AWS Key Management Service in Snowball
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data and that uses hardware security modules (HSMs) to protect the security of your keys. Specifically, the Amazon Resource Name (ARN) for the AWS KMS key that you choose for a job in AWS Snowball is associated with a KMS key. That KMS key is used to encrypt the unlock code for your job. The unlock code is used to decrypt the top layer of encryption on your manifest file. The encryption keys stored within the manifest file are used to encrypt and de-encrypt the data on the device.
In Snowball, you can choose an existing KMS key or create a new KMS key, along with that key's ARN. Specifying the ARN for a AWS KMS key tells Snowball which AWS KMS master key to use to encrypt the unique keys on the Snowball.
Your data is encrypted in the local memory of your workstation before it is transferred to the Snowball. The Snowball never contains any discoverable keys.
In Amazon S3, there is a server-side-encryption option that uses AWS KMS–managed keys (SSE-KMS). SSE-KMS is not supported with AWS Snowball. For more information on supported SSE in AWS Snowball, see Server-Side Encryption in Snowball.
Using the Default KMS Envelope Encryption Key
If you'd like to use the default key created for your account, use the following procedure.
To create the AWS KMS key for your job using the default key
On the AWS Snowball Management Console, choose Create job.
Choose your job type, and then choose Next.
Provide your shipping details, and then choose Next.
Fill in your job's details, and then choose Next.
Set your security options. Under Encryption, for KMS key either choose the default AWS KMS key or a custom key that was previously created in AWS KMS, or choose Enter a key ARN if you need to enter a key that is owned by a separate account.
The AWS KMS key ARN is a globally unique identifier for AWS KMS keys.
Choose Next to finish selecting your AWS KMS key.
Creating a Custom KMS Envelope Encryption Key
You have the option of using your own custom AWS KMS envelope encryption key with AWS Snowball. If you choose to create your own key, that key must be created in the same region that your job was created with the following exceptions.
US West (N. California) – KMS keys for jobs created in this region must be created in US East (N. Virginia).
US West (Oregon) – KMS keys for jobs created in this region must be created in US East (N. Virginia).
To create your own AWS KMS key for a job
Sign in to the IAM console at https://console.aws.amazon.com/iam/.
From the navigation menu, choose Encryption Keys.
Choose Create Key.
For Alias, type an alias for your key, and for Description, type a description for your key. Then choose Next Step.
Optionally, define any permissions for the IAM users and roles that will use this key when creating jobs for Snowball. For more information, see http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-administrators in the AWS Key Management Service Developer Guide.
Choose Next Step.
Optionally, define any usage permissions for using this key. For more information, see http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users in the AWS Key Management Service Developer Guide.
Choose Next Step.
You'll see a preview of the key policy that will be generated when you finish this wizard. If it meets your needs, choose Finish.
You've now created an AWS KMS key to envelope-encrypt the data to transfer to Snowballs for your jobs. The next time you create a new job, the alias for this AWS KMS key appears in the KMS key box in Step 4: Set security of the job creation wizard in the Snowball Management Console.