AWS Snowball
User Guide

AWS Key Management Service in Snowball

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data and that uses hardware security modules (HSMs) to protect the security of your keys. AWS KMS is integrated with AWS Snowball to secure your data and help meet your regulatory and compliance needs.

In Snowball, AWS KMS protects the encryption keys used to protect data on each Snowball. When you create your job, you also choose or create an AWS KMS key that you own, along with that key's Amazon Resource Name (ARN). Specifying the AWS KMS key ARN tells Snowball which AWS KMS master key to use to encrypt the unique keys on the Snowball.

Your data is encrypted through the Snowball client using envelope encryption, before you transfer it to the Snowball using keys managed by AWS KMS. At no time does the Snowball contain any discoverable keys.

Using the Default KMS Envelope Encryption Key

If you'd like to use the default key created for your account, use the following procedure.

To create the AWS KMS key for your job using the default key

  1. On the AWS Snowball Management Console, choose Create job.

  2. Choose your job type, and then choose Next.

  3. Provide your shipping details, and then choose Next.

  4. Fill in your job's details, and then choose Next.

  5. Set your security options. Under Encryption, for KMS key either choose the default AWS KMS key or a custom key that was previously created in AWS KMS, or choose Enter a key ARN if you need to enter a key that is owned by a separate account.


    The AWS KMS key ARN is a globally unique identifier for AWS KMS keys.

  6. Choose Next to finish selecting your AWS KMS key.

Creating a Custom KMS Envelope Encryption Key

You have the option of using your own custom AWS KMS envelope encryption key with AWS Snowball. If you choose to create your own key, that key must be created in the same region that your job was created with the following exceptions.

  • US West (N. California) – KMS keys for jobs created in this region must be created in US East (N. Virginia).

  • US West (Oregon) – KMS keys for jobs created in this region must be created in US East (N. Virginia).

To create your own AWS KMS key for a job

  1. Sign in to the Identity and Access Management (IAM) console at

  2. From the navigation menu, choose Encryption Keys.

  3. Choose Create Key.

  4. For Alias, type an alias for your key, and for Description, type a description for your key. Then choose Next Step.

  5. Optionally, define any permissions for the IAM users and roles that will use this key when creating jobs for Snowball. For more information, see in the AWS Key Management Service Developer Guide.

  6. Choose Next Step.

  7. Optionally, define any usage permissions for using this key. For more information, see in the AWS Key Management Service Developer Guide.

  8. Choose Next Step.

  9. You'll see a preview of the key policy that will be generated when you finish this wizard. If it meets your needs, choose Finish.

You've now created an AWS KMS key to envelope-encrypt the data to transfer to Snowballs for your jobs. The next time you create a new job, the alias for this AWS KMS key appears in the KMS key box in Step 4: Set security of the job creation wizard in the Snowball Management Console.