Restricting access to the Snow role policy - AWS Snowball Edge Developer Guide

Restricting access to the Snow role policy

You can restrict access to the selected role based on the customer account number and source ARN.

  1. In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account.

  2. Choose the name of the role that you want to modify, and select the Trust relationships tab on the details page.

  3. Choose Edit trust relationships. Update the trust policy to one of the following:

    To restrict access by customer account number:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition":{ "StringEquals":{ "aws:SourceAccount":"111122223333" } } } ] }

    To restrict access by source ARN:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:snowball:REGION:555555555555:RESOURCE_ID" } } }] }

    To restrict access by both customer account number and source ARN:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:snowball:REGION:111122223333:RESOURCE_ID" } } }] }