aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_datasync/__init__.py

@@ -68,9 +68,37 @@ from .. import (
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces.aws_datasync import (
+    AgentReference as _AgentReference_4ce8de2b,
+    IAgentRef as _IAgentRef_7dc116ab,
+    ILocationAzureBlobRef as _ILocationAzureBlobRef_4f77cc54,
+    ILocationEFSRef as _ILocationEFSRef_6fba5e2e,
+    ILocationFSxLustreRef as _ILocationFSxLustreRef_af5bc776,
+    ILocationFSxONTAPRef as _ILocationFSxONTAPRef_f2d23af5,
+    ILocationFSxOpenZFSRef as _ILocationFSxOpenZFSRef_bf79198a,
+    ILocationFSxWindowsRef as _ILocationFSxWindowsRef_21eff906,
+    ILocationHDFSRef as _ILocationHDFSRef_7984fa07,
+    ILocationNFSRef as _ILocationNFSRef_01d78c69,
+    ILocationObjectStorageRef as _ILocationObjectStorageRef_76d6ff54,
+    ILocationS3Ref as _ILocationS3Ref_5240f1a4,
+    ILocationSMBRef as _ILocationSMBRef_b540cf9f,
+    ITaskRef as _ITaskRef_0571d67b,
+    LocationAzureBlobReference as _LocationAzureBlobReference_60bcd854,
+    LocationEFSReference as _LocationEFSReference_72d5c472,
+    LocationFSxLustreReference as _LocationFSxLustreReference_4b4c8fcd,
+    LocationFSxONTAPReference as _LocationFSxONTAPReference_696c1d88,
+    LocationFSxOpenZFSReference as _LocationFSxOpenZFSReference_ff06c64f,
+    LocationFSxWindowsReference as _LocationFSxWindowsReference_7de311b2,
+    LocationHDFSReference as _LocationHDFSReference_c3d0d6b5,
+    LocationNFSReference as _LocationNFSReference_163b2bab,
+    LocationObjectStorageReference as _LocationObjectStorageReference_5b3d36b8,
+    LocationS3Reference as _LocationS3Reference_113b17ee,
+    LocationSMBReference as _LocationSMBReference_9787936e,
+    TaskReference as _TaskReference_56755658,
+)
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IAgentRef_7dc116ab, _ITaggable_36806126)
 class CfnAgent(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -121,7 +149,8 @@ class CfnAgent(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_endpoint_id: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::Agent``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param activation_key: Specifies your DataSync agent's activation key. If you don't have an activation key, see `Activating your agent <https://docs.aws.amazon.com/datasync/latest/userguide/activate-agent.html>`_ .
@@ -176,6 +205,12 @@ class CfnAgent(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="agentRef")
+    def agent_ref(self) -> _AgentReference_4ce8de2b:
+        '''A reference to a Agent resource.'''
+        return typing.cast(_AgentReference_4ce8de2b, jsii.get(self, "agentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAgentArn")
     def attr_agent_arn(self) -> builtins.str:
@@ -450,7 +485,7 @@ class CfnAgentProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _ILocationAzureBlobRef_4f77cc54, _ITaggableV2_4e6798f8)
 class CfnLocationAzureBlob(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -458,9 +493,9 @@ class CfnLocationAzureBlob(
 ):
     '''Creates a transfer *location* for a Microsoft Azure Blob Storage container.
 
-    AWS DataSync can use this location as a transfer source or destination.
+    AWS DataSync can use this location as a transfer source or destination. You can make transfers with or without a `DataSync agent <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent>`_ that connects to your container.
 
-    Before you begin, make sure you know `how DataSync accesses Azure Blob Storage <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access>`_ and works with `access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ and `blob types <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types>`_ . You also need a `DataSync agent <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent>`_ that can connect to your container.
+    Before you begin, make sure you know `how DataSync accesses Azure Blob Storage <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access>`_ and works with `access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ and `blob types <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types>`_ .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html
     :cloudformationResource: AWS::DataSync::LocationAzureBlob
@@ -473,16 +508,24 @@ class CfnLocationAzureBlob(
         from aws_cdk import aws_datasync as datasync
         
         cfn_location_azure_blob = datasync.CfnLocationAzureBlob(self, "MyCfnLocationAzureBlob",
-            agent_arns=["agentArns"],
             azure_blob_authentication_type="azureBlobAuthenticationType",
         
             # the properties below are optional
+            agent_arns=["agentArns"],
             azure_access_tier="azureAccessTier",
             azure_blob_container_url="azureBlobContainerUrl",
             azure_blob_sas_configuration=datasync.CfnLocationAzureBlob.AzureBlobSasConfigurationProperty(
                 azure_blob_sas_token="azureBlobSasToken"
             ),
             azure_blob_type="azureBlobType",
+            cmk_secret_config=datasync.CfnLocationAzureBlob.CmkSecretConfigProperty(
+                kms_key_arn="kmsKeyArn",
+                secret_arn="secretArn"
+            ),
+            custom_secret_config=datasync.CfnLocationAzureBlob.CustomSecretConfigProperty(
+                secret_access_role_arn="secretAccessRoleArn",
+                secret_arn="secretArn"
+            ),
             subdirectory="subdirectory",
             tags=[CfnTag(
                 key="key",
@@ -496,24 +539,29 @@ class CfnLocationAzureBlob(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        agent_arns: typing.Sequence[builtins.str],
         azure_blob_authentication_type: builtins.str,
+        agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         azure_access_tier: typing.Optional[builtins.str] = None,
         azure_blob_container_url: typing.Optional[builtins.str] = None,
         azure_blob_sas_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationAzureBlob.AzureBlobSasConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         azure_blob_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationAzureBlob.CmkSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationAzureBlob.CustomSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationAzureBlob``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
         :param azure_blob_authentication_type: Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS). Default: - "SAS"
+        :param agent_arns: (Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ . .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param azure_access_tier: Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see `Access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ . Default: - "HOT"
         :param azure_blob_container_url: Specifies the URL of the Azure Blob Storage container involved in your transfer.
-        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
+        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage. .. epigraph:: If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
         :param azure_blob_type: Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the `Azure Blob Storage documentation <https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs>`_ . Default: - "BLOCK"
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
         :param subdirectory: Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, ``/my/images`` ).
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.
         '''
@@ -522,12 +570,14 @@ class CfnLocationAzureBlob(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnLocationAzureBlobProps(
-            agent_arns=agent_arns,
             azure_blob_authentication_type=azure_blob_authentication_type,
+            agent_arns=agent_arns,
             azure_access_tier=azure_access_tier,
             azure_blob_container_url=azure_blob_container_url,
             azure_blob_sas_configuration=azure_blob_sas_configuration,
             azure_blob_type=azure_blob_type,
+            cmk_secret_config=cmk_secret_config,
+            custom_secret_config=custom_secret_config,
             subdirectory=subdirectory,
             tags=tags,
         )
@@ -564,6 +614,17 @@ class CfnLocationAzureBlob(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
+    def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+        :cloudformationAttribute: CmkSecretConfig.SecretArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrCmkSecretConfigSecretArn"))
+
     @builtins.property
     @jsii.member(jsii_name="attrLocationArn")
     def attr_location_arn(self) -> builtins.str:
@@ -582,6 +643,17 @@ class CfnLocationAzureBlob(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrLocationUri"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrManagedSecretConfig")
+    def attr_managed_secret_config(self) -> _IResolvable_da3f097b:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+        DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+
+        :cloudformationAttribute: ManagedSecretConfig
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrManagedSecretConfig"))
+
     @builtins.property
     @jsii.member(jsii_name="cdkTagManager")
     def cdk_tag_manager(self) -> _TagManager_0a598cb3:
@@ -594,17 +666,10 @@ class CfnLocationAzureBlob(
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
     @builtins.property
-    @jsii.member(jsii_name="agentArns")
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.'''
-        return typing.cast(typing.List[builtins.str], jsii.get(self, "agentArns"))
-
-    @agent_arns.setter
-    def agent_arns(self, value: typing.List[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__04d94ab53395a58893ca5e5668d51e78b5d567de304ebc1b3c8937ab5824c459)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "agentArns", value) # pyright: ignore[reportArgumentType]
+    @jsii.member(jsii_name="locationAzureBlobRef")
+    def location_azure_blob_ref(self) -> _LocationAzureBlobReference_60bcd854:
+        '''A reference to a LocationAzureBlob resource.'''
+        return typing.cast(_LocationAzureBlobReference_60bcd854, jsii.get(self, "locationAzureBlobRef"))
 
     @builtins.property
     @jsii.member(jsii_name="azureBlobAuthenticationType")
@@ -619,6 +684,19 @@ class CfnLocationAzureBlob(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "azureBlobAuthenticationType", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="agentArns")
+    def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.'''
+        return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "agentArns"))
+
+    @agent_arns.setter
+    def agent_arns(self, value: typing.Optional[typing.List[builtins.str]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__04d94ab53395a58893ca5e5668d51e78b5d567de304ebc1b3c8937ab5824c459)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "agentArns", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="azureAccessTier")
     def azure_access_tier(self) -> typing.Optional[builtins.str]:
@@ -676,6 +754,42 @@ class CfnLocationAzureBlob(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "azureBlobType", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="cmkSecretConfig")
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CmkSecretConfigProperty"]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
+
+    @cmk_secret_config.setter
+    def cmk_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CmkSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__bbe60c9e1409294412076468854254983957a988d2e0d53f2fa73767e4a48525)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "cmkSecretConfig", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="customSecretConfig")
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CustomSecretConfigProperty"]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
+
+    @custom_secret_config.setter
+    def custom_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CustomSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3276084bb32edc8f06759cb50268fc7821cd740602d985f3b1b967d5267f90dc)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "customSecretConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="subdirectory")
     def subdirectory(self) -> typing.Optional[builtins.str]:
@@ -760,17 +874,230 @@ class CfnLocationAzureBlob(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationAzureBlob.CmkSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"kms_key_arn": "kmsKeyArn", "secret_arn": "secretArn"},
+    )
+    class CmkSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            kms_key_arn: typing.Optional[builtins.str] = None,
+            secret_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                cmk_secret_config_property = datasync.CfnLocationAzureBlob.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__d03d5287185c3e65174404788128d96c2205212b3aa189dc5803a4b4b4b8ab36)
+                check_type(argname="argument kms_key_arn", value=kms_key_arn, expected_type=type_hints["kms_key_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if kms_key_arn is not None:
+                self._values["kms_key_arn"] = kms_key_arn
+            if secret_arn is not None:
+                self._values["secret_arn"] = secret_arn
+
+        @builtins.property
+        def kms_key_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
+
+            DataSync provides this key to AWS Secrets Manager .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html#cfn-datasync-locationazureblob-cmksecretconfig-kmskeyarn
+            '''
+            result = self._values.get("kms_key_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def secret_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html#cfn-datasync-locationazureblob-cmksecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CmkSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationAzureBlob.CustomSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "secret_access_role_arn": "secretAccessRoleArn",
+            "secret_arn": "secretArn",
+        },
+    )
+    class CustomSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            secret_access_role_arn: builtins.str,
+            secret_arn: builtins.str,
+        ) -> None:
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                custom_secret_config_property = datasync.CfnLocationAzureBlob.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__0b2d06a0f90feb2e23667a772b3c70d85bf30ee5c9bef02d35fd7339fdffaf93)
+                check_type(argname="argument secret_access_role_arn", value=secret_access_role_arn, expected_type=type_hints["secret_access_role_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_access_role_arn": secret_access_role_arn,
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_access_role_arn(self) -> builtins.str:
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html#cfn-datasync-locationazureblob-customsecretconfig-secretaccessrolearn
+            '''
+            result = self._values.get("secret_access_role_arn")
+            assert result is not None, "Required property 'secret_access_role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html#cfn-datasync-locationazureblob-customsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CustomSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationAzureBlob.ManagedSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"secret_arn": "secretArn"},
+    )
+    class ManagedSecretConfigProperty:
+        def __init__(self, *, secret_arn: builtins.str) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
+
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-managedsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                managed_secret_config_property = datasync.CfnLocationAzureBlob.ManagedSecretConfigProperty(
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__8ed16453ba6567e90e7b3e0e37a7206cf71efddb64e1cca1af96064be80c9609)
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-managedsecretconfig.html#cfn-datasync-locationazureblob-managedsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "ManagedSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_datasync.CfnLocationAzureBlobProps",
     jsii_struct_bases=[],
     name_mapping={
-        "agent_arns": "agentArns",
         "azure_blob_authentication_type": "azureBlobAuthenticationType",
+        "agent_arns": "agentArns",
         "azure_access_tier": "azureAccessTier",
         "azure_blob_container_url": "azureBlobContainerUrl",
         "azure_blob_sas_configuration": "azureBlobSasConfiguration",
         "azure_blob_type": "azureBlobType",
+        "cmk_secret_config": "cmkSecretConfig",
+        "custom_secret_config": "customSecretConfig",
         "subdirectory": "subdirectory",
         "tags": "tags",
     },
@@ -779,23 +1106,27 @@ class CfnLocationAzureBlobProps:
     def __init__(
         self,
         *,
-        agent_arns: typing.Sequence[builtins.str],
         azure_blob_authentication_type: builtins.str,
+        agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         azure_access_tier: typing.Optional[builtins.str] = None,
         azure_blob_container_url: typing.Optional[builtins.str] = None,
         azure_blob_sas_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.AzureBlobSasConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         azure_blob_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnLocationAzureBlob``.
 
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
         :param azure_blob_authentication_type: Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS). Default: - "SAS"
+        :param agent_arns: (Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ . .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param azure_access_tier: Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see `Access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ . Default: - "HOT"
         :param azure_blob_container_url: Specifies the URL of the Azure Blob Storage container involved in your transfer.
-        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
+        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage. .. epigraph:: If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
         :param azure_blob_type: Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the `Azure Blob Storage documentation <https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs>`_ . Default: - "BLOCK"
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
         :param subdirectory: Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, ``/my/images`` ).
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.
 
@@ -809,16 +1140,24 @@ class CfnLocationAzureBlobProps:
             from aws_cdk import aws_datasync as datasync
             
             cfn_location_azure_blob_props = datasync.CfnLocationAzureBlobProps(
-                agent_arns=["agentArns"],
                 azure_blob_authentication_type="azureBlobAuthenticationType",
             
                 # the properties below are optional
+                agent_arns=["agentArns"],
                 azure_access_tier="azureAccessTier",
                 azure_blob_container_url="azureBlobContainerUrl",
                 azure_blob_sas_configuration=datasync.CfnLocationAzureBlob.AzureBlobSasConfigurationProperty(
                     azure_blob_sas_token="azureBlobSasToken"
                 ),
                 azure_blob_type="azureBlobType",
+                cmk_secret_config=datasync.CfnLocationAzureBlob.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                ),
+                custom_secret_config=datasync.CfnLocationAzureBlob.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                ),
                 subdirectory="subdirectory",
                 tags=[CfnTag(
                     key="key",
@@ -828,18 +1167,21 @@ class CfnLocationAzureBlobProps:
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__d386b9f5845962fa66385393ccc6424f66b9aee312fecdc96fe3ec242f754bf1)
-            check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument azure_blob_authentication_type", value=azure_blob_authentication_type, expected_type=type_hints["azure_blob_authentication_type"])
+            check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument azure_access_tier", value=azure_access_tier, expected_type=type_hints["azure_access_tier"])
             check_type(argname="argument azure_blob_container_url", value=azure_blob_container_url, expected_type=type_hints["azure_blob_container_url"])
             check_type(argname="argument azure_blob_sas_configuration", value=azure_blob_sas_configuration, expected_type=type_hints["azure_blob_sas_configuration"])
             check_type(argname="argument azure_blob_type", value=azure_blob_type, expected_type=type_hints["azure_blob_type"])
+            check_type(argname="argument cmk_secret_config", value=cmk_secret_config, expected_type=type_hints["cmk_secret_config"])
+            check_type(argname="argument custom_secret_config", value=custom_secret_config, expected_type=type_hints["custom_secret_config"])
             check_type(argname="argument subdirectory", value=subdirectory, expected_type=type_hints["subdirectory"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
-            "agent_arns": agent_arns,
             "azure_blob_authentication_type": azure_blob_authentication_type,
         }
+        if agent_arns is not None:
+            self._values["agent_arns"] = agent_arns
         if azure_access_tier is not None:
             self._values["azure_access_tier"] = azure_access_tier
         if azure_blob_container_url is not None:
@@ -848,23 +1190,15 @@ class CfnLocationAzureBlobProps:
             self._values["azure_blob_sas_configuration"] = azure_blob_sas_configuration
         if azure_blob_type is not None:
             self._values["azure_blob_type"] = azure_blob_type
+        if cmk_secret_config is not None:
+            self._values["cmk_secret_config"] = cmk_secret_config
+        if custom_secret_config is not None:
+            self._values["custom_secret_config"] = custom_secret_config
         if subdirectory is not None:
             self._values["subdirectory"] = subdirectory
         if tags is not None:
             self._values["tags"] = tags
 
-    @builtins.property
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.
-
-        You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-agentarns
-        '''
-        result = self._values.get("agent_arns")
-        assert result is not None, "Required property 'agent_arns' is missing"
-        return typing.cast(typing.List[builtins.str], result)
-
     @builtins.property
     def azure_blob_authentication_type(self) -> builtins.str:
         '''Specifies the authentication method DataSync uses to access your Azure Blob Storage.
@@ -879,6 +1213,22 @@ class CfnLocationAzureBlobProps:
         assert result is not None, "Required property 'azure_blob_authentication_type' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.
+
+        If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.
+
+        You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
+        .. epigraph::
+
+           Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-agentarns
+        '''
+        result = self._values.get("agent_arns")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
     @builtins.property
     def azure_access_tier(self) -> typing.Optional[builtins.str]:
         '''Specifies the access tier that you want your objects or files transferred into.
@@ -907,6 +1257,10 @@ class CfnLocationAzureBlobProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.AzureBlobSasConfigurationProperty]]:
         '''Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
 
+        .. epigraph::
+
+           If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-azureblobsasconfiguration
         '''
         result = self._values.get("azure_blob_sas_configuration")
@@ -925,6 +1279,37 @@ class CfnLocationAzureBlobProps:
         result = self._values.get("azure_blob_type")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CmkSecretConfigProperty]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-cmksecretconfig
+        '''
+        result = self._values.get("cmk_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CmkSecretConfigProperty]], result)
+
+    @builtins.property
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CustomSecretConfigProperty]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-customsecretconfig
+        '''
+        result = self._values.get("custom_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CustomSecretConfigProperty]], result)
+
     @builtins.property
     def subdirectory(self) -> typing.Optional[builtins.str]:
         '''Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, ``/my/images`` ).
@@ -957,7 +1342,7 @@ class CfnLocationAzureBlobProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationEFSRef_6fba5e2e, _ITaggable_36806126)
 class CfnLocationEFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1009,7 +1394,8 @@ class CfnLocationEFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationEFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param ec2_config: Specifies the subnet and security groups DataSync uses to connect to one of your Amazon EFS file system's `mount targets <https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html>`_ .
@@ -1089,6 +1475,12 @@ class CfnLocationEFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationEfsRef")
+    def location_efs_ref(self) -> _LocationEFSReference_72d5c472:
+        '''A reference to a LocationEFS resource.'''
+        return typing.cast(_LocationEFSReference_72d5c472, jsii.get(self, "locationEfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -1209,7 +1601,7 @@ class CfnLocationEFS(
             '''The subnet and security groups that AWS DataSync uses to connect to one of your Amazon EFS file system's `mount targets <https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html>`_ .
 
             :param security_group_arns: Specifies the Amazon Resource Names (ARNs) of the security groups associated with an Amazon EFS file system's mount target.
-            :param subnet_arn: Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces>`_ for managing traffic during your transfer. The subnet must be located: - In the same virtual private cloud (VPC) as the Amazon EFS file system. - In the same Availability Zone as at least one mount target for the Amazon EFS file system. .. epigraph:: You don't need to specify a subnet that includes a file system mount target.
+            :param subnet_arn: Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces.html>`_ for managing traffic during your transfer. The subnet must be located: - In the same virtual private cloud (VPC) as the Amazon EFS file system. - In the same Availability Zone as at least one mount target for the Amazon EFS file system. .. epigraph:: You don't need to specify a subnet that includes a file system mount target.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationefs-ec2config.html
             :exampleMetadata: fixture=_generated
@@ -1246,7 +1638,7 @@ class CfnLocationEFS(
 
         @builtins.property
         def subnet_arn(self) -> builtins.str:
-            '''Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces>`_ for managing traffic during your transfer.
+            '''Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces.html>`_ for managing traffic during your transfer.
 
             The subnet must be located:
 
@@ -1452,7 +1844,7 @@ class CfnLocationEFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxLustreRef_af5bc776, _ITaggable_36806126)
 class CfnLocationFSxLustre(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1493,7 +1885,8 @@ class CfnLocationFSxLustre(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxLustre``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: The ARNs of the security groups that are used to configure the FSx for Lustre file system. *Pattern* : ``^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`` *Length constraints* : Maximum length of 128.
@@ -1567,6 +1960,12 @@ class CfnLocationFSxLustre(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxLustreRef")
+    def location_f_sx_lustre_ref(self) -> _LocationFSxLustreReference_4b4c8fcd:
+        '''A reference to a LocationFSxLustre resource.'''
+        return typing.cast(_LocationFSxLustreReference_4b4c8fcd, jsii.get(self, "locationFSxLustreRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -1749,7 +2148,7 @@ class CfnLocationFSxLustreProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxONTAPRef_f2d23af5, _ITaggable_36806126)
 class CfnLocationFSxONTAP(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1810,7 +2209,8 @@ class CfnLocationFSxONTAP(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxONTAP``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: Specifies the Amazon Resource Names (ARNs) of the security groups that DataSync can use to access your FSx for ONTAP file system. You must configure the security groups to allow outbound traffic on the following ports (depending on the protocol that you're using): - *Network File System (NFS)* : TCP ports 111, 635, and 2049 - *Server Message Block (SMB)* : TCP port 445 Your file system's security groups must also allow inbound traffic on the same port.
@@ -1895,6 +2295,12 @@ class CfnLocationFSxONTAP(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxOntapRef")
+    def location_f_sx_ontap_ref(self) -> _LocationFSxONTAPReference_696c1d88:
+        '''A reference to a LocationFSxONTAP resource.'''
+        return typing.cast(_LocationFSxONTAPReference_696c1d88, jsii.get(self, "locationFSxOntapRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -2541,7 +2947,7 @@ class CfnLocationFSxONTAPProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxOpenZFSRef_bf79198a, _ITaggable_36806126)
 class CfnLocationFSxOpenZFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2590,7 +2996,8 @@ class CfnLocationFSxOpenZFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxOpenZFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param protocol: The type of protocol that AWS DataSync uses to access your file system.
@@ -2667,7 +3074,13 @@ class CfnLocationFSxOpenZFS(
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
     @builtins.property
-    @jsii.member(jsii_name="tags")
+    @jsii.member(jsii_name="locationFSxOpenZfsRef")
+    def location_f_sx_open_zfs_ref(self) -> _LocationFSxOpenZFSReference_ff06c64f:
+        '''A reference to a LocationFSxOpenZFS resource.'''
+        return typing.cast(_LocationFSxOpenZFSReference_ff06c64f, jsii.get(self, "locationFSxOpenZfsRef"))
+
+    @builtins.property
+    @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
@@ -3067,7 +3480,7 @@ class CfnLocationFSxOpenZFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxWindowsRef_21eff906, _ITaggable_36806126)
 class CfnLocationFSxWindows(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3114,7 +3527,8 @@ class CfnLocationFSxWindows(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxWindows``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: The Amazon Resource Names (ARNs) of the security groups that are used to configure the FSx for Windows File Server file system. *Pattern* : ``^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`` *Length constraints* : Maximum length of 128.
@@ -3194,6 +3608,12 @@ class CfnLocationFSxWindows(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxWindowsRef")
+    def location_f_sx_windows_ref(self) -> _LocationFSxWindowsReference_7de311b2:
+        '''A reference to a LocationFSxWindows resource.'''
+        return typing.cast(_LocationFSxWindowsReference_7de311b2, jsii.get(self, "locationFSxWindowsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -3464,7 +3884,7 @@ class CfnLocationFSxWindowsProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationHDFSRef_7984fa07, _ITaggable_36806126)
 class CfnLocationHDFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3529,7 +3949,8 @@ class CfnLocationHDFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationHDFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param agent_arns: The Amazon Resource Names (ARNs) of the DataSync agents that can connect to your HDFS cluster.
@@ -3621,6 +4042,12 @@ class CfnLocationHDFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationHdfsRef")
+    def location_hdfs_ref(self) -> _LocationHDFSReference_c3d0d6b5:
+        '''A reference to a LocationHDFS resource.'''
+        return typing.cast(_LocationHDFSReference_c3d0d6b5, jsii.get(self, "locationHdfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -4248,7 +4675,7 @@ class CfnLocationHDFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationNFSRef_01d78c69, _ITaggable_36806126)
 class CfnLocationNFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4295,12 +4722,13 @@ class CfnLocationNFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationNFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param on_prem_config: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect to your NFS file server. You can specify more than one agent. For more information, see `Using multiple DataSync agents <https://docs.aws.amazon.com/datasync/latest/userguide/do-i-need-datasync-agent.html#multiple-agents>`_ .
         :param mount_options: Specifies the options that DataSync can use to mount your NFS file server.
-        :param server_hostname: Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        :param server_hostname: Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
         :param subdirectory: Specifies the export path in your NFS file server that you want DataSync to mount. This path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see `Accessing NFS file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         '''
@@ -4371,6 +4799,12 @@ class CfnLocationNFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationNfsRef")
+    def location_nfs_ref(self) -> _LocationNFSReference_163b2bab:
+        '''A reference to a LocationNFS resource.'''
+        return typing.cast(_LocationNFSReference_163b2bab, jsii.get(self, "locationNfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -4416,7 +4850,7 @@ class CfnLocationNFS(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.'''
+        '''Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -4596,7 +5030,7 @@ class CfnLocationNFSProps:
 
