AWS Security ChangesHomeSearch

AWS datasync documentation change

Service: datasync · 2026-03-19 · Documentation medium

File: datasync/latest/userguide/API_CreateLocationHdfs.md

Summary

Added CmkSecretConfig and CustomSecretConfig parameters to allow storing HDFS Kerberos keytab credentials in AWS Secrets Manager with customer-managed KMS keys or custom secrets.

Security assessment

This change adds support for secure credential storage options for HDFS locations but doesn't reference any specific security vulnerability. It provides enhanced security features for credential management without evidence of addressing a security incident.

Diff

diff --git a/datasync/latest/userguide/API_CreateLocationHdfs.md b/datasync/latest/userguide/API_CreateLocationHdfs.md
index 3cafd6a86..440a80271 100644
--- a//datasync/latest/userguide/API_CreateLocationHdfs.md
+++ b//datasync/latest/userguide/API_CreateLocationHdfs.md
@@ -19,0 +20,8 @@ Before you begin, make sure that you understand how DataSync [accesses HDFS clus
+       "CmkSecretConfig": { 
+          "[KmsKeyArn](./API_CmkSecretConfig.html#DataSync-Type-CmkSecretConfig-KmsKeyArn)": "string",
+          "[SecretArn](./API_CmkSecretConfig.html#DataSync-Type-CmkSecretConfig-SecretArn)": "string"
+       },
+       "CustomSecretConfig": { 
+          "[SecretAccessRoleArn](./API_CustomSecretConfig.html#DataSync-Type-CustomSecretConfig-SecretAccessRoleArn)": "string",
+          "[SecretArn](./API_CustomSecretConfig.html#DataSync-Type-CustomSecretConfig-SecretArn)": "string"
+       },
@@ -87,0 +96,30 @@ Required: No
+**CmkSecretConfig **
+    
+
+Specifies configuration information for a DataSync-managed secret, which includes the Kerberos keytab that DataSync uses to access a specific Hadoop Distributed File System (HDFS) storage location, with a customer-managed AWS KMS key.
+
+When you include this parameter as part of a `CreateLocationHdfs` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the `KerberosKeytab` you specify for to create a DataSync-managed secret to store the location access credentials.
+
+Make sure that DataSync has permission to access the KMS key that you specify. For more information, see [ Using a service-managed secret encrypted with a custom AWS KMS key](https://docs.aws.amazon.com/datasync/latest/userguide/location-credentials.html#service-secret-custom-key).
+
+###### Note
+
+You can use either `CmkSecretConfig` (with `KerberosKeytab`) or `CustomSecretConfig` (without `KerberosKeytab`) to provide credentials for a `CreateLocationHdfs` request. Do not provide both parameters for the same request.
+
+Type: [CmkSecretConfig](./API_CmkSecretConfig.html) object
+
+Required: No
+
+**CustomSecretConfig **
+    
+
+Specifies configuration information for a customer-managed Secrets Manager secret where the Kerberos keytab for the HDFS storage location is stored in binary, in Secrets Manager. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. For more information, see [ Using a secret that you manage](https://docs.aws.amazon.com/datasync/latest/userguide/location-credentials.html#custom-secret-custom-key).
+
+###### Note
+
+You can use either `CmkSecretConfig` (with `KerberosKeytab`) or `CustomSecretConfig` (without `KerberosKeytab`) to provide credentials for a `CreateLocationHdfs` request. Do not provide both parameters for the same request.
+
+Type: [CustomSecretConfig](./API_CustomSecretConfig.html) object
+
+Required: No
+