

AWS Snowball Edge is no longer available to new customers. New customers should explore [AWS DataSync](https://aws.amazon.com/datasync/) for online transfers, [AWS Data Transfer Terminal](https://aws.amazon.com/data-transfer-terminal/) for secure physical transfers, or AWS Partner solutions. For edge computing, explore [AWS Outposts](https://aws.amazon.com/outposts/). 

# What is Snowball Edge?

Snowball Edge is a device with on-board storage and compute power for select AWS capabilities. Snowball Edge can process data locally, run edge-computing workloads, and transfer data to or from the AWS Cloud.

Each Snowball Edge device can transport data at speeds faster than the internet. This transport is done by shipping the data in the devices through a regional carrier. The appliances are rugged, complete with E Ink shipping labels. 

Snowball Edge devices have two options for device configurations—*Storage Optimized 210 TB* and *Compute Optimized*. When this guide refers to Snowball Edge devices, it's referring to all options of the device. When specific information applies only to one or more optional configurations of devices, it is called out specifically. For more information, see [Snowball Edge device configurations](device-differences.md#device-options).

**Topics**
+ [Snowball Edge features](#edge-feature-overview)
+ [Services related to Snowball Edge](#edge-related)
+ [Accessing the Snowball Edge service](#accessing-service)
+ [Pricing for the Snowball Edge](#pricing-for-edge)
+ [AWS monitoring of Snowball Edge](#device-monitoring)
+ [Resources for first-time AWS Snowball Edge users](#first-time-user)
+ [AWS Snowball Edge device hardware information](device-differences.md)
+ [Prerequisites for using Snowball Edge](snowball-prereqs.md)

## Snowball Edge features


Snowball Edge devices have the following features:
+ Large amounts of storage capacity or compute functionality for devices. This depends on the options you choose when you create your job.
+ Network adapters with transfer speeds of up to 100 Gbit/second.
+ Encryption is enforced, protecting your data at rest and in physical transit.
+ You can import or export data between your local environments and Amazon S3, and physically transport the data with one or more devices without using the internet.
+ Snowball Edge devices are their own rugged box. The built-in E Ink display changes to show your shipping label when the device is ready to ship.
+ Snowball Edge devices come with an on-board LCD display that can be used to manage network connections and get service status information.
+ You can cluster Snowball Edge devices for local storage and compute jobs to achieve data durability across 3 to 16 devices and locally grow or shrink storage on demand.
+ You can use Amazon EKS Anywhere on Snowball Edge devices for Kubernetes workloads.
+ Snowball Edge devices have Amazon S3 and Amazon EC2 compatible endpoints available, enabling programmatic use cases.
+ Snowball Edge devices support the new `sbe1`, `sbe-c`, and `sbe-g` instance types, which you can use to run compute instances on the device using Amazon Machine Images (AMIs).
+ Snowball Edge supports these data transfer protocols for data migration:
  + NFSv3
  + NFSv4
  + NFSv4.1
  + Amazon S3 over HTTP or HTTPS (via API compatible with AWS CLI version 1.16.14 and earlier)

## Services related to Snowball Edge

You can use an AWS Snowball Edge device with the following related AWS services:
+ **Amazon S3 adapter** — Use for programmatic data transfer into and out of AWS using the Amazon S3 API for Snowball Edge, which supports a subset of Amazon S3 API operations. In this role, data is transferred to the Snow device by AWS on your behalf and the device is shipped to you (for an export job), or AWS ships an empty Snow device to you and you transfer data from your on-premises sources to the device and ship it back to AWS (for an import job).
+ **Amazon S3 compatible storage on Snowball Edge** — Use to support the data needs of compute services such as Amazon EC2, Amazon EKS Anywhere on Snow, and others. This feature is available on Snowball Edge devices and provides an expanded Amazon S3 API set and features such as increased resiliency with flexible cluster setup for 3 to 16 nodes, local bucket management, and local notifications.
+ **Amazon EC2** – Run compute instances on a Snowball Edge device using the Amazon EC2 compatible endpoint, which supports a subset of the Amazon EC2 API operations. For more information about using Amazon EC2 in AWS, see [Getting started with Amazon EC2 Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/GettingStartedGuide/).
+ **Amazon EKS Anywhere on Snow** – Create and operate Kubernetes clusters on Snowball Edge devices. See [Using Amazon EKS Anywhere on AWS Snow](using-eksa.md).
+ **AWS Lambda powered by AWS IoT Greengrass** – Invoke Lambda functions based on Amazon S3 compatible storage on Snowball Edge storage actions made on an AWS Snowball Edge device. For more information about using Lambda, see [Using AWS Lambda with an AWS Snowball Edge](using-lambda.md) and the [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/).
+ **Amazon Elastic Block Store (Amazon EBS)** – Provide block-level storage volumes for use with EC2-compatible instances. For more information, see [Amazon Elastic Block Store (Amazon EBS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
+ **AWS Identity and Access Management (IAM)** – Use this service to securely control access to AWS resources. For more information, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
+ **AWS Security Token Service (AWS STS)** – Request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
+ **Amazon EC2 Systems Manager** – Use this service to view and control your infrastructure on AWS. For more information, see [What is AWS Systems Manager?](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html)

## Accessing the Snowball Edge service


You can use the [AWS Snow Family Management Console](https://console.aws.amazon.com/snowfamily/home) or the job management API to create and manage jobs. For more information about using the [AWS Snow Family Management Console](https://console.aws.amazon.com/snowfamily/home), see [Getting started with Snowball Edge](getting-started.md). For information about the job management API, see [Job Management API Reference for Snowball Edge](https://docs.aws.amazon.com/snowball/latest/api-reference/api-reference.html).

### Accessing an AWS Snowball Edge device


After your Snowball Edge device is onsite, you can configure it with an IP address using the LCD screen, and then unlock the device using the Snowball Edge client or AWS OpsHub. Then, you can perform data transfer or edge compute tasks. For more information, see [Receiving the Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/receive-device.html).

## Pricing for the Snowball Edge


For information about the pricing and fees associated with the service and its devices, see [AWS Snowball Edge Pricing](https://aws.amazon.com/snowball/pricing/).

## AWS monitoring of Snowball Edge


AWS will monitor the Snow device and may collect metrics and usage information when the Snow device is connected to an AWS Region. If the Snow device is not connected to the AWS Region, then AWS will not monitor the Snow device.

If AWS detects an irreparable issue, and there is a need to replace physical equipment, AWS will notify you. You can then place a replacement job that we will ship to your site. There is no additional charge for this, as Snow device monitoring is included as part of the Snow device service fee.

## Resources for first-time AWS Snowball Edge users


If you are a first-time user of the AWS Snowball Edge service, we recommend that you read the following sections in order:

1. For information about device types and options, see [AWS Snowball Edge device hardware information](device-differences.md).

1. To learn more about the types of jobs, see [Understanding Snowball Edge jobs](jobs.md).

1. For an end-to-end overview of how to use an AWS Snowball Edge device, see [How AWS Snowball Edge works](how-it-works.md).

1. When you're ready to get started, see [Getting started with Snowball Edge](getting-started.md).

1. For information about using compute instances on a device, see [Using Amazon EC2-compatible compute instances on Snowball Edge](using-ec2.md).

# AWS Snowball Edge device hardware information

All Snowball Edge devices share physical characteristics, like size and weight, but contain different types of hardware to suit their intended use. Devices designed for data transfer are configured with more storage and devices designed for compute are configured with more virtual CPUs and memory. This section provides information about the physical characteristics of Snowball Edge devices, and their compute and storage specifications.

**Topics**
+ [Snowball Edge device configurations](#device-options)
+ [AWS Snowball Edge device specifications](#sbe-specifications)
+ [Network hardware supported by Snowball Edge](#sbe-network-hardware)

## Snowball Edge device configurations

Snowball Edge devices have the following options for device configurations:
+ **Snowball Edge storage-optimized 210 TB** – This Snowball Edge device option has 210 TB of usable storage capacity.
+ **Snowball Edge compute-optimized** – This Snowball Edge device (with AMD EPYC Gen2) has the most compute functionality, with up to 104 vCPUs, 416 GB of memory, and 28 TB of dedicated NVMe SSD for compute instances.

**Note**  
When using Amazon S3 compatible storage on Snowball Edge on these devices, usable storage will vary. See [Using Amazon S3 compatible storage on Snowball Edge on Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/s3compatible-on-snow.html) for storage capacity with Amazon S3 compatible storage on Snowball Edge.

For more information about the compute functionality of these three options, see [Using Amazon EC2-compatible compute instances on Snowball Edge](using-ec2.md). Job creation and disk capacity differences in terabytes are described [here](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateJob.html). 

**Note**  
When we refer to *Snowball Edge devices*, this includes all optional variants of the device. When information applies to one or more specific optional configurations, we mention this explicitly.

The following table summarizes the differences between the various device options. For hardware specification information, see [AWS Snowball Edge device specifications](#sbe-specifications).


|  | Snowball Edge storage-optimized 210 TB | Snowball Edge compute-optimized with AMD EPYC Gen2 and NVME | 
| --- | --- | --- | 
| CPU | AMD Rome, 64 cores, 2 GHz | AMD Rome, 64 cores, 2 GHz | 
| vCPUs | 104 | 104 | 
| Usable memory | 416 GB | 416 GB | 
| Security card | Yes | Yes | 
| SSD | 210 TB NVMe | 28 TB NVMe | 
| Usable HDD | Not applicable | Not applicable | 
| Network interfaces |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/device-differences.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/device-differences.html)  | 
| Physical security features |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/device-differences.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/device-differences.html)  | 

## AWS Snowball Edge device specifications

In this section, you can find specifications for AWS Snowball Edge device types and the hardware.

**Topics**
+ [Snowball Edge Storage Optimized 210 TB specifications](#specs-storage-optimized-v35s)
+ [Snowball Edge Compute Optimized device specifications](#sbe-compute-specifications)

### Snowball Edge Storage Optimized 210 TB specifications


The following table contains hardware specifications for Snowball Edge Storage Optimized 210 TB devices. 


| Item | Snowball Edge Storage Optimized 210 TB specifications | 
| --- | --- | 
| Compute and memory specifications |  | 
| CPU | 104 vCPUs | 
| RAM | 416 GB | 
| Storage specifications |  | 
| NVME storage capacity | 210 TB usable (for object and NFS data transfer) | 
| SSD storage capacity | None | 
| Power supply specifications |  | 
| Power | In AWS Regions in the US: NEMA 5–15p 100–220 volts. In all AWS Regions, a power cable is included | 
| Power consumption | 304 watts for an average use case, though the power supply is rated for 1200 watts | 
| Voltage | 100 – 240V AC | 
| Frequency | 47/63 Hz | 
| Data and network connections | 2x 10 Gbit – RJ45 (one usable); 1x 25 Gbit – SFP28; 1x 100 Gbit – QSFP28 | 
| Cables | Each AWS Snowball Edge device ships country-specific power cables. No other cables or optics are provided. For more information, see [Network hardware supported by Snowball Edge](#sbe-network-hardware). | 
| Thermal requirements | AWS Snowball Edge devices are designed for office operations, and are ideal for data center operations. | 
| Decibel output | On average, an AWS Snowball Edge device produces 68 decibels of sound, typically quieter than a vacuum cleaner or living-room music. | 
| Dimensions and weight specifications |  | 
| Weight | 49.7 pounds (22.54 Kg) | 
| Height | 15.5 inches (394 mm) | 
| Width | 10.6 inches (265 mm) | 
| Length | 28.3 inches (718 mm) | 
| Environment specifications |  | 
| Vibration | Non-operational use equivalent to ASTM D4169 Truck level I 0.73 GRMS | 
| Shock | Operational use equivalent to 70G (MIL-S-901); non-operational use equivalent to 50G (ISTA-3A) | 
| Altitude | Operational use equivalent to 0–3,000 meters (0–10,000 feet); non-operational use equivalent to 0–12,000 meters | 
| Temperature range | 0–30°C (operational) | 

### Snowball Edge Compute Optimized device specifications



| Item | Snowball Edge Compute Optimized specifications | 
| --- | --- | 
| Compute and memory specifications |  | 
| CPU | 104 vCPUs | 
| RAM | 512 GB RAM (Up to 416 GB RAM - Customer usable) | 
| Storage specifications |  | 
| SSD storage capacity | 28 TB NVMe SSD | 
| Power supply specifications |  | 
| Power | In AWS Regions in the US: NEMA 5–15p 100–220 volts. In all AWS Regions, a power cable is included | 
| Power consumption | 304 watts for an average use case, though the power supply is rated for 1200 watts | 
| Voltage | 100 – 240V AC | 
| Frequency | 47/63 Hz | 
| Data and network connections | 2x 10 Gbit – RJ45 (one usable); 1x 25 Gbit – SFP28; 1x 100 Gbit – QSFP28 | 
| Cables | Each AWS Snowball Edge device ships country-specific power cables. No other cables or optics are provided. For more information, see [Network hardware supported by Snowball Edge](#sbe-network-hardware). | 
| Thermal requirements | AWS Snowball Edge devices are designed for office operations, and are ideal for data center operations. | 
| Decibel output | On average, an AWS Snowball Edge device produces 68 decibels of sound, typically quieter than a vacuum cleaner or living-room music. | 
| Dimensions and weight specifications |  | 
| Weight | 49.7 pounds (22.54 Kg) | 
| Height | 15.5 inches (394 mm) | 
| Width | 10.6 inches (265 mm) | 
| Length | 28.3 inches (718 mm) | 
| Environment specifications |  | 
| Vibration | Non-operational use equivalent to ASTM D4169 Truck level I 0.73 GRMS | 
| Shock | Operational use equivalent to 70G (MIL-S-901); non-operational use equivalent to 50G (ISTA-3A) | 
| Altitude | Operational use equivalent to 0–3,000 meters (0–10,000 feet); non-operational use equivalent to 0–12,000 meters | 
| Temperature range | 0–45°C (operational) | 

## Network hardware supported by Snowball Edge

To use the AWS Snowball Edge device, you need your own network cables. For RJ45 cables, there are no specific recommendations. SFP+ and QSFP+ cables and modules from Mellanox and Finisar have been verified to be compatible with the device.

After you open the back panel of the AWS Snowball Edge device, you see the network ports similar to the ports shown in the following screenshot.

![\[The available network ports\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/images/snowball-edge-back-connectors.png)


Only one network interface on the AWS Snowball Edge device can be used at a time, so choose one of the ports to connect to the following network hardware.

**SFP**  
This port provides a 10G/25G SFP28 interface compatible with SFP28 and SFP+ transceiver modules and direct-attach copper (DAC) cables. You need to provide your own transceivers or DAC cables.
+ For 10G operation, you can use any SFP+ option. Examples include:
  + 10Gbase-LR (single mode fiber) transceiver
  + 10Gbase-SR (multi-mode fiber) transceiver
  + SFP+ DAC cable
+ For 25G operation, you can use any SFP28 option. Examples include:
  + 25Gbase-LR (single mode fiber) transceiver
  + 25Gbase-SR (multi-mode fiber) transceiver
  + SFP28 DAC cable

![\[SFP+ Copper\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/images/sfp.png)


**QSFP**  
This port provides a 40G QSFP+ interface on storage optimized devices and a 40/50/100G QSFP+ interface on compute optimized devices. Both are compatible with QSFP+ transceiver modules and DAC cables. You need to provide your own transceivers or DAC cables. Examples include the following:
+ 40Gbase-LR4 (single mode fiber) transceiver
+ 40Gbase-SR4 (multi-mode fiber) transceiver
+ QSFP+ DAC

![\[QSFP+\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/images/qsfp.png)


**RJ45**  
This port provides 1Gbase-TX/10Gbase-TX operation. It is connected via UTP cable terminated with a RJ45 connector. Snowball Edge devices have two RJ45 ports. Choose one port to use.

1G operation is indicated by a blinking amber light. 1G operation is not recommended for large-scale data transfers to the Snowball Edge device, as it dramatically increases the time it takes to transfer data.

10G operation is indicated by a blinking green light. It requires a Cat6A UTP cable with a maximum operating distance of 180 feet (55 meters).

![\[RJ45\]](http://docs.aws.amazon.com/snowball/latest/developer-guide/images/rj45.png)


# Prerequisites for using Snowball Edge


Before you get started with a Snowball Edge, you need to sign up for an AWS account if you don't have one. We also recommend learning how to configure your data and compute instances for use with Snowball Edge.

AWS Snowball Edge is a region-specific service. So before you plan your job, be sure that the service is available in your AWS Region. Ensure that your location and Amazon S3 bucket are within the same AWS Region or the same country because it will impact your ability to order the device. 

To use Amazon S3 compatible storage on Snowball Edge with compute optimized devices for local edge compute and storage jobs, you need to provision S3 capacity on the device or devices when you order. Amazon S3 compatible storage on Snowball Edge supports local bucket management, so you can create S3 buckets on the device or cluster after you receive the device or devices.

As part of the order process, you create an AWS Identity and Access Management (IAM) role and an AWS Key Management Service (AWS KMS) key. The KMS key is used to encrypt the unlock code for your job. For more information about creating IAM roles and KMS keys, see [Creating a job to order a Snowball Edge device](https://docs.aws.amazon.com/snowball/latest/developer-guide/create-job-common.html).

**Note**  
In the Asia Pacific (Mumbai) AWS Region, service is provided by Amazon Internet Services Private Limited (AISPL). For information on signing up for Amazon Web Services in the Asia Pacific (Mumbai) AWS Region, see [Signing Up for AISPL](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment-aispl.html#aisplsignup).

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [About your environment](#sbe-before-questions)
+ [Working with filenames that contain special characters](#sbe-before-data-format)
+ [Amazon S3 encryption with AWS KMS](#s3-kms-encryption)
+ [Amazon S3 encryption with server-side encryption](#s3-sse-encryption)
+ [Prerequisites for using Amazon S3 adapter on Snowball Edge for import and export jobs](#s3-prereqs)
+ [Prerequisites for using Amazon S3 compatible storage on Snowball Edge](#s3-on-snowprereqs)
+ [Prerequisites for using compute instances on Snowball Edge](#compute-prereqes)

## Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## About your environment

Understanding your dataset and how the local environment is set up will help you complete your data transfer. Consider the following before placing your order.

**What data are you transferring?**  
Transferring a large number of small files does not work well with AWS Snowball Edge. This is because Snowball Edge encrypts each individual object. Small files include files under 1 MB in size. We recommend that you zip them up before transferring them onto the AWS Snowball Edge device. We also recommend that you have no more than 500,000 files or directories within each directory.

**Will the data be accessed during the transfer?**  
It is important to have a static dataset (that is, no users or systems are accessing the data during transfer). If not, the file transfer can fail due to a checksum mismatch. The files won't be transferred and the files will be marked as `Failed`.   
To prevent corrupting your data, don't disconnect an AWS Snowball Edge device or change its network settings while transferring data. Files should be in a static state while being written to the device. Files that are modified while they are being written to the device can result in read/write conflicts.

**Will the network support AWS Snowball Edge data transfer?**  
Snowball Edge supports the *RJ45*, *SFP+*, or *QSFP+* networking adapters. Verify that your switch is a gigabit switch. Depending on the brand of switch, it might say **gigabit** or **10/100/1000**. Snowball Edge devices do not support a megabit switch, or 10/100 switch.

## Working with filenames that contain special characters

It's important to note that if the names of your objects contain special characters, you might encounter errors. Although Amazon S3 allows special characters, we highly recommend that you avoid the following characters:
+ Backslash ("\\")
+ Left curly brace ("{")
+ Right curly brace ("}")
+ Left square bracket ("[")
+ Right square bracket ("]")
+ 'Less Than' symbol ("<")
+ 'Greater Than' symbol (">")
+ Non-printable ASCII characters (128–255 decimal characters)
+ Caret ("^")
+ Percent character ("%")
+ Grave accent / back tick ("`")
+ Quotation marks
+ Tilde ("~")
+ 'Pound' character ("#")
+ Vertical bar / pipe ("|")

If your files have one or more of these characters in object names, rename the objects before you copy them to the AWS Snowball Edge device. Windows users who have spaces in their file names should be careful when copying individual objects or running a recursive command. In commands, surround the names of objects that include spaces in the names with quotation marks. The following are examples of such files. 


| Operating system | File name: test file.txt | 
| --- | --- | 
|  Windows  |  `"C:\Users\<username>\desktop\test file.txt"`  | 
|  iOS  |  `/Users/<username>/test\ file.txt`  | 
|  Linux  |  `/home/<username>/test\ file.txt`  | 

**Note**  
The only object metadata that is transferred is the object name and size.
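
The checks from this section and from "About your environment" can be run over a source directory before any data is copied. The following is an added example, not AWS code: `audit_tree`, `bad_chars`, and `build_sample_tree` are hypothetical names, the sample files are constructed, and reading "1 MB" as 1 MiB and "quotation marks" as the double quote only are assumptions.

```python
import os
import tempfile

# Characters this page recommends avoiding in object names. Treating
# "quotation marks" as the double quote only is an assumption.
DISCOURAGED = set('\\{}[]<>^%`"~#|')
SMALL_FILE_BYTES = 1024 * 1024   # "under 1 MB", read here as 1 MiB (assumption)
MAX_ENTRIES_PER_DIR = 500_000    # per-directory limit recommended on this page


def bad_chars(name):
    """Return the discouraged characters present in one file or directory name."""
    hits = sorted({c for c in name if c in DISCOURAGED})
    # The 128-255 range is checked on the encoded bytes of the name.
    if any(b >= 128 for b in name.encode("utf-8", "surrogateescape")):
        hits.append("byte 128-255")
    return hits


def audit_tree(root, max_entries=MAX_ENTRIES_PER_DIR):
    """Walk root and report names to rename, small files, and crowded directories."""
    report = {"bad_names": [], "small_files": 0, "crowded_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if len(dirnames) + len(filenames) > max_entries:
            report["crowded_dirs"].append(dirpath)
        for name in dirnames + filenames:
            hits = bad_chars(name)
            if hits:
                report["bad_names"].append((os.path.join(dirpath, name), hits))
        for name in filenames:
            # lstat so that a dangling symlink does not abort the scan
            if os.lstat(os.path.join(dirpath, name)).st_size < SMALL_FILE_BYTES:
                report["small_files"] += 1
    return report


def build_sample_tree(root):
    """Create a small constructed data set for the demonstration."""
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "ok.bin"), "wb") as f:
        f.truncate(SMALL_FILE_BYTES)          # exactly 1 MiB, so not "small"
    for rel in ("report#1.txt", os.path.join("logs", "a{b}.log"),
                os.path.join("logs", "c.log")):
        with open(os.path.join(root, rel), "w") as f:
            f.write("demo")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        # A threshold of 2 is used only so the tiny sample trips the check.
        result = audit_tree(sample, max_entries=2)
        for path, hits in result["bad_names"]:
            print("rename:", path, hits)
        print("small files (consider archiving):", result["small_files"])
        print("crowded directories:", result["crowded_dirs"])
```

Names with spaces are not reported, because the page only asks that they be quoted in commands.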

## Amazon S3 encryption with AWS KMS

You can use the default AWS managed or customer managed encryption keys to protect your data when importing or exporting data.

### Using Amazon S3 default bucket encryption with AWS KMS managed keys


**To enable AWS managed encryption with AWS KMS**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose the Amazon S3 bucket that you want to encrypt.

1. In the wizard that appears on the right side, choose **Properties**.

1. In the **Default encryption** box, choose **Disabled** (this option is grayed out) to enable default encryption.

1. Choose **AWS-KMS** as the encryption method, and then choose the KMS key that you want to use. This key is used to encrypt objects that are PUT into the bucket.

1. Choose **Save**.

After the Snowball Edge job is created, and before the data is imported, add a statement to the existing IAM role policy. This is the role you created during the ordering process. Depending on the job type, the default role name looks similar to `Snowball-import-s3-only-role` or `Snowball-export-s3-only-role`.

The following are examples of such a statement.

**For importing data**

If you use server-side encryption with AWS KMS managed keys (SSE-KMS) to encrypt the Amazon S3 buckets associated with your import job, you also need to add the following statement to your IAM role.

**Example Snowball import IAM role**  

```
{
    "Effect": "Allow",
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource":"arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111"
}
```

**For exporting data**

If you use server-side encryption with AWS KMS managed keys to encrypt the Amazon S3 buckets associated with your export job, you also must add the following statement to your IAM role.

**Example Snowball export IAM role**  

```
{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource":"arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111"
}
```
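
Before data is imported or exported, the statements attached to the job's IAM role can be checked offline against the KMS actions this section requires. The following is an added example, not AWS code: `check_role_kms_statements` and its finding strings are hypothetical, the key ARN is the placeholder used on this page, and the input statements are constructed.

```python
import fnmatch
import re

# KMS actions the job role needs, as stated in this section.
REQUIRED = {
    "import": {"kms:GenerateDataKey", "kms:Decrypt"},
    "export": {"kms:Decrypt"},
}

# "service:Action" with optional wildcards, or a bare "*". Anything else
# (for example an action with a space after the colon) is reported.
ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9-]+:[A-Za-z0-9*?]+)$")

# Placeholder key ARN taken from the examples on this page.
KEY_ARN = ("arn:aws:kms:us-west-2:123456789012:"
           "key/abc123a1-abcd-1234-efgh-111111111111")


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_role_kms_statements(statements, job_type, key_arn=KEY_ARN):
    """Return a list of findings; an empty list means the role covers the key.

    Only Allow statements are considered. Explicit Deny statements and
    Condition blocks are not evaluated by this check.
    """
    findings = []
    granted = set()
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        covers_key = any(fnmatch.fnmatchcase(key_arn, r) for r in resources)
        for action in _as_list(stmt.get("Action")):
            if not ACTION_RE.match(action):
                findings.append(f"statement {idx}: malformed action {action!r}")
                continue
            if not covers_key:
                continue
            # Action names are matched case-insensitively, wildcards allowed.
            for needed in REQUIRED[job_type]:
                if fnmatch.fnmatchcase(needed.lower(), action.lower()):
                    granted.add(needed)
    for missing in sorted(REQUIRED[job_type] - granted):
        findings.append(f"missing {missing} on {key_arn}")
    return findings


if __name__ == "__main__":
    # Constructed input: a stray space after "kms:" in each action name.
    spaced = [{"Effect": "Allow",
               "Action": ["kms: GenerateDataKey", "kms: Decrypt"],
               "Resource": KEY_ARN}]
    for finding in check_role_kms_statements(spaced, "import"):
        print(finding)
```

A statement whose action names contain whitespace does not name any KMS action, so the check reports both the malformed names and the permissions that are still missing.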

### Using S3 default bucket encryption with AWS KMS customer keys


You can use the default Amazon S3 bucket encryption with your own KMS keys to protect data you are importing and exporting.

**For importing data**

**To enable customer managed encryption with AWS KMS**

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the left navigation pane, choose **Customer managed keys**, and then choose the KMS key associated with the buckets that you want to use.

1. Expand **Key Policy** if it is not already expanded. 

1. In the **Key Users** section, choose **Add** and search for the IAM role. Choose the IAM role, and then choose **Add**.

1. Alternatively, you can choose **Switch to Policy view** to display the key policy document and add a statement to the key policy. The following is an example of the policy.

**Example of a policy for the AWS KMS customer managed key**  

```
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:role/snowball-import-s3-only-role"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
```

After you add this statement to the key policy of the AWS KMS customer managed key, you must also update the IAM role associated with the Snowball job. By default, the role is `snowball-import-s3-only-role`.

**Example of the Snowball import IAM role**  

```
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ],
  "Resource": "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111"
}
```

For more information, see [Using Identity-Based Policies (IAM Policies) for AWS Snowball Edge](access-control-managing-permissions.md).

The KMS key that is being used looks like the following:

`"Resource":"arn:aws:kms:region:AccountID:key/*"`

**For exporting data**

**Example of a policy for the AWS KMS customer managed key**  

```
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111122223333:role/snowball-export-s3-only-role"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
```

After you add this statement to the key policy of the AWS KMS customer managed key, you must also update the IAM role associated with the Snowball job. By default, the role is `snowball-export-s3-only-role`.

**Example of the Snowball export IAM role**  

```
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ],
  "Resource": "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111"
}
```

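The following check is an added example, not code from the AWS documentation. It compares a job's IAM role statement and KMS key policy statement against the actions this page lists for import and export jobs, and flags malformed action names such as `kms: Decrypt`. The function names and sample statements are assumptions constructed for illustration, and only `*` wildcards are interpreted.

```python
import re

# Actions the page lists per job type when the bucket uses SSE-KMS.
REQUIRED = {"import": {"kms:GenerateDataKey", "kms:Decrypt"},
            "export": {"kms:Decrypt"}}
ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9-]+:[A-Za-z0-9*]+)$")  # no whitespace


def as_list(value):
    """IAM accepts either a string or a list for Action, Resource, Principal."""
    return [value] if isinstance(value, str) else list(value or [])


def covers(granted, needed, flags=0):
    """True if `granted` (with '*' wildcards only) matches `needed`."""
    pattern = re.escape(granted).replace(r"\*", ".*")
    return re.fullmatch(pattern, needed, flags) is not None


def check_job_kms_access(job_type, role_arn, key_arn, role_stmt, key_stmt):
    """Return findings; an empty list means role and key policy line up."""
    findings = []
    for name, stmt in (("role", role_stmt), ("key policy", key_stmt)):
        if stmt.get("Effect") != "Allow":
            findings.append(f"{name}: Effect is not Allow")
        actions = as_list(stmt.get("Action"))
        valid = [a for a in actions if ACTION_RE.match(a)]
        findings += [f"{name}: malformed action {a!r}"
                     for a in actions if a not in valid]
        findings += [f"{name}: missing {need}"
                     for need in sorted(REQUIRED[job_type])
                     if not any(covers(a, need, re.IGNORECASE) for a in valid)]
    if not any(covers(r, key_arn) for r in as_list(role_stmt.get("Resource"))):
        findings.append("role: Resource does not cover the job's KMS key")
    principal = key_stmt.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    if role_arn not in as_list(aws):
        findings.append("key policy: job role is not a Principal")
    return findings


# Constructed sample input, using the example ARNs shown on this page.
KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/abc123a1-abcd-1234-efgh-111111111111"
ROLE_ARN = "arn:aws:iam::111122223333:role/snowball-export-s3-only-role"
ROLE_STMT = {"Effect": "Allow", "Action": ["kms: Decrypt"], "Resource": KEY_ARN}
KEY_STMT = {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:role/snowball-import-s3-only-role"]}}

if __name__ == "__main__":
    for finding in check_job_kms_access("export", ROLE_ARN, KEY_ARN, ROLE_STMT, KEY_STMT):
        print(finding)
```

Running the check before you create a job surfaces a role or key policy mismatch that would otherwise appear only as a KMS access error during the transfer.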

## Amazon S3 encryption with server-side encryption

AWS Snowball Edge supports server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Server-side encryption is about protecting data at rest, and SSE-S3 has strong, multifactor encryption to protect your data at rest in Amazon S3. For more information about SSE-S3, see [Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.

**Note**  
Currently, AWS Snowball Edge doesn't support server-side encryption with customer-provided keys (SSE-C). However, you might want to use that SSE type to protect data that has been imported, or you might already use it on data you want to export. In these cases, keep the following in mind:  
+ **Import** – If you want to use SSE-C to encrypt the objects that you've imported into S3, copy those objects into another bucket that has SSE-KMS or SSE-S3 encryption established as a part of that bucket's bucket policy.
+ **Export** – If you want to export objects that are encrypted with SSE-C, first copy those objects to another bucket that either has no server-side encryption, or has SSE-KMS or SSE-S3 specified in that bucket's bucket policy.

## Prerequisites for using Amazon S3 adapter on Snowball Edge for import and export jobs


You can use S3 adapter on Snowball Edge when you are using the devices to move data from on-premises data sources to the cloud or from the cloud to on-premises data storage. For more information, see [Transferring files using the Amazon S3 adapter for data migration to or from Snowball Edge](using-adapter.md).

The Amazon S3 bucket associated with the job must use the Amazon S3 standard storage class. Before creating your first job, keep the following in mind.

For jobs that import data into Amazon S3, follow these steps:
+ Confirm that the files and folders to transfer are named according to the [object key naming guidelines](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMetadata.html#object-key-guidelines) for Amazon S3. Any files or folders with names that don't meet these guidelines aren't imported into Amazon S3.
+ Plan what data you want to import into Amazon S3. For more information, see [Planning your large transfer with Snowball Edge](LargeDataMigration.md#copy-general-planning).

Before exporting data from Amazon S3, follow these steps:
+ Understand what data is exported when you create your job. For more information, see [Using Amazon S3 object keys when exporting data to a Snowball Edge device](exporttype.md#ranges).
+ For any files with a colon (`:`) in the file name, change the file names in Amazon S3 before you create the export job to get these files. Files with a colon in the file name fail export to Microsoft Windows Server. 

## Prerequisites for using Amazon S3 compatible storage on Snowball Edge


You use Amazon S3 compatible storage on Snowball Edge when you are storing data on the device at your edge location and using the data for local compute operations. Data used for local compute operations will not be imported to Amazon S3 when the device is returned. 

When ordering a Snow device for local compute and storage with Amazon S3 compatible storage, keep the following in mind.
+ You will provision Amazon S3 storage capacity when you order the device, so consider your storage needs before ordering a device.
+ You can create Amazon S3 buckets on the device after you receive it rather than while ordering a Snowball Edge device.
+ You will need to download the latest version of the AWS CLI (v2.11.15 or higher), Snowball Edge client, or AWS OpsHub and install it on your computer to use Amazon S3 compatible storage on Snowball Edge.
+ After receiving your device, configure, start, and use Amazon S3 compatible storage on Snowball Edge according to [Using Amazon S3 compatible storage on Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/s3compatible-on-snow.html) in this guide.

## Prerequisites for using compute instances on Snowball Edge


You can run Amazon EC2-compatible compute instances hosted on an AWS Snowball Edge with the `sbe1`, `sbe-c`, and `sbe-g` instance types:
+ The `sbe1` instance type works on devices with the Snowball Edge Storage Optimized option.
+ The `sbe-c` instance type works on devices with the Snowball Edge Compute Optimized option.

All the compute instance types supported on Snowball Edge device options are unique to AWS Snowball Edge devices. Like their cloud-based counterparts, these instances require Amazon Machine Images (AMIs) to launch. You choose the AMI for an instance before you create your Snowball Edge job.

To use a compute instance on a Snowball Edge, create a job to order a Snowball Edge device and specify your AMIs. You can do this using the AWS Snowball Edge Management Console, the AWS Command Line Interface (AWS CLI), or one of the AWS SDKs. Typically, to use your instances, there are some housekeeping prerequisites that you must perform before creating your job.

For jobs using compute instances, before you can add any AMIs to your job, you must have an AMI in your AWS account and it must be a supported image type. Currently, supported AMIs are based on these operating systems:
+ [Amazon Linux 2](https://aws.amazon.com/marketplace/pp/B08Q76DLTM)
+ [CentOS 7 (x86_64) - with Updates HVM](https://aws.amazon.com/marketplace/pp/B00O7WM7QW)
+ Ubuntu 16.04 LTS - Xenial (HVM)
+ [Ubuntu 20.04 LTS - Focal](https://aws.amazon.com/marketplace/pp/prodview-iftkyuwv2sjxi)
+ [Ubuntu 22.04 LTS - Jammy](https://aws.amazon.com/marketplace/pp/prodview-f2if34z3a4e3i)
+ [Microsoft Windows Server 2012 R2](https://aws.amazon.com/marketplace/pp/prodview-g3y27m7b55tag)
+ [Microsoft Windows Server 2016](https://aws.amazon.com/marketplace/pp/prodview-fsarquezghuic)
+ [Microsoft Windows Server 2019](https://aws.amazon.com/marketplace/pp/prodview-bd6o47htpbnoe)

**Note**  
Ubuntu 16.04 LTS - Xenial (HVM) images are no longer supported in the AWS Marketplace, but are still supported for use on Snowball Edge devices through Amazon EC2 VM Import/Export and running locally in AMIs.

You can get these images from [AWS Marketplace](https://aws.amazon.com/marketplace).

If you're using SSH to connect to the instances running on a Snowball Edge, you can use your own key pair or you can create one on the Snowball Edge. To use AWS OpsHub to create a key pair on the device, see [Working with key pairs for EC2-compatible instances in AWS OpsHub](working-with-key-pair.md). To use the AWS CLI to create a key pair on the device, see `create-key-pair` in [List of supported EC2-compatible AWS CLI commands on a Snowball Edge](using-ec2-endpoint.md#list-cli-commands-ec2-edge). For more information on key pairs and Amazon Linux 2, see [Amazon EC2 key pairs and Linux instances](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-key-pairs.html) in the Amazon EC2 User Guide.

For information specific to using compute instances on a device, see [Using Amazon EC2-compatible compute instances on Snowball Edge](using-ec2.md).