         :param on_prem_config: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect to your NFS file server. You can specify more than one agent. For more information, see `Using multiple DataSync agents <https://docs.aws.amazon.com/datasync/latest/userguide/do-i-need-datasync-agent.html#multiple-agents>`_ .
         :param mount_options: Specifies the options that DataSync can use to mount your NFS file server.
-        :param server_hostname: Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        :param server_hostname: Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
         :param subdirectory: Specifies the export path in your NFS file server that you want DataSync to mount. This path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see `Accessing NFS file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
 
@@ -4672,7 +5106,7 @@ class CfnLocationNFSProps:
 
     @builtins.property
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        '''Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationnfs.html#cfn-datasync-locationnfs-serverhostname
         '''
@@ -4713,7 +5147,7 @@ class CfnLocationNFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationObjectStorageRef_76d6ff54, _ITaggable_36806126)
 class CfnLocationObjectStorage(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4734,11 +5168,17 @@ class CfnLocationObjectStorage(
         from aws_cdk import aws_datasync as datasync
         
         cfn_location_object_storage = datasync.CfnLocationObjectStorage(self, "MyCfnLocationObjectStorage",
-            agent_arns=["agentArns"],
-        
-            # the properties below are optional
             access_key="accessKey",
+            agent_arns=["agentArns"],
             bucket_name="bucketName",
+            cmk_secret_config=datasync.CfnLocationObjectStorage.CmkSecretConfigProperty(
+                kms_key_arn="kmsKeyArn",
+                secret_arn="secretArn"
+            ),
+            custom_secret_config=datasync.CfnLocationObjectStorage.CustomSecretConfigProperty(
+                secret_access_role_arn="secretAccessRoleArn",
+                secret_arn="secretArn"
+            ),
             secret_key="secretKey",
             server_certificate="serverCertificate",
             server_hostname="serverHostname",
@@ -4757,9 +5197,11 @@ class CfnLocationObjectStorage(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        agent_arns: typing.Sequence[builtins.str],
         access_key: typing.Optional[builtins.str] = None,
+        agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         bucket_name: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationObjectStorage.CmkSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationObjectStorage.CustomSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         secret_key: typing.Optional[builtins.str] = None,
         server_certificate: typing.Optional[builtins.str] = None,
         server_hostname: typing.Optional[builtins.str] = None,
@@ -4768,17 +5210,20 @@ class CfnLocationObjectStorage(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationObjectStorage``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param agent_arns: Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
         :param access_key: Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.
+        :param agent_arns: (Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param bucket_name: Specifies the name of the object storage bucket involved in the transfer.
-        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key . When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials. Make sure the DataSync has permission to access the KMS key that you specify. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server. .. epigraph:: If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
         :param server_certificate: Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA). You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ). The certificate chain might include: - The object storage system's certificate - All intermediate certificates (if there are any) - The root certificate of the signing CA You can concatenate your certificates into a ``.pem`` file (which can be up to 32768 bytes before base64 encoding). The following example ``cat`` command creates an ``object_storage_certificates.pem`` file that includes three certificates: ``cat object_server_certificate.pem intermediate_certificate.pem ca_root_certificate.pem > object_storage_certificates.pem`` To use this parameter, configure ``ServerProtocol`` to ``HTTPS`` .
-        :param server_hostname: Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
         :param server_port: Specifies the port that your object storage server accepts inbound network traffic on (for example, port 443).
-        :param server_protocol: Specifies the protocol that your object storage server uses to communicate.
+        :param server_protocol: Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is ``HTTPS`` .
         :param subdirectory: Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.
         :param tags: Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location.
         '''
@@ -4787,9 +5232,11 @@ class CfnLocationObjectStorage(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnLocationObjectStorageProps(
-            agent_arns=agent_arns,
             access_key=access_key,
+            agent_arns=agent_arns,
             bucket_name=bucket_name,
+            cmk_secret_config=cmk_secret_config,
+            custom_secret_config=custom_secret_config,
             secret_key=secret_key,
             server_certificate=server_certificate,
             server_hostname=server_hostname,
@@ -4831,6 +5278,17 @@ class CfnLocationObjectStorage(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
+    def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+        :cloudformationAttribute: CmkSecretConfig.SecretArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrCmkSecretConfigSecretArn"))
+
     @builtins.property
     @jsii.member(jsii_name="attrLocationArn")
     def attr_location_arn(self) -> builtins.str:
@@ -4849,30 +5307,34 @@ class CfnLocationObjectStorage(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrLocationUri"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrManagedSecretConfig")
+    def attr_managed_secret_config(self) -> _IResolvable_da3f097b:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+        DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+
+        :cloudformationAttribute: ManagedSecretConfig
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrManagedSecretConfig"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationObjectStorageRef")
+    def location_object_storage_ref(self) -> _LocationObjectStorageReference_5b3d36b8:
+        '''A reference to a LocationObjectStorage resource.'''
+        return typing.cast(_LocationObjectStorageReference_5b3d36b8, jsii.get(self, "locationObjectStorageRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
-    @builtins.property
-    @jsii.member(jsii_name="agentArns")
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.'''
-        return typing.cast(typing.List[builtins.str], jsii.get(self, "agentArns"))
-
-    @agent_arns.setter
-    def agent_arns(self, value: typing.List[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__af42e226779e989fe6f4a4e7403f44c0a7f4048f3185f2bd0fdbbe0f191363ec)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "agentArns", value) # pyright: ignore[reportArgumentType]
-
     @builtins.property
     @jsii.member(jsii_name="accessKey")
     def access_key(self) -> typing.Optional[builtins.str]:
@@ -4886,6 +5348,19 @@ class CfnLocationObjectStorage(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "accessKey", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="agentArns")
+    def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.'''
+        return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "agentArns"))
+
+    @agent_arns.setter
+    def agent_arns(self, value: typing.Optional[typing.List[builtins.str]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__af42e226779e989fe6f4a4e7403f44c0a7f4048f3185f2bd0fdbbe0f191363ec)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "agentArns", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="bucketName")
     def bucket_name(self) -> typing.Optional[builtins.str]:
@@ -4899,6 +5374,42 @@ class CfnLocationObjectStorage(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "bucketName", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="cmkSecretConfig")
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CmkSecretConfigProperty"]]:
+        '''Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key .'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
+
+    @cmk_secret_config.setter
+    def cmk_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CmkSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__750d7a103b8b00f0ab06ca1128b92bb839b2b91e71e5a388ec467dacd0fb58b6)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "cmkSecretConfig", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="customSecretConfig")
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CustomSecretConfigProperty"]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
+
+    @custom_secret_config.setter
+    def custom_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CustomSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f8e807a4053a1cf75e73e9841ea082806de0e3097bc4b377492cf4268c03a8c5)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "customSecretConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="secretKey")
     def secret_key(self) -> typing.Optional[builtins.str]:
@@ -4928,7 +5439,7 @@ class CfnLocationObjectStorage(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.'''
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -4990,14 +5501,227 @@ class CfnLocationObjectStorage(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationObjectStorage.CmkSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"kms_key_arn": "kmsKeyArn", "secret_arn": "secretArn"},
+    )
+    class CmkSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            kms_key_arn: typing.Optional[builtins.str] = None,
+            secret_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                cmk_secret_config_property = datasync.CfnLocationObjectStorage.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__86e020e5a613eca69f847ddcabf398915f10f12953f8b4391e961243da06c955)
+                check_type(argname="argument kms_key_arn", value=kms_key_arn, expected_type=type_hints["kms_key_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if kms_key_arn is not None:
+                self._values["kms_key_arn"] = kms_key_arn
+            if secret_arn is not None:
+                self._values["secret_arn"] = secret_arn
+
+        @builtins.property
+        def kms_key_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
+
+            DataSync provides this key to AWS Secrets Manager .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html#cfn-datasync-locationobjectstorage-cmksecretconfig-kmskeyarn
+            '''
+            result = self._values.get("kms_key_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def secret_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html#cfn-datasync-locationobjectstorage-cmksecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CmkSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationObjectStorage.CustomSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "secret_access_role_arn": "secretAccessRoleArn",
+            "secret_arn": "secretArn",
+        },
+    )
+    class CustomSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            secret_access_role_arn: builtins.str,
+            secret_arn: builtins.str,
+        ) -> None:
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                custom_secret_config_property = datasync.CfnLocationObjectStorage.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__630b549b792c8efcdd58178e432579f521d2a86cc91c662fd9c77d74c4293cb8)
+                check_type(argname="argument secret_access_role_arn", value=secret_access_role_arn, expected_type=type_hints["secret_access_role_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_access_role_arn": secret_access_role_arn,
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_access_role_arn(self) -> builtins.str:
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html#cfn-datasync-locationobjectstorage-customsecretconfig-secretaccessrolearn
+            '''
+            result = self._values.get("secret_access_role_arn")
+            assert result is not None, "Required property 'secret_access_role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html#cfn-datasync-locationobjectstorage-customsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CustomSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationObjectStorage.ManagedSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"secret_arn": "secretArn"},
+    )
+    class ManagedSecretConfigProperty:
+        def __init__(self, *, secret_arn: builtins.str) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
+
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-managedsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                managed_secret_config_property = datasync.CfnLocationObjectStorage.ManagedSecretConfigProperty(
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__65c61b34a40852805ad1d8c34da183c741fa3a1957daae2b986eb1a616335549)
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-managedsecretconfig.html#cfn-datasync-locationobjectstorage-managedsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "ManagedSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_datasync.CfnLocationObjectStorageProps",
     jsii_struct_bases=[],
     name_mapping={
-        "agent_arns": "agentArns",
         "access_key": "accessKey",
+        "agent_arns": "agentArns",
         "bucket_name": "bucketName",
+        "cmk_secret_config": "cmkSecretConfig",
+        "custom_secret_config": "customSecretConfig",
         "secret_key": "secretKey",
         "server_certificate": "serverCertificate",
         "server_hostname": "serverHostname",
@@ -5011,9 +5735,11 @@ class CfnLocationObjectStorageProps:
     def __init__(
         self,
         *,
-        agent_arns: typing.Sequence[builtins.str],
         access_key: typing.Optional[builtins.str] = None,
+        agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         bucket_name: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         secret_key: typing.Optional[builtins.str] = None,
         server_certificate: typing.Optional[builtins.str] = None,
         server_hostname: typing.Optional[builtins.str] = None,
@@ -5024,14 +5750,16 @@ class CfnLocationObjectStorageProps:
     ) -> None:
         '''Properties for defining a ``CfnLocationObjectStorage``.
 
-        :param agent_arns: Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
         :param access_key: Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.
+        :param agent_arns: (Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param bucket_name: Specifies the name of the object storage bucket involved in the transfer.
-        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key . When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials. Make sure the DataSync has permission to access the KMS key that you specify. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server. .. epigraph:: If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
         :param server_certificate: Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA). You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ). The certificate chain might include: - The object storage system's certificate - All intermediate certificates (if there are any) - The root certificate of the signing CA You can concatenate your certificates into a ``.pem`` file (which can be up to 32768 bytes before base64 encoding). The following example ``cat`` command creates an ``object_storage_certificates.pem`` file that includes three certificates: ``cat object_server_certificate.pem intermediate_certificate.pem ca_root_certificate.pem > object_storage_certificates.pem`` To use this parameter, configure ``ServerProtocol`` to ``HTTPS`` .
-        :param server_hostname: Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
         :param server_port: Specifies the port that your object storage server accepts inbound network traffic on (for example, port 443).
-        :param server_protocol: Specifies the protocol that your object storage server uses to communicate.
+        :param server_protocol: Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is ``HTTPS`` .
         :param subdirectory: Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.
         :param tags: Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location.
 
@@ -5045,11 +5773,17 @@ class CfnLocationObjectStorageProps:
             from aws_cdk import aws_datasync as datasync
             
             cfn_location_object_storage_props = datasync.CfnLocationObjectStorageProps(
-                agent_arns=["agentArns"],
-            
-                # the properties below are optional
                 access_key="accessKey",
+                agent_arns=["agentArns"],
                 bucket_name="bucketName",
+                cmk_secret_config=datasync.CfnLocationObjectStorage.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                ),
+                custom_secret_config=datasync.CfnLocationObjectStorage.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                ),
                 secret_key="secretKey",
                 server_certificate="serverCertificate",
                 server_hostname="serverHostname",
@@ -5064,9 +5798,11 @@ class CfnLocationObjectStorageProps:
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__d542a26da4e93d9d103e234c98ed367d8b6bea7d295017a32de5525e1ec22b45)
-            check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument access_key", value=access_key, expected_type=type_hints["access_key"])
+            check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument bucket_name", value=bucket_name, expected_type=type_hints["bucket_name"])
+            check_type(argname="argument cmk_secret_config", value=cmk_secret_config, expected_type=type_hints["cmk_secret_config"])
+            check_type(argname="argument custom_secret_config", value=custom_secret_config, expected_type=type_hints["custom_secret_config"])
             check_type(argname="argument secret_key", value=secret_key, expected_type=type_hints["secret_key"])
             check_type(argname="argument server_certificate", value=server_certificate, expected_type=type_hints["server_certificate"])
             check_type(argname="argument server_hostname", value=server_hostname, expected_type=type_hints["server_hostname"])
@@ -5074,13 +5810,17 @@ class CfnLocationObjectStorageProps:
             check_type(argname="argument server_protocol", value=server_protocol, expected_type=type_hints["server_protocol"])
             check_type(argname="argument subdirectory", value=subdirectory, expected_type=type_hints["subdirectory"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {
-            "agent_arns": agent_arns,
-        }
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
         if access_key is not None:
             self._values["access_key"] = access_key
+        if agent_arns is not None:
+            self._values["agent_arns"] = agent_arns
         if bucket_name is not None:
             self._values["bucket_name"] = bucket_name
+        if cmk_secret_config is not None:
+            self._values["cmk_secret_config"] = cmk_secret_config
+        if custom_secret_config is not None:
+            self._values["custom_secret_config"] = custom_secret_config
         if secret_key is not None:
             self._values["secret_key"] = secret_key
         if server_certificate is not None:
@@ -5096,16 +5836,6 @@ class CfnLocationObjectStorageProps:
         if tags is not None:
             self._values["tags"] = tags
 
-    @builtins.property
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-agentarns
-        '''
-        result = self._values.get("agent_arns")
-        assert result is not None, "Required property 'agent_arns' is missing"
-        return typing.cast(typing.List[builtins.str], result)
-
     @builtins.property
     def access_key(self) -> typing.Optional[builtins.str]:
         '''Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.
@@ -5115,6 +5845,20 @@ class CfnLocationObjectStorageProps:
         result = self._values.get("access_key")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
+
+        If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.
+        .. epigraph::
+
+           Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-agentarns
+        '''
+        result = self._values.get("agent_arns")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
     @builtins.property
     def bucket_name(self) -> typing.Optional[builtins.str]:
         '''Specifies the name of the object storage bucket involved in the transfer.
@@ -5125,23 +5869,61 @@ class CfnLocationObjectStorageProps:
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def secret_key(self) -> typing.Optional[builtins.str]:
-        '''Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CmkSecretConfigProperty]]:
+        '''Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key .
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-secretkey
+        When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials.
+
+        Make sure the DataSync has permission to access the KMS key that you specify.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-cmksecretconfig
         '''
-        result = self._values.get("secret_key")
-        return typing.cast(typing.Optional[builtins.str], result)
+        result = self._values.get("cmk_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CmkSecretConfigProperty]], result)
 
     @builtins.property
-    def server_certificate(self) -> typing.Optional[builtins.str]:
-        '''Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA).
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CustomSecretConfigProperty]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text.
 
-        You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ).
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
 
-        The certificate chain might include:
+           You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
 
-        - The object storage system's certificate
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-customsecretconfig
+        '''
+        result = self._values.get("custom_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CustomSecretConfigProperty]], result)
+
+    @builtins.property
+    def secret_key(self) -> typing.Optional[builtins.str]:
+        '''Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+
+        .. epigraph::
+
+           If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-secretkey
+        '''
+        result = self._values.get("secret_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def server_certificate(self) -> typing.Optional[builtins.str]:
+        '''Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA).
+
+        You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ).
+
+        The certificate chain might include:
+
+        - The object storage system's certificate
         - All intermediate certificates (if there are any)
         - The root certificate of the signing CA
 
@@ -5158,7 +5940,7 @@ class CfnLocationObjectStorageProps:
 
     @builtins.property
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-serverhostname
         '''
@@ -5178,6 +5960,8 @@ class CfnLocationObjectStorageProps:
     def server_protocol(self) -> typing.Optional[builtins.str]:
         '''Specifies the protocol that your object storage server uses to communicate.
 
+        If not specified, the default value is ``HTTPS`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-serverprotocol
         '''
         result = self._values.get("server_protocol")
@@ -5217,7 +6001,7 @@ class CfnLocationObjectStorageProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationS3Ref_5240f1a4, _ITaggable_36806126)
 class CfnLocationS3(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5264,7 +6048,8 @@ class CfnLocationS3(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationS3``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param s3_config: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that is used to access an Amazon S3 bucket. For detailed information about using such a role, see `Creating a Location for Amazon S3 <https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html#create-s3-location>`_ in the *AWS DataSync User Guide* .
@@ -5340,6 +6125,12 @@ class CfnLocationS3(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationS3Ref")
+    def location_s3_ref(self) -> _LocationS3Reference_113b17ee:
+        '''A reference to a LocationS3 resource.'''
+        return typing.cast(_LocationS3Reference_113b17ee, jsii.get(self, "locationS3Ref"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -5622,7 +6413,7 @@ class CfnLocationS3Props:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationSMBRef_b540cf9f, _ITaggable_36806126)
 class CfnLocationSMB(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5645,6 +6436,14 @@ class CfnLocationSMB(
         
             # the properties below are optional
             authentication_type="authenticationType",
+            cmk_secret_config=datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                kms_key_arn="kmsKeyArn",
+                secret_arn="secretArn"
+            ),
+            custom_secret_config=datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                secret_access_role_arn="secretAccessRoleArn",
+                secret_arn="secretArn"
+            ),
             dns_ip_addresses=["dnsIpAddresses"],
             domain="domain",
             kerberos_keytab="kerberosKeytab",
@@ -5671,6 +6470,8 @@ class CfnLocationSMB(
         *,
         agent_arns: typing.Sequence[builtins.str],
         authentication_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationSMB.CmkSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationSMB.CustomSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         domain: typing.Optional[builtins.str] = None,
         kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -5683,19 +6484,22 @@ class CfnLocationSMB(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationSMB``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param agent_arns: Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).
-        :param authentication_type: Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        :param authentication_type: The authentication mode used to determine identity of user.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
         :param domain: Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.
-        :param kerberos_keytab: Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys. The file must be base64 encoded. To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
-        :param kerberos_krb5_conf: Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration. The file must be base64 encoded.
-        :param kerberos_principal: Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` . Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
+        :param kerberos_keytab: The Base64 string representation of the Keytab file. Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
+        :param kerberos_krb5_conf: The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
+        :param kerberos_principal: Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
         :param mount_options: Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
         :param password: Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-        :param server_hostname: Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to. Remember the following when configuring this parameter: - You can't specify an IP version 6 (IPv6) address. - If you're using Kerberos authentication, you must specify a domain name.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to. .. epigraph:: If you're using Kerberos authentication, you must specify a domain name.
         :param subdirectory: Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path. To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         :param user: Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
@@ -5707,6 +6511,8 @@ class CfnLocationSMB(
         props = CfnLocationSMBProps(
             agent_arns=agent_arns,
             authentication_type=authentication_type,
+            cmk_secret_config=cmk_secret_config,
+            custom_secret_config=custom_secret_config,
             dns_ip_addresses=dns_ip_addresses,
             domain=domain,
             kerberos_keytab=kerberos_keytab,
@@ -5752,6 +6558,17 @@ class CfnLocationSMB(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
+    def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+        :cloudformationAttribute: CmkSecretConfig.SecretArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrCmkSecretConfigSecretArn"))
+
     @builtins.property
     @jsii.member(jsii_name="attrLocationArn")
     def attr_location_arn(self) -> builtins.str:
@@ -5770,11 +6587,28 @@ class CfnLocationSMB(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrLocationUri"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrManagedSecretConfig")
+    def attr_managed_secret_config(self) -> _IResolvable_da3f097b:
+        '''Specifies configuration information for a DataSync-managed secret, such as a password or set of credentials that DataSync uses to access a specific transfer location.
+
+        DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+
+        :cloudformationAttribute: ManagedSecretConfig
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrManagedSecretConfig"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationSmbRef")
+    def location_smb_ref(self) -> _LocationSMBReference_9787936e:
+        '''A reference to a LocationSMB resource.'''
+        return typing.cast(_LocationSMBReference_9787936e, jsii.get(self, "locationSmbRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -5797,7 +6631,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="authenticationType")
     def authentication_type(self) -> typing.Optional[builtins.str]:
-        '''Specifies the authentication protocol that DataSync uses to connect to your SMB file server.'''
+        '''The authentication mode used to determine identity of user.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "authenticationType"))
 
     @authentication_type.setter
@@ -5807,6 +6641,42 @@ class CfnLocationSMB(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "authenticationType", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="cmkSecretConfig")
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
+
+    @cmk_secret_config.setter
+    def cmk_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e407ec55488adbc9f81891a5e15e237e234b987b6214eb331162a8b63f344324)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "cmkSecretConfig", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="customSecretConfig")
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
+
+    @custom_secret_config.setter
+    def custom_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fde88b8f3a9b839e4f9087f93f80eb219e3a48609302336a5ed68bd2edec2ebb)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "customSecretConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="dnsIpAddresses")
     def dns_ip_addresses(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -5839,7 +6709,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosKeytab")
     def kerberos_keytab(self) -> typing.Optional[builtins.str]:
-        '''Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.'''
+        '''The Base64 string representation of the Keytab file.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosKeytab"))
 
     @kerberos_keytab.setter
@@ -5852,7 +6722,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosKrb5Conf")
     def kerberos_krb5_conf(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration.'''
+        '''The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosKrb5Conf"))
 
     @kerberos_krb5_conf.setter
@@ -5865,7 +6735,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosPrincipal")
     def kerberos_principal(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.'''
+        '''Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosPrincipal"))
 
     @kerberos_principal.setter
@@ -5909,7 +6779,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.'''
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -5958,6 +6828,217 @@ class CfnLocationSMB(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "user", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.CmkSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"kms_key_arn": "kmsKeyArn", "secret_arn": "secretArn"},
+    )
+    class CmkSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            kms_key_arn: typing.Optional[builtins.str] = None,
+            secret_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                cmk_secret_config_property = datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__9351aeda2a3946543003130a0d3d622afa774937076186eaabf4b996745ca99f)
+                check_type(argname="argument kms_key_arn", value=kms_key_arn, expected_type=type_hints["kms_key_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if kms_key_arn is not None:
+                self._values["kms_key_arn"] = kms_key_arn
+            if secret_arn is not None:
+                self._values["secret_arn"] = secret_arn
+
+        @builtins.property
+        def kms_key_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
+
+            DataSync provides this key to AWS Secrets Manager .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html#cfn-datasync-locationsmb-cmksecretconfig-kmskeyarn
+            '''
+            result = self._values.get("kms_key_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def secret_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html#cfn-datasync-locationsmb-cmksecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CmkSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.CustomSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "secret_access_role_arn": "secretAccessRoleArn",
+            "secret_arn": "secretArn",
+        },
+    )
+    class CustomSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            secret_access_role_arn: builtins.str,
+            secret_arn: builtins.str,
+        ) -> None:
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                custom_secret_config_property = datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__6049f29f723d7f92a691c991b6232a25e39ba58d2d4400b1c499f542a7a8aee7)
+                check_type(argname="argument secret_access_role_arn", value=secret_access_role_arn, expected_type=type_hints["secret_access_role_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_access_role_arn": secret_access_role_arn,
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_access_role_arn(self) -> builtins.str:
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html#cfn-datasync-locationsmb-customsecretconfig-secretaccessrolearn
+            '''
+            result = self._values.get("secret_access_role_arn")
+            assert result is not None, "Required property 'secret_access_role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html#cfn-datasync-locationsmb-customsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CustomSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.ManagedSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"secret_arn": "secretArn"},
+    )
+    class ManagedSecretConfigProperty:
+        def __init__(self, *, secret_arn: builtins.str) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
+
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-managedsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                managed_secret_config_property = datasync.CfnLocationSMB.ManagedSecretConfigProperty(
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__5db7c95a4b68a63cb100ea0ecc9392535271eaf1c99519a96ebecbd32455f91c)
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-managedsecretconfig.html#cfn-datasync-locationsmb-managedsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "ManagedSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.MountOptionsProperty",
         jsii_struct_bases=[],
@@ -6033,6 +7114,8 @@ class CfnLocationSMB(
     name_mapping={
         "agent_arns": "agentArns",
         "authentication_type": "authenticationType",
+        "cmk_secret_config": "cmkSecretConfig",
+        "custom_secret_config": "customSecretConfig",
         "dns_ip_addresses": "dnsIpAddresses",
         "domain": "domain",
         "kerberos_keytab": "kerberosKeytab",
@@ -6052,6 +7135,8 @@ class CfnLocationSMBProps:
         *,
         agent_arns: typing.Sequence[builtins.str],
         authentication_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         domain: typing.Optional[builtins.str] = None,
         kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -6067,15 +7152,17 @@ class CfnLocationSMBProps:
         '''Properties for defining a ``CfnLocationSMB``.
 
