AWS datasync high security documentation change
Summary
Added new Secrets Manager permissions to AWSDataSyncFullAccess policy documentation
Security assessment
Explicitly adds permissions for secret management operations (CreateSecret, PutSecretValue, etc.) with resource constraints, directly impacting security posture by expanding IAM capabilities
Diff
diff --git a/datasync/latest/userguide/security-iam-awsmanpol.md b/datasync/latest/userguide/security-iam-awsmanpol.md index d0c83bc60..094ea8133 100644 --- a//datasync/latest/userguide/security-iam-awsmanpol.md +++ b//datasync/latest/userguide/security-iam-awsmanpol.md @@ -118,0 +119,19 @@ This policy grants administrative permissions for DataSync and is required for A + }, + { + "Sid": "DataSyncSecretsManagerWriteAccess", + "Effect": "Allow", + "Action": [ + "secretsmanager:CreateSecret", + "secretsmanager:PutSecretValue", + "secretsmanager:DeleteSecret", + "secretsmanager:UpdateSecret" + ], + "Resource": [ + "arn:*:secretsmanager:*:*:secret:aws-datasync!*" + ], + "Condition": { + "StringEquals": { + "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "aws-datasync", + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } @@ -136,0 +156,8 @@ Change | Description | Date +AWSDataSyncFullAccess – Change | DataSync added new permissions to `AWSDataSyncFullAccess`: + + * `secretsmanager:CreateSecret` + * `secretsmanager:PutSecretValue` + * `secretsmanager:DeleteSecret` + * `secretsmanager:UpdateSecret` + +These permissions let DataSync create, edit, and delete AWS Secrets Manager secrets. | May 7, 2025