
Restore access to your BYOK encryption keys

BYOK encryption for Jira, Jira Service Management, and Confluence is available to all customers with Enterprise plans.

If access to your BYOK encryption keys is revoked, you can restore it within 15 days of revocation. Restoring access makes your Atlassian products available again to both your end users and Atlassian systems. Learn how to revoke access to BYOK encryption keys.

To restore access to BYOK encryption keys:

  1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.

  2. Make sure that your Amazon account region is set to a region in the location chosen for the BYOK encryption. Read about the locations and regions after the final step.

  3. Go to the IAM console.

  4. Search for atlassian-key-management on the left side of the dashboard.

  5. Go to Trust relationships.

  6. In the Trusted entities section, select Edit trust policy.

  7. Change the Cryptor-OSB-Provider statement from Deny to Allow:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"
      },
      "Action": "sts:AssumeRole"
    }

  8. Select Update policy.

  9. Go to the KMS console and make sure to select the correct region.

  10. Select the checkboxes next to the KMS keys prefixed with cryptor.

  11. Select the Key actions drop-down list at the top right corner.

  12. Select Enable.

  13. Let us know you’re ready for restoration so we can start the process on our end. Do this via the support ticket we created for your organization for revoking access to your encryption keys. The support ticket is titled BYOK revocation started for AWS account.

When admins request to set up BYOK encryption, they choose a location for the product data. For multiple-region locations, repeat this restoration process for all regions within your location. See the supported locations and their regions.
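The trust policy edit in step 7 can be checked offline before you select Update policy. The following Python is an added example, not Atlassian code: it flips only the Cryptor-OSB-Provider statement to Allow and also accepts the single-object `Statement` and list-valued `Principal`/`Action` forms that IAM permits. The function names, the sample policy, and its placeholder second statement are constructed for illustration.

```python
import copy
import json

# Principal ARN copied from the statement shown in step 7.
CRYPTOR_ARN = "arn:aws:iam::279766244153:role/Cryptor-OSB-Provider"

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_cryptor_statement(stmt):
    principal = stmt.get("Principal")
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return (CRYPTOR_ARN in _as_list(aws)
            and "sts:AssumeRole" in _as_list(stmt.get("Action")))

def cryptor_effects(policy):
    """Effect of every statement that names the Cryptor principal."""
    return [s.get("Effect") for s in _as_list(policy.get("Statement"))
            if _is_cryptor_statement(s)]

def restore_trust(policy):
    """Return a copy with the Cryptor statement(s) set to Allow."""
    updated = copy.deepcopy(policy)
    matched = [s for s in _as_list(updated.get("Statement"))
               if _is_cryptor_statement(s)]
    if not matched:
        # Refuse to rewrite a policy that is not the expected one.
        raise ValueError("no sts:AssumeRole statement for " + CRYPTOR_ARN)
    for stmt in matched:
        stmt["Effect"] = "Allow"
    return updated

# Constructed sample: a trust policy in the revoked state (Deny).
# The second statement is a made-up placeholder that must stay untouched.
REVOKED_SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": CRYPTOR_ARN},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/example"}},
    ],
}

if __name__ == "__main__":
    restored = restore_trust(REVOKED_SAMPLE)
    print(cryptor_effects(REVOKED_SAMPLE), "->", cryptor_effects(restored))
    print(json.dumps(restored, indent=2))
```

Running `cryptor_effects` on the policy you are about to save should return only `Allow`; any `Deny` left in the result means the Cryptor statement is still revoked.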

 
