentials file, under the [default] profile. To specify a different profile, use this option, followed by a secret key. The --aws-profile-name option takes precedence if both options are specified.
snowball-adapter -s wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Usage information for the adapter.
The Snowball's IP address, which can be found on the Snowball's E Ink display.
snowball-adapter -i 192.0.2.0
The path to the manifest file for this job. You can get the manifest file from the AWS Snowball Management Console, or programmatically from the job management API.
snowball-adapter -m ~/Downloads/manifest.bin
The unlock code for this job. You can get the unlock code from the AWS Snowball Management Console, or programmatically from the job management API.
snowball-adapter -u 01234-abcde-01234-ABCDE-01234
A value that specifies whether or not the Secure Socket Layer (SSL) protocol is used for communicating with the adapter. If no additional certification path or private key is provided, then a self-signed certificate and key are generated in the home directory/.aws/snowball/config directory.
The path to the certificate to use for the SSL protocol when communicating with the adapter.
The path to the private key to use for the SSL protocol when communicating with the adapter.
Data traveling to or from a Snowball is always encrypted, regardless of your signing solution.
The encryption key is not changed by what AWS credentials you use – Because signing with the Signature Version 4 algorithm is only used to verify the data traveling from its source to the adapter, it never factors into the encryption keys used to encrypt your data on the Snowball.
You can use any AWS profile – The S3 SDK Adapter for Snowball never connects back to AWS to verify your AWS credentials, so you can use any AWS profile with the adapter to sign the data traveling between the workstation and the adapter.
The Snowball doesn't contain any AWS credentials – You manage access control and authorization to a Snowball on-premises. No software on the Snowball or adapter differentiates access between one user and another. When someone has access to a Snowball, the manifest, and the unlock code, that person has complete and total access to the appliance and all data on it. We recommend that you plan physical and network access for the Snowball accordingly.
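The integrity check that signing provides, as an added example (not AWS's adapter code): a minimal Signature Version 4 signer and verifier for a single PUT, showing that a verifier holding the same secret key detects a modified body without ever contacting AWS. The host, path, body, timestamp and region are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values: the secret is the documentation example key shown
# on this page; host, path, body, timestamp and region are made up for the demo.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOST, PATH, AMZ_DATE = "localhost:8080", "/example-bucket/report.csv", "20240101T000000Z"
BODY = b"id,amount\n1,100\n"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign_put(secret, host, path, body, amz_date, region="us-east-1"):
    """Return the hex SigV4 signature for a PUT with three signed headers."""
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical = "\n".join([
        "PUT", path, "",                                  # method, URI, empty query
        "".join(f"{n}:{headers[n]}\n" for n in names),    # canonical headers
        ";".join(names), payload_hash])                   # signed headers, body hash
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, "s3")
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def verify_put(secret, host, path, body, amz_date, signature):
    """Recompute the signature locally and compare in constant time."""
    expected = sign_put(secret, host, path, body, amz_date)
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    sig = sign_put(SECRET, HOST, PATH, BODY, AMZ_DATE)
    print("untouched body verifies:", verify_put(SECRET, HOST, PATH, BODY, AMZ_DATE, sig))
    tampered = BODY.replace(b"100", b"900")
    print("tampered body verifies: ", verify_put(SECRET, HOST, PATH, tampered, AMZ_DATE, sig))
```

The signature covers the body hash but plays no part in encrypting it, which is why the choice of profile affects only this check and not the keys protecting data on the Snowball.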