Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

BYOK encryption

Jim Knepley - ReleaseTEAM
Jim Knepley - ReleaseTEAM
Atlassian Partner
October 5, 2023

Based on the recent announcement, I started to dig into the BYOK encryption.

I noticed the IAM role that customers apply to allow access to their KMS keys doesn't include kms:Encrypt or kms:Decrypt operations.

(protip: constrain that policy to only the keys you want to allow Atlassian to access, unlike the "*" it is by default)

Not having the encrypt or decrypt operations suggests to me that Atlassian is importing the key material, keeping a copy for themselves, and periodically checking KMS if the key has been invalidated.

Has anyone played with this enough to understand how it's operating?

Comment
Watch
Like Laurie Sciutti likes this
2564 views

1 comment

Comment

Log in or Sign up to comment
Hui Ren
Hui Ren
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 26, 2024

Jim - apologies for the delayed response. As I posted in the recent comment, IAM role in the template essentially allows to create grant operations including encryption and decryption.

To the earlier question where you linked, Atlassian does not and cannot import master key materials from AWS KMS. By AWS design, master keys will never leave KMS, and its key material is never exposed in plaintext.

Like
Reply

Recommended Learning For You

Level up your skills with Atlassian learning

Learning Path

Improve user experience across Jira with global settings

Jira Software

Learn how to set up and configure a Jira site, manage Jira permissions, and configure Jira apps and integrations.

1.5h Advanced
Free

Learning Path

Streamline projects across Jira with shared configurations

Jira Software

Build Jira work items with reusable configurations called schemes, and reduce administrative work with automation.

4.5h Advanced
Free

Learning Path

Become an effective Jira software project admin

Jira Software

Set up software projects and configure tools and agile boards to meet your team's needs.

8.4h Intermediate
Free
groups-icon
Jira Cloud Admins
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2026 Atlassian
    Privacy Policy Notice at Collection Terms Security