AWS Setup for Snowplow Insights Enterprise

To setup Snowplow, we need you to create a sub-account dedicated to Snowplow, then set up a user within this sub-account with the appropriate permissions (using an IAM policy) to set up the pipeline. The process for this is as follows:

Create sub-account

  1. From your main AWS account, set up an Organisation if you haven’t done so already.
  2. Create an account in that organisation (sub-account)
  3. Sign out and sign into the new sub-account. Everything Snowplow-related will take place within this account from here in.

Set up User and IAM permissions

  1. Create the IAM policy
  2. Create a group and assign them this policy
  3. Create user in that group, and send the login details to the alexdean user via passpack


Step 1. Create an Organisation and sub-account

  • From the console homepage, navigate to ‘AWS Organizations’ (via the search bar), and select Create Organization.

shot 0 search org

shot 1 org home

  • Create an organization - Choose enable all features

shot 2 add account

  • Add account - you will need to create this account with a separate email address. This will be the sub-account we use for Snowplow. You can invite an existing account, or create a new one, but make sure that this account is not used for anything but setting up the Snowplow Pipeline.

shot 3 add account

shot 4 create account

  • Sign out, and sign in with that account - this is your Snowplow sub-account and everything to do with Snowplow happens here from now on.

Step 2. Create a Permissions Policy, User Group, and User

Create IAM policy:

  • Navigate to ‘IAM’ (via the search bar) - Note that all steps from here take place from within this section

shot 5 search iam

  • Navigate to Policies (left panel) -> Create policy -> Create Your Own Policy

shot 6 create policy

shot 7 create own policy

  • Name the policy snowplow-policy-setup-infrastructure, copy and paste the below into the policy document:
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": [

shot 9 policy text rt

Create a Group with this policy:

  • Navigate to Groups (left pane) -> Create New Group

shot 10 create new group

  • Name the Group snowplow-setup

shot 11 name group

  • On the attach policy step, select the policy we have just created: snowplow-policy-setup-infrastructure. You can use the searchbar to find it easily.

shot 12 attach policy

  • Review the details and create the group.

shot 13 review and create

Create a User in this Group:

  • Navigate to Users (left pane, from the IAM homescreen) -> Add User

shot 14 add user

  • Name the user snowplow-setup
  • Select both checkboxes under ‘Access type’
  • Select Autogenerated Password under ‘Console Password’
  • Make sure that the Require password reset box is checked

shot 15 user config

  • On the next screen, add the check the box next to snowplow-setup to add the user to this group.

shot 16 add user to group

  • Once you see the success message, copy the username, password and AWS Console login URL - we will need these to set up the pipeline.

shot 17 details

User Creation

You will need to create users in order to upload schemas and implement custom tracking - we will create a usergroup SnowplowIgluAdmin with the minimum required permissions to do so - it is recommended that users are created within this group for these purposes.