Step 4: Choose Your Security Preferences - AWS Snowball

This guide is in the process of being deprecated and will no longer be updated.


The first-generation 80 TB Snowball device is no longer available. Use the Snowball Edge storage optimized devices for all data transfer jobs. For Snowball Edge documentation, see the AWS Snowball Edge Developer Guide.

Step 4: Choose Your Security Preferences

Setting security adds the permissions and encryption settings for your AWS Snowball job to help protect your data while in transit.

To set security for your job

  1. In the Encryption section, choose the KMS key you want to use.

    • If you want to use the default AWS Key Management Service (AWS KMS) key, choose aws/importexport (default). This is the default master key that protects your import and export jobs when no other key is defined.

    • If you want to provide your own AWS KMS key, choose Enter key ARN, provide the Amazon Resource Name (ARN) in the key ARN box, and choose Use this KMS key. The key ARN will be added to the list.

  2. In the Service access section, choose Create service role to grant Snow Family permissions to use Amazon S3 and Amazon SNS on your behalf.

  3. Choose View details to choose the IAM role that you want, or you can use the default role.

  4. For Policy name, choose the import policy that you want to use.

    Example policies for Snowball

    The following is an example of an Amazon S3 import-only role policy.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*" } ] }

    The following is an example of an Amazon S3 export role policy.

    "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" } ] }
  5. Choose Allow.

  6. Choose Next.