
BYOK encryption

Jim Knepley - ReleaseTEAM
Marketplace Partner
October 5, 2023

Based on the recent announcement, I started to dig into the BYOK encryption.

I noticed the IAM role that customers apply to allow access to their KMS keys doesn't include kms:Encrypt or kms:Decrypt operations.

(protip: constrain that policy to only the keys you want to allow Atlassian to access, unlike the "*" it is by default)

Not having the encrypt or decrypt operations suggests to me that Atlassian is importing the key material, keeping a copy for themselves, and periodically checking KMS if the key has been invalidated.

Has anyone played with this enough to understand how it's operating?

Hui Ren
Atlassian Team
April 26, 2024

Jim - apologies for the delayed response. As I posted in the recent comment, the IAM role in the template essentially allows creating grant operations, including encryption and decryption.

To the earlier question where you linked, Atlassian does not and cannot import master key materials from AWS KMS. By AWS design, master keys will never leave KMS, and its key material is never exposed in plaintext.
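As an added example (not Atlassian's template and not code from either post): a small Python check that reads an IAM policy document and reports whether its Resource is the default "*" the question warns about, and whether kms:CreateGrant is allowed, which, as the reply explains, is what lets the principal perform encryption and decryption through grants even when kms:Encrypt and kms:Decrypt are not listed directly. The two policies, the account id and the key id are constructed placeholders.

```python
import fnmatch

# Constructed sample: a cross-account KMS access policy of the shape discussed
# in the thread, with the default "*" Resource. Not Atlassian's real template.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
        "Resource": "*",
    }],
}

# Same permissions scoped to one key ARN (placeholder account id and key id).
CONSTRAINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    }],
}


def _allows(actions, wanted):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def audit_kms_policy(policy):
    """Report BYOK-relevant findings for an IAM policy document (dict)."""
    findings = {"wildcard_resource": False, "grant_capable": False, "direct_crypto": False}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings["wildcard_resource"] = True  # scope this to the key ARNs you intend to share
        # Missing kms:Encrypt/kms:Decrypt does not mean no crypto: kms:CreateGrant lets the
        # principal create grants whose operations include Encrypt and Decrypt.
        if _allows(actions, "kms:CreateGrant"):
            findings["grant_capable"] = True
        if _allows(actions, "kms:Encrypt") or _allows(actions, "kms:Decrypt"):
            findings["direct_crypto"] = True
    return findings
```

Run `audit_kms_policy` over the policy attached to the role you hand out; `wildcard_resource` is the finding to fix, and `grant_capable` is expected for a grant-based BYOK integration.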
