
Set up an AWS account and create IAM roles

The BYOK encryption feature is available through an early access program (EAP) to a number of customers with Enterprise plans for Jira Software. For any issues, contact support.

For any AWS-related questions, contact AWS support.

Set up an AWS account

Create an AWS account that is dedicated to managing BYOK encryption for your Atlassian products. Make sure that this AWS account is used only for the purpose of managing encryption keys for Atlassian Cloud products. Learn how to create and activate an AWS account

If you need help creating an AWS account, contact AWS support.

Create an AWS Identity and Access Management (IAM) role

Set up an AWS Identity and Access Management (IAM) role that provides Atlassian with the necessary permissions to manage the encryption keys on your organization's AWS account via AWS KMS.

To create an IAM role:

  1. Go to https://aws.amazon.com/ and sign in to your account.

  2. Select the IAM user option (with admin-level permissions) or the Root user option, and enter your credentials.

  3. On your dashboard, search for CloudFormation.

  4. From the search results, hover on CloudFormation and select Stacks from the list of top features, or select CloudFormation, then select Stacks from the side menu.

  5. On the Stacks page, select the Create stack drop-down menu in the right corner, then select With new resources (standard).

  6. Specify the S3 URL as: https://byok-atlassian.s3.amazonaws.com/atlassian-key-management-template.json, then select Next.

  7. Under Stack name, enter atlassian-key-management-role. Under Parameters, AtlassianKeyManagementAccount is pre-populated with 709587835243. There is no need to change this. Select Next.

  8. Under the Stack failure options section, select Roll back all stack resources and then select Next.

  9. Review all entries again, select the acknowledgement declaration in the information panel, then select Submit.

When you click Submit, you might be notified that Stack [atlassian-key-management-role] already exists. If this happens, exit the page without taking any further action.

Once completed, the state of the stack will move from CREATE_IN_PROGRESS to CREATE_COMPLETE. The IAM role is now set up. To verify this, search for IAM on your dashboard, select Roles, and check for the atlassian-key-management role.

  • Don't delete the stack once complete. Deleting the stack deletes the atlassian-key-management role as well.

  • Any configuration changes you make to your AWS account after this setup can result in products not working as expected.
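
The console check above confirms only that the role exists. As an added example (not Atlassian's or AWS's code), the following Python function audits the role's trust policy and reports any principal other than the account from step 7. It assumes the template's trust policy names that account as an AWS principal; the sample documents are constructed.

```python
import re

EXPECTED_ACCOUNT = "709587835243"  # AtlassianKeyManagementAccount value from step 7

def account_of(principal):
    """Return the 12-digit account ID named by an AWS principal, or None."""
    m = re.fullmatch(r"(\d{12})|arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def audit_trust_policy(policy, expected=EXPECTED_ACCOUNT):
    """Return findings for a role trust policy; an empty list means it is clean."""
    findings, trusts_expected = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:
            findings.append(f"statement {i}: Allow with NotPrincipal")
        principal = st.get("Principal", {})
        if principal == "*":  # bare wildcard form
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for v in [values] if isinstance(values, str) else values:
                if kind == "AWS" and account_of(v) == expected:
                    trusts_expected = True
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {v}")
    if not trusts_expected:
        findings.append(f"account {expected} is not trusted")
    return findings

# Constructed sample documents, shaped like the AssumeRolePolicyDocument that
# `aws iam get-role --role-name atlassian-key-management` returns. They are
# not the contents of Atlassian's template.
EXPECTED_SHAPE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::709587835243:root"}}]}
DRIFTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::709587835243:root", "111122223333"]}}]}

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_SHAPE), ("drifted", DRIFTED)):
        print(name, audit_trust_policy(doc) or "OK")
```

Running the same check on a schedule against the live role surfaces trust-policy changes made after setup.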

Security considerations

In addition to configuring a dedicated AWS account for BYOK purposes, you need to use two-factor authentication (2FA) for the account. This is to reduce the risk of unintentional functional or security-related issues, and to ensure access is properly restricted.

Atlassian's access to manage KMS keys is sufficiently limited to only perform relevant operations, but it's important to also ensure that access to the AWS account itself is properly restricted. Follow AWS security guidelines for managing access to your BYOK AWS account.

Next step

Once you have set up an AWS account and created IAM roles, you need to set up your BYOK encryption.

