AWS Snowball → Amazon S3 Glacier
This architecture outlines how to transfer large volumes of on-premises data to Amazon S3 Glacier using AWS Snowball for offline transport and S3 lifecycle policies for archival.
🧭 Use Case
Organizations with terabytes to petabytes of on-premises data (e.g., backups, logs, surveillance, research data) want to:
- Avoid network bandwidth limitations
- Securely archive data into cost-effective cold storage
  → S3 Glacier or Glacier Deep Archive
🧱 Architecture Components
| Component | Purpose |
|---|---|
| AWS Snowball Edge | Secure physical device for data transfer |
| AWS OpsHub / CLI | Manages data transfer onto Snowball |
| Amazon S3 (Staging Bucket) | Initial landing zone for data in AWS |
| S3 Lifecycle Policy | Automatically transitions data to Glacier |
| IAM | Controls access and permissions |
| KMS (optional) | Encrypts data during transfer and storage |
🔁 Workflow Diagram
```
+------------------+     (1) Copy Data     +-------------------------+
| On-Prem Servers  | --------------------> | AWS Snowball Edge       |
+------------------+                       +-------------------------+
                                           | - Local S3 interface    |
                                           | - Encrypted at rest     |
                                           +-------------------------+
                                                        |
                                                        | (2) Ship to AWS
                                                        V
                                           +-------------------------+
                                           | AWS Import Facility     |
                                           +-------------------------+
                                                        |
                                                        | (3) Data Import
                                                        V
                                         +------------------------------+
                                         |  Amazon S3 (Staging Bucket)  |
                                         +------------------------------+
                                                        |
                                                        | (4) Lifecycle Rule
                                                        V
                                         +------------------------------+
                                         | Amazon S3 Glacier (or Deep)  |
                                         +------------------------------+
```
📝 Step-by-Step Setup
✅ 1. Order & Configure Snowball
- Use AWS Console or CLI to create a Snowball Edge job
- Select destination: S3 Bucket
- Choose KMS key if needed
✅ 2. Copy Data Locally
- Install AWS OpsHub
- Connect to Snowball via Ethernet
- Copy data using:
  - OpsHub GUI
  - AWS CLI
  - S3-compatible APIs
✅ 3. Ship Snowball to AWS
- AWS receives the device
- Verifies and decrypts data
- Uploads data to your S3 bucket
✅ 4. Configure Lifecycle Policy
Apply a policy like:
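
The page does not include the policy itself, so the following is an added example, not the original author's configuration: Python code that builds an S3 lifecycle configuration transitioning a staging prefix to Glacier, and audits a configuration (in the shape returned by `aws s3api get-bucket-lifecycle-configuration`) to confirm an enabled rule really archives that prefix. The prefix `snowball-import/`, the 30-day delay, the 7-day multipart cleanup and all function names are assumptions.

```python
import json

ARCHIVE_CLASSES = ("GLACIER", "DEEP_ARCHIVE")  # S3 Lifecycle storage-class names


def build_archive_config(prefix, days, storage_class="GLACIER"):
    """Lifecycle configuration that archives objects under `prefix` after `days`."""
    if storage_class not in ARCHIVE_CLASSES or days < 0:
        raise ValueError("need an archive storage class and days >= 0")
    return {"Rules": [{
        "ID": f"archive-{storage_class.lower()}-after-{days}d",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": days, "StorageClass": storage_class}],
        # Remove partial uploads left in the staging bucket (7 days is an assumption).
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


def rule_prefix(rule):
    """Prefix a rule covers, or None when tags or size also narrow it."""
    flt = rule.get("Filter", {})
    if set(flt) - {"Prefix"}:
        return None
    return flt.get("Prefix", rule.get("Prefix", ""))


def audit(config, prefix):
    """Findings for a lifecycle configuration; [] means `prefix` is archived."""
    findings, archived = [], False
    for rule in config.get("Rules", []):
        covered = rule_prefix(rule)
        if covered is None or not prefix.startswith(covered):
            continue
        classes = {t.get("StorageClass") for t in rule.get("Transitions", [])}
        if not classes & set(ARCHIVE_CLASSES):
            continue
        if rule.get("Status") == "Enabled":
            archived = True
        else:
            findings.append(f"rule {rule.get('ID')} is disabled")
    if not archived:
        findings.append(f"no enabled rule archives objects under {prefix!r}")
    return findings


if __name__ == "__main__":
    # Constructed values: the prefix and the 30-day delay are assumptions.
    print(json.dumps(build_archive_config("snowball-import/", 30), indent=2))
```

The printed JSON can be saved to a file and passed to `aws s3api put-bucket-lifecycle-configuration` via `--lifecycle-configuration file://<path>`.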
🔒 Security & Monitoring
| Feature | Notes |
|---|---|
| Encryption at Rest | Data is encrypted on Snowball and in S3 using KMS |
| Tamper-Proof Device | Snowball uses TPM & strong encryption |
| IAM Role Access | Limit write/read access to S3 and Snow APIs |
| CloudTrail | Track import activity and lifecycle changes |
| S3 Access Logs | Monitor Glacier object retrieval requests |
💰 Cost Considerations
| Service | Cost Notes |
|---|---|
| Snowball Edge | Per-day usage + shipping |
| S3 Standard Storage | For staging (short-term) |
| S3 Glacier | Very low cost per GB/month |
| Retrieval Costs | Apply for Glacier/Deep Archive |
✅ Summary
| Aspect | Choice |
|---|---|
| Transfer Medium | AWS Snowball Edge (80+ TB) |
| AWS Landing Zone | Amazon S3 Bucket |
| Final Storage Tier | Amazon S3 Glacier / Deep Archive |
| Automation Tool | S3 Lifecycle Rules |
| Encryption | Snowball TPM + AWS KMS |