AWS cli documentation change
Summary
Updated AWS CLI version reference from 2.34.5 to 2.34.8. Changed the 'Password' field from required to optional in the Protocol structure. Added documentation for three new secret configuration structures: ManagedSecretConfig, CmkSecretConfig, and CustomSecretConfig, detailing how DataSync can manage secrets for storage location credentials using AWS Secrets Manager with different encryption and access options.
Security assessment
The change introduces new secret management configurations (ManagedSecretConfig, CmkSecretConfig, CustomSecretConfig) that enhance security by allowing credentials to be stored and managed via AWS Secrets Manager instead of being passed directly. This improves credential security through encryption (using AWS-managed or customer-managed KMS keys) and proper access control via IAM roles. However, there is no evidence that this change addresses a specific security vulnerability or incident; it appears to be a feature enhancement for better security practices.
Diff
diff --git a/cli/latest/reference/datasync/describe-location-fsx-open-zfs.md b/cli/latest/reference/datasync/describe-location-fsx-open-zfs.md index 8eacc09f8..7f8395902 100644 --- a//cli/latest/reference/datasync/describe-location-fsx-open-zfs.md +++ b//cli/latest/reference/datasync/describe-location-fsx-open-zfs.md @@ -15 +15 @@ - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) » @@ -354 +354 @@ Protocol -> (structure) ->> Password -> (string) [required] +>> Password -> (string) @@ -376,0 +377,83 @@ Protocol -> (structure) +>> +>> ManagedSecretConfig -> (structure) +>> +>>> Describes configuration information for a DataSync-managed secret, such as a `Password` that DataSync uses to access a specific storage location. DataSync uses the default Amazon Web Services-managed KMS key to encrypt this secret in Secrets Manager. +>>> +>>> ### Note +>>> +>>> Do not provide this for a `CreateLocation` request. `ManagedSecretConfig` is a ReadOnly property and is only be populated in the `DescribeLocation` response. +>>> +>>> SecretArn -> (string) +>>> +>>>> Specifies the ARN for an Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * max: `2048` +>>>> * pattern: `^(arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b):secretsmanager:[a-z\-0-9]+:[0-9]{12}:secret:.*|)$` +>>>> + +>> +>> CmkSecretConfig -> (structure) +>> +>>> Specifies configuration information for a DataSync-managed secret, which includes the password that DataSync uses to access a specific FSx for ONTAP storage location (using SMB), with a customer-managed KMS key. +>>> +>>> When you include this parameter as part of a `CreateLocationFsxOntap` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the `Password` you specify for to create a DataSync-managed secret to store the location access credentials. +>>> +>>> Make sure that DataSync has permission to access the KMS key that you specify. For more information, see [Using a service-managed secret encrypted with a custom KMS key](https://docs.aws.amazon.com/datasync/latest/userguide/location-credentials.html#service-secret-custom-key) . +>>> +>>> ### Note +>>> +>>> You can use either `CmkSecretConfig` (with `Password` ) or `CustomSecretConfig` (without `Password` ) to provide credentials for a `CreateLocationFsxOntap` request. Do not provide both parameters for the same request. +>>> +>>> SecretArn -> (string) +>>> +>>>> Specifies the ARN for the DataSync-managed Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for `KmsKeyArn` . +>>>> +>>>> Constraints: +>>>> +>>>> * max: `2048` +>>>> * pattern: `^(arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b):secretsmanager:[a-z\-0-9]+:[0-9]{12}:secret:.*|)$` +>>>> + +>>> +>>> KmsKeyArn -> (string) +>>> +>>>> Specifies the ARN for the customer-managed KMS key that DataSync uses to encrypt the DataSync-managed secret stored for `SecretArn` . DataSync provides this key to Secrets Manager. +>>>> +>>>> Constraints: +>>>> +>>>> * max: `2048` +>>>> * pattern: `^(arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b):kms:[a-z\-0-9]+:[0-9]{12}:key/.*|)$` +>>>> + +>> +>> CustomSecretConfig -> (structure) +>> +>>> Specifies configuration information for a customer-managed Secrets Manager secret where the password for an FSx for ONTAP storage location (using SMB) is stored in plain text, in Secrets Manager. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. For more information, see [Using a secret that you manage](https://docs.aws.amazon.com/datasync/latest/userguide/location-credentials.html#custom-secret-custom-key) . +>>> +>>> ### Note +>>> +>>> You can use either `CmkSecretConfig` (with `Password` ) or `CustomSecretConfig` (without `Password` ) to provide credentials for a `CreateLocationFsxOntap` request. Do not provide both parameters for the same request. +>>> +>>> SecretArn -> (string) +>>> +>>>> Specifies the ARN for an Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * max: `2048` +>>>> * pattern: `^(arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b):secretsmanager:[a-z\-0-9]+:[0-9]{12}:secret:.*|)$` +>>>> + +>>> +>>> SecretAccessRoleArn -> (string) +>>> +>>>> Specifies the ARN for the Identity and Access Management role that DataSync uses to access the secret specified for `SecretArn` . +>>>> +>>>> Constraints: +>>>> +>>>> * max: `2048` +>>>> * pattern: `^(arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b):iam::[0-9]{12}:role/[a-zA-Z0-9+=,.@_-]+|)$` +>>>> + @@ -392 +475 @@ CreationTime -> (timestamp) - * [AWS CLI 2.34.5 Command Reference](../../index.html) » + * [AWS CLI 2.34.8 Command Reference](../../index.html) »