AWS Security ChangesHomeSearch

AWS datasync high security documentation change

Service: datasync · 2025-05-22 · Security-related high

File: datasync/latest/userguide/security-iam-awsmanpol.md

Summary

Updated AWSDataSyncFullAccess policy to restrict Secrets Manager permissions, removed AWSDataSyncDiscoveryServiceRolePolicy documentation, and added policy change notes

Security assessment

The change reduces Secrets Manager permissions by splitting actions into create vs. modify/delete operations with resource constraints. Added account condition and ARN restrictions limit privilege escalation risks. Removal of tagging conditions in Secrets Manager access addresses potential over-permission issues.

Diff

diff --git a/datasync/latest/userguide/security-iam-awsmanpol.md b/datasync/latest/userguide/security-iam-awsmanpol.md
index 094ea8133..d60d129c6 100644
--- a//datasync/latest/userguide/security-iam-awsmanpol.md
+++ b//datasync/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-AWSDataSyncReadOnlyAccessAWSDataSyncFullAccessAWSDataSyncDiscoveryServiceRolePolicyAWSDataSyncServiceRolePolicyPolicy updates
+AWSDataSyncReadOnlyAccessAWSDataSyncFullAccessAWSDataSyncServiceRolePolicyPolicy updates
@@ -50 +50 @@ You can attach the `AWSDataSyncFullAccess` policy to your IAM identities.
-This policy grants administrative permissions for DataSync and is required for AWS Management Console access to the service. `AWSDataSyncFullAccess` provides full access to DataSync API operations and the operations that describe related resources (such as Amazon S3 buckets, Amazon EFS file systems, AWS KMS keys, and Secrets Manager secrets). The policy also grants permissions for Amazon CloudWatch, including creating log groups and creating or updating a resource policy.
+This policy grants administrative permissions for DataSync and is required for AWS Management Console access to the service. `AWSDataSyncFullAccess` provides full access to DataSync API operations and the operations that interact with related resources (such as Amazon S3 buckets, Amazon EFS file systems, AWS KMS keys, and Secrets Manager secrets). The policy also grants permissions for Amazon CloudWatch, including creating log groups and creating or updating a resource policy.
@@ -121 +121 @@ This policy grants administrative permissions for DataSync and is required for A
-                "Sid": "DataSyncSecretsManagerWriteAccess",
+                "Sid": "DataSyncSecretsManagerCreateAccess",
@@ -124,4 +124 @@ This policy grants administrative permissions for DataSync and is required for A
-                    "secretsmanager:CreateSecret",
-                    "secretsmanager:PutSecretValue",
-                    "secretsmanager:DeleteSecret",
-                    "secretsmanager:UpdateSecret"
+                    "secretsmanager:CreateSecret"
@@ -131,0 +129,18 @@ This policy grants administrative permissions for DataSync and is required for A
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    }
+                }
+            },
+            {
+                "Sid": "DataSyncSecretsManagerAccess",
+                "Effect": "Allow",
+                "Action": [
+    
+                    "secretsmanager:DeleteSecret",
+                    "secretsmanager:UpdateSecret",
+                    "secretsmanager:PutSecretValue"
+                ],
+                "Resource": [
+                    "arn:aws:secretsmanager:*:*:secret:aws-datasync!*"
+                ],
@@ -142,4 +156,0 @@ This policy grants administrative permissions for DataSync and is required for A
-## AWS managed policy: AWSDataSyncDiscoveryServiceRolePolicy
-
-You can't attach the `AWSDataSyncDiscoveryServiceRolePolicy` policy to your IAM identities. This policy is attached to a service-linked role that allows DataSync to perform actions on your behalf. For more information, see [Using service-linked roles for DataSync](./using-service-linked-roles.html).
-
@@ -155,0 +167 @@ Change | Description | Date
+AWSDataSyncFullAccess – Change |  DataSync modified permission statements for `AWSDataSyncFullAccess`: The updated statements remove tagging conditions from the permissions DataSync uses to create Secrets Manager secrets. | May 13, 2025