         :param agent_arns: Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).
-        :param authentication_type: Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        :param authentication_type: The authentication mode used to determine identity of user.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
         :param domain: Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.
-        :param kerberos_keytab: Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys. The file must be base64 encoded. To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
-        :param kerberos_krb5_conf: Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration. The file must be base64 encoded.
-        :param kerberos_principal: Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` . Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
+        :param kerberos_keytab: The Base64 string representation of the Keytab file. Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
+        :param kerberos_krb5_conf: The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
+        :param kerberos_principal: Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
         :param mount_options: Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
         :param password: Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-        :param server_hostname: Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to. Remember the following when configuring this parameter: - You can't specify an IP version 6 (IPv6) address. - If you're using Kerberos authentication, you must specify a domain name.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to. .. epigraph:: If you're using Kerberos authentication, you must specify a domain name.
         :param subdirectory: Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path. To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         :param user: Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
@@ -6094,6 +7181,14 @@ class CfnLocationSMBProps:
             
                 # the properties below are optional
                 authentication_type="authenticationType",
+                cmk_secret_config=datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                ),
+                custom_secret_config=datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                ),
                 dns_ip_addresses=["dnsIpAddresses"],
                 domain="domain",
                 kerberos_keytab="kerberosKeytab",
@@ -6116,6 +7211,8 @@ class CfnLocationSMBProps:
             type_hints = typing.get_type_hints(_typecheckingstub__b20670d7cb18baa1155ccc397df310282442d51b95170ab568e5c0a9cbea5bc8)
             check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument authentication_type", value=authentication_type, expected_type=type_hints["authentication_type"])
+            check_type(argname="argument cmk_secret_config", value=cmk_secret_config, expected_type=type_hints["cmk_secret_config"])
+            check_type(argname="argument custom_secret_config", value=custom_secret_config, expected_type=type_hints["custom_secret_config"])
             check_type(argname="argument dns_ip_addresses", value=dns_ip_addresses, expected_type=type_hints["dns_ip_addresses"])
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument kerberos_keytab", value=kerberos_keytab, expected_type=type_hints["kerberos_keytab"])
@@ -6132,6 +7229,10 @@ class CfnLocationSMBProps:
         }
         if authentication_type is not None:
             self._values["authentication_type"] = authentication_type
+        if cmk_secret_config is not None:
+            self._values["cmk_secret_config"] = cmk_secret_config
+        if custom_secret_config is not None:
+            self._values["custom_secret_config"] = custom_secret_config
         if dns_ip_addresses is not None:
             self._values["dns_ip_addresses"] = dns_ip_addresses
         if domain is not None:
@@ -6169,24 +7270,49 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def authentication_type(self) -> typing.Optional[builtins.str]:
-        '''Specifies the authentication protocol that DataSync uses to connect to your SMB file server.
-
-        DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication.
-
-        For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
+        '''The authentication mode used to determine identity of user.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-authenticationtype
         '''
         result = self._values.get("authentication_type")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-cmksecretconfig
+        '''
+        result = self._values.get("cmk_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]], result)
+
+    @builtins.property
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-customsecretconfig
+        '''
+        result = self._values.get("custom_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]], result)
+
     @builtins.property
     def dns_ip_addresses(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to.
 
-        This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` .
-
-        If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-dnsipaddresses
         '''
@@ -6208,11 +7334,9 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def kerberos_keytab(self) -> typing.Optional[builtins.str]:
-        '''Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.
-
-        The file must be base64 encoded.
+        '''The Base64 string representation of the Keytab file.
 
