Amazon S3 Commercial Cloud

Note: The information on this page applies to orders placed through the Ordering API only. It does not apply to orders placed via the MGP Pro User interface.

Orders can be delivered to an S3 bucket in the AWS commercial cloud. When you place an order using the Ordering API, the images and accompanying data will be written to the Amazon S3 bucket you specify in the request. In order to deliver the ordered files, The Ordering API needs permission to write data to your S3 bucket.

To grant "write" permission, you'll need to add a bucket policy. Access granted by this policy is limited to the ability to write objects to the bucket. Maxar will not have access to read or edit data in the bucket.

Prerequisites

If you haven't already set up an S3 bucket in the AWS commercial cloud to use for image deliveries, you'll need to create one. See Creating a Bucket in Amazon's AWS documentation.

Grant "write" access to your bucket with an S3 bucket policy

To add a bucket policy, you'll first copy the bucket policy template from this document (below) to your clipboard, and then paste it to the bucket policy box in the S3 Management Console. Then you'll edit the policy to add your bucket name as the resource. Follow the steps below to properly set up your bucket.

Sign into the AWS Management console with your AWS credentials.
From the console, select the name of the S3 bucket. Depending on your landing page, you may need to click the link on your page that says "s3" to navigate to your list of S3 buckets.
Select the Permissions tab. From here, scroll down to the "bucket policy".
From this document, copy the bucket policy example below to your clipboard.

To copy the bucket policy example, click the "copy" button in the top right corner of the example block.

Bucket policy example (copy this):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MaxarS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::178494160498:root"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::{your bucket name goes here}/*",
                "arn:aws:s3:::{your bucket name goes here}"
            ]
        }
    ]
}

From the AWS Console permissions tab, scroll to the "bucket policy" section and choose "Edit" to open the bucket policy box for editing.
Paste the example bucket policy from your clipboard into the bucket policy box, including all of the brackets.
Add your S3 bucket as the resource.

In the "Resource" section, replace the brackets and the content inside with your bucket name. In this example, "mpg-docs-demo" is the bucket name.

"Resource": [
    "arn:aws:s3:::mpg-docs-demo/*",
    "arn:aws:s3:::mpg-docs-demo"

Note: The bucket policy only needs to be set up once per bucket. Any time you create a new bucket for order delivery, set this policy on the bucket.

Object Ownership

Object ownership determines who has control of objects in the bucket. We recommend the default setting of ACLs disabled, bucket owner enforced.

object owner enforced

Revoking write access

Write access to the bucket can be revoked by either deleting or editing the policy. The simplest way to revoke access is by deleting the policy. Before deleting the policy, make sure to review some reasons editing the policy makes more sense. For example:

You may have more than one policy statement in a bucket policy. Deleting it will delete all the statements in that policy. If you only want to remove access for Maxar, choose "edit" and then delete only the statement above.
You may only want to revoke access temporarily. If you plan to revoke and reinstate access, you can edit the policy instead of deleting it and re-adding it.

Deleting the bucket policy

Next to the bucket policy block in the AWS console, choose "delete." This will delete the entire policy.

Editing the bucket policy

To edit the bucket policy, choose "edit" from the block in the AWS console.

If there are multiple access statements in your policy, and you want to retain the others, remove the policy that gives Maxar access and save changes.
If you want to revoke access without deleting the bucket policy, edit the "Effect" field value to say "Deny" and save changes. To reinstate access, change the value back to "Allow."

Amazon Resource Name utility

Another way to allow access to your AWS S3 bucket is through the Amazon IAM Roles. Instead of adding a bucket policy, you would include your role's arn in the role_arn field in your output_config object. The Ordering API will assume this specified AWS IAM role in order to have permissions to write to your bucket. You must create this IAM role and you must be sure this role has the correct permissions to allow write access to your bucket. For more information, visit the AWS Identity and Access Management User Guide.

"output_configs": [ 
  {
    "type": "amazon_s3", 
    "role_arn": "arn of AWS IAM role to assume",
    "bucket": "my-bucket",
    "prefix": "some/prefix"
  }
]

Encrypted Buckets

If you are using encryption on your bucket with a private key, you will need to add the following policy to your "key policy" when you create a key:

        {
            "Sid": "Grant decrypt to MPG account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::178494160498:root"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }

Prerequisites​

Grant "write" access to your bucket with an S3 bucket policy​

Object Ownership​

Revoking write access

Deleting the bucket policy​

Editing the bucket policy​

Amazon Resource Name utility​

Encrypted Buckets​