Atlassian runs a global SaaS platform where security and customer privacy are critical. This talk focuses on the solution they built using KMS and IAM to provide resilient cross-region encryption and decryption, optimised for performance. Come and learn how Atlassian approached this challenge, and built a solution using a combination of AWS services and the AWS Encryption SDK.

1. S U M M I T
SYDNEY

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian's Solution for Multi-Region
Encryption and Decryption
Tom Knight
Developer
Atlassian
Martien Verbruggen
Architect
Atlassian

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates products for customers

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates customerscloud products for

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates more customerscloud products for

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates more customerscloud products for

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
cloud products for more customerscreates more

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian’s Platform as a Service
µ Micros

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Micros, our PaaS
µ Micros
Developers
Services
Resources

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Micros, our PaaS
µ Micros
Developers
Services
Resources

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 1
Cryptor use case: database credentials
Application
Region 2
Application
Region X
DB
Manager
config config
1 - create database
2 - store credentials
3 - get credentials4 - connect

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 4
Cryptor use case: confidential messages
Not a
Consumer
Region 1
Producer
MessagesMessages
Region 4
Consumer
Messages
Region 2
Consumer
Messages

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use
Manage keys
and
authorisation

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use
Manage keys
and
authorisation
Never™ fail

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use
Manage keys
and
authorisation
Never™ fail Deal with
latency and
scale

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use
Manage keys
and
authorisation
Never™ fail Deal with
latency and
scale
Simple API,
standard
metrics, multi-
region

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why not just use KMS?
Single-region
Performance
Resilience
Trusted
Secure
Powerful authZ

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 1
Solution: Use the SDK and customise
Region 2 Region 3
Any region
KMS 3KMS 2KMS 1
TTL
based
cache
encryption
envelope
Application

20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Encryption SDK example
val cache = LocalCryptoMaterialsCache(KMS_MAX_CACHE_SIZE)
val keyProvider = MultipleProviderFactory.buildMultiProvider(KmsMasterKey::class.java, keys)
val cmm = CachingCryptoMaterialsManager
.newBuilder()
.withMasterKeyProvider(keyProvider)
.withCache(cache)
.withMaxAge(KMS_MAX_CACHE_AGE, TimeUnit.SECONDS)
.build()

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-region Fault
tolerance
Performance
Implementation

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Encryption
Multiple regions
Quorum: 2 out of 3 regions - configurable
Bespoke encryption context
Improve datakey reusage
Encryption pooling
Pre fetch data keys
Usage and TTL

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Encryption context
Meta data Extra layer of
security

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Encryption
Multiple regions
Quorum: 2 out of 3 regions - configurable
Bespoke encryption context
Improve datakey reusage
Encryption pooling
Pre fetch data keys
Usage and TTL

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Decryption
Decryption caching
Latency-based selection of KMS
Fetch keys in parallel
Datakeys are decrypted in parallel

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Integration
Java library
Most widely used language in Atlassian
Sidecar
Docker container with 2 API endpoints
Java library with Spring Boot

27. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample code for library call
// Setup
val cryptorClient = CryptorClientFactory.build(keyAliasList, config)
// Values
val originalPlainText = "Encrypt Me"
val encryptionContext = mapOf("CustomerId" to "123456")
// Encrypt and Decrypt
val cipherText = cryptorClient.encrypt(keyAlias, originalPlainText,
encryptionContext)
val plainText = cryptorClient.decrypt(cipherText, encryptionContext)

28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample REST call

29. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Solution: service descriptor
name: encrypting-service
organization: foo
...
resources:
- type: cryptor
name: secret-key
decryptors:
- secret-reader
- secret-checker
- audit-agent
µ

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor account
Micros account
Solution: PaaS and resource provider
Keys
Roles
Policies
AWS IAM
AWS KMS
setup(@roles, key-alias)
µ Micros
Cryptor
provider

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Operational
Standard metrics and logs from sidecar
Visible to service owners, security and central team
Standard configuration
Standardised cache configurations
Multi-region configurations

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Metrics dashboard

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Open source
Announcement when we ship it, at
https://www.atlassian.com/blog/technology

39. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tom Knight Martien Verbruggen