Set up CMK-enabled Atlassian apps
CMK gives greater control over encryption keys to protect your Atlassian Cloud data. Currently you can create only one CMK encryption (policy) per organization for all data in scope. Customers not using BYOK can enroll in CMK. BYOK customers will eventually be migrated to CMK.
Enroll in Atlassian Customer-managed keys (CMK) encryption
Once you’ve created the AWS KMS keys and a provisional KMS key policy and enrolled in CMK encryption policy follow the steps on this page to submit a support ticket with required information. The AWS account details that were used to enroll in CMK encryption policy will be used to provision the requested app instances to your Enterprise plan.
Who can do this? |
Currently you can create only one CMK encryption (policy) per organization and can't add CMK to an existing app. If you add the app directly, it will not be CMK -enabled.
Go to Atlassian support, then follow these instructions to submit a request:
Under What can we help you with? select Technical Issues and Bugs.
Under Which product is this for? select Cloud Administration.
Under What is the site URL of your product within your organization enter an existing cloud site URL.
[Optional] Under Include admin or billing/technical/end-customer contact, or additional participants on this ticket enter any relevant contacts from your organization that want to be notified about the request.
Under Summarize your issue enter
Encrypt new apps for CMK encryption with organization ID <Organization ID>. This is a unique identifier assigned to your organization in the Atlassian cloud system.Under What is the impact to your business select a level according to your business needs. For the ticket SLA (time to response), refer to Atlassian Support Offerings.
Under Give us more details provide the following FOUR pieces of information:
Atlassian cloud organization ID: This is a unique identifier assigned to your organization in the Atlassian cloud system. You can retrieve the URL via admin.atlassian.com:
http://admin.atlassian.com/o/my-organization-id-xxxxx-xxxxxxx-xxxxxx/overviewName and e-mail address of the organization admin or billing admin.
Cloud site name(s): Cloud site URL(s), for example, acme-cmk.atlassian.net. URL(s) should be unused. We'll provision your CMK-enabled apps under their corresponding site name(s).
Apps that you want to create the CMK-enabled cloud instances for. This can be Jira, Confluence and/or Jira Service Management.[Optional] Under Want faster, more accurate help? Upload screenshots or videos that show your issue and where it happened. Review our retention policy add any relevant attachments.
[Optional] Under Your phone number enter any relevant phone number.
Under Which is closest to your normal working hours? select the working hours that fit your business needs.
Select Submit Ticket to create the ticket.
After the initial enrolment and app provisioning process, follow the steps above for any future requests to add additional CMK-enabled apps. Subsequent requests for app provisioning are generally fulfilled within two business days after the corresponding support ticket is processed.
CMK-enabled app instances must be provisioned by Atlassian. If you add a app directly via admin.atlassian.com, it will not be set up using CMK but with Atlassian-managed keys.
Enforce additional security controls in your KMS key policy
During this enrollment process, you have the option to enforce encryption context identifier-tag pair, and VPC endpoint restriction on your KMS access through your AWS key policy. Understand how to enforce additional controls in your key policy.
Whether you have completed this optional step or decided to skip, you need to confirm back in the support ticket before we proceed with provisioning your app instances.
Next: If you haven’t already Update AWS KMS key policy for your Atlassian cloud organization.
Was this helpful?