AWS Security ChangesHomeSearch

AWS datasync documentation change

Service: datasync · 2026-03-19 · Documentation low

File: datasync/latest/userguide/API_UpdateLocationHdfs.md

Summary

Added CmkSecretConfig and CustomSecretConfig configuration options for managing secrets with KMS keys and IAM roles in HDFS location updates

Security assessment

This change adds documentation for new secret management configurations (CmkSecretConfig and CustomSecretConfig) that enable secure handling of authentication credentials like KerberosKeytab. While this enhances security documentation by providing more secure ways to manage secrets, there's no evidence it addresses a specific security vulnerability.

Diff

diff --git a/datasync/latest/userguide/API_UpdateLocationHdfs.md b/datasync/latest/userguide/API_UpdateLocationHdfs.md
index 43914083d..4c6a11035 100644
--- a//datasync/latest/userguide/API_UpdateLocationHdfs.md
+++ b//datasync/latest/userguide/API_UpdateLocationHdfs.md
@@ -19,0 +20,8 @@ For more information, see [Configuring DataSync transfers with an HDFS cluster](
+       "CmkSecretConfig": { 
+          "[KmsKeyArn](./API_CmkSecretConfig.html#DataSync-Type-CmkSecretConfig-KmsKeyArn)": "string",
+          "[SecretArn](./API_CmkSecretConfig.html#DataSync-Type-CmkSecretConfig-SecretArn)": "string"
+       },
+       "CustomSecretConfig": { 
+          "[SecretAccessRoleArn](./API_CustomSecretConfig.html#DataSync-Type-CustomSecretConfig-SecretAccessRoleArn)": "string",
+          "[SecretArn](./API_CustomSecretConfig.html#DataSync-Type-CustomSecretConfig-SecretArn)": "string"
+       },
@@ -82,0 +91,18 @@ Required: No
+**CmkSecretConfig **
+    
+
+Specifies configuration information for a DataSync-managed secret, such as a `KerberosKeytab` or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
+
+Type: [CmkSecretConfig](./API_CmkSecretConfig.html) object
+
+Required: No
+
+**CustomSecretConfig **
+    
+
+Specifies configuration information for a customer-managed secret, such as a `KerberosKeytab` or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS Identity and Access Management (IAM) role that provides access to the secret.
+
+Type: [CustomSecretConfig](./API_CustomSecretConfig.html) object
+
+Required: No
+