AWS datasync documentation change
Summary
Added SecretsManager read permissions to DataSync service-linked role policy for secret value retrieval.
Security assessment
Documents new security capabilities for handling secrets through service roles but does not indicate remediation of a vulnerability.
Diff
diff --git a/datasync/latest/userguide/using-service-linked-roles-service-action-2.md b/datasync/latest/userguide/using-service-linked-roles-service-action-2.md index 4e8dffa92..055dd7c95 100644 --- a//datasync/latest/userguide/using-service-linked-roles-service-action-2.md +++ b//datasync/latest/userguide/using-service-linked-roles-service-action-2.md @@ -52,0 +53,17 @@ The service-linked role uses the AWS managed policy named [AWSDataSyncServiceRol + }, + { + "Sid": "DataSyncSecretsManagerReadAccess", + "Effect": "Allow", + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" + ], + "Resource": [ + "arn:*:secretsmanager:*:*:secret:aws-datasync!*" + ], + "Condition": { + "StringEquals": { + "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "aws-datasync", + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + }