Amazon VGT2 Las Vegas: AWS Identity and Access Management on AWS Snowball Edge


Published on 13 MAY 2020

Many organizations leverage AWS Snowball Edge devices for secure data transfer and edge computing solutions. Recently, AWS introduced support for AWS Identity and Access Management (IAM) on Snowball Edge. Previously, IT administrators provided a single access key/secret key combination to all users needing to copy files or execute compute tasks. This approach lacked the detailed control and flexibility necessary for managing individual services. IAM allows customers to securely manage access to AWS services and resources operating on Snowball Edge devices by regulating which actions users can perform. Additionally, IAM enables customers to specify which AWS resources on the device users can access for those actions. In this article, we delve into the IAM functionalities on Snowball Edge and present some practical use cases.

Overview

With Snowball Edge, you can locally tap into the storage and computational capabilities of the AWS Cloud in environments where internet connectivity is limited or non-existent. You have the ability to transfer hundreds of terabytes or even petabytes of data between your local data centers and Amazon Simple Storage Service (S3). Furthermore, Snowball Edge allows for running specific Amazon EC2 instance types and AWS Lambda functions, enabling applications developed either on-premises or in the cloud to be deployed on the same device. Common applications of Snowball Edge include data migration, data transport, data analysis, image aggregation, IoT sensor data capture, and machine learning inferences.

Snowball Edge incorporates multiple encryption layers to ensure the security of customer data. The device remains locked during transport and is only unlocked by the customer using a unique unlock code and a manifest file. Upon unlocking, a set of credentials, such as the access key/secret key, can be retrieved from the device, facilitating access to the services on the device. The introduction of IAM on Snowball Edge now enables customers to implement complex workflows that require more granular access controls at the edge.

Getting Started

To begin, unlock the Snowball Edge device and apply fine-grained access control using IAM. With IAM, you can dictate which actions users can perform and which AWS resources they can access, mirroring the control you have in the AWS Cloud. Policies can be created and applied to the device using AWS OpsHub, AWS Command Line Interface (CLI), or AWS Software Development Kit (SDK).

Using OpsHub—an application available for download on any Windows or Mac workstation—you gain a graphical user interface for managing your Snowball devices. With just a few clicks in AWS OpsHub, you can:

  • Unlock and configure Snow Family devices
  • Effortlessly transfer data to the Snow devices
  • Launch applications
  • Monitor metrics of Snow Family devices
  • Configure IAM users, roles, and policies

For further information about OpsHub, you can check out the AWS OpsHub documentation and view this AWS OpsHub demo video.

The following diagram illustrates the AWS capabilities available on Snowball Edge, detailing how IAM users, policies, and roles apply to them.

It is important to note that IAM users, roles, and/or policies established on Snowball Edge are local to the device and do not persist in the AWS Cloud. Similarly, users, groups, roles, and/or policies created in your AWS account in the cloud cannot be utilized on the Snowball Edge device. To access the Snowball Edge using IAM credentials, you will need:

  • An unlocked Snow Family device connected to your local network
  • AWS OpsHub, AWS CLI, or AWS SDK
  • User credentials file provided by your administrator

With IAM on Snowball Edge, you can now:

  • Create and manage AWS users for logging into your Snowball Edge device
  • Use permissions to allow and deny user access to AWS resources on the Snowball Edge device
  • Implement detailed policies to control access to storage and EC2 resources
  • Set policies to enable or restrict access to your buckets and objects
  • Define permissions for your EC2 instances
  • Specify a principal, such as an EC2 instance, to access data
  • Provide temporary security credentials for accessing AWS resources for a limited time

Using IAM Locally on AWS Snowball Edge

Consider a scenario in which Snowball Edge is used to collect, process, and aggregate data from remote sensors. In this case, the sensors would send data to an incoming S3 bucket and/or prefix as S3 objects, which would later be categorized and transferred to another S3 prefix. Subsequently, end users would be able to download these files (S3 objects). The organization aims to segregate different operational functions among various roles:

  • Use an IAM policy or role to allow and categorize the movement of S3 objects to a different S3 prefix
  • Employ an IAM policy or role on EC2 for processing tasks on the S3 objects
  • Implement another IAM role that restricts some users to only reading the categorized S3 objects

Here are examples of identity-based policies that IT administrators can attach to IAM identities (users and roles) to grant permissions for operations on Snowball Edge resources locally.

To grant read and write access to a specific bucket, the following IAM policy would be required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Here is an example of a policy that permits only list operations on a specific bucket while denying all other actions. Because an explicit Deny always overrides an Allow, the Deny statement must not cover s3:ListBucket itself; here it explicitly denies object-level actions everywhere, and every other action is denied by default:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyObjectActions",
            "Effect": "Deny",
            "Action": "s3:*Object",
            "Resource": "*"
        },
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}

To limit a user to listing objects, adding objects, and retrieving objects in a specific bucket, the following policy can be used. Note that s3:ListBucket is a bucket-level action and is evaluated against the bucket ARN, so the bucket ARN must appear in the Resource list alongside the object ARN pattern:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket",
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ]
}
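The two pitfalls above (an explicit Deny silently overriding the Allow, and a bucket-level action that never matches an object ARN pattern) are easy to check before a policy is pushed to the device. The following is an added illustration, not code from the article or from AWS: a minimal simulator of IAM evaluation order (default deny, explicit Deny wins, `*` wildcards) run over constructed copies of the article's example policies. It omits conditions, NotAction/NotResource and principals.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value, fold_case):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    for pat in _as_list(patterns):
        p, v = (pat.lower(), value.lower()) if fold_case else (pat, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False

def is_allowed(policies, action, resource):
    """Default deny; an explicit Deny overrides any Allow (simplified IAM logic)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _match(stmt["Action"], action, True):
                continue
            if not _match(stmt["Resource"], resource, False):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed policy documents mirroring the article's examples.
READ_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"},
    {"Effect": "Allow", "Action": "s3:*Object", "Resource": "arn:aws:s3:::bucket-name/*"}]}
# A Deny on s3:* also covers ListBucket, so this variant denies everything.
LIST_ONLY_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]}
# Denying only object actions leaves the ListBucket allow effective.
LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*Object", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]}

def check_examples():
    """Decisions worth verifying before deploying the policies to the device."""
    b, obj = "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/report.csv"
    return {
        "rw_get": is_allowed([READ_WRITE], "s3:GetObject", obj),
        "rw_other_bucket": is_allowed([READ_WRITE], "s3:GetObject", "arn:aws:s3:::other/x"),
        "broken_list": is_allowed([LIST_ONLY_BROKEN], "s3:ListBucket", b),
        "fixed_list": is_allowed([LIST_ONLY], "s3:ListBucket", b),
        "fixed_get": is_allowed([LIST_ONLY], "s3:GetObject", obj),
        "list_on_object_arn_only": is_allowed(
            [{"Statement": [{"Effect": "Allow", "Action": "s3:List*",
                             "Resource": "arn:aws:s3:::examplebucket/*"}]}],
            "s3:ListBucket", "arn:aws:s3:::examplebucket"),
    }
```

`check_examples()` returns False for `broken_list` and `list_on_object_arn_only`, which is exactly the behaviour the two corrected policies avoid.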

If it is necessary to allow EC2 to process the S3 objects, a policy granting full access to EC2 instances running on Snowball Edge must be established:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

For a policy that restricts actions to only starting and stopping Amazon EC2 instances, you would define the following policy.

