AWS Security ChangesHomeSearch

AWS datasync documentation change

Service: datasync · 2026-03-22 · Documentation low

File: datasync/latest/userguide/location-credentials.md

Summary

Updated documentation to clarify credential storage options for DataSync locations, replacing generic descriptions with specific API references and structured bullet points for ManagedSecretConfig, CmkSecretConfig, and CustomSecretConfig.

Security assessment

The change enhances documentation about secure credential management options using AWS Secrets Manager, including customer-managed keys (CMK) and IAM roles. It provides clearer guidance on security best practices but does not indicate a specific security vulnerability being addressed.

Diff

diff --git a/datasync/latest/userguide/location-credentials.md b/datasync/latest/userguide/location-credentials.md
index e0b1444e5..6930b4625 100644
--- a//datasync/latest/userguide/location-credentials.md
+++ b//datasync/latest/userguide/location-credentials.md
@@ -9 +9 @@ Using a service-managed secret encrypted with a default keyUsing a service-manag
-###### Note
+DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-transfer-works.html#sync-locations) to access your storage resources located on premises, in other clouds, or in AWS. Some location types require you to provide credentials (examples such as, access key and secret key, user name and password, Kerberos keytab, SAS token, etc.) to authenticate with your storage system. When you create a DataSync location that requires credentials for authentication, you can use AWS Secrets Manager (Secrets Manager) to store the secret for your credentials. The following options are available:
@@ -11 +11 @@ Using a service-managed secret encrypted with a default keyUsing a service-manag
-Secrets Manager integration is available for object storage and Microsoft Azure Blob Storage.
+  * [ManagedSecretConfig](https://docs.aws.amazon.com/datasync/latest/userguide/API_ManagedSecretConfig.html): DataSync-Managed Secret configuration. Store the secret in Secrets Manager using a DataSync service-managed secret encrypted with a default key.
@@ -13 +13 @@ Secrets Manager integration is available for object storage and Microsoft Azure
-DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-transfer-works.html#sync-locations) to access your storage resources located on premises, in other clouds, or in AWS. Some location types require you to provide credentials, such as an access key and secret key or a user name and password, to authenticate with your storage system. When you create a DataSync location that requires credentials for authentication, you can use AWS Secrets Manager (Secrets Manager) to store the secret for your credentials. The following options are available:
+  * [CmkSecretConfig](https://docs.aws.amazon.com/datasync/latest/userguide/API_CmkSecretConfig.html): DataSync-Managed Secret with Customer-Managed Key (CMK) configuration. Store the secret in Secrets Manager using a DataSync service-managed secret encrypted with an AWS KMS key that you manage.
@@ -15,5 +15 @@ DataSync uses [locations](https://docs.aws.amazon.com/datasync/latest/userguide/
-  * Store the secret in Secrets Manager using a service-managed secret encrypted with a default key.
-
-  * Store the secret in Secrets Manager using a service-managed secret encrypted with an AWS KMS key that you manage.
-
-  * Store the secret in Secrets Manager using a secret and key that you create and manage. DataSync accesses this secret using an IAM role that you provide.
+  * [CustomSecretConfig](https://docs.aws.amazon.com/datasync/latest/userguide/API_CustomSecretConfig.html): Customer-Managed Secret configuration. Store the secret in Secrets Manager using a secret and key that you create and manage. DataSync accesses this secret using an IAM role that you provide.