AWS Security ChangesHomeSearch

AWS amazonq medium security documentation change

Service: amazonq · 2025-07-18 · Security-related medium

File: amazonq/latest/qbusiness-ug/confluence-cloud-credentials-basic.md

Summary

Added detailed Atlassian admin authentication requirements and API credential management

Security assessment

Introduces mandatory admin credential requirements to ensure proper access controls for user/group synchronization. Addresses potential security gap where insufficient permissions could lead to incomplete data synchronization

Diff

diff --git a/amazonq/latest/qbusiness-ug/confluence-cloud-credentials-basic.md b/amazonq/latest/qbusiness-ug/confluence-cloud-credentials-basic.md
index a1fa49df0..990ce742a 100644
--- a//amazonq/latest/qbusiness-ug/confluence-cloud-credentials-basic.md
+++ b//amazonq/latest/qbusiness-ug/confluence-cloud-credentials-basic.md
@@ -4,0 +5,2 @@
+Atlassian Admin Authentication
+
@@ -37,0 +40,64 @@ For more information, see [Manage API tokens for your Atlassian account](https:/
+## Atlassian Admin Authentication
+
+To ensure Amazon Q can access all user and group information from your Confluence (Cloud) instance, you must provide Atlassian admin credentials. These credentials allow Amazon Q to sync user information regardless of individual email visibility settings.
+
+###  Get your Atlassian admin credentials 
+
+  1. Sign in to the [Atlassian admin portal](https://admin.atlassian.com/) with administrator permissions.
+
+  2. Open the Administration app for your organization. The URL should look like: `https://admin.atlassian.com/o/{ORGANIZATION-UUID}/overview`
+
+  3. Choose **Settings** , then choose **API Keys**.
+
+  4. Choose **Create API key**.
+
+  5. Select all available scopes for the API key. 
+
+Note that the Confluence APIs that fetch user and group information require full scope access.
+
+  6. Copy and save both the **Organization ID** and **API Key**. Note that API keys expire. Monitor the expiration date and update your data source credentials before the key expires. 
+
+
+
+
+###  Get your Directory ID 
+
+  1. Use the Atlassian Admin Workspace API to get your Directory ID. Run the following command:
+    
+        curl --request POST \
+    --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
+    --header 'Authorization: Bearer {API-KEY}' \
+    --header 'Accept: application/json' \
+    --header 'Content-Type: application/json'
+                                
+
+  2. In the API response, find the workspace entry that matches your Confluence Cloud instance. Look for `"type": "Confluence"`. Verify the workspace name matches your instance and then copy the directory value from the attributes section. If your instance isn't listed, use the pagination cursor in the `links.next` field to view additional pages.
+    
+        curl --request POST \
+    --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
+    --header 'Authorization: Bearer {API-KEY}' \
+    --header 'Accept: application/json' \
+    --header 'Content-Type: application/json' \
+    --data '{"cursor": "{NEXT-PAGE-TOKEN}"}'
+                                
+
+
+
+
+###  Update your Confluence data source 
+
+When creating or updating your Confluence Cloud data source, provide these three values in your AWS Secrets Manager secret:
+
+  1. Admin API Key
+
+  2. Organization ID
+
+  3. Directory ID
+
+
+
+
+For more information about Atlassian admin API scopes, see [Atlassian API scopes documentation](https://developer.atlassian.com/cloud/admin/scopes/).
+
+For API details, see [Atlassian Admin Workspace API reference](https://developer.atlassian.com/cloud/admin/organization/rest/api-group-workspaces/#api-group-workspaces).
+