AWS datasync documentation change
Summary
Updated documentation to emphasize Secrets Manager integration for credential storage, added compatibility note for object/Azure Blob Storage, and standardized references to 'Secrets Manager' instead of 'AWS Secrets Manager'
Security assessment
The changes enhance documentation about using Secrets Manager for secure credential storage but do not indicate a specific security vulnerability being addressed. The updates clarify security best practices rather than patching an exploit.
Diff
diff --git a/datasync/latest/userguide/location-credentials.md b/datasync/latest/userguide/location-credentials.md index 28be766f8..96fe9946d 100644 --- a//datasync/latest/userguide/location-credentials.md +++ b//datasync/latest/userguide/location-credentials.md @@ -7 +7 @@ Using a service-managed secret encrypted with a default keyUsing a service-manag -# Securing storage location credentials +# Securing storage location credentials with Secrets Manager @@ -9 +9,5 @@ Using a service-managed secret encrypted with a default keyUsing a service-manag -DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-transfer-works.html#sync-locations) to access your storage resources located on premises, in other clouds, or in AWS. Some location types require you to provide credentials, such as an access key and secret key or a user name and password, to authenticate with your storage system. When you create a DataSync location that requires credentials for authentication, you can choose one of the following options to control how the secret for your credentials is stored: +###### Note + +Secrets Manager integration is available for object storage and Microsoft Azure Blob Storage. + +DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-transfer-works.html#sync-locations) to access your storage resources located on premises, in other clouds, or in AWS. Some location types require you to provide credentials, such as an access key and secret key or a user name and password, to authenticate with your storage system. When you create a DataSync location that requires credentials for authentication, you can use AWS Secrets Manager (Secrets Manager) to store the secret for your credentials. The following options are available: @@ -11 +15 @@ DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/ - * Store the secret in AWS Secrets Manager using a service-managed secret encrypted with a default key. + * Store the secret in Secrets Manager using a service-managed secret encrypted with a default key. @@ -13 +17 @@ DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/ - * Store the secret in AWS Secrets Manager using a service-managed secret encrypted with an AWS KMS key that you manage. + * Store the secret in Secrets Manager using a service-managed secret encrypted with an AWS KMS key that you manage. @@ -15 +19 @@ DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/ - * Store the secret in AWS Secrets Manager using a secret and key that you create and manage. DataSync accesses this secret using an IAM role that you provide. + * Store the secret in Secrets Manager using a secret and key that you create and manage. DataSync accesses this secret using an IAM role that you provide. @@ -24 +28 @@ In all cases, the Secrets Manager secret is stored in your account, allowing you -When you create your DataSync location, you simply provide the secret string. DataSync creates a secret resource in AWS Secrets Manager to store the secret you provide, and encrypts the secret with the default Secrets Manager KMS key for your account. You can change the secret value directly in Secrets Manager, or by updating the location using the DataSync console, AWS CLI, or SDK. When you delete the location resource or update it to use a custom secret, DataSync deletes the secret resource automatically. +When you create your DataSync location, you simply provide the secret string. DataSync creates a secret resource in Secrets Manager to store the secret you provide, and encrypts the secret with the default Secrets Manager KMS key for your account. You can change the secret value directly in Secrets Manager, or by updating the location using the DataSync console, AWS CLI, or SDK. When you delete the location resource or update it to use a custom secret, DataSync deletes the secret resource automatically. @@ -32 +36 @@ To create, modify, and delete secret resources in Secrets Manager, DataSync must -When you create your DataSync location, you provide the secret and the ARN of your AWS KMS key. DataSync automatically creates a secret resource in AWS Secrets Manager to store the secret you provide, and encrypts it using your AWS KMS key. You can change the secret value directly in Secrets Manager, or by updating the location using the DataSync console, AWS CLI, or SDK. When you delete the location resource or update it to use a custom secret, DataSync deletes the secret resource automatically. +When you create your DataSync location, you provide the secret and the ARN of your AWS KMS key. DataSync automatically creates a secret resource in Secrets Manager to store the secret you provide, and encrypts it using your AWS KMS key. You can change the secret value directly in Secrets Manager, or by updating the location using the DataSync console, AWS CLI, or SDK. When you delete the location resource or update it to use a custom secret, DataSync deletes the secret resource automatically. @@ -78 +82 @@ Replace `accountid` with your AWS account ID. -Before you create your DataSync location, [create a secret in AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html). The value for the secret must only contain the secret string itself in plain text. When you create your DataSync location, you provide the ARN of your secret and an IAM role that DataSync uses to access both your secret and the AWS KMS key used to encrypt your secret. To create an IAM role with the appropriate permissions, do the following: +Before you create your DataSync location, [create a secret in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html). The value for the secret must only contain the secret string itself in plain text. When you create your DataSync location, you provide the ARN of your secret and an IAM role that DataSync uses to access both your secret and the AWS KMS key used to encrypt your secret. To create an IAM role with the appropriate permissions, do the following: