Update AWS KMS key policy for your Atlassian cloud organization

Customer-managed keys (CMK) give you greater control and visibility over your encryption keys to protect your organization’s Atlassian Cloud data. CMK is currently in Open Beta, and customers not already enrolled in BYOK can enroll in it. BYOK will eventually be deprecated and migrated to CMK.

Who can do this?
Role: Organization admin
Atlassian Cloud: Jira, Confluence, and Jira Service Management customers with Enterprise plan
Atlassian Government Cloud: Not available

Update Key Management Service (KMS) key policy to enforce Encryption Tenant Identifier

Your KMS key policy grants Atlassian the access it needs to operate your cloud instances. Incorrect changes to your policy after successful app provisioning may cause various failures in your cloud instances.

During your initial CMK enrollment, it is recommended to update your KMS key policy with the Encryption Tenant Identifier-tag pair.

To ensure proper enforcement, please follow the steps outlined below after Atlassian has enrolled you in Customer-managed keys (CMK) encryption:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Select Security (top navigation) > Encryption (left navigation) > Encryption context & VPCE.

  (Screenshot: Additional security features for CMK)

  3. Your Encryption Context Identifier and Tag are displayed on this screen.

  (Screenshot: Encryption context identifier)

  4. Expand See sample policy to find a sample policy snippet that can be placed in your KMS key policy to enforce additional payload authentication through the context identifier.

Replace any dummy values and make any syntax adjustments needed to suit your environment. Other deviations from the sample will not be supported.

You have the option to implement this enforcement at a later time. Whether it is enforced during the initial enrollment or afterward, your Encryption Tenant Identifier-tag pair has already been integrated into your encryption policy on Atlassian's end. This identifier-tag pair is included with every encryption and decryption payload and can be monitored through your CloudTrail logs.

Update KMS key policy to restrict KMS access via VPC endpoint(s)

During your initial CMK enrollment, you may also set your key policy to leverage Atlassian-provided VPC endpoint(s) to restrict inbound requests to the corresponding KMS keys.

To ensure proper enforcement, please follow the steps outlined below after Atlassian has enrolled you in CMK encryption:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Select Security (top navigation) > Encryption (left navigation) > Encryption context & VPCE.

  (Screenshot: Additional security features for CMK)

  3. A VPC endpoint per region is displayed on this screen.

  (Screenshot: VPC endpoint)

  4. Expand See sample policy to find a sample policy snippet that can be placed in your KMS key policy to enforce the accepted origin of KMS traffic.

Replace any dummy values in the sample code and make any syntax adjustments needed to suit your environment. Other deviations from the sample will not be supported.

You can also choose to add this enforcement later. Whether it is enforced during the original enrollment or at a later time, VPC routing of inbound KMS traffic is observable in your CloudTrail logs.
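As an added example (not Atlassian's sample snippet, which you must take from the See sample policy panel in Atlassian Administration), the following Python builds the two guard rails described in the sections above as KMS key-policy Deny statements, one keyed on the Encryption Tenant Identifier-tag pair in the encryption context and one keyed on the Atlassian VPC endpoint, and then checks with a simplified model of IAM's Deny evaluation which requests each statement blocks. The principal ARN, identifier key, tag value and VPC endpoint ID are placeholders constructed for this example.

```python
"""Two KMS key-policy guard rails as Deny statements, plus a small evaluator
that mimics how IAM decides a Deny carrying a negated string condition.
Every value marked PLACEHOLDER is constructed for this example; the real
identifier, tag and VPC endpoint IDs come from the Encryption context & VPCE
screen in Atlassian Administration."""
import fnmatch
import json

# Cryptographic operations that carry an encryption context.
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*"]

ATLASSIAN_PRINCIPAL = "arn:aws:iam::111122223333:root"   # PLACEHOLDER
TENANT_ID_KEY = "example-tenant-identifier"              # PLACEHOLDER
TENANT_TAG = "example-tenant-tag"                        # PLACEHOLDER
VPCE_IDS = ["vpce-0123456789abcdef0"]                    # PLACEHOLDER


def build_context_deny(principal, tenant_key, tenant_tag):
    """Deny crypto operations by `principal` unless the encryption context
    carries the Encryption Tenant Identifier tag pair."""
    return {
        "Sid": "DenyWithoutTenantIdentifier",
        "Effect": "Deny",
        "Principal": {"AWS": principal},
        "Action": CRYPTO_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            f"kms:EncryptionContext:{tenant_key}": tenant_tag}},
    }


def build_vpce_deny(principal, vpce_ids):
    """Deny every KMS call by `principal` that did not arrive through one of
    the listed VPC endpoints (aws:SourceVpce is absent on public-endpoint calls)."""
    return {
        "Sid": "DenyOutsideAtlassianVpce",
        "Effect": "Deny",
        "Principal": {"AWS": principal},
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:SourceVpce": list(vpce_ids)}},
    }


def guard_statements(principal=ATLASSIAN_PRINCIPAL, tenant_key=TENANT_ID_KEY,
                     tenant_tag=TENANT_TAG, vpce_ids=VPCE_IDS):
    """The two Deny statements to append to the key's existing policy."""
    return [build_context_deny(principal, tenant_key, tenant_tag),
            build_vpce_deny(principal, vpce_ids)]


def render_policy(existing_statements, guards):
    """Merge the guards into a full key policy document (JSON text)."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": list(existing_statements) + list(guards)},
                      indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, request_keys):
    """True when every operator/key pair in the Condition block holds.
    IAM semantics for a negated operator: a missing request key matches."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = request_keys.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(allowed):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(allowed):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_denied(statements, principal, action, request_keys):
    """Would any Deny statement block this request? `request_keys` maps
    condition keys (e.g. aws:SourceVpce) to the values the request carries."""
    for stmt in statements:
        if stmt["Effect"] != "Deny":
            continue
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), request_keys):
            return True
    return False


if __name__ == "__main__":
    guards = guard_statements()
    print(render_policy([], guards))
    tagged_via_vpce = {f"kms:EncryptionContext:{TENANT_ID_KEY}": TENANT_TAG,
                       "aws:SourceVpce": VPCE_IDS[0]}
    print("tagged call via VPCE denied?",
          is_denied(guards, ATLASSIAN_PRINCIPAL, "kms:Decrypt", tagged_via_vpce))
```

Both Deny statements are scoped to the Atlassian principal on purpose: an unscoped `aws:SourceVpce` Deny would also block your own key administrators, who reach KMS from the console or CLI rather than through the Atlassian endpoint. Before and after applying the policy, the same two signals can be confirmed in CloudTrail: the identifier-tag pair appears in the `encryptionContext` of each Encrypt and Decrypt event's `requestParameters`, and calls routed through a VPC endpoint carry a `vpcEndpointId` field.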

Future updates to your KMS key policy

As Atlassian Cloud continues to evolve to meet future needs, there will be times when your key policy requires updates to align with changes in Atlassian cloud infrastructure. These adjustments are essential to ensure that your apps function as intended.

When the need for these updates arises, detailed instructions, a testing mechanism, and a grace period will be provided to assist with the transition.
