Restricting access to the Snow role policy
You can restrict access to the selected role based on the customer account number and source ARN.
- In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account.
- Choose the name of the role that you want to modify, and select the Trust relationships tab on the details page.
- Choose Edit trust relationships. Update the trust policy to one of the following:
To restrict access by customer account number:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```
To restrict access by source ARN:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:snowball:REGION:555555555555:RESOURCE_ID"
        }
      }
    }
  ]
}
```
To restrict access by both customer account number and source ARN:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:snowball:REGION:111122223333:RESOURCE_ID"
        }
      }
    }
  ]
}
```
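To check whether a role's trust policy already carries one of these restrictions, the following added example (not AWS code) inspects a trust policy document offline and reports, for each statement that lets `importexport.amazonaws.com` assume the role, which `aws:SourceAccount` and `aws:SourceArn` conditions are present. The function names and sample documents are constructed for illustration, and accepting `ArnEquals` alongside `ArnLike` is an assumption beyond the policies shown above.

```python
SERVICE = "importexport.amazonaws.com"  # service principal used in the policies above

def _as_list(value):
    """IAM policy fields accept either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _condition_values(condition, operators, key):
    """Collect values of `key` under the given operators (key names are case-insensitive)."""
    found = []
    for op, block in condition.items():
        if op in operators:
            for name, value in block.items():
                if name.lower() == key.lower():
                    found.extend(_as_list(value))
    return found

def audit_trust_policy(policy):
    """Return one finding per Allow statement that lets SERVICE call sts:AssumeRole."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        if "sts:assumerole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        accounts = _condition_values(cond, {"StringEquals"}, "aws:SourceAccount")
        arns = _condition_values(cond, {"ArnLike", "ArnEquals"}, "aws:SourceArn")
        findings.append({"source_accounts": accounts, "source_arns": arns,
                         "restricted": bool(accounts or arns)})
    return findings

# Constructed samples: a trust policy with no condition, and the combined form from this page.
UNRESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}]}
RESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:snowball:REGION:111122223333:RESOURCE_ID"}}}]}

if __name__ == "__main__":
    for name, doc in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, audit_trust_policy(doc))
```

A statement reported with `restricted` set to `False` is one where the service principal can assume the role without either condition from this page applied.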