Revoke Atlassian access to your KMS encryption keys
Customer-managed keys (CMK) give you greater control and visibility over your encryption keys to protect your organization’s Atlassian Cloud data. CMK is currently in Open Beta, and customers not already enrolled in BYOK can enroll in it. BYOK will eventually be deprecated and migrated to CMK.
Key access revocation means terminating the use of a key before the end of its authorized time span (also known as its cryptoperiod) without providing a replacement key. This action effectively halts the functionality of associated apps, since access to plaintext data is lost once encryption key access is revoked. You may need to disable keys if you believe there has been a security breach of your encrypted data.
This measure should only be taken in emergency situations due to the potential for significant business disruptions. In circumstances that warrant it, you can unilaterally disable your KMS keys from your AWS accounts.
Disabling keys during a re-encryption process can lead to an unpredictable state of data access that is uneven across sites, meaning data in the system can end up in various states of the process. In the event of an incident, we advise deliberately assessing whether the situation necessitates re-encryption or revocation.
To revoke access to Customer-managed keys (CMK):
1. Log in to your AWS console. If you need help with your AWS account, contact AWS support.
2. Choose the region that you selected for Atlassian CMK.
3. Go to the Key Management Service console.
4. Select Customer Managed Keys from the left navigation bar, and you will see a list of available KMS keys.
5. Click the key you want to disable. This takes you to its details page, which exposes more options.
6. Select the Key actions drop-down list at the top right corner.
7. Select Disable.
8. In the pop-up message that appears, check the confirmation box and select Disable key to disable the KMS keys.
If you previously chose a dual-region realm for hosting your CMK-enabled app instances, i.e. United States or Europe, repeat the above steps for both regions.
It can take up to 30 minutes to initiate the revocation workflow in Atlassian Cloud.
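The console steps above, as an added AWS CLI script (not Atlassian's or AWS's own code) that also covers the dual-region case by reading the region from each key ARN and confirming the key state afterwards. It assumes the AWS CLI is installed with credentials allowed to call kms:DisableKey and kms:DescribeKey; the script name and function names are illustrative.

```shell
#!/bin/sh
# Added example: disable one or more KMS keys and verify each is Disabled.
# Usage (hypothetical script name): ./revoke-cmk.sh <key-arn> [<key-arn> ...]
# For a dual-region realm, pass the key ARN from both regions.

# Print the region (4th colon-separated field) of a KMS key ARN.
arn_region() {
  case "$1" in
    arn:*:kms:*:*:key/*) printf '%s\n' "$1" | cut -d: -f4 ;;
    *) return 1 ;;
  esac
}

# Disable one key, then read back its state. Prints "<arn> <state>".
disable_and_verify() {
  local arn="$1" region state
  region="$(arn_region "$arn")" || {
    echo "not a KMS key ARN: $arn" >&2
    return 2
  }
  aws kms disable-key --key-id "$arn" --region "$region" || return 1
  state="$(aws kms describe-key --key-id "$arn" --region "$region" \
    --query 'KeyMetadata.KeyState' --output text)" || return 1
  printf '%s %s\n' "$arn" "$state"
  [ "$state" = "Disabled" ]
}

# Process every key even if one fails, so a dual-region pair is never
# left half-done without a report. Returns non-zero if any key failed.
revoke_all() {
  local rc=0 arn
  for arn in "$@"; do
    disable_and_verify "$arn" || {
      echo "FAILED: $arn" >&2
      rc=1
    }
  done
  return "$rc"
}

# Act only when key ARNs are given on the command line.
if [ "$#" -gt 0 ]; then revoke_all "$@"; fi
```

A non-zero exit status means at least one key was not confirmed as Disabled and should be checked in the console for that region.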
What’s next?
Atlassian Cloud will detect the loss of access to the KMS keys and initiate a revocation process for your cloud app instances, and your cloud sites will be suspended. The system will generate a support ticket, which will be forwarded to the registered organization admin. For further information regarding the revocation process, please refer to the Customer-managed keys whitepaper.
Restoring access after revocation
We support reinstating a suspended site within a limited timeframe following the revocation of key access. Understand how to restore access to CMK.