Amazon VGT2 Las Vegas


Many organizations utilize AWS Snowball Edge devices for secure data transfer and edge computing solutions. Recently, AWS announced the integration of AWS Identity and Access Management (IAM) with Snowball Edge. Prior to this enhancement, IT administrators had to share a single access key and secret key with all users needing to copy files or run computational workloads. This approach lacked the granularity and flexibility necessary for precise control over individual services. IAM empowers customers to securely manage access to AWS services and resources operating on Snowball Edge devices by regulating which actions users can perform. Furthermore, IAM allows for the management of which AWS resources on the device users can interact with. This blog delves into the IAM features on Snowball Edge and presents some practical examples.

Overview

With Snowball Edge, users can leverage the storage and computing capabilities of the AWS Cloud in a cost-effective manner in locations where internet connectivity is limited. It enables the transfer of hundreds of terabytes or even petabytes of data between on-premises data centers and Amazon Simple Storage Service (Amazon S3). Additionally, Snowball Edge supports specific Amazon EC2 instance types and AWS Lambda functions, allowing applications developed both on-premises and in the cloud to be deployed on the same device. Common applications of Snowball Edge include data migration, data transport, data analytics, image collation, IoT sensor stream capture, and machine learning inferences.

Snowball Edge employs multiple encryption layers to ensure the safety and security of customer data. The device is secured during transport and can be unlocked only by the customer through a unique unlock code and a manifest file. After unlocking, a set of credentials, such as the access key and secret key, can be retrieved from the device. These credentials facilitate access to the services on the device. The addition of IAM on Snowball Edge now allows customers to implement complex workflows that require more refined access controls at the edge.

Getting Started

To begin, users must first unlock the Snowball Edge device and then apply precise access controls using IAM. Through IAM, one can dictate the actions users are allowed to perform and the AWS resources they can access, akin to the management done in the AWS Cloud. Policies can be created and applied to the device using AWS OpsHub, AWS Command Line Interface (AWS CLI), or AWS Software Development Kit (SDK).

With OpsHub — an application available for download and installation on any Windows or Mac workstation — users gain a graphical interface to manage their Snowball devices. With just a few clicks in AWS OpsHub, you can:

  • Unlock and configure Snow Family devices
  • Drag and drop data for migration to Snow devices
  • Launch applications
  • Monitor metrics for Snow Family devices
  • Configure IAM users, roles, and policies

For further details about OpsHub, you can refer to the AWS OpsHub documentation and check out this AWS OpsHub demo video.

The following diagram illustrates the AWS capabilities available on Snowball Edge, along with how IAM users, policies, and roles apply to them. A critical point to note is that IAM users, roles, and policies created on Snowball Edge are local to the device and do not persist in the AWS Cloud. Likewise, users, groups, roles, and policies established in your VPC are not applicable to the Snowball Edge device. To access Snowball Edge with IAM credentials, you will need:

  • An unlocked Snow Family device connected to your local network
  • AWS OpsHub, AWS CLI, or AWS SDK
  • A user’s credentials file provided by your administrator

With IAM on Snowball Edge, you can now:

  • Create and manage AWS users for logging into your Snowball Edge device
  • Utilize permissions to allow or deny user access to AWS resources on your Snowball Edge device
  • Implement detailed policies to regulate access to storage and EC2 resources
  • Define policies to enable or restrict access to your buckets and objects
  • Establish permissions for your EC2 instances
  • Specify a principal, like an EC2 instance, to have access to data
  • Provide temporary security credentials for accessing AWS resources for a limited period

Using IAM Locally on AWS Snowball Edge

Let’s consider a scenario where a Snowball Edge device is employed for collecting, processing, and aggregating data from remote sensor devices. In this case, the sensors would send data into an incoming S3 bucket and/or prefix as S3 objects, which would subsequently be categorized and relocated to another S3 prefix. Users would then have the ability to download those files (S3 objects). In this situation, the organization aims to delineate the various operational functions performed by different roles:

  • Utilize an IAM policy or role to categorize and permit moving S3 objects to another S3 prefix
  • Implement an IAM policy or role on EC2 for processing tasks on the S3 objects
  • Use another IAM role that restricts some users to only reading the categorized S3 objects

Here are some examples of identity-based policies that an IT administrator can attach to IAM identities (users and roles) to grant permissions for operations on Snowball Edge resources locally.

To permit read and write access to a specific bucket, the following IAM policy is required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

To allow only list operations on a specific bucket while explicitly denying every other S3 action, the following policy applies. Because an explicit Deny always overrides an Allow, the Deny statement uses NotAction to carve out s3:ListBucket instead of denying s3:* outright (which would also block the listing it is meant to permit):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllButListBucket",
            "Effect": "Deny",
            "NotAction": "s3:ListBucket",
            "Resource": "*"
        },
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}

If access must be limited to only listing objects, adding objects, or retrieving objects from a specific bucket, the following policy should be used. Note that s3:ListBucket is evaluated against the bucket ARN, not the object ARN, so both the bucket and its objects must appear under Resource:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ]
}
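The three S3 policies above are easy to get subtly wrong: an explicit Deny on s3:* cannot be re-opened by a later Allow, and s3:ListBucket is matched against the bucket ARN rather than the object ARN. The following small evaluator, added here as an illustration and not part of the original post or of any AWS tooling, implements the core IAM decision order (explicit Deny, then Allow, then implicit deny) with Action, NotAction and wildcard matching so these policies can be checked offline before they are applied to a device; conditions and principals are deliberately not modelled.

```python
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list for Action, NotAction and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # Action names match case-insensitively; ARNs are case-sensitive.
    if case_insensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, True)
    else:  # NotAction: the statement covers every action NOT listed
        action_hit = not _matches(_as_list(stmt["NotAction"]), action, True)
    return action_hit and _matches(_as_list(stmt["Resource"]), resource)


def evaluate(policy_json, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, ARN) request.

    Decision order: explicit Deny wins, then any Allow, else implicit deny.
    Conditions and principals are not modelled (simplification).
    """
    decision = "ImplicitDeny"
    for stmt in json.loads(policy_json)["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed list-only variants: a blanket Deny on s3:* cannot be re-opened
# by an Allow, whereas Deny with NotAction leaves ListBucket allowable.
DENY_ALL_THEN_ALLOW_LIST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]})
DENY_ALL_EXCEPT_LIST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": "s3:ListBucket", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]})
```

Running `evaluate(DENY_ALL_THEN_ALLOW_LIST, "s3:ListBucket", "arn:aws:s3:::bucket-name")` returns `Deny`, while the NotAction variant returns `Allow` for the same request and `Deny` for any object operation.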

To allow EC2 to process S3 objects, a policy granting full access to EC2 instances on Snowball Edge must be established:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

If the goal is to have a policy that permits only starting and stopping Amazon EC2 instances, the specified policy would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        }
    ]
}