-        To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
+        Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberoskeytab
         '''
@@ -6220,682 +7344,97 @@ class CfnLocationSMBProps:
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def kerberos_krb5_conf(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration.
-
-        The file must be base64 encoded.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberoskrb5conf
-        '''
-        result = self._values.get("kerberos_krb5_conf")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    @builtins.property
-    def kerberos_principal(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.
-
-        A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` .
-
-        Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberosprincipal
-        '''
-        result = self._values.get("kerberos_principal")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    @builtins.property
-    def mount_options(
-        self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.MountOptionsProperty]]:
-        '''Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-mountoptions
-        '''
-        result = self._values.get("mount_options")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.MountOptionsProperty]], result)
-
-    @builtins.property
-    def password(self) -> typing.Optional[builtins.str]:
-        '''Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer.
-
-        This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-password
-        '''
-        result = self._values.get("password")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    @builtins.property
-    def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.
-
-        Remember the following when configuring this parameter:
-
-        - You can't specify an IP version 6 (IPv6) address.
-        - If you're using Kerberos authentication, you must specify a domain name.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-serverhostname
-        '''
-        result = self._values.get("server_hostname")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    @builtins.property
-    def subdirectory(self) -> typing.Optional[builtins.str]:
-        '''Specifies the name of the share exported by your SMB file server where DataSync will read or write data.
-
-        You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path.
-
-        To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-subdirectory
-        '''
-        result = self._values.get("subdirectory")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    @builtins.property
-    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''Specifies labels that help you categorize, filter, and search for your AWS resources.
-
-        We recommend creating at least a name tag for your location.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-tags
-        '''
-        result = self._values.get("tags")
-        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
-
-    @builtins.property
-    def user(self) -> typing.Optional[builtins.str]:
-        '''Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server.
-
-        This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-
-        For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-user
-        '''
-        result = self._values.get("user")
-        return typing.cast(typing.Optional[builtins.str], result)
-
-    def __eq__(self, rhs: typing.Any) -> builtins.bool:
-        return isinstance(rhs, self.__class__) and rhs._values == self._values
-
-    def __ne__(self, rhs: typing.Any) -> builtins.bool:
-        return not (rhs == self)
-
-    def __repr__(self) -> str:
-        return "CfnLocationSMBProps(%s)" % ", ".join(
-            k + "=" + repr(v) for k, v in self._values.items()
-        )
-
-
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
-class CfnStorageSystem(
-    _CfnResource_9df397a6,
-    metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_datasync.CfnStorageSystem",
-):
-    '''The ``AWS::DataSync::StorageSystem`` resource creates an AWS resource for an on-premises storage system that you want DataSync Discovery to collect information about.
-
-    For more information, see `discovering your storage with DataSync Discovery. <https://docs.aws.amazon.com/datasync/latest/userguide/understanding-your-storage.html>`_
-
-    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html
-    :cloudformationResource: AWS::DataSync::StorageSystem
-    :exampleMetadata: fixture=_generated
-
-    Example::
-
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_datasync as datasync
-        
-        cfn_storage_system = datasync.CfnStorageSystem(self, "MyCfnStorageSystem",
-            agent_arns=["agentArns"],
-            server_configuration=datasync.CfnStorageSystem.ServerConfigurationProperty(
-                server_hostname="serverHostname",
-        
-                # the properties below are optional
-                server_port=123
-            ),
-            system_type="systemType",
-        
-            # the properties below are optional
-            cloud_watch_log_group_arn="cloudWatchLogGroupArn",
-            name="name",
-            server_credentials=datasync.CfnStorageSystem.ServerCredentialsProperty(
-                password="password",
-                username="username"
-            ),
-            tags=[CfnTag(
-                key="key",
-                value="value"
-            )]
-        )
-    '''
-
-    def __init__(
-        self,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        *,
-        agent_arns: typing.Sequence[builtins.str],
-        server_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnStorageSystem.ServerConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
-        system_type: builtins.str,
-        cloud_watch_log_group_arn: typing.Optional[builtins.str] = None,
-        name: typing.Optional[builtins.str] = None,
-        server_credentials: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnStorageSystem.ServerCredentialsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
-        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
-    ) -> None:
-        '''
-        :param scope: Scope in which this resource is defined.
-        :param id: Construct identifier for this resource (unique in its scope).
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.
-        :param server_configuration: Specifies the server name and network port required to connect with the management interface of your on-premises storage system.
-        :param system_type: Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about. .. epigraph:: DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.
-        :param cloud_watch_log_group_arn: Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.
-        :param name: Specifies a familiar name for your on-premises storage system.
-        :param server_credentials: Specifies the user name and password for accessing your on-premises storage system's management interface.
-        :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your on-premises storage system.
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__cd03aea3d03c00385e272f326dc093d0575219e3eac09a9f89062f9453a9360f)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = CfnStorageSystemProps(
-            agent_arns=agent_arns,
-            server_configuration=server_configuration,
-            system_type=system_type,
-            cloud_watch_log_group_arn=cloud_watch_log_group_arn,
-            name=name,
-            server_credentials=server_credentials,
-            tags=tags,
-        )
-
-        jsii.create(self.__class__, self, [scope, id, props])
-
-    @jsii.member(jsii_name="inspect")
-    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
-        '''Examines the CloudFormation resource and discloses attributes.
-
-        :param inspector: tree inspector to collect and process attributes.
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__9d30237b704bab23311aad893ff50107b6fc1840c11f7ab06f9fd41ffce46d0d)
-            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
-        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
-
-    @jsii.member(jsii_name="renderProperties")
-    def _render_properties(
-        self,
-        props: typing.Mapping[builtins.str, typing.Any],
-    ) -> typing.Mapping[builtins.str, typing.Any]:
-        '''
-        :param props: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__81b9c192e8b33247af58d9ec7498864f379be5476b6c0a2aeb98684bc257c348)
-            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
-        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
-
-    @jsii.python.classproperty
-    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
-    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
-        '''The CloudFormation resource type name for this resource class.'''
-        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
-
-    @builtins.property
-    @jsii.member(jsii_name="attrConnectivityStatus")
-    def attr_connectivity_status(self) -> builtins.str:
-        '''Indicates whether your DataSync agent can connect to your on-premises storage system.
-
-        :cloudformationAttribute: ConnectivityStatus
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrConnectivityStatus"))
-
-    @builtins.property
-    @jsii.member(jsii_name="attrSecretsManagerArn")
-    def attr_secrets_manager_arn(self) -> builtins.str:
-        '''The ARN of the secret that stores your on-premises storage system's credentials.
-
-        DataSync Discovery stores these credentials in `AWS Secrets Manager <https://docs.aws.amazon.com/datasync/latest/userguide/discovery-configure-storage.html#discovery-add-storage>`_ .
-
-        :cloudformationAttribute: SecretsManagerArn
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrSecretsManagerArn"))
-
-    @builtins.property
-    @jsii.member(jsii_name="attrStorageSystemArn")
-    def attr_storage_system_arn(self) -> builtins.str:
-        '''The ARN of the on-premises storage system that you're using with DataSync Discovery.
-
-        :cloudformationAttribute: StorageSystemArn
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrStorageSystemArn"))
-
-    @builtins.property
-    @jsii.member(jsii_name="cfnProperties")
-    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
-        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
-
-    @builtins.property
-    @jsii.member(jsii_name="tags")
-    def tags(self) -> _TagManager_0a598cb3:
-        '''Tag Manager which manages the tags for this resource.'''
-        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
-
-    @builtins.property
-    @jsii.member(jsii_name="agentArns")
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface.'''
-        return typing.cast(typing.List[builtins.str], jsii.get(self, "agentArns"))
-
-    @agent_arns.setter
-    def agent_arns(self, value: typing.List[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__91c1b3e5cd2d7dd98537d8ad2c7deae28f00b5d6d23089b99cb0768ef5ca4d7f)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "agentArns", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="serverConfiguration")
-    def server_configuration(
-        self,
-    ) -> typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerConfigurationProperty"]:
-        '''Specifies the server name and network port required to connect with the management interface of your on-premises storage system.'''
-        return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerConfigurationProperty"], jsii.get(self, "serverConfiguration"))
-
-    @server_configuration.setter
-    def server_configuration(
-        self,
-        value: typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerConfigurationProperty"],
-    ) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__81366a44879ecfffc2cf1020a13667d2ef18466bde35cc8a36864bab3668086b)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "serverConfiguration", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="systemType")
-    def system_type(self) -> builtins.str:
-        '''Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about.'''
-        return typing.cast(builtins.str, jsii.get(self, "systemType"))
-
-    @system_type.setter
-    def system_type(self, value: builtins.str) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__1ac346e347fbe1b4d60467d3562a6b070e1ed3e50a18844309f094f5f94cb7f6)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "systemType", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="cloudWatchLogGroupArn")
-    def cloud_watch_log_group_arn(self) -> typing.Optional[builtins.str]:
-        '''Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "cloudWatchLogGroupArn"))
-
-    @cloud_watch_log_group_arn.setter
-    def cloud_watch_log_group_arn(self, value: typing.Optional[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__e8cf99420b818e4ec735e8ef96836c7c265a5bb74331a73d84e9fc56a6321299)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "cloudWatchLogGroupArn", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="name")
-    def name(self) -> typing.Optional[builtins.str]:
-        '''Specifies a familiar name for your on-premises storage system.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "name"))
-
-    @name.setter
-    def name(self, value: typing.Optional[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__764666a950d4d83875874f1d9312ef4c5d98748fc51fe8f1dc9c8cf696e4e0bd)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "name", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="serverCredentials")
-    def server_credentials(
-        self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerCredentialsProperty"]]:
-        '''Specifies the user name and password for accessing your on-premises storage system's management interface.'''
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerCredentialsProperty"]], jsii.get(self, "serverCredentials"))
-
-    @server_credentials.setter
-    def server_credentials(
-        self,
-        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnStorageSystem.ServerCredentialsProperty"]],
-    ) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__2f52a2f2a6197dee934b3eaad41d0b7cc429e508ed4c3d4437b45f339ffd8712)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "serverCredentials", value) # pyright: ignore[reportArgumentType]
-
-    @builtins.property
-    @jsii.member(jsii_name="tagsRaw")
-    def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''Specifies labels that help you categorize, filter, and search for your AWS resources.'''
-        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tagsRaw"))
-
-    @tags_raw.setter
-    def tags_raw(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__3f06b57402f5a745b22a5a454fa8563a935276c499111bb78103406214b07c52)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
-
-    @jsii.data_type(
-        jsii_type="aws-cdk-lib.aws_datasync.CfnStorageSystem.ServerConfigurationProperty",
-        jsii_struct_bases=[],
-        name_mapping={
-            "server_hostname": "serverHostname",
-            "server_port": "serverPort",
-        },
-    )
-    class ServerConfigurationProperty:
-        def __init__(
-            self,
-            *,
-            server_hostname: builtins.str,
-            server_port: typing.Optional[jsii.Number] = None,
-        ) -> None:
-            '''The network settings that DataSync Discovery uses to connect with your on-premises storage system's management interface.
-
-            :param server_hostname: The domain name or IP address of your storage system's management interface.
-            :param server_port: The network port for accessing the storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-serverconfiguration.html
-            :exampleMetadata: fixture=_generated
-
-            Example::
-
-                # The code below shows an example of how to instantiate this type.
-                # The values are placeholders you should change.
-                from aws_cdk import aws_datasync as datasync
-                
-                server_configuration_property = datasync.CfnStorageSystem.ServerConfigurationProperty(
-                    server_hostname="serverHostname",
-                
-                    # the properties below are optional
-                    server_port=123
-                )
-            '''
-            if __debug__:
-                type_hints = typing.get_type_hints(_typecheckingstub__0b2d9d38924c8714fdacccf65a04ce2f4670647a35b1330abeacb71b09b32c66)
-                check_type(argname="argument server_hostname", value=server_hostname, expected_type=type_hints["server_hostname"])
-                check_type(argname="argument server_port", value=server_port, expected_type=type_hints["server_port"])
-            self._values: typing.Dict[builtins.str, typing.Any] = {
-                "server_hostname": server_hostname,
-            }
-            if server_port is not None:
-                self._values["server_port"] = server_port
-
-        @builtins.property
-        def server_hostname(self) -> builtins.str:
-            '''The domain name or IP address of your storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-serverconfiguration.html#cfn-datasync-storagesystem-serverconfiguration-serverhostname
-            '''
-            result = self._values.get("server_hostname")
-            assert result is not None, "Required property 'server_hostname' is missing"
-            return typing.cast(builtins.str, result)
-
-        @builtins.property
-        def server_port(self) -> typing.Optional[jsii.Number]:
-            '''The network port for accessing the storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-serverconfiguration.html#cfn-datasync-storagesystem-serverconfiguration-serverport
-            '''
-            result = self._values.get("server_port")
-            return typing.cast(typing.Optional[jsii.Number], result)
-
-        def __eq__(self, rhs: typing.Any) -> builtins.bool:
-            return isinstance(rhs, self.__class__) and rhs._values == self._values
-
-        def __ne__(self, rhs: typing.Any) -> builtins.bool:
-            return not (rhs == self)
-
-        def __repr__(self) -> str:
-            return "ServerConfigurationProperty(%s)" % ", ".join(
-                k + "=" + repr(v) for k, v in self._values.items()
-            )
-
-    @jsii.data_type(
-        jsii_type="aws-cdk-lib.aws_datasync.CfnStorageSystem.ServerCredentialsProperty",
-        jsii_struct_bases=[],
-        name_mapping={"password": "password", "username": "username"},
-    )
-    class ServerCredentialsProperty:
-        def __init__(self, *, password: builtins.str, username: builtins.str) -> None:
-            '''The credentials that provide DataSync Discovery read access to your on-premises storage system's management interface.
-
-            DataSync Discovery stores these credentials in `AWS Secrets Manager <https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html>`_ . For more information, see `Accessing your on-premises storage system <https://docs.aws.amazon.com/datasync/latest/userguide/discovery-configure-storage.html>`_ .
-
-            :param password: Specifies the password for your storage system's management interface.
-            :param username: Specifies the user name for your storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-servercredentials.html
-            :exampleMetadata: fixture=_generated
-
-            Example::
-
-                # The code below shows an example of how to instantiate this type.
-                # The values are placeholders you should change.
-                from aws_cdk import aws_datasync as datasync
-                
-                server_credentials_property = datasync.CfnStorageSystem.ServerCredentialsProperty(
-                    password="password",
-                    username="username"
-                )
-            '''
-            if __debug__:
-                type_hints = typing.get_type_hints(_typecheckingstub__4aca605fb52bb6e32c26164545155c20da0e4d47eff8787d0c19d543d3f0f293)
-                check_type(argname="argument password", value=password, expected_type=type_hints["password"])
-                check_type(argname="argument username", value=username, expected_type=type_hints["username"])
-            self._values: typing.Dict[builtins.str, typing.Any] = {
-                "password": password,
-                "username": username,
-            }
-
-        @builtins.property
-        def password(self) -> builtins.str:
-            '''Specifies the password for your storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-servercredentials.html#cfn-datasync-storagesystem-servercredentials-password
-            '''
-            result = self._values.get("password")
-            assert result is not None, "Required property 'password' is missing"
-            return typing.cast(builtins.str, result)
-
-        @builtins.property
-        def username(self) -> builtins.str:
-            '''Specifies the user name for your storage system's management interface.
-
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-storagesystem-servercredentials.html#cfn-datasync-storagesystem-servercredentials-username
-            '''
-            result = self._values.get("username")
-            assert result is not None, "Required property 'username' is missing"
-            return typing.cast(builtins.str, result)
-
-        def __eq__(self, rhs: typing.Any) -> builtins.bool:
-            return isinstance(rhs, self.__class__) and rhs._values == self._values
-
-        def __ne__(self, rhs: typing.Any) -> builtins.bool:
-            return not (rhs == self)
-
-        def __repr__(self) -> str:
-            return "ServerCredentialsProperty(%s)" % ", ".join(
-                k + "=" + repr(v) for k, v in self._values.items()
-            )
-
-
-@jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_datasync.CfnStorageSystemProps",
-    jsii_struct_bases=[],
-    name_mapping={
-        "agent_arns": "agentArns",
-        "server_configuration": "serverConfiguration",
-        "system_type": "systemType",
-        "cloud_watch_log_group_arn": "cloudWatchLogGroupArn",
-        "name": "name",
-        "server_credentials": "serverCredentials",
-        "tags": "tags",
-    },
-)
-class CfnStorageSystemProps:
-    def __init__(
-        self,
-        *,
-        agent_arns: typing.Sequence[builtins.str],
-        server_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
-        system_type: builtins.str,
-        cloud_watch_log_group_arn: typing.Optional[builtins.str] = None,
-        name: typing.Optional[builtins.str] = None,
-        server_credentials: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerCredentialsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
-        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
-    ) -> None:
-        '''Properties for defining a ``CfnStorageSystem``.
-
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface. You can only specify one ARN.
-        :param server_configuration: Specifies the server name and network port required to connect with the management interface of your on-premises storage system.
-        :param system_type: Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about. .. epigraph:: DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.
-        :param cloud_watch_log_group_arn: Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.
-        :param name: Specifies a familiar name for your on-premises storage system.
-        :param server_credentials: Specifies the user name and password for accessing your on-premises storage system's management interface.
-        :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your on-premises storage system.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html
-        :exampleMetadata: fixture=_generated
-
-        Example::
-
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_datasync as datasync
-            
-            cfn_storage_system_props = datasync.CfnStorageSystemProps(
-                agent_arns=["agentArns"],
-                server_configuration=datasync.CfnStorageSystem.ServerConfigurationProperty(
-                    server_hostname="serverHostname",
-            
-                    # the properties below are optional
-                    server_port=123
-                ),
-                system_type="systemType",
-            
-                # the properties below are optional
-                cloud_watch_log_group_arn="cloudWatchLogGroupArn",
-                name="name",
-                server_credentials=datasync.CfnStorageSystem.ServerCredentialsProperty(
-                    password="password",
-                    username="username"
-                ),
-                tags=[CfnTag(
-                    key="key",
-                    value="value"
-                )]
-            )
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__b07c9f88707493efc0c6204abeacfb93dcb4bfdc339feb06b9cedb3c14e549a6)
-            check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
-            check_type(argname="argument server_configuration", value=server_configuration, expected_type=type_hints["server_configuration"])
-            check_type(argname="argument system_type", value=system_type, expected_type=type_hints["system_type"])
-            check_type(argname="argument cloud_watch_log_group_arn", value=cloud_watch_log_group_arn, expected_type=type_hints["cloud_watch_log_group_arn"])
-            check_type(argname="argument name", value=name, expected_type=type_hints["name"])
-            check_type(argname="argument server_credentials", value=server_credentials, expected_type=type_hints["server_credentials"])
-            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {
-            "agent_arns": agent_arns,
-            "server_configuration": server_configuration,
-            "system_type": system_type,
-        }
-        if cloud_watch_log_group_arn is not None:
-            self._values["cloud_watch_log_group_arn"] = cloud_watch_log_group_arn
-        if name is not None:
-            self._values["name"] = name
-        if server_credentials is not None:
-            self._values["server_credentials"] = server_credentials
-        if tags is not None:
-            self._values["tags"] = tags
+    def kerberos_krb5_conf(self) -> typing.Optional[builtins.str]:
+        '''The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberoskrb5conf
+        '''
+        result = self._values.get("kerberos_krb5_conf")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def agent_arns(self) -> typing.List[builtins.str]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that connects to and reads from your on-premises storage system's management interface.
+    def kerberos_principal(self) -> typing.Optional[builtins.str]:
+        '''Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.
 
-        You can only specify one ARN.
+        SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-agentarns
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberosprincipal
         '''
-        result = self._values.get("agent_arns")
-        assert result is not None, "Required property 'agent_arns' is missing"
-        return typing.cast(typing.List[builtins.str], result)
+        result = self._values.get("kerberos_principal")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def server_configuration(
+    def mount_options(
         self,
-    ) -> typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerConfigurationProperty]:
-        '''Specifies the server name and network port required to connect with the management interface of your on-premises storage system.
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.MountOptionsProperty]]:
+        '''Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-serverconfiguration
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-mountoptions
         '''
-        result = self._values.get("server_configuration")
-        assert result is not None, "Required property 'server_configuration' is missing"
-        return typing.cast(typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerConfigurationProperty], result)
+        result = self._values.get("mount_options")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.MountOptionsProperty]], result)
 
     @builtins.property
-    def system_type(self) -> builtins.str:
-        '''Specifies the type of on-premises storage system that you want DataSync Discovery to collect information about.
-
-        .. epigraph::
+    def password(self) -> typing.Optional[builtins.str]:
+        '''Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer.
 
