Set up an AWS account and create an IAM role

BYOK encryption for Jira Software and Confluence is available to all customers with Enterprise plans.

BYOK encryption for Jira Service Management is available through an early access program (EAP) to a number of customers with Enterprise plans. If you're interested in participating in the EAP, reach out to your Enterprise account representative.

Set up an AWS account

Create an AWS account that is dedicated to managing BYOK encryption for your Atlassian products. Make sure that this AWS account is used only for the purpose of managing encryption keys for Atlassian Cloud products. Learn how to create and activate an AWS account

If you need help creating an AWS account, contact AWS support.

Expected AWS costs

Since you’re using your own KMS keys in your AWS accounts, additional AWS costs may be incurred. Based on AWS KMS key pricing, you only need to pay for key storage, which costs $1/month per KMS key. You don’t have to pay for usage: Atlassian covers the cost of all KMS API requests that come with key usage.

Create an AWS Identity and Access Management (IAM) role

Set up an AWS Identity and Access Management (IAM) role that gives Atlassian the necessary permissions to manage the encryption keys on your organization's AWS account via AWS KMS.

To create an IAM role:

  1. Go to https://aws.amazon.com/ and sign in to your account.

  2. Select the IAM user option (with admin-level permissions) or the Root user option, and enter your credentials.

  3. On your dashboard, search for CloudFormation.

  4. From the search results, hover on CloudFormation and select Stacks from the list of top features, or select CloudFormation, then select Stacks from the side menu.

  5. On the Stacks page, select the Create stack drop-down menu on the right corner, then select with new resources (standard).

  6. Specify the S3 URL as: https://byok-atlassian.s3.amazonaws.com/atlassian-key-management-template.json, then select Next.

  7. Under Stack name, enter atlassian-key-management-role. Under Parameters, AtlassianKeyManagementAccount is pre-populated with 709587835243. There is no need to change this. Select Next.

  8. Under the Stack failure options section, select Roll back all stack resources and then select Next.

  9. Review all entries again, select the acknowledgement declaration in the information panel, then select Submit.

When you click Submit you might be notified that Stack [atlassian-key-management-role] already exists. If this happens, exit the page without taking any further action.

Once completed, the state of the stack will change from CREATE_IN_PROGRESS to CREATE_COMPLETE. The IAM role is now set up. To verify this, search for IAM on your dashboard, select Roles, and check for the atlassian-key-management

  • Don't delete the stack once complete. Deleting the stack deletes the atlassian-key-management role as well.

  • Any configuration changes you make to your AWS account after this setup can result in products not working as expected.

Reset IAM role when notified

If we detect an error in your AWS KMS configuration, we notify you via a support ticket titled Misconfiguration detected for AWS account. A configuration error is likely to cause issues with your product’s functionality, so we recommend you reset the IAM role.

To reset the IAM role:

  1. Go to https://aws.amazon.com/ and sign in to your account.

  2. Select the IAM user option (with admin-level permissions) or the Root user option, and enter your credentials.

  3. Go to CloudFormation > Stacks > atlassian-key-management-role and select Update.

  4. Select Replace current template.

  5. Specify the S3 URL as: https://byok-atlassian.s3.amazonaws.com/atlassian-key-management-template.json, then select Next.

  6. Under Parameters, AtlassianKeyManagementAccount is pre-populated with 709587835243. There is no need to change this. Select Next.

  7. Leave the Stack failure options section as is and select Next.

  8. Select Submit to apply the change.

If you need assistance with this configuration, respond to the support ticket we sent you.

Security considerations

In addition to configuring a dedicated AWS account for BYOK purposes, you need to utilize two-factor authentication (2FA) for the account. This is to reduce the risk of unintentional functional or security-related issues, and to ensure access is properly restricted.

Atlassian's access to manage KMS keys is sufficiently limited to only perform relevant operations, but it's important to also ensure that access to your AWS account itself is secured. Follow AWS security guidelines for managing access to your BYOK AWS account.
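One way to check that the role still trusts only the Atlassian account after setup or a reset, as an added example that is not Atlassian's code or part of its template. It assumes the role's trust policy is a standard IAM assume-role policy document naming account 709587835243; the template's actual contents are not shown on this page, and both sample documents are constructed.

```python
import json

ATLASSIAN_ACCOUNT = "709587835243"  # AtlassianKeyManagementAccount value from the page

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID of an AWS principal given as a bare ID or an IAM/STS ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None

def audit_trust_policy(policy, expected=ATLASSIAN_ACCOUNT):
    """List every Allow statement principal that is not inside the expected account."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not principal:
            findings.append(f"statement {i}: Allow without a Principal element")
            continue
        if principal == "*":
            principal = {"AWS": "*"}  # normalise the shorthand wildcard form
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: non-account principal {kind}={value}")
                elif value == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif _account_of(value) != expected:
                    findings.append(f"statement {i}: unexpected principal {value}")
    return findings

# Constructed sample documents (not the contents of Atlassian's template).
EXPECTED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::709587835243:root"}, "Action": "sts:AssumeRole"}]}""")
DRIFTED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::709587835243:root", "arn:aws:iam::111122223333:user/ops"]},
  "Action": "sts:AssumeRole"}, {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED), ("drifted", DRIFTED)):
        print(name, audit_trust_policy(doc) or "OK")
```

To run it against the live role, pass in the JSON returned by the AWS CLI command aws iam get-role with --query Role.AssumeRolePolicyDocument. Any finding means the trust policy has drifted from what the stack created and the role should be reset.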

Next step

Once you've set up your AWS account and created the IAM role, we can set up your BYOK encryption for Atlassian products.