- Type: Suggestion
- Resolution: Unresolved
- Component/s: BYOK - CMK Open Beta, BYOK - Initial Setup
Currently, a single AWS account ID can only be used for one CMK encryption policy in one Atlassian organization. When multiple organizations are used (for example, for different business units, environments, or subsidiaries), a separate AWS account must be created and managed for each CMK-enabled org.
This results in:
- Additional AWS accounts to manage
- More complex IAM, auditing, and compliance setup
- Friction when setting up CMK in test and production orgs
Proposed change
Allow the same AWS account ID to be associated with CMK encryption policies in multiple Atlassian organizations, while keeping separate KMS keys and isolation per org.