-           DataSync Discovery currently supports NetApp Fabric-Attached Storage (FAS) and All Flash FAS (AFF) systems running ONTAP 9.7 or later.
+        This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-systemtype
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-password
         '''
-        result = self._values.get("system_type")
-        assert result is not None, "Required property 'system_type' is missing"
-        return typing.cast(builtins.str, result)
+        result = self._values.get("password")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def cloud_watch_log_group_arn(self) -> typing.Optional[builtins.str]:
-        '''Specifies the ARN of the Amazon CloudWatch log group for monitoring and logging discovery job events.
+    def server_hostname(self) -> typing.Optional[builtins.str]:
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-cloudwatchloggrouparn
-        '''
-        result = self._values.get("cloud_watch_log_group_arn")
-        return typing.cast(typing.Optional[builtins.str], result)
+        .. epigraph::
 
-    @builtins.property
-    def name(self) -> typing.Optional[builtins.str]:
-        '''Specifies a familiar name for your on-premises storage system.
+           If you're using Kerberos authentication, you must specify a domain name.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-name
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-serverhostname
         '''
-        result = self._values.get("name")
+        result = self._values.get("server_hostname")
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def server_credentials(
-        self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerCredentialsProperty]]:
-        '''Specifies the user name and password for accessing your on-premises storage system's management interface.
+    def subdirectory(self) -> typing.Optional[builtins.str]:
+        '''Specifies the name of the share exported by your SMB file server where DataSync will read or write data.
+
+        You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path.
+
+        To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-servercredentials
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-subdirectory
         '''
-        result = self._values.get("server_credentials")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerCredentialsProperty]], result)
+        result = self._values.get("subdirectory")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
         '''Specifies labels that help you categorize, filter, and search for your AWS resources.
 
-        We recommend creating at least a name tag for your on-premises storage system.
+        We recommend creating at least a name tag for your location.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-storagesystem.html#cfn-datasync-storagesystem-tags
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-tags
         '''
         result = self._values.get("tags")
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
 
+    @builtins.property
+    def user(self) -> typing.Optional[builtins.str]:
+        '''Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server.
+
+        This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
+
+        For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-user
+        '''
+        result = self._values.get("user")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -6903,12 +7442,12 @@ class CfnStorageSystemProps:
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "CfnStorageSystemProps(%s)" % ", ".join(
+        return "CfnLocationSMBProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ITaskRef_0571d67b, _ITaggable_36806126)
 class CfnTask(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -7032,7 +7571,8 @@ class CfnTask(
         task_mode: typing.Optional[builtins.str] = None,
         task_report_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.TaskReportConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::Task``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param destination_location_arn: The Amazon Resource Name (ARN) of an AWS storage resource's location.
@@ -7045,8 +7585,8 @@ class CfnTask(
         :param options: Specifies your task's settings, such as preserving file metadata, verifying data integrity, among other options.
         :param schedule: Specifies a schedule for when you want your task to run. For more information, see `Scheduling your task <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ .
         :param tags: Specifies the tags that you want to apply to your task. *Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.
-        :param task_mode: Specifies one of the following task modes for your data transfer:. - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations. .. epigraph:: To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission. - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads. For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
-        :param task_report_config: Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ . When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
+        :param task_mode: The task mode that you're using. For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
+        :param task_report_config: The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9add9673a1f0ceb078949e967bce91066ff7e0441dae95d55c11c4a503a397a6)
@@ -7146,6 +7686,12 @@ class CfnTask(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
+    @builtins.property
+    @jsii.member(jsii_name="taskRef")
+    def task_ref(self) -> _TaskReference_56755658:
+        '''A reference to a Task resource.'''
+        return typing.cast(_TaskReference_56755658, jsii.get(self, "taskRef"))
+
     @builtins.property
     @jsii.member(jsii_name="destinationLocationArn")
     def destination_location_arn(self) -> builtins.str:
@@ -7304,7 +7850,7 @@ class CfnTask(
     @builtins.property
     @jsii.member(jsii_name="taskMode")
     def task_mode(self) -> typing.Optional[builtins.str]:
-        '''Specifies one of the following task modes for your data transfer:.'''
+        '''The task mode that you're using.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "taskMode"))
 
     @task_mode.setter
@@ -7319,7 +7865,7 @@ class CfnTask(
     def task_report_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TaskReportConfigProperty"]]:
-        '''Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer.'''
+        '''The configuration of your task report, which provides detailed information about your DataSync transfer.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TaskReportConfigProperty"]], jsii.get(self, "taskReportConfig"))
 
     @task_report_config.setter
@@ -7343,9 +7889,11 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the deleted section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location.
+
+            This only applies if you configure your task to delete data in the destination that isn't in the source.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to delete. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to delete.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-deleted.html
             :exampleMetadata: fixture=_generated
@@ -7371,9 +7919,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to delete.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to delete.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-deleted.html#cfn-datasync-task-deleted-reportlevel
             '''
             result = self._values.get("report_level")
@@ -7401,7 +7946,7 @@ class CfnTask(
             *,
             s3: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.S3Property", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Specifies where DataSync uploads your `task report <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
+            '''Specifies where DataSync uploads your task report.
 
             :param s3: Specifies the Amazon S3 bucket where DataSync uploads your task report.
 
@@ -7653,11 +8198,9 @@ class CfnTask(
         ) -> None:
             '''Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
-            For more information and configuration examples, see `Specifying what DataSync transfers by using a manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html>`_ .
-
-            :param bucket_access_role_arn: Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest. For more information, see `Providing DataSync access to your manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access>`_ .
-            :param manifest_object_path: Specifies the Amazon S3 object key of your manifest. This can include a prefix (for example, ``prefix/my-manifest.csv`` ).
-            :param manifest_object_version_id: Specifies the object version ID of the manifest that you want DataSync to use. If you don't set this, DataSync uses the latest version of the object.
+            :param bucket_access_role_arn: Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest.
+            :param manifest_object_path: Specifies the Amazon S3 object key of your manifest.
+            :param manifest_object_version_id: Specifies the object version ID of the manifest that you want DataSync to use.
             :param s3_bucket_arn: Specifies the Amazon Resource Name (ARN) of the S3 bucket where you're hosting your manifest.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html
@@ -7696,8 +8239,6 @@ class CfnTask(
         def bucket_access_role_arn(self) -> typing.Optional[builtins.str]:
             '''Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest.
 
-            For more information, see `Providing DataSync access to your manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access>`_ .
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-bucketaccessrolearn
             '''
             result = self._values.get("bucket_access_role_arn")
@@ -7707,8 +8248,6 @@ class CfnTask(
         def manifest_object_path(self) -> typing.Optional[builtins.str]:
             '''Specifies the Amazon S3 object key of your manifest.
 
-            This can include a prefix (for example, ``prefix/my-manifest.csv`` ).
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-manifestobjectpath
             '''
             result = self._values.get("manifest_object_path")
@@ -7718,8 +8257,6 @@ class CfnTask(
         def manifest_object_version_id(self) -> typing.Optional[builtins.str]:
             '''Specifies the object version ID of the manifest that you want DataSync to use.
 
-            If you don't set this, DataSync uses the latest version of the object.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-manifestobjectversionid
             '''
             result = self._values.get("manifest_object_version_id")
@@ -8172,12 +8709,12 @@ class CfnTask(
         ) -> None:
             '''Customizes the reporting level for aspects of your task report.
 
-            For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.
+            For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that Datasync attempted to delete in your destination location.
 
-            :param deleted: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you `configure your task <https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html>`_ to delete data in the destination that isn't in the source.
-            :param skipped: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.
-            :param transferred: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.
-            :param verified: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.
+            :param deleted: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location. This only applies if you configure your task to delete data in the destination that isn't in the source.
+            :param skipped: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
+            :param transferred: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
+            :param verified: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer. This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html
             :exampleMetadata: fixture=_generated
@@ -8223,9 +8760,9 @@ class CfnTask(
         def deleted(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.DeletedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location.
 
-            This only applies if you `configure your task <https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html>`_ to delete data in the destination that isn't in the source.
+            This only applies if you configure your task to delete data in the destination that isn't in the source.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-deleted
             '''
@@ -8236,7 +8773,7 @@ class CfnTask(
         def skipped(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.SkippedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-skipped
             '''
@@ -8247,7 +8784,7 @@ class CfnTask(
         def transferred(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TransferredProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-transferred
             '''
@@ -8258,7 +8795,9 @@ class CfnTask(
         def verified(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.VerifiedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer.
+
+            This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-verified
             '''
@@ -8372,9 +8911,9 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the skipped section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to skip. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to skip.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-skipped.html
             :exampleMetadata: fixture=_generated
@@ -8400,9 +8939,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to skip.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to skip.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-skipped.html#cfn-datasync-task-skipped-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8430,11 +8966,9 @@ class CfnTask(
             *,
             s3: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.ManifestConfigSourceS3Property", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Specifies the manifest that you want AWS DataSync to use and where it's hosted.
-
-            For more information and configuration examples, see `Specifying what DataSync transfers by using a manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html>`_ .
+            '''Specifies the manifest that you want DataSync to use and where it's hosted.
 
-            :param s3: Specifies the S3 bucket where you're hosting your manifest.
+            :param s3: Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-source.html
             :exampleMetadata: fixture=_generated
@@ -8465,7 +8999,7 @@ class CfnTask(
         def s3(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.ManifestConfigSourceS3Property"]]:
-            '''Specifies the S3 bucket where you're hosting your manifest.
+            '''Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-source.html#cfn-datasync-task-source-s3
             '''
@@ -8659,7 +9193,7 @@ class CfnTask(
             '''Configures your AWS DataSync task to run on a `schedule <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ (at a minimum interval of 1 hour).
 
             :param schedule_expression: Specifies your task schedule by using a cron or rate expression. Use cron expressions for task schedules that run on a specific time and day. For example, the following cron expression creates a task schedule that runs at 8 AM on the first Wednesday of every month: ``cron(0 8 * * 3#1)`` Use rate expressions for task schedules that run on a regular interval. For example, the following rate expression creates a task schedule that runs every 12 hours: ``rate(12 hours)`` For information about cron and rate expression syntax, see the `*Amazon EventBridge User Guide* <https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html>`_ .
-            :param status: Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer. DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the `*DataSync User Guide* <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule>`_ .
+            :param status: Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system. DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see `TaskScheduleDetails <https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-taskschedule.html
             :exampleMetadata: fixture=_generated
@@ -8708,9 +9242,9 @@ class CfnTask(
         def status(self) -> typing.Optional[builtins.str]:
             '''Specifies whether to enable or disable your task schedule.
 
-            Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer.
+            Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system.
 
-            DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the `*DataSync User Guide* <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule>`_ .
+            DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see `TaskScheduleDetails <https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-taskschedule.html#cfn-datasync-task-taskschedule-status
             '''
@@ -8739,9 +9273,9 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the transferred section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to transfer. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to transfer.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-transferred.html
             :exampleMetadata: fixture=_generated
@@ -8767,9 +9301,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to transfer.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to transfer.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-transferred.html#cfn-datasync-task-transferred-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8797,9 +9328,11 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the verified section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to verify. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to verify.
+            This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
+
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-verified.html
             :exampleMetadata: fixture=_generated
@@ -8825,9 +9358,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to verify.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to verify.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-verified.html#cfn-datasync-task-verified-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8892,8 +9422,8 @@ class CfnTaskProps:
         :param options: Specifies your task's settings, such as preserving file metadata, verifying data integrity, among other options.
         :param schedule: Specifies a schedule for when you want your task to run. For more information, see `Scheduling your task <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ .
         :param tags: Specifies the tags that you want to apply to your task. *Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.
-        :param task_mode: Specifies one of the following task modes for your data transfer:. - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations. .. epigraph:: To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission. - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads. For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
-        :param task_report_config: Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ . When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
+        :param task_mode: The task mode that you're using. For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
+        :param task_report_config: The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html
         :exampleMetadata: fixture=_generated
@@ -9146,17 +9676,9 @@ class CfnTaskProps:
 
     @builtins.property
     def task_mode(self) -> typing.Optional[builtins.str]:
-        '''Specifies one of the following task modes for your data transfer:.
+        '''The task mode that you're using.
 
