Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Using Identity-Based Policies (IAM Policies) for AWS Snowball Edge

PDF
RSS
Focus mode
Using Identity-Based Policies (IAM Policies) for AWS Snowball Edge - AWS Snowball Edge Developer Guide
Permissions Required to Use the AWS Snowball Edge Console

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). These policies thereby grant permissions to perform operations on AWS Snowball Edge resources in the AWS Cloud.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Snowball Edge resources. For more information, see Overview of Managing Access Permissions to Your Resources in the AWS Cloud.

The sections in this topic cover the following:

The following shows an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
       "Effect": "Allow",
       "Action": [
          "snowball:*",
          "importexport:*"
       ],
       "Resource": "*"
    }
  ]
}

The policy has two statements:

  • The first statement grants permissions for three Amazon S3 actions (s3:GetBucketLocation, s3:GetObject, and s3:ListBucket) on all Amazon S3 buckets using the Amazon Resource Name (ARN) of arn:aws:s3:::*. The ARN specifies a wildcard character (*) so the user can choose any or all Amazon S3 buckets to export data from.

  • The second statement grants permissions for all AWS Snowball Edge actions. Because these actions don't support resource-level permissions, the policy specifies the wildcard character (*) and the Resource value also specifies a wild card character.

The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the AWS Snowball Edge job management API actions and the resources that they apply to, see AWS Snowball Edge API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the AWS Snowball Edge Console

The permissions reference table lists the AWS Snowball Edge job management API operations and shows the required permissions for each operation. For more information about job management API operations, see AWS Snowball Edge API Permissions: Actions, Resources, and Conditions Reference.

To use the AWS Snow Family Management Console, you need to grant permissions for additional actions as shown in the following permissions policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:*::function:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:RetireGrant",
                "kms:ListKeys",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "importexport.amazonaws.com"
                }
            }
        },
        {
           "Effect": "Allow",
           "Action": [
                "ec2:DescribeImages",
                "ec2:ModifyImageAttribute"
           ],
           "Resource": [
                "*"
           ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Subscribe"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:getServiceRoleForAccount"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The AWS Snowball Edge console needs these additional permissions for the following reasons:

  • ec2: – These allow the user to describe Amazon EC2-compatible instances and modify their attributes for local compute purposes. For more information, see Using Amazon EC2-compatible compute instances on Snowball Edge.

  • kms: – These allow the user to create or choose the KMS key that will encrypt your data. For more information, see AWS Key Management Service in AWS Snowball Edge Edge.

  • iam: – These allow the user to create or choose an IAM role ARN that AWS Snowball Edge will assume to access the AWS resources associated with job creation and processing.

  • sns: – These allow the user to create or choose the Amazon SNS notifications for the jobs they create. For more information, see Notifications for Snowball Edge.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.