Wolvenware / ConfluOps

Security Policy

ConfluOps: CloudWatch Alarms for Confluence  ·  Last updated: 1 March 2026

Overview

ConfluOps is built on the Atlassian Forge platform and connects to AWS on your behalf using either IAM role assumption or IAM user credentials. All secrets are stored within Atlassian’s encrypted Forge infrastructure, and no data passes through Wolvenware infrastructure.

AWS Authentication

ConfluOps supports two authentication methods:

IAM Role (recommended)

ConfluOps accesses your AWS account using IAM role assumption via AWS STS. Each Confluence site is issued a unique External ID at setup time, which is required as a condition of the role assumption. This prevents confused deputy attacks.

Temporary credentials obtained via STS:AssumeRole are valid for up to one hour, are used for a single CloudWatch API call, and are immediately discarded — they are never stored or logged.

IAM User

An AWS Access Key ID and Secret Access Key can be configured as an alternative. These long-lived credentials are stored persistently in Forge KVS Secrets, encrypted at rest by Atlassian, and retrieved on each CloudWatch API call. The IAM Role method is recommended where possible to avoid storing long-lived credentials.

Data Storage

All app data is stored exclusively within Atlassian’s Forge platform:

No data is transmitted to or stored on Wolvenware servers. Wolvenware operates no backend infrastructure of its own.

Atlassian Forge Platform

Because ConfluOps runs entirely on Atlassian Forge, the security properties of the underlying platform — including network isolation, secret encryption, and access controls — are governed by Atlassian. See Atlassian Forge Security for details.

Vulnerability Disclosure

If you discover a security vulnerability in ConfluOps, please report it responsibly by emailing:

Wolvenware — Security Contact

Email: [email protected]

Please include a description of the issue and steps to reproduce. We aim to respond within 5 business days.