Changelog for AWS KMS key policies

As part of our ongoing work to make Atlassian Cloud more scalable, reliable, and resilient, earlier versions of AWS KMS key policy template may become insufficient to support upcoming cloud changes.

When we introduce a breaking change, we’ll:

explain what is changing
provide a transition window so you can update your key policy
document timelines and may provide assistance as needed during such transitions

This changelog page:

tracks required updates to your AWS KMS key policies used with Atlassian cloud
is for customers who use Customer-managed keys (CMK) encryption, not Bring Your Own Key (BYOK). What is CMK encryption?

To modify your AWS KMS key policy, follow the AWS instructions for editing key policies.

Changelog

The table below includes historically published CMK key policy versions.

Active - the most recent and stable version.
Supported - no longer the suggested version, but remain stable and supported.
Deprecated - no longer supported, for reference only.

Version	What’s new	Compatibility	Status	Publish date
V2	Support for AWS high-performance Elastic Block Store (EBS)	Requires policy V1 → V2 update within transition window	Active	Nov 3, 2025
V1	Initial version	(no prior versions)	Supported until June 30, 2026	April 1, 2025

Scroll down this page to see further details of each version.

The primary instruction page Set up AWS account and create a KMS key policy always refers to the latest template versions.

You can use either /latest/ or the most recent version number to access the most up-to-date templates. For example:

Latest key policy template: https://cmk-atlassian.s3.amazonaws.com/latest/atlassian-cmk-key-template.json
Latest CloudFormation template: https://cmk-atlassian.s3.amazonaws.com/latest/atlassian-cmk-key-template-cf.json

V2

Description	Support Elastic Block Store (EBS) due to Atlassian cloud infrastructure change.
Active	November 3, 2025
Key policy template	https://cmk-atlassian.s3.amazonaws.com/v2/atlassian-cmk-key-template.json
Further details	This code has been added in this version: `{` `"Sid": "AwsManagedServiceEBS",` `"Effect": "Allow",` `"Principal": "",` `"Action": [` `"kms:CreateGrant",` `"kms:GenerateDataKeyWithoutPlaintext",` `"kms:ReEncrypt"` `],` `"Resource": "",` `"Condition": {` `"StringEquals": {` `"kms:ViaService": "ec2.${AWS::Region}.amazonaws.com"` `},` `"ForAnyValue:StringEquals": {` `"kms:EncryptionContextKeys": "aws:ebs:id"` `},` `"ForAnyValue:StringLike": {` `"aws:PrincipalOrgPaths": [` `"o-rab3nm4fez//ou-6ypf-c369q98l/*"` `]` `}` `}` `}`
CloudFormation template	https://cmk-atlassian.s3.amazonaws.com/v2/atlassian-cmk-key-template-cf.json

V1

Description	Initial Key policies for CMK.
Active	April 1, 2025 – November 3, 2025
Supported	November 3, 2025
Key policy template	https://cmk-atlassian.s3.amazonaws.com/v1/atlassian-cmk-key-template.json
CloudFormation template	https://cmk-atlassian.s3.amazonaws.com/v1/atlassian-cmk-key-template-cf.json

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Still need help?

The Atlassian Community is here for you.

Ask the Community