Australian Government Hosting Framework - "Strategic" certification level hosting - Confluence Cloud

For Australian Government clients, who have SENSITIVE to PROTECTED class information, they need a Guarantee that they can meet the required hosting certification of "Assured" or "Strategic" within the Australian Government Hosting Framework depending how sensitive their data is.

This is a legal requirment of the framework if you have sensitive data.

The issue here is that Atlassian has a tonne of information about their many certificates and awards but these aren't the ones that mean anything to Australian Government clients regarding the Australian Government Hosting Framework.  Considering Atlassian is Aussie, it's weird that there is 0 info on this on their website.  (Lucikly AWS covers it on their website, which automatically covers Atlassian Cloud also).

So after my own research I think I'll share that information here.

1. Your Confluence Cloud subsription will need to be Premium or Enterprise, or you won't have the features to lock down your instance and meet the required certification level within the framework.

2. In your Confluence Cloud settings you will need to ensure your Data Residency is Pinned to the Australia region to ensure it never moves out of that region.  This will guarantee you stay in the AWS (Amazon Web Services) Sydney Region.  

Atlassian uses AWS to host client Confluence Cloud instances.

AWS Meets the Strategic level of certification in the Australia region, but not outside of it, and remember, even redundancy / HA that comes with your hosting needs to stay in the certified region to stay compliant.  So make sure you pin it!

Configure IP restricted access to your confluence cloud access
(not necessary if you don't use anonymous user access to anything in your Confluence Cloud, but do it anyway, just in case!).

Speak to your company network adminstrator to make sure you are using static outbound IP addresses that are registered with your ISP (Internet Service Provider) as under your organisation's control, you don't want these addresses to change they need to be static.

All you need to do now is add the Outbound IP addresses into the IP Allow List inside Confluence Cloud settings.

Now, only users that have access to your organisation's network can access your Confluence Cloud instance.

And that is how you lock down Confluence Cloud to meet the requirements of the Australian Government Hosting Framework.