AWS Security ChangesHomeSearch

AWS datasync documentation change

Service: datasync · 2025-04-18 · Documentation low

File: datasync/latest/userguide/using-service-linked-roles-service-action-2.md

Summary

Added SecretsManager read permissions to DataSync service-linked role policy for secret value retrieval.

Security assessment

Documents new security capabilities for handling secrets through service roles but does not indicate remediation of a vulnerability.

Diff

diff --git a/datasync/latest/userguide/using-service-linked-roles-service-action-2.md b/datasync/latest/userguide/using-service-linked-roles-service-action-2.md
index 4e8dffa92..055dd7c95 100644
--- a//datasync/latest/userguide/using-service-linked-roles-service-action-2.md
+++ b//datasync/latest/userguide/using-service-linked-roles-service-action-2.md
@@ -52,0 +53,17 @@ The service-linked role uses the AWS managed policy named [AWSDataSyncServiceRol
+            },
+            {
+                "Sid": "DataSyncSecretsManagerReadAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:DescribeSecret",
+                    "secretsmanager:GetSecretValue"
+                ],
+                "Resource": [
+                    "arn:*:secretsmanager:*:*:secret:aws-datasync!*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "aws-datasync",
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    }
+                }