AWS Key Management Service in AWS Snowball Edge - AWS Snowball Edge Developer Guide

AWS Key Management Service in AWS Snowball Edge

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS uses hardware security modules (HSMs) to protect the security of your keys. Specifically, the Amazon Resource Name (ARN) for the AWS KMS key that you choose for a job in AWS Snowball Edge is associated with a KMS key. That KMS key is used to encrypt the unlock code for your job. The unlock code is used to decrypt the top layer of encryption on your manifest file. The encryption keys stored within the manifest file are used to encrypt and de-encrypt the data on the device.

In AWS Snowball Edge, AWS KMS protects the encryption keys used to protect data on each AWS Snowball Edge device. When you create your job, you also choose an existing KMS key. Specifying the ARN for an AWS KMS key tells AWS Snowball which AWS KMS master key to use to encrypt the unique keys on the AWS Snowball Edge device. For more information on AWS Snowball Edge supported Amazon S3 server-side-encryption options , see Server-Side Encryption in AWS Snowball Edge.

Using the AWS-Managed Customer Master Key for Snowball Edge

If you'd like to use the AWS-managed customer master key (CMK) for Snowball Edge created for your account, follow these steps.

To select the AWS KMS CMK for your job

  1. On the AWS Snow Family Management Console, choose Create job.

  2. Choose your job type, and then choose Next.

  3. Provide your shipping details, and then choose Next.

  4. Fill in your job's details, and then choose Next.

  5. Set your security options. Under Encryption, for KMS key either choose the AWS-managed CMK or a custom CMK that was previously created in AWS KMS, or choose Enter a key ARN if you need to enter a key that is owned by a separate account.


    The AWS KMS key ARN is a globally unique identifier for AWS KMS CMKs.

  6. Choose Next to finish selecting your AWS KMS CMK.

Creating a Custom KMS Envelope Encryption Key

You have the option of using your own custom AWS KMS envelope encryption key with AWS Snowball Edge. If you choose to create your own key, that key must be created in the same region that your job was created in.

To create your own AWS KMS key for a job, see Creating Keys in the AWS Key Management Service Developer Guide.