
Set up CMK-enabled Atlassian apps

Customer-managed keys (CMK) give you greater control and visibility over your encryption keys to protect your organization’s Atlassian Cloud data. CMK is currently in Open Beta, and customers not already enrolled in BYOK can enroll in it. BYOK will eventually be deprecated and migrated to CMK.

Enroll in Atlassian Customer-managed keys (CMK) encryption

Once you’ve created the AWS KMS keys and a provisional KMS key policy, follow the steps on this page to submit a support ticket with required information. We’ll enroll your AWS KMS keys in the CMK encryption policy of your Atlassian Cloud organization, and provision the requested app instances to your Enterprise plan.

Who can do this?
Role: Organization admin
Atlassian Cloud: Jira, Confluence, and Jira Service Management customers with Enterprise plan
Atlassian Government Cloud: Not available

Currently, you can create only one CMK encryption policy per organization, and you can't add CMK to an existing app. If you add the app directly, it will not be CMK-enabled.

Atlassian CMK enrollment

Step 1 - Submit information

Go to Atlassian support, then follow these instructions to submit a request:

  1. Under What can we help you with? select Technical Issues and Bugs.

  2. Under Which product is this for? select Cloud Administration.

  3. Under What is the site URL of your product within your organization enter your main cloud site URL.

  4. [Optional] Under Include admin or billing/technical/end-customer contact, or additional participants on this ticket enter any relevant contacts from your organization that want to be notified about the request.

  5. Under Summarize your issue enter Enroll CMK from AWS account <AWS account ID>. Your AWS account ID is the AWS account that you created specifically for managing CMK encryption for your Atlassian apps. The ID is numeric, for example, 279766244153.

  6. Under What is the impact to your business select a level according to your business needs. For the ticket SLA (time to response), refer to Atlassian Support Offerings.

  7. Under Give us more details provide the following EIGHT pieces of information:

    1. Atlassian cloud organization ID: This is a unique identifier assigned to your organization in the Atlassian cloud system. You can retrieve the URL via admin.atlassian.com: https://admin.atlassian.com/o/my-organization-id-xxxxx-xxxxxxx-xxxxxx/overview

    2. AWS account ID: This is the AWS account that you created specifically for managing KMS keys used for your Atlassian cloud apps. The ID is numeric, for example, 279766244153. How to find your AWS account ID.

    3. Name and e-mail address of the organization admin or billing admin.

    4. Cloud site name(s): Cloud site URL(s), for example, acme-cmk.atlassian.net. URL(s) should be unused. We'll provision your CMK-enabled apps under their corresponding site name(s).

    5. The realm where your KMS keys reside: The choice you make regarding KMS keys will also determine the region where your cloud app data is hosted. Your KMS key and app data are co-located. Once we enroll your CMK encryption policy, you will not be able to migrate the data out of the chosen realm.

    6. AWS KMS key ARN(s): Provide two key ARN(s), one from each region if you chose a dual-region realm. Otherwise, provide one key ARN for a single-region realm.

    7. Encryption context tag: This is a customer-defined tag (an alphanumeric string of up to 12 characters) that improves readability when you track encryption authentication in AWS CloudTrail, for example, “AcmeCMK”. Understand more about Encryption context identifier. We will re-confirm the tag value with you to ensure accuracy. Once the tag takes effect, any subsequent change to its value will require data re-encryption across your CMK-enabled app instances.

    8. Apps that you want to create the CMK-enabled cloud instances for. This can be Jira, Confluence and/or Jira Service Management.

  8. [Optional] Under Want faster, more accurate help? Upload screenshots or videos that show your issue and where it happened. Review our retention policy, add any relevant attachments.

  9. [Optional] Under Your phone number enter any relevant phone number.

  10. Under Which is closest to your normal working hours? select the working hours that fit your business needs.

  11. Select Submit Ticket to create the ticket.
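A pre-submission consistency check for the details listed in step 7, as an added example that is not part of Atlassian's documentation or tooling. The dictionary field names, the sample regions and the key IDs are hypothetical, and the check assumes that the keys live in the dedicated AWS account named in the ticket and use the standard `aws` partition.

```python
import re

# arn:aws:kms:<region>:<12-digit account>:key/<key id> (standard partition assumed)
KMS_ARN = re.compile(r"arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[A-Za-z0-9-]+")
TAG = re.compile(r"[A-Za-z0-9]{1,12}")  # page: alphanumeric, 12 characters max
SITE = re.compile(r"[a-z0-9][a-z0-9-]*\.atlassian\.net")
APPS = {"Jira", "Confluence", "Jira Service Management"}

def check_enrollment(req):
    """Return a list of problems found in a CMK enrollment request dict."""
    problems = []
    account = req.get("aws_account_id", "")
    if not re.fullmatch(r"\d{12}", account):
        problems.append("AWS account ID must be 12 digits")
    arns = req.get("kms_key_arns", [])
    expected = 2 if req.get("dual_region") else 1
    if len(arns) != expected:
        problems.append(f"expected {expected} key ARN(s), got {len(arns)}")
    regions = []
    for arn in arns:
        m = KMS_ARN.fullmatch(arn)
        if not m:
            problems.append(f"not a KMS key ARN: {arn}")
            continue
        regions.append(m.group(1))
        # Assumption: the keys live in the dedicated account named in the ticket.
        if m.group(2) != account:
            problems.append(f"key is in account {m.group(2)}, not {account}")
    if len(set(regions)) != len(regions):
        problems.append("dual-region realm needs one key from each region")
    if not TAG.fullmatch(req.get("context_tag", "")):
        problems.append("encryption context tag must be 1-12 alphanumerics")
    problems += [f"unexpected site name: {s}" for s in req.get("sites", [])
                 if not SITE.fullmatch(s)]
    apps = set(req.get("apps", []))
    if not apps or apps - APPS:
        problems.append("apps must be Jira, Confluence and/or Jira Service Management")
    return problems

# Constructed sample request: the regions and key IDs are made up.
SAMPLE = {
    "aws_account_id": "279766244153", "dual_region": True,
    "kms_key_arns": [
        "arn:aws:kms:us-east-1:279766244153:key/1111aaaa-22bb-33cc-44dd-555566667777",
        "arn:aws:kms:us-west-2:279766244153:key/8888eeee-99ff-00aa-11bb-222233334444",
    ],
    "context_tag": "AcmeCMK",
    "sites": ["acme-cmk.atlassian.net"],
    "apps": ["Jira", "Confluence"],
}
```

`check_enrollment(SAMPLE)` returns an empty list; each string in a non-empty result names one inconsistency to fix before the ticket is submitted.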

Step 2 - System prepares your enrollment

Once you submit the ticket with the above information, we’ll enroll you in Atlassian CMK encryption and generate a unique encryption context identifier that is specific to your Atlassian cloud tenant. Your encryption context tag will then be linked to the system-generated identifier to form a unique pair.

Step 3 - (optional) Enforce additional security controls in your KMS key policy

During this enrollment process, you have the option to enforce the encryption context identifier-tag pair and a VPC endpoint restriction on your KMS access through your AWS key policy. Understand how to enforce additional controls in your key policy.

Whether you have completed this optional step or decided to skip it, you need to confirm this in the support ticket before we proceed with provisioning your app instances.

Provision your cloud app instances

Once your enrollment process has been successfully completed, we will provision the requested app instances to be CMK-enabled. Understand what data is managed with Customer-managed keys.

View your CMK-enabled apps

To view your CMK-enabled apps:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Select Security > Encryption.

Subsequent requests for adding CMK-enabled apps

After the initial enrollment and app provisioning process, for subsequent requests to add more CMK-enabled apps, open the Atlassian support form, then follow these instructions to submit a request:

  1. Under What can we help you with? select Technical Issues and Bugs.

  2. Under Which product is this for? select Cloud Administration.

  3. Under What is the site URL of your product within your organization enter your main cloud site URL.

  4. [Optional] Under Include admin or billing/technical/end-customer contact, or additional participants on this ticket enter any relevant contacts from your organization that want to be notified about the request.

  5. Under Summarize your issue enter Enroll CMK from AWS account <AWS account ID>. Your AWS account ID is the AWS account that you created specifically for managing CMK encryption for your Atlassian apps. The ID is numeric, for example, 279766244153.

  6. Under What is the impact to your business select a level according to your business needs. For the ticket SLA (time to response), refer to Atlassian Support Offerings.

  7. Under Give us more details, provide the following THREE pieces of information:

    1. Atlassian cloud organization ID: This is a unique identifier assigned to your organization in the Atlassian cloud system. You can retrieve the URL via admin.atlassian.com: https://admin.atlassian.com/o/my-organization-id-xxxxx-xxxxxxx-xxxxxx/overview

    2. Cloud site name(s): cloud site URL(s), for example, acme-cmk.atlassian.net. We'll provision your CMK-enabled apps under their corresponding site name(s). The site(s) should be new or already enabled with CMK.

    3. Apps that you want to create the CMK-enabled cloud instances for. This can be Jira, Confluence and Jira Service Management.

  8. [Optional] Under Want faster, more accurate help? Upload screenshots or videos that show your issue and where it happened. Review our retention policy, add any relevant attachments.

  9. [Optional] Under Your phone number enter any relevant phone number.

  10. Under Which is closest to your normal working hours? select the working hours that fit your business needs.

  11. Select Submit Ticket to create the ticket.

CMK-enabled app instances must be provisioned by Atlassian. If you add an app directly via admin.atlassian.com, it will not be set up using CMK but with Atlassian-managed keys.
