
Revoke Atlassian access to your KMS encryption keys

CMK gives greater control over encryption keys to protect your Atlassian Cloud data. Currently you can create only one CMK encryption (policy) per organization for all data in scope. Customers not using BYOK can enroll in CMK. BYOK customers will eventually be migrated to CMK.

Key access revocation refers to terminating a key's usage before the end of its authorized time span for use (also known as its cryptoperiod) without a replacement key. This action effectively halts the functionality of associated apps, since access to plaintext data is lost once encryption key access is revoked. You may need to disable keys if you believe there has been a security breach of your encrypted data.

This measure should only be taken in emergency situations due to the potential for significant business disruptions. In circumstances that warrant it, you can unilaterally disable your KMS keys from your AWS accounts.

Disabling keys during a re-encryption process can lead to an unpredictable state of data access that is uneven across sites, meaning data in the system can end up in various states of the process. In the event of an incident, we advise deliberately assessing whether the situation necessitates re-encryption or revocation.

To revoke access to Customer-managed keys (CMK):

  1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.

  2. Choose the region that you selected for Atlassian CMK.

  3. Go to the Key Management Service console.

  4. Select Customer Managed Keys from the left navigation bar, and you will see a list of available KMS keys.

  5. Click the key you want to disable. This takes you to the details page, which exposes more options.

  6. Select the Key actions drop-down list at the top right corner.

  7. Select Disable.

  8. In the pop-up message that appears, check the confirmation box and select Disable key to disable the KMS keys.

If you previously chose a dual-region realm for hosting your CMK-enabled app instances, i.e. United States or Europe, repeat the above steps for both regions.
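For an emergency runbook, the console steps above can also be scripted with the AWS CLI. The following is an added example, not Atlassian's own tooling; it assumes the AWS CLI is installed with credentials allowed to call kms:DescribeKey and kms:DisableKey, and the region and key ID arguments are placeholders for your own CMK setup.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of console steps 2-8, repeated per region.
# Arguments are REGION:KEY_ID pairs (placeholders; use the regions and key
# IDs or key ARNs of your own Atlassian CMK setup).

# Print the current KeyState (Enabled, Disabled, PendingDeletion, ...).
key_state() {
  aws kms describe-key --region "$1" --key-id "$2" \
    --query 'KeyMetadata.KeyState' --output text
}

# Disable one key, then confirm that KMS reports it as Disabled.
disable_one() {
  local region="$1" key_id="$2" state
  state=$(key_state "$region" "$key_id") || return 1
  case "$state" in
    Disabled) echo "$region $key_id already-disabled"; return 0 ;;
    Enabled)  ;;
    *) echo "$region $key_id unexpected-state:$state" >&2; return 1 ;;
  esac
  aws kms disable-key --region "$region" --key-id "$key_id" || return 1
  state=$(key_state "$region" "$key_id") || return 1
  if [ "$state" != "Disabled" ]; then
    echo "$region $key_id still:$state" >&2
    return 1
  fi
  echo "$region $key_id disabled"
}

# Process every REGION:KEY_ID pair. Keep going after a failure so that an
# error in one region does not leave the other region's key enabled.
revoke_cmk_access() {
  local pair rc=0
  for pair in "$@"; do
    # Split on the first colon only, so a full key ARN works as KEY_ID.
    disable_one "${pair%%:*}" "${pair#*:}" || rc=1
  done
  return "$rc"
}

# Usage (placeholder values):
#   revoke_cmk_access "<region-1>:<key-id-1>" "<region-2>:<key-id-2>"
```

A non-zero exit status means at least one key was not confirmed as Disabled and needs a manual check in the KMS console.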

After you revoke access from your AWS account, it typically takes up to 30 minutes or 1 hour for the suspension of CMK-enabled cloud sites to take effect. Please note that there may be a potential data loss of up to 1 hour leading up to the revocation event.

What’s next?

Atlassian Cloud will detect the loss of access to the KMS keys and initiate a revocation process for your cloud app instances, and your cloud sites will be suspended. The system will generate a support ticket, which will be forwarded to the registered organization admin. For further information regarding the revocation process, please refer to the Customer-managed keys whitepaper.

Restoring access after revocation

We support reinstating a suspended site within a limited timeframe following the revocation of key access. Understand how to restore access to CMK.

 