-        - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations.
-
-        .. epigraph::
-
-           To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission.
-
-        - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads.
-
-        For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
+        For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html#cfn-datasync-task-taskmode
         '''
@@ -9167,12 +9689,10 @@ class CfnTaskProps:
     def task_report_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnTask.TaskReportConfigProperty]]:
-        '''Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer.
+        '''The configuration of your task report, which provides detailed information about your DataSync transfer.
 
         For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
 
-        When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html#cfn-datasync-task-taskreportconfig
         '''
         result = self._values.get("task_report_config")
@@ -9215,8 +9735,6 @@ __all__ = [
     "CfnLocationS3Props",
     "CfnLocationSMB",
     "CfnLocationSMBProps",
-    "CfnStorageSystem",
-    "CfnStorageSystemProps",
     "CfnTask",
     "CfnTaskProps",
 ]
@@ -9301,12 +9819,14 @@ def _typecheckingstub__2a49f57a1ab4813b1537b04053be19b99e3fa8f143f30fac9d1bc72ca
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    agent_arns: typing.Sequence[builtins.str],
     azure_blob_authentication_type: builtins.str,
+    agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     azure_access_tier: typing.Optional[builtins.str] = None,
     azure_blob_container_url: typing.Optional[builtins.str] = None,
     azure_blob_sas_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.AzureBlobSasConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     azure_blob_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     subdirectory: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -9325,14 +9845,14 @@ def _typecheckingstub__ebde5c22aa68229dea3796deaf496ab61b9ffcfdf6d4f56a59875e604
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__04d94ab53395a58893ca5e5668d51e78b5d567de304ebc1b3c8937ab5824c459(
-    value: typing.List[builtins.str],
+def _typecheckingstub__d66037c88c30360a6dbdeedf60b7cdd8b0d971ae11fb4944eb61af92fe413080(
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__d66037c88c30360a6dbdeedf60b7cdd8b0d971ae11fb4944eb61af92fe413080(
-    value: builtins.str,
+def _typecheckingstub__04d94ab53395a58893ca5e5668d51e78b5d567de304ebc1b3c8937ab5824c459(
+    value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -9361,6 +9881,18 @@ def _typecheckingstub__e74328b40eb55d86e422d5f30530d28f29d1393792015d7646eb06c88
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__bbe60c9e1409294412076468854254983957a988d2e0d53f2fa73767e4a48525(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CmkSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__3276084bb32edc8f06759cb50268fc7821cd740602d985f3b1b967d5267f90dc(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CustomSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__861788b0a9a32f402ab93793acdec22ae6bb15d217371b8ba36d7cb8ba33fc6b(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -9380,14 +9912,39 @@ def _typecheckingstub__3b97bd3f13ec4166f121eb8229b7a3322702a4782d767aca2fc1323e9
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d03d5287185c3e65174404788128d96c2205212b3aa189dc5803a4b4b4b8ab36(
+    *,
+    kms_key_arn: typing.Optional[builtins.str] = None,
+    secret_arn: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0b2d06a0f90feb2e23667a772b3c70d85bf30ee5c9bef02d35fd7339fdffaf93(
+    *,
+    secret_access_role_arn: builtins.str,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8ed16453ba6567e90e7b3e0e37a7206cf71efddb64e1cca1af96064be80c9609(
+    *,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d386b9f5845962fa66385393ccc6424f66b9aee312fecdc96fe3ec242f754bf1(
     *,
-    agent_arns: typing.Sequence[builtins.str],
     azure_blob_authentication_type: builtins.str,
+    agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     azure_access_tier: typing.Optional[builtins.str] = None,
     azure_blob_container_url: typing.Optional[builtins.str] = None,
     azure_blob_sas_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.AzureBlobSasConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     azure_blob_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationAzureBlob.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     subdirectory: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -10046,9 +10603,11 @@ def _typecheckingstub__6afc4365b2246b057f5b97e5d62cc10a54cff3be74dae8a9bb184f54b
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    agent_arns: typing.Sequence[builtins.str],
     access_key: typing.Optional[builtins.str] = None,
+    agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     bucket_name: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     secret_key: typing.Optional[builtins.str] = None,
     server_certificate: typing.Optional[builtins.str] = None,
     server_hostname: typing.Optional[builtins.str] = None,
@@ -10072,14 +10631,14 @@ def _typecheckingstub__1891041f95311e30edfb4c440a05c41fa9ad1fb130ed42400500c5785
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__af42e226779e989fe6f4a4e7403f44c0a7f4048f3185f2bd0fdbbe0f191363ec(
-    value: typing.List[builtins.str],
+def _typecheckingstub__5bab62678e3c33f0a6edfb878fe17304321977ba3655bb45d3504aa54de9dadc(
+    value: typing.Optional[builtins.str],
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__5bab62678e3c33f0a6edfb878fe17304321977ba3655bb45d3504aa54de9dadc(
-    value: typing.Optional[builtins.str],
+def _typecheckingstub__af42e226779e989fe6f4a4e7403f44c0a7f4048f3185f2bd0fdbbe0f191363ec(
+    value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -10090,6 +10649,18 @@ def _typecheckingstub__daf6330b6613abe7771487991e7b16db5686e2242ecdbb63f4ef7e946
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__750d7a103b8b00f0ab06ca1128b92bb839b2b91e71e5a388ec467dacd0fb58b6(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CmkSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f8e807a4053a1cf75e73e9841ea082806de0e3097bc4b377492cf4268c03a8c5(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CustomSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0cdc4af71140887c9702de30a25cd730dad08983bb31931dbba45c838b77c638(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -10132,11 +10703,36 @@ def _typecheckingstub__4c7a3d48757bffde04fd1015e50d6672207d2522eec04091eebdb3ac1
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__86e020e5a613eca69f847ddcabf398915f10f12953f8b4391e961243da06c955(
+    *,
+    kms_key_arn: typing.Optional[builtins.str] = None,
+    secret_arn: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__630b549b792c8efcdd58178e432579f521d2a86cc91c662fd9c77d74c4293cb8(
+    *,
+    secret_access_role_arn: builtins.str,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__65c61b34a40852805ad1d8c34da183c741fa3a1957daae2b986eb1a616335549(
+    *,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d542a26da4e93d9d103e234c98ed367d8b6bea7d295017a32de5525e1ec22b45(
     *,
-    agent_arns: typing.Sequence[builtins.str],
     access_key: typing.Optional[builtins.str] = None,
+    agent_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     bucket_name: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationObjectStorage.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     secret_key: typing.Optional[builtins.str] = None,
     server_certificate: typing.Optional[builtins.str] = None,
     server_hostname: typing.Optional[builtins.str] = None,
@@ -10227,6 +10823,8 @@ def _typecheckingstub__bafa6101408857d4661895c88a8c9839da8768aa52e07d3f2889a4f27
     *,
     agent_arns: typing.Sequence[builtins.str],
     authentication_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
     domain: typing.Optional[builtins.str] = None,
     kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -10266,6 +10864,18 @@ def _typecheckingstub__35de39b9b573d0d6146fa84be08e6a3a14ff5e9ece5535c93fc8af130
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__e407ec55488adbc9f81891a5e15e237e234b987b6214eb331162a8b63f344324(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__fde88b8f3a9b839e4f9087f93f80eb219e3a48609302336a5ed68bd2edec2ebb(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__dc011a04f6ce95bde8af4cc9451501d73cdf7696b6089617c22a1d8aa112d7be(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -10332,126 +10942,53 @@ def _typecheckingstub__9112e8b177e52fbd055f221015988972f906f8c7291b4a1992bb1656c
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__465428a8e33c33a3926562e4b4d3d671db7fc7f2d1ff95443e6224cb280e8c00(
-    *,
-    version: typing.Optional[builtins.str] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__b20670d7cb18baa1155ccc397df310282442d51b95170ab568e5c0a9cbea5bc8(
+def _typecheckingstub__9351aeda2a3946543003130a0d3d622afa774937076186eaabf4b996745ca99f(
     *,
-    agent_arns: typing.Sequence[builtins.str],
-    authentication_type: typing.Optional[builtins.str] = None,
-    dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
-    domain: typing.Optional[builtins.str] = None,
-    kerberos_keytab: typing.Optional[builtins.str] = None,
-    kerberos_krb5_conf: typing.Optional[builtins.str] = None,
-    kerberos_principal: typing.Optional[builtins.str] = None,
-    mount_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.MountOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
-    password: typing.Optional[builtins.str] = None,
-    server_hostname: typing.Optional[builtins.str] = None,
-    subdirectory: typing.Optional[builtins.str] = None,
-    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
-    user: typing.Optional[builtins.str] = None,
+    kms_key_arn: typing.Optional[builtins.str] = None,
+    secret_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__cd03aea3d03c00385e272f326dc093d0575219e3eac09a9f89062f9453a9360f(
-    scope: _constructs_77d1e7e8.Construct,
-    id: builtins.str,
+def _typecheckingstub__6049f29f723d7f92a691c991b6232a25e39ba58d2d4400b1c499f542a7a8aee7(
     *,
-    agent_arns: typing.Sequence[builtins.str],
-    server_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
-    system_type: builtins.str,
-    cloud_watch_log_group_arn: typing.Optional[builtins.str] = None,
-    name: typing.Optional[builtins.str] = None,
-    server_credentials: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerCredentialsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
-    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__9d30237b704bab23311aad893ff50107b6fc1840c11f7ab06f9fd41ffce46d0d(
-    inspector: _TreeInspector_488e0dd5,
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__81b9c192e8b33247af58d9ec7498864f379be5476b6c0a2aeb98684bc257c348(
-    props: typing.Mapping[builtins.str, typing.Any],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__91c1b3e5cd2d7dd98537d8ad2c7deae28f00b5d6d23089b99cb0768ef5ca4d7f(
-    value: typing.List[builtins.str],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__81366a44879ecfffc2cf1020a13667d2ef18466bde35cc8a36864bab3668086b(
-    value: typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerConfigurationProperty],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__1ac346e347fbe1b4d60467d3562a6b070e1ed3e50a18844309f094f5f94cb7f6(
-    value: builtins.str,
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__e8cf99420b818e4ec735e8ef96836c7c265a5bb74331a73d84e9fc56a6321299(
-    value: typing.Optional[builtins.str],
+    secret_access_role_arn: builtins.str,
+    secret_arn: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__764666a950d4d83875874f1d9312ef4c5d98748fc51fe8f1dc9c8cf696e4e0bd(
-    value: typing.Optional[builtins.str],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__2f52a2f2a6197dee934b3eaad41d0b7cc429e508ed4c3d4437b45f339ffd8712(
-    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnStorageSystem.ServerCredentialsProperty]],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__3f06b57402f5a745b22a5a454fa8563a935276c499111bb78103406214b07c52(
-    value: typing.Optional[typing.List[_CfnTag_f6864754]],
-) -> None:
-    """Type checking stubs"""
-    pass
-
-def _typecheckingstub__0b2d9d38924c8714fdacccf65a04ce2f4670647a35b1330abeacb71b09b32c66(
+def _typecheckingstub__5db7c95a4b68a63cb100ea0ecc9392535271eaf1c99519a96ebecbd32455f91c(
     *,
-    server_hostname: builtins.str,
-    server_port: typing.Optional[jsii.Number] = None,
+    secret_arn: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__4aca605fb52bb6e32c26164545155c20da0e4d47eff8787d0c19d543d3f0f293(
+def _typecheckingstub__465428a8e33c33a3926562e4b4d3d671db7fc7f2d1ff95443e6224cb280e8c00(
     *,
-    password: builtins.str,
-    username: builtins.str,
+    version: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__b07c9f88707493efc0c6204abeacfb93dcb4bfdc339feb06b9cedb3c14e549a6(
+def _typecheckingstub__b20670d7cb18baa1155ccc397df310282442d51b95170ab568e5c0a9cbea5bc8(
     *,
     agent_arns: typing.Sequence[builtins.str],
-    server_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
-    system_type: builtins.str,
-    cloud_watch_log_group_arn: typing.Optional[builtins.str] = None,
-    name: typing.Optional[builtins.str] = None,
-    server_credentials: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnStorageSystem.ServerCredentialsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    authentication_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
+    domain: typing.Optional[builtins.str] = None,
+    kerberos_keytab: typing.Optional[builtins.str] = None,
+    kerberos_krb5_conf: typing.Optional[builtins.str] = None,
+    kerberos_principal: typing.Optional[builtins.str] = None,
+    mount_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.MountOptionsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    password: typing.Optional[builtins.str] = None,
+    server_hostname: typing.Optional[builtins.str] = None,
+    subdirectory: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    user: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass