aws-cdk-lib 2.200.2__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_datasync/__init__.py

@@ -68,9 +68,37 @@ from .. import (
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces.aws_datasync import (
+    AgentReference as _AgentReference_4ce8de2b,
+    IAgentRef as _IAgentRef_7dc116ab,
+    ILocationAzureBlobRef as _ILocationAzureBlobRef_4f77cc54,
+    ILocationEFSRef as _ILocationEFSRef_6fba5e2e,
+    ILocationFSxLustreRef as _ILocationFSxLustreRef_af5bc776,
+    ILocationFSxONTAPRef as _ILocationFSxONTAPRef_f2d23af5,
+    ILocationFSxOpenZFSRef as _ILocationFSxOpenZFSRef_bf79198a,
+    ILocationFSxWindowsRef as _ILocationFSxWindowsRef_21eff906,
+    ILocationHDFSRef as _ILocationHDFSRef_7984fa07,
+    ILocationNFSRef as _ILocationNFSRef_01d78c69,
+    ILocationObjectStorageRef as _ILocationObjectStorageRef_76d6ff54,
+    ILocationS3Ref as _ILocationS3Ref_5240f1a4,
+    ILocationSMBRef as _ILocationSMBRef_b540cf9f,
+    ITaskRef as _ITaskRef_0571d67b,
+    LocationAzureBlobReference as _LocationAzureBlobReference_60bcd854,
+    LocationEFSReference as _LocationEFSReference_72d5c472,
+    LocationFSxLustreReference as _LocationFSxLustreReference_4b4c8fcd,
+    LocationFSxONTAPReference as _LocationFSxONTAPReference_696c1d88,
+    LocationFSxOpenZFSReference as _LocationFSxOpenZFSReference_ff06c64f,
+    LocationFSxWindowsReference as _LocationFSxWindowsReference_7de311b2,
+    LocationHDFSReference as _LocationHDFSReference_c3d0d6b5,
+    LocationNFSReference as _LocationNFSReference_163b2bab,
+    LocationObjectStorageReference as _LocationObjectStorageReference_5b3d36b8,
+    LocationS3Reference as _LocationS3Reference_113b17ee,
+    LocationSMBReference as _LocationSMBReference_9787936e,
+    TaskReference as _TaskReference_56755658,
+)
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IAgentRef_7dc116ab, _ITaggable_36806126)
 class CfnAgent(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -121,7 +149,8 @@ class CfnAgent(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_endpoint_id: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::Agent``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param activation_key: Specifies your DataSync agent's activation key. If you don't have an activation key, see `Activating your agent <https://docs.aws.amazon.com/datasync/latest/userguide/activate-agent.html>`_ .
@@ -176,6 +205,12 @@ class CfnAgent(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="agentRef")
+    def agent_ref(self) -> _AgentReference_4ce8de2b:
+        '''A reference to a Agent resource.'''
+        return typing.cast(_AgentReference_4ce8de2b, jsii.get(self, "agentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAgentArn")
     def attr_agent_arn(self) -> builtins.str:
@@ -450,7 +485,7 @@ class CfnAgentProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _ILocationAzureBlobRef_4f77cc54, _ITaggableV2_4e6798f8)
 class CfnLocationAzureBlob(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -458,9 +493,9 @@ class CfnLocationAzureBlob(
 ):
     '''Creates a transfer *location* for a Microsoft Azure Blob Storage container.
 
-    AWS DataSync can use this location as a transfer source or destination.
+    AWS DataSync can use this location as a transfer source or destination. You can make transfers with or without a `DataSync agent <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent>`_ that connects to your container.
 
-    Before you begin, make sure you know `how DataSync accesses Azure Blob Storage <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access>`_ and works with `access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ and `blob types <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types>`_ . You also need a `DataSync agent <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent>`_ that can connect to your container.
+    Before you begin, make sure you know `how DataSync accesses Azure Blob Storage <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access>`_ and works with `access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ and `blob types <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types>`_ .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html
     :cloudformationResource: AWS::DataSync::LocationAzureBlob
@@ -515,17 +550,18 @@ class CfnLocationAzureBlob(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationAzureBlob``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param azure_blob_authentication_type: Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS). Default: - "SAS"
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
+        :param agent_arns: (Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ . .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param azure_access_tier: Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see `Access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ . Default: - "HOT"
         :param azure_blob_container_url: Specifies the URL of the Azure Blob Storage container involved in your transfer.
-        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
+        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage. .. epigraph:: If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
         :param azure_blob_type: Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the `Azure Blob Storage documentation <https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs>`_ . Default: - "BLOCK"
-        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
-        :param custom_secret_config: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
         :param subdirectory: Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, ``/my/images`` ).
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.
         '''
@@ -581,7 +617,9 @@ class CfnLocationAzureBlob(
     @builtins.property
     @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
     def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
-        '''Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
         :cloudformationAttribute: CmkSecretConfig.SecretArn
         '''
@@ -627,6 +665,12 @@ class CfnLocationAzureBlob(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationAzureBlobRef")
+    def location_azure_blob_ref(self) -> _LocationAzureBlobReference_60bcd854:
+        '''A reference to a LocationAzureBlob resource.'''
+        return typing.cast(_LocationAzureBlobReference_60bcd854, jsii.get(self, "locationAzureBlobRef"))
+
     @builtins.property
     @jsii.member(jsii_name="azureBlobAuthenticationType")
     def azure_blob_authentication_type(self) -> builtins.str:
@@ -643,7 +687,7 @@ class CfnLocationAzureBlob(
     @builtins.property
     @jsii.member(jsii_name="agentArns")
     def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.'''
+        '''(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "agentArns"))
 
     @agent_arns.setter
@@ -715,7 +759,7 @@ class CfnLocationAzureBlob(
     def cmk_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CmkSecretConfigProperty"]]:
-        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.'''
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
 
     @cmk_secret_config.setter
@@ -733,7 +777,7 @@ class CfnLocationAzureBlob(
     def custom_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CustomSecretConfigProperty"]]:
-        '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.'''
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationAzureBlob.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
 
     @custom_secret_config.setter
@@ -842,10 +886,14 @@ class CfnLocationAzureBlob(
             kms_key_arn: typing.Optional[builtins.str] = None,
             secret_arn: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
 
-            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key used to encrypt the secret specified for SecretArn. DataSync provides this key to AWS Secrets Manager.
-            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html
             :exampleMetadata: fixture=_generated
@@ -873,9 +921,9 @@ class CfnLocationAzureBlob(
 
         @builtins.property
         def kms_key_arn(self) -> typing.Optional[builtins.str]:
-            '''Specifies the ARN for the customer-managed AWS KMS key used to encrypt the secret specified for SecretArn.
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
 
-            DataSync provides this key to AWS Secrets Manager.
+            DataSync provides this key to AWS Secrets Manager .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html#cfn-datasync-locationazureblob-cmksecretconfig-kmskeyarn
             '''
@@ -884,7 +932,9 @@ class CfnLocationAzureBlob(
 
         @builtins.property
         def secret_arn(self) -> typing.Optional[builtins.str]:
-            '''Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-cmksecretconfig.html#cfn-datasync-locationazureblob-cmksecretconfig-secretarn
             '''
@@ -917,10 +967,15 @@ class CfnLocationAzureBlob(
             secret_access_role_arn: builtins.str,
             secret_arn: builtins.str,
         ) -> None:
-            '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
 
-            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for SecretArn.
-            :param secret_arn: Specifies the ARN for a customer created AWS Secrets Manager secret.
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html
             :exampleMetadata: fixture=_generated
@@ -947,7 +1002,7 @@ class CfnLocationAzureBlob(
 
         @builtins.property
         def secret_access_role_arn(self) -> builtins.str:
-            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for SecretArn.
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html#cfn-datasync-locationazureblob-customsecretconfig-secretaccessrolearn
             '''
@@ -957,7 +1012,7 @@ class CfnLocationAzureBlob(
 
         @builtins.property
         def secret_arn(self) -> builtins.str:
-            '''Specifies the ARN for a customer created AWS Secrets Manager secret.
+            '''Specifies the ARN for an AWS Secrets Manager secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationazureblob-customsecretconfig.html#cfn-datasync-locationazureblob-customsecretconfig-secretarn
             '''
@@ -985,7 +1040,7 @@ class CfnLocationAzureBlob(
         def __init__(self, *, secret_arn: builtins.str) -> None:
             '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
 
-            DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
 
             :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
 
@@ -1065,13 +1120,13 @@ class CfnLocationAzureBlobProps:
         '''Properties for defining a ``CfnLocationAzureBlob``.
 
         :param azure_blob_authentication_type: Specifies the authentication method DataSync uses to access your Azure Blob Storage. DataSync can access blob storage using a shared access signature (SAS). Default: - "SAS"
-        :param agent_arns: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
+        :param agent_arns: (Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ . .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param azure_access_tier: Specifies the access tier that you want your objects or files transferred into. This only applies when using the location as a transfer destination. For more information, see `Access tiers <https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers>`_ . Default: - "HOT"
         :param azure_blob_container_url: Specifies the URL of the Azure Blob Storage container involved in your transfer.
-        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
+        :param azure_blob_sas_configuration: Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage. .. epigraph:: If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
         :param azure_blob_type: Specifies the type of blob that you want your objects or files to be when transferring them into Azure Blob Storage. Currently, DataSync only supports moving data into Azure Blob Storage as block blobs. For more information on blob types, see the `Azure Blob Storage documentation <https://docs.aws.amazon.com/https://learn.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs>`_ . Default: - "BLOCK"
-        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
-        :param custom_secret_config: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
         :param subdirectory: Specifies path segments if you want to limit your transfer to a virtual directory in your container (for example, ``/my/images`` ).
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your transfer location.
 
@@ -1160,9 +1215,14 @@ class CfnLocationAzureBlobProps:
 
     @builtins.property
     def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.
+        '''(Optional) Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect with your Azure Blob Storage container.
+
+        If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.
 
         You can specify more than one agent. For more information, see `Using multiple agents for your transfer <https://docs.aws.amazon.com/datasync/latest/userguide/multiple-agents.html>`_ .
+        .. epigraph::
+
+           Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-agentarns
         '''
@@ -1197,6 +1257,10 @@ class CfnLocationAzureBlobProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.AzureBlobSasConfigurationProperty]]:
         '''Specifies the SAS configuration that allows DataSync to access your Azure Blob Storage.
 
+        .. epigraph::
+
+           If you provide an authentication token using ``SasConfiguration`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's secrets manager secret.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-azureblobsasconfiguration
         '''
         result = self._values.get("azure_blob_sas_configuration")
@@ -1219,7 +1283,11 @@ class CfnLocationAzureBlobProps:
     def cmk_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CmkSecretConfigProperty]]:
-        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-cmksecretconfig
         '''
@@ -1230,7 +1298,12 @@ class CfnLocationAzureBlobProps:
     def custom_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationAzureBlob.CustomSecretConfigProperty]]:
-        '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationazureblob.html#cfn-datasync-locationazureblob-customsecretconfig
         '''
@@ -1269,7 +1342,7 @@ class CfnLocationAzureBlobProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationEFSRef_6fba5e2e, _ITaggable_36806126)
 class CfnLocationEFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1321,7 +1394,8 @@ class CfnLocationEFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationEFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param ec2_config: Specifies the subnet and security groups DataSync uses to connect to one of your Amazon EFS file system's `mount targets <https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html>`_ .
@@ -1401,6 +1475,12 @@ class CfnLocationEFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationEfsRef")
+    def location_efs_ref(self) -> _LocationEFSReference_72d5c472:
+        '''A reference to a LocationEFS resource.'''
+        return typing.cast(_LocationEFSReference_72d5c472, jsii.get(self, "locationEfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -1521,7 +1601,7 @@ class CfnLocationEFS(
             '''The subnet and security groups that AWS DataSync uses to connect to one of your Amazon EFS file system's `mount targets <https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html>`_ .
 
             :param security_group_arns: Specifies the Amazon Resource Names (ARNs) of the security groups associated with an Amazon EFS file system's mount target.
-            :param subnet_arn: Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces>`_ for managing traffic during your transfer. The subnet must be located: - In the same virtual private cloud (VPC) as the Amazon EFS file system. - In the same Availability Zone as at least one mount target for the Amazon EFS file system. .. epigraph:: You don't need to specify a subnet that includes a file system mount target.
+            :param subnet_arn: Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces.html>`_ for managing traffic during your transfer. The subnet must be located: - In the same virtual private cloud (VPC) as the Amazon EFS file system. - In the same Availability Zone as at least one mount target for the Amazon EFS file system. .. epigraph:: You don't need to specify a subnet that includes a file system mount target.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationefs-ec2config.html
             :exampleMetadata: fixture=_generated
@@ -1558,7 +1638,7 @@ class CfnLocationEFS(
 
         @builtins.property
         def subnet_arn(self) -> builtins.str:
-            '''Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces>`_ for managing traffic during your transfer.
+            '''Specifies the ARN of a subnet where DataSync creates the `network interfaces <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#required-network-interfaces.html>`_ for managing traffic during your transfer.
 
             The subnet must be located:
 
@@ -1764,7 +1844,7 @@ class CfnLocationEFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxLustreRef_af5bc776, _ITaggable_36806126)
 class CfnLocationFSxLustre(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1805,7 +1885,8 @@ class CfnLocationFSxLustre(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxLustre``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: The ARNs of the security groups that are used to configure the FSx for Lustre file system. *Pattern* : ``^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`` *Length constraints* : Maximum length of 128.
@@ -1879,6 +1960,12 @@ class CfnLocationFSxLustre(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxLustreRef")
+    def location_f_sx_lustre_ref(self) -> _LocationFSxLustreReference_4b4c8fcd:
+        '''A reference to a LocationFSxLustre resource.'''
+        return typing.cast(_LocationFSxLustreReference_4b4c8fcd, jsii.get(self, "locationFSxLustreRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -2061,7 +2148,7 @@ class CfnLocationFSxLustreProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxONTAPRef_f2d23af5, _ITaggable_36806126)
 class CfnLocationFSxONTAP(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2122,7 +2209,8 @@ class CfnLocationFSxONTAP(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxONTAP``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: Specifies the Amazon Resource Names (ARNs) of the security groups that DataSync can use to access your FSx for ONTAP file system. You must configure the security groups to allow outbound traffic on the following ports (depending on the protocol that you're using): - *Network File System (NFS)* : TCP ports 111, 635, and 2049 - *Server Message Block (SMB)* : TCP port 445 Your file system's security groups must also allow inbound traffic on the same port.
@@ -2207,6 +2295,12 @@ class CfnLocationFSxONTAP(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxOntapRef")
+    def location_f_sx_ontap_ref(self) -> _LocationFSxONTAPReference_696c1d88:
+        '''A reference to a LocationFSxONTAP resource.'''
+        return typing.cast(_LocationFSxONTAPReference_696c1d88, jsii.get(self, "locationFSxOntapRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -2853,7 +2947,7 @@ class CfnLocationFSxONTAPProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxOpenZFSRef_bf79198a, _ITaggable_36806126)
 class CfnLocationFSxOpenZFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2902,7 +2996,8 @@ class CfnLocationFSxOpenZFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxOpenZFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param protocol: The type of protocol that AWS DataSync uses to access your file system.
@@ -2978,6 +3073,12 @@ class CfnLocationFSxOpenZFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxOpenZfsRef")
+    def location_f_sx_open_zfs_ref(self) -> _LocationFSxOpenZFSReference_ff06c64f:
+        '''A reference to a LocationFSxOpenZFS resource.'''
+        return typing.cast(_LocationFSxOpenZFSReference_ff06c64f, jsii.get(self, "locationFSxOpenZfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -3379,7 +3480,7 @@ class CfnLocationFSxOpenZFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationFSxWindowsRef_21eff906, _ITaggable_36806126)
 class CfnLocationFSxWindows(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3426,7 +3527,8 @@ class CfnLocationFSxWindows(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationFSxWindows``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param security_group_arns: The Amazon Resource Names (ARNs) of the security groups that are used to configure the FSx for Windows File Server file system. *Pattern* : ``^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\\-0-9]*:[0-9]{12}:security-group/.*$`` *Length constraints* : Maximum length of 128.
@@ -3506,6 +3608,12 @@ class CfnLocationFSxWindows(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationFSxWindowsRef")
+    def location_f_sx_windows_ref(self) -> _LocationFSxWindowsReference_7de311b2:
+        '''A reference to a LocationFSxWindows resource.'''
+        return typing.cast(_LocationFSxWindowsReference_7de311b2, jsii.get(self, "locationFSxWindowsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -3776,7 +3884,7 @@ class CfnLocationFSxWindowsProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationHDFSRef_7984fa07, _ITaggable_36806126)
 class CfnLocationHDFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3841,7 +3949,8 @@ class CfnLocationHDFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationHDFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param agent_arns: The Amazon Resource Names (ARNs) of the DataSync agents that can connect to your HDFS cluster.
@@ -3933,6 +4042,12 @@ class CfnLocationHDFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationHdfsRef")
+    def location_hdfs_ref(self) -> _LocationHDFSReference_c3d0d6b5:
+        '''A reference to a LocationHDFS resource.'''
+        return typing.cast(_LocationHDFSReference_c3d0d6b5, jsii.get(self, "locationHdfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -4560,7 +4675,7 @@ class CfnLocationHDFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationNFSRef_01d78c69, _ITaggable_36806126)
 class CfnLocationNFS(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4607,12 +4722,13 @@ class CfnLocationNFS(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationNFS``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param on_prem_config: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect to your NFS file server. You can specify more than one agent. For more information, see `Using multiple DataSync agents <https://docs.aws.amazon.com/datasync/latest/userguide/do-i-need-datasync-agent.html#multiple-agents>`_ .
         :param mount_options: Specifies the options that DataSync can use to mount your NFS file server.
-        :param server_hostname: Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        :param server_hostname: Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
         :param subdirectory: Specifies the export path in your NFS file server that you want DataSync to mount. This path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see `Accessing NFS file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         '''
@@ -4683,6 +4799,12 @@ class CfnLocationNFS(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationNfsRef")
+    def location_nfs_ref(self) -> _LocationNFSReference_163b2bab:
+        '''A reference to a LocationNFS resource.'''
+        return typing.cast(_LocationNFSReference_163b2bab, jsii.get(self, "locationNfsRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -4728,7 +4850,7 @@ class CfnLocationNFS(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.'''
+        '''Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -4908,7 +5030,7 @@ class CfnLocationNFSProps:
 
         :param on_prem_config: Specifies the Amazon Resource Name (ARN) of the DataSync agent that can connect to your NFS file server. You can specify more than one agent. For more information, see `Using multiple DataSync agents <https://docs.aws.amazon.com/datasync/latest/userguide/do-i-need-datasync-agent.html#multiple-agents>`_ .
         :param mount_options: Specifies the options that DataSync can use to mount your NFS file server.
-        :param server_hostname: Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        :param server_hostname: Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
         :param subdirectory: Specifies the export path in your NFS file server that you want DataSync to mount. This path (or a subdirectory of the path) is where DataSync transfers data to or from. For information on configuring an export for DataSync, see `Accessing NFS file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-nfs-location.html#accessing-nfs>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
 
@@ -4984,7 +5106,7 @@ class CfnLocationNFSProps:
 
     @builtins.property
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the DNS name or IP version 4 address of the NFS file server that your DataSync agent connects to.
+        '''Specifies the DNS name or IP address (IPv4 or IPv6) of the NFS file server that your DataSync agent connects to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationnfs.html#cfn-datasync-locationnfs-serverhostname
         '''
@@ -5025,7 +5147,7 @@ class CfnLocationNFSProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationObjectStorageRef_76d6ff54, _ITaggable_36806126)
 class CfnLocationObjectStorage(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5088,19 +5210,20 @@ class CfnLocationObjectStorage(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationObjectStorage``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param access_key: Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.
-        :param agent_arns: Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
+        :param agent_arns: (Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param bucket_name: Specifies the name of the object storage bucket involved in the transfer.
-        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
-        :param custom_secret_config: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
-        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key . When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials. Make sure the DataSync has permission to access the KMS key that you specify. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server. .. epigraph:: If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
         :param server_certificate: Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA). You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ). The certificate chain might include: - The object storage system's certificate - All intermediate certificates (if there are any) - The root certificate of the signing CA You can concatenate your certificates into a ``.pem`` file (which can be up to 32768 bytes before base64 encoding). The following example ``cat`` command creates an ``object_storage_certificates.pem`` file that includes three certificates: ``cat object_server_certificate.pem intermediate_certificate.pem ca_root_certificate.pem > object_storage_certificates.pem`` To use this parameter, configure ``ServerProtocol`` to ``HTTPS`` .
-        :param server_hostname: Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
         :param server_port: Specifies the port that your object storage server accepts inbound network traffic on (for example, port 443).
-        :param server_protocol: Specifies the protocol that your object storage server uses to communicate.
+        :param server_protocol: Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is ``HTTPS`` .
         :param subdirectory: Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.
         :param tags: Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location.
         '''
@@ -5158,7 +5281,9 @@ class CfnLocationObjectStorage(
     @builtins.property
     @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
     def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
-        '''Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
         :cloudformationAttribute: CmkSecretConfig.SecretArn
         '''
@@ -5198,6 +5323,12 @@ class CfnLocationObjectStorage(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationObjectStorageRef")
+    def location_object_storage_ref(self) -> _LocationObjectStorageReference_5b3d36b8:
+        '''A reference to a LocationObjectStorage resource.'''
+        return typing.cast(_LocationObjectStorageReference_5b3d36b8, jsii.get(self, "locationObjectStorageRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -5220,7 +5351,7 @@ class CfnLocationObjectStorage(
     @builtins.property
     @jsii.member(jsii_name="agentArns")
     def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.'''
+        '''(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "agentArns"))
 
     @agent_arns.setter
@@ -5248,7 +5379,7 @@ class CfnLocationObjectStorage(
     def cmk_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CmkSecretConfigProperty"]]:
-        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.'''
+        '''Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key .'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
 
     @cmk_secret_config.setter
@@ -5266,7 +5397,7 @@ class CfnLocationObjectStorage(
     def custom_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CustomSecretConfigProperty"]]:
-        '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.'''
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationObjectStorage.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
 
     @custom_secret_config.setter
@@ -5308,7 +5439,7 @@ class CfnLocationObjectStorage(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.'''
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -5382,10 +5513,14 @@ class CfnLocationObjectStorage(
             kms_key_arn: typing.Optional[builtins.str] = None,
             secret_arn: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
 
-            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key used to encrypt the secret specified for SecretArn. DataSync provides this key to AWS Secrets Manager.
-            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html
             :exampleMetadata: fixture=_generated
@@ -5413,9 +5548,9 @@ class CfnLocationObjectStorage(
 
         @builtins.property
         def kms_key_arn(self) -> typing.Optional[builtins.str]:
-            '''Specifies the ARN for the customer-managed AWS KMS key used to encrypt the secret specified for SecretArn.
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
 
-            DataSync provides this key to AWS Secrets Manager.
+            DataSync provides this key to AWS Secrets Manager .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html#cfn-datasync-locationobjectstorage-cmksecretconfig-kmskeyarn
             '''
@@ -5424,7 +5559,9 @@ class CfnLocationObjectStorage(
 
         @builtins.property
         def secret_arn(self) -> typing.Optional[builtins.str]:
-            '''Specifies the ARN for an AWS Secrets Manager secret, managed by DataSync.
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-cmksecretconfig.html#cfn-datasync-locationobjectstorage-cmksecretconfig-secretarn
             '''
@@ -5457,10 +5594,15 @@ class CfnLocationObjectStorage(
             secret_access_role_arn: builtins.str,
             secret_arn: builtins.str,
         ) -> None:
-            '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
 
-            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for SecretArn.
-            :param secret_arn: Specifies the ARN for a customer created AWS Secrets Manager secret.
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html
             :exampleMetadata: fixture=_generated
@@ -5487,7 +5629,7 @@ class CfnLocationObjectStorage(
 
         @builtins.property
         def secret_access_role_arn(self) -> builtins.str:
-            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for SecretArn.
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html#cfn-datasync-locationobjectstorage-customsecretconfig-secretaccessrolearn
             '''
@@ -5497,7 +5639,7 @@ class CfnLocationObjectStorage(
 
         @builtins.property
         def secret_arn(self) -> builtins.str:
-            '''Specifies the ARN for a customer created AWS Secrets Manager secret.
+            '''Specifies the ARN for an AWS Secrets Manager secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationobjectstorage-customsecretconfig.html#cfn-datasync-locationobjectstorage-customsecretconfig-secretarn
             '''
@@ -5525,7 +5667,7 @@ class CfnLocationObjectStorage(
         def __init__(self, *, secret_arn: builtins.str) -> None:
             '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
 
-            DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
 
             :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
 
@@ -5609,15 +5751,15 @@ class CfnLocationObjectStorageProps:
         '''Properties for defining a ``CfnLocationObjectStorage``.
 
         :param access_key: Specifies the access key (for example, a user name) if credentials are required to authenticate with the object storage server.
-        :param agent_arns: Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
+        :param agent_arns: (Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system. If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter. .. epigraph:: Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
         :param bucket_name: Specifies the name of the object storage bucket involved in the transfer.
-        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
-        :param custom_secret_config: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
-        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key . When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials. Make sure the DataSync has permission to access the KMS key that you specify. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
+        :param secret_key: Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server. .. epigraph:: If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
         :param server_certificate: Specifies a certificate chain for DataSync to authenticate with your object storage system if the system uses a private or self-signed certificate authority (CA). You must specify a single ``.pem`` file with a full certificate chain (for example, ``file:///home/user/.ssh/object_storage_certificates.pem`` ). The certificate chain might include: - The object storage system's certificate - All intermediate certificates (if there are any) - The root certificate of the signing CA You can concatenate your certificates into a ``.pem`` file (which can be up to 32768 bytes before base64 encoding). The following example ``cat`` command creates an ``object_storage_certificates.pem`` file that includes three certificates: ``cat object_server_certificate.pem intermediate_certificate.pem ca_root_certificate.pem > object_storage_certificates.pem`` To use this parameter, configure ``ServerProtocol`` to ``HTTPS`` .
-        :param server_hostname: Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
         :param server_port: Specifies the port that your object storage server accepts inbound network traffic on (for example, port 443).
-        :param server_protocol: Specifies the protocol that your object storage server uses to communicate.
+        :param server_protocol: Specifies the protocol that your object storage server uses to communicate. If not specified, the default value is ``HTTPS`` .
         :param subdirectory: Specifies the object prefix for your object storage server. If this is a source location, DataSync only copies objects with this prefix. If this is a destination location, DataSync writes all objects with this prefix.
         :param tags: Specifies the key-value pair that represents a tag that you want to add to the resource. Tags can help you manage, filter, and search for your resources. We recommend creating a name tag for your location.
 
@@ -5705,7 +5847,12 @@ class CfnLocationObjectStorageProps:
 
     @builtins.property
     def agent_arns(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
+        '''(Optional) Specifies the Amazon Resource Names (ARNs) of the DataSync agents that can connect with your object storage system.
+
+        If you are setting up an agentless cross-cloud transfer, you do not need to specify a value for this parameter.
+        .. epigraph::
+
+           Make sure you configure this parameter correctly when you first create your storage location. You cannot add or remove agents from a storage location after you create it.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-agentarns
         '''
@@ -5725,7 +5872,14 @@ class CfnLocationObjectStorageProps:
     def cmk_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CmkSecretConfigProperty]]:
-        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key.
+        '''Specifies configuration information for a DataSync-managed secret, which includes the ``SecretKey`` that DataSync uses to access a specific object storage location, with a customer-managed AWS KMS key .
+
+        When you include this paramater as part of a ``CreateLocationObjectStorage`` request, you provide only the KMS key ARN. DataSync uses this KMS key together with the value you specify for the ``SecretKey`` parameter to create a DataSync-managed secret to store the location access credentials.
+
+        Make sure the DataSync has permission to access the KMS key that you specify.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-cmksecretconfig
         '''
@@ -5736,7 +5890,12 @@ class CfnLocationObjectStorageProps:
     def custom_secret_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationObjectStorage.CustomSecretConfigProperty]]:
-        '''Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret.
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where the secret key for a specific object storage location is stored in plain text.
+
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` (with ``SecretKey`` ) or ``CustomSecretConfig`` (without ``SecretKey`` ) to provide credentials for a ``CreateLocationObjectStorage`` request. Do not provide both parameters for the same request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-customsecretconfig
         '''
@@ -5747,6 +5906,10 @@ class CfnLocationObjectStorageProps:
     def secret_key(self) -> typing.Optional[builtins.str]:
         '''Specifies the secret key (for example, a password) if credentials are required to authenticate with the object storage server.
 
+        .. epigraph::
+
+           If you provide a secret using ``SecretKey`` , but do not provide secret configuration details using ``CmkSecretConfig`` or ``CustomSecretConfig`` , then DataSync stores the token using your AWS account's Secrets Manager secret.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-secretkey
         '''
         result = self._values.get("secret_key")
@@ -5777,7 +5940,7 @@ class CfnLocationObjectStorageProps:
 
     @builtins.property
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP version 4 (IPv4) address of the object storage server that your DataSync agent connects to.
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the object storage server that your DataSync agent connects to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-serverhostname
         '''
@@ -5797,6 +5960,8 @@ class CfnLocationObjectStorageProps:
     def server_protocol(self) -> typing.Optional[builtins.str]:
         '''Specifies the protocol that your object storage server uses to communicate.
 
+        If not specified, the default value is ``HTTPS`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationobjectstorage.html#cfn-datasync-locationobjectstorage-serverprotocol
         '''
         result = self._values.get("server_protocol")
@@ -5836,7 +6001,7 @@ class CfnLocationObjectStorageProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationS3Ref_5240f1a4, _ITaggable_36806126)
 class CfnLocationS3(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5883,7 +6048,8 @@ class CfnLocationS3(
         subdirectory: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationS3``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param s3_config: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that is used to access an Amazon S3 bucket. For detailed information about using such a role, see `Creating a Location for Amazon S3 <https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html#create-s3-location>`_ in the *AWS DataSync User Guide* .
@@ -5959,6 +6125,12 @@ class CfnLocationS3(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationS3Ref")
+    def location_s3_ref(self) -> _LocationS3Reference_113b17ee:
+        '''A reference to a LocationS3 resource.'''
+        return typing.cast(_LocationS3Reference_113b17ee, jsii.get(self, "locationS3Ref"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -6241,7 +6413,7 @@ class CfnLocationS3Props:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ILocationSMBRef_b540cf9f, _ITaggable_36806126)
 class CfnLocationSMB(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -6264,6 +6436,14 @@ class CfnLocationSMB(
         
             # the properties below are optional
             authentication_type="authenticationType",
+            cmk_secret_config=datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                kms_key_arn="kmsKeyArn",
+                secret_arn="secretArn"
+            ),
+            custom_secret_config=datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                secret_access_role_arn="secretAccessRoleArn",
+                secret_arn="secretArn"
+            ),
             dns_ip_addresses=["dnsIpAddresses"],
             domain="domain",
             kerberos_keytab="kerberosKeytab",
@@ -6290,6 +6470,8 @@ class CfnLocationSMB(
         *,
         agent_arns: typing.Sequence[builtins.str],
         authentication_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationSMB.CmkSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLocationSMB.CustomSecretConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         domain: typing.Optional[builtins.str] = None,
         kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -6302,19 +6484,22 @@ class CfnLocationSMB(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::LocationSMB``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param agent_arns: Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).
-        :param authentication_type: Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        :param authentication_type: The authentication mode used to determine identity of user.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
         :param domain: Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.
-        :param kerberos_keytab: Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys. The file must be base64 encoded. To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
-        :param kerberos_krb5_conf: Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration. The file must be base64 encoded.
-        :param kerberos_principal: Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` . Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
+        :param kerberos_keytab: The Base64 string representation of the Keytab file. Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
+        :param kerberos_krb5_conf: The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
+        :param kerberos_principal: Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
         :param mount_options: Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
         :param password: Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-        :param server_hostname: Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to. Remember the following when configuring this parameter: - You can't specify an IP version 6 (IPv6) address. - If you're using Kerberos authentication, you must specify a domain name.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to. .. epigraph:: If you're using Kerberos authentication, you must specify a domain name.
         :param subdirectory: Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path. To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         :param user: Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
@@ -6326,6 +6511,8 @@ class CfnLocationSMB(
         props = CfnLocationSMBProps(
             agent_arns=agent_arns,
             authentication_type=authentication_type,
+            cmk_secret_config=cmk_secret_config,
+            custom_secret_config=custom_secret_config,
             dns_ip_addresses=dns_ip_addresses,
             domain=domain,
             kerberos_keytab=kerberos_keytab,
@@ -6371,6 +6558,17 @@ class CfnLocationSMB(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrCmkSecretConfigSecretArn")
+    def attr_cmk_secret_config_secret_arn(self) -> builtins.str:
+        '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+        This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+        :cloudformationAttribute: CmkSecretConfig.SecretArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrCmkSecretConfigSecretArn"))
+
     @builtins.property
     @jsii.member(jsii_name="attrLocationArn")
     def attr_location_arn(self) -> builtins.str:
@@ -6389,11 +6587,28 @@ class CfnLocationSMB(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrLocationUri"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrManagedSecretConfig")
+    def attr_managed_secret_config(self) -> _IResolvable_da3f097b:
+        '''Specifies configuration information for a DataSync-managed secret, such as a password or set of credentials that DataSync uses to access a specific transfer location.
+
+        DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager.
+
+        :cloudformationAttribute: ManagedSecretConfig
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrManagedSecretConfig"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="locationSmbRef")
+    def location_smb_ref(self) -> _LocationSMBReference_9787936e:
+        '''A reference to a LocationSMB resource.'''
+        return typing.cast(_LocationSMBReference_9787936e, jsii.get(self, "locationSmbRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -6416,7 +6631,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="authenticationType")
     def authentication_type(self) -> typing.Optional[builtins.str]:
-        '''Specifies the authentication protocol that DataSync uses to connect to your SMB file server.'''
+        '''The authentication mode used to determine identity of user.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "authenticationType"))
 
     @authentication_type.setter
@@ -6426,6 +6641,42 @@ class CfnLocationSMB(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "authenticationType", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="cmkSecretConfig")
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]], jsii.get(self, "cmkSecretConfig"))
+
+    @cmk_secret_config.setter
+    def cmk_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CmkSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e407ec55488adbc9f81891a5e15e237e234b987b6214eb331162a8b63f344324)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "cmkSecretConfig", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="customSecretConfig")
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]], jsii.get(self, "customSecretConfig"))
+
+    @custom_secret_config.setter
+    def custom_secret_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLocationSMB.CustomSecretConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fde88b8f3a9b839e4f9087f93f80eb219e3a48609302336a5ed68bd2edec2ebb)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "customSecretConfig", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="dnsIpAddresses")
     def dns_ip_addresses(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -6458,7 +6709,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosKeytab")
     def kerberos_keytab(self) -> typing.Optional[builtins.str]:
-        '''Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.'''
+        '''The Base64 string representation of the Keytab file.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosKeytab"))
 
     @kerberos_keytab.setter
@@ -6471,7 +6722,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosKrb5Conf")
     def kerberos_krb5_conf(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration.'''
+        '''The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosKrb5Conf"))
 
     @kerberos_krb5_conf.setter
@@ -6484,7 +6735,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="kerberosPrincipal")
     def kerberos_principal(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.'''
+        '''Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kerberosPrincipal"))
 
     @kerberos_principal.setter
@@ -6528,7 +6779,7 @@ class CfnLocationSMB(
     @builtins.property
     @jsii.member(jsii_name="serverHostname")
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.'''
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serverHostname"))
 
     @server_hostname.setter
@@ -6577,6 +6828,217 @@ class CfnLocationSMB(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "user", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.CmkSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"kms_key_arn": "kmsKeyArn", "secret_arn": "secretArn"},
+    )
+    class CmkSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            kms_key_arn: typing.Optional[builtins.str] = None,
+            secret_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param kms_key_arn: Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` . DataSync provides this key to AWS Secrets Manager .
+            :param secret_arn: Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location. This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                cmk_secret_config_property = datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__9351aeda2a3946543003130a0d3d622afa774937076186eaabf4b996745ca99f)
+                check_type(argname="argument kms_key_arn", value=kms_key_arn, expected_type=type_hints["kms_key_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if kms_key_arn is not None:
+                self._values["kms_key_arn"] = kms_key_arn
+            if secret_arn is not None:
+                self._values["secret_arn"] = secret_arn
+
+        @builtins.property
+        def kms_key_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the customer-managed AWS KMS key that DataSync uses to encrypt the DataSync-managed secret stored for ``SecretArn`` .
+
+            DataSync provides this key to AWS Secrets Manager .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html#cfn-datasync-locationsmb-cmksecretconfig-kmskeyarn
+            '''
+            result = self._values.get("kms_key_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def secret_arn(self) -> typing.Optional[builtins.str]:
+            '''Specifies the ARN for the DataSync-managed AWS Secrets Manager secret that that is used to access a specific storage location.
+
+            This property is generated by DataSync and is read-only. DataSync encrypts this secret with the KMS key that you specify for ``KmsKeyArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-cmksecretconfig.html#cfn-datasync-locationsmb-cmksecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CmkSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.CustomSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "secret_access_role_arn": "secretAccessRoleArn",
+            "secret_arn": "secretArn",
+        },
+    )
+    class CustomSecretConfigProperty:
+        def __init__(
+            self,
+            *,
+            secret_access_role_arn: builtins.str,
+            secret_arn: builtins.str,
+        ) -> None:
+            '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+            This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+            .. epigraph::
+
+               You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+            :param secret_access_role_arn: Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                custom_secret_config_property = datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__6049f29f723d7f92a691c991b6232a25e39ba58d2d4400b1c499f542a7a8aee7)
+                check_type(argname="argument secret_access_role_arn", value=secret_access_role_arn, expected_type=type_hints["secret_access_role_arn"])
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_access_role_arn": secret_access_role_arn,
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_access_role_arn(self) -> builtins.str:
+            '''Specifies the ARN for the AWS Identity and Access Management role that DataSync uses to access the secret specified for ``SecretArn`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html#cfn-datasync-locationsmb-customsecretconfig-secretaccessrolearn
+            '''
+            result = self._values.get("secret_access_role_arn")
+            assert result is not None, "Required property 'secret_access_role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-customsecretconfig.html#cfn-datasync-locationsmb-customsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CustomSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.ManagedSecretConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={"secret_arn": "secretArn"},
+    )
+    class ManagedSecretConfigProperty:
+        def __init__(self, *, secret_arn: builtins.str) -> None:
+            '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location.
+
+            DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager .
+
+            :param secret_arn: Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-managedsecretconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_datasync as datasync
+                
+                managed_secret_config_property = datasync.CfnLocationSMB.ManagedSecretConfigProperty(
+                    secret_arn="secretArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__5db7c95a4b68a63cb100ea0ecc9392535271eaf1c99519a96ebecbd32455f91c)
+                check_type(argname="argument secret_arn", value=secret_arn, expected_type=type_hints["secret_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "secret_arn": secret_arn,
+            }
+
+        @builtins.property
+        def secret_arn(self) -> builtins.str:
+            '''Specifies the ARN for an AWS Secrets Manager secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-locationsmb-managedsecretconfig.html#cfn-datasync-locationsmb-managedsecretconfig-secretarn
+            '''
+            result = self._values.get("secret_arn")
+            assert result is not None, "Required property 'secret_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "ManagedSecretConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_datasync.CfnLocationSMB.MountOptionsProperty",
         jsii_struct_bases=[],
@@ -6652,6 +7114,8 @@ class CfnLocationSMB(
     name_mapping={
         "agent_arns": "agentArns",
         "authentication_type": "authenticationType",
+        "cmk_secret_config": "cmkSecretConfig",
+        "custom_secret_config": "customSecretConfig",
         "dns_ip_addresses": "dnsIpAddresses",
         "domain": "domain",
         "kerberos_keytab": "kerberosKeytab",
@@ -6671,6 +7135,8 @@ class CfnLocationSMBProps:
         *,
         agent_arns: typing.Sequence[builtins.str],
         authentication_type: typing.Optional[builtins.str] = None,
+        cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         domain: typing.Optional[builtins.str] = None,
         kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -6686,15 +7152,17 @@ class CfnLocationSMBProps:
         '''Properties for defining a ``CfnLocationSMB``.
 
         :param agent_arns: Specifies the DataSync agent (or agents) that can connect to your SMB file server. You specify an agent by using its Amazon Resource Name (ARN).
-        :param authentication_type: Specifies the authentication protocol that DataSync uses to connect to your SMB file server. DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
-        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        :param authentication_type: The authentication mode used to determine identity of user.
+        :param cmk_secret_config: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param custom_secret_config: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. .. epigraph:: You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+        :param dns_ip_addresses: Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to. This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
         :param domain: Specifies the Windows domain name that your SMB file server belongs to. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right file server.
-        :param kerberos_keytab: Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys. The file must be base64 encoded. To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
-        :param kerberos_krb5_conf: Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration. The file must be base64 encoded.
-        :param kerberos_principal: Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` . Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
+        :param kerberos_keytab: The Base64 string representation of the Keytab file. Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
+        :param kerberos_krb5_conf: The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
+        :param kerberos_principal: Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server. SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
         :param mount_options: Specifies the version of the SMB protocol that DataSync uses to access your SMB file server.
         :param password: Specifies the password of the user who can mount your SMB file server and has permission to access the files and folders involved in your transfer. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` .
-        :param server_hostname: Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to. Remember the following when configuring this parameter: - You can't specify an IP version 6 (IPv6) address. - If you're using Kerberos authentication, you must specify a domain name.
+        :param server_hostname: Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to. .. epigraph:: If you're using Kerberos authentication, you must specify a domain name.
         :param subdirectory: Specifies the name of the share exported by your SMB file server where DataSync will read or write data. You can include a subdirectory in the share path (for example, ``/path/to/subdirectory`` ). Make sure that other SMB clients in your network can also mount this path. To copy all data in the subdirectory, DataSync must be able to mount the SMB share and access all of its data. For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
         :param tags: Specifies labels that help you categorize, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
         :param user: Specifies the user that can mount and access the files, folders, and file metadata in your SMB file server. This parameter applies only if ``AuthenticationType`` is set to ``NTLM`` . For information about choosing a user with the right level of access for your transfer, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
@@ -6713,6 +7181,14 @@ class CfnLocationSMBProps:
             
                 # the properties below are optional
                 authentication_type="authenticationType",
+                cmk_secret_config=datasync.CfnLocationSMB.CmkSecretConfigProperty(
+                    kms_key_arn="kmsKeyArn",
+                    secret_arn="secretArn"
+                ),
+                custom_secret_config=datasync.CfnLocationSMB.CustomSecretConfigProperty(
+                    secret_access_role_arn="secretAccessRoleArn",
+                    secret_arn="secretArn"
+                ),
                 dns_ip_addresses=["dnsIpAddresses"],
                 domain="domain",
                 kerberos_keytab="kerberosKeytab",
@@ -6735,6 +7211,8 @@ class CfnLocationSMBProps:
             type_hints = typing.get_type_hints(_typecheckingstub__b20670d7cb18baa1155ccc397df310282442d51b95170ab568e5c0a9cbea5bc8)
             check_type(argname="argument agent_arns", value=agent_arns, expected_type=type_hints["agent_arns"])
             check_type(argname="argument authentication_type", value=authentication_type, expected_type=type_hints["authentication_type"])
+            check_type(argname="argument cmk_secret_config", value=cmk_secret_config, expected_type=type_hints["cmk_secret_config"])
+            check_type(argname="argument custom_secret_config", value=custom_secret_config, expected_type=type_hints["custom_secret_config"])
             check_type(argname="argument dns_ip_addresses", value=dns_ip_addresses, expected_type=type_hints["dns_ip_addresses"])
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument kerberos_keytab", value=kerberos_keytab, expected_type=type_hints["kerberos_keytab"])
@@ -6751,6 +7229,10 @@ class CfnLocationSMBProps:
         }
         if authentication_type is not None:
             self._values["authentication_type"] = authentication_type
+        if cmk_secret_config is not None:
+            self._values["cmk_secret_config"] = cmk_secret_config
+        if custom_secret_config is not None:
+            self._values["custom_secret_config"] = custom_secret_config
         if dns_ip_addresses is not None:
             self._values["dns_ip_addresses"] = dns_ip_addresses
         if domain is not None:
@@ -6788,24 +7270,49 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def authentication_type(self) -> typing.Optional[builtins.str]:
-        '''Specifies the authentication protocol that DataSync uses to connect to your SMB file server.
-
-        DataSync supports ``NTLM`` (default) and ``KERBEROS`` authentication.
-
-        For more information, see `Providing DataSync access to SMB file servers <https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html#configuring-smb-permissions>`_ .
+        '''The authentication mode used to determine identity of user.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-authenticationtype
         '''
         result = self._values.get("authentication_type")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def cmk_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]]:
+        '''Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key .
+
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-cmksecretconfig
+        '''
+        result = self._values.get("cmk_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]], result)
+
+    @builtins.property
+    def custom_secret_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]]:
+        '''Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text.
+
+        This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret.
+        .. epigraph::
+
+           You can use either ``CmkSecretConfig`` or ``CustomSecretConfig`` to provide credentials for a ``CreateLocation`` request. Do not provide both parameters for the same request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-customsecretconfig
+        '''
+        result = self._values.get("custom_secret_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]], result)
+
     @builtins.property
     def dns_ip_addresses(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Specifies the IPv4 addresses for the DNS servers that your SMB file server belongs to.
 
-        This parameter applies only if ``AuthenticationType`` is set to ``KERBEROS`` .
-
-        If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
+        This parameter applies only if AuthenticationType is set to KERBEROS. If you have multiple domains in your environment, configuring this parameter makes sure that DataSync connects to the right SMB file server.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-dnsipaddresses
         '''
@@ -6827,11 +7334,9 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def kerberos_keytab(self) -> typing.Optional[builtins.str]:
-        '''Specifies your Kerberos key table (keytab) file, which includes mappings between your Kerberos principal and encryption keys.
+        '''The Base64 string representation of the Keytab file.
 
-        The file must be base64 encoded.
-
-        To avoid task execution errors, make sure that the Kerberos principal that you use to create the keytab file matches exactly what you specify for ``KerberosPrincipal`` .
+        Specifies your Kerberos key table (keytab) file, which includes mappings between your service principal name (SPN) and encryption keys. To avoid task execution errors, make sure that the SPN in the keytab file matches exactly what you specify for KerberosPrincipal and in your krb5.conf file.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberoskeytab
         '''
@@ -6840,9 +7345,7 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def kerberos_krb5_conf(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos configuration file ( ``krb5.conf`` ) that defines your Kerberos realm configuration.
-
-        The file must be base64 encoded.
+        '''The string representation of the Krb5Conf file, or the presigned URL to access the Krb5.conf file within an S3 bucket. Specifies a Kerberos configuration file (krb5.conf) that defines your Kerberos realm configuration. To avoid task execution errors, make sure that the service principal name (SPN) in the krb5.conf file matches exactly what you specify for KerberosPrincipal and in your keytab file.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberoskrb5conf
         '''
@@ -6851,11 +7354,9 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def kerberos_principal(self) -> typing.Optional[builtins.str]:
-        '''Specifies a Kerberos prinicpal, which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.
-
-        A Kerberos principal might look like ``HOST/kerberosuser@MYDOMAIN.ORG`` .
+        '''Specifies a service principal name (SPN), which is an identity in your Kerberos realm that has permission to access the files, folders, and file metadata in your SMB file server.
 
-        Principal names are case sensitive. Your DataSync task execution will fail if the principal that you specify for this parameter doesn’t exactly match the principal that you use to create the keytab file.
+        SPNs are case sensitive and must include a prepended cifs/. For example, an SPN might look like cifs/kerberosuser@EXAMPLE.COM. Your task execution will fail if the SPN that you provide for this parameter doesn't match exactly what's in your keytab or krb5.conf files.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-kerberosprincipal
         '''
@@ -6886,12 +7387,11 @@ class CfnLocationSMBProps:
 
     @builtins.property
     def server_hostname(self) -> typing.Optional[builtins.str]:
-        '''Specifies the domain name or IP address of the SMB file server that your DataSync agent connects to.
+        '''Specifies the domain name or IP address (IPv4 or IPv6) of the SMB file server that your DataSync agent connects to.
 
-        Remember the following when configuring this parameter:
+        .. epigraph::
 
-        - You can't specify an IP version 6 (IPv6) address.
-        - If you're using Kerberos authentication, you must specify a domain name.
+           If you're using Kerberos authentication, you must specify a domain name.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-locationsmb.html#cfn-datasync-locationsmb-serverhostname
         '''
@@ -6947,7 +7447,7 @@ class CfnLocationSMBProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ITaskRef_0571d67b, _ITaggable_36806126)
 class CfnTask(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -7071,7 +7571,8 @@ class CfnTask(
         task_mode: typing.Optional[builtins.str] = None,
         task_report_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.TaskReportConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::DataSync::Task``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param destination_location_arn: The Amazon Resource Name (ARN) of an AWS storage resource's location.
@@ -7084,8 +7585,8 @@ class CfnTask(
         :param options: Specifies your task's settings, such as preserving file metadata, verifying data integrity, among other options.
         :param schedule: Specifies a schedule for when you want your task to run. For more information, see `Scheduling your task <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ .
         :param tags: Specifies the tags that you want to apply to your task. *Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.
-        :param task_mode: Specifies one of the following task modes for your data transfer:. - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations. .. epigraph:: To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission. - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads. For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
-        :param task_report_config: Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ . When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
+        :param task_mode: The task mode that you're using. For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
+        :param task_report_config: The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9add9673a1f0ceb078949e967bce91066ff7e0441dae95d55c11c4a503a397a6)
@@ -7185,6 +7686,12 @@ class CfnTask(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
+    @builtins.property
+    @jsii.member(jsii_name="taskRef")
+    def task_ref(self) -> _TaskReference_56755658:
+        '''A reference to a Task resource.'''
+        return typing.cast(_TaskReference_56755658, jsii.get(self, "taskRef"))
+
     @builtins.property
     @jsii.member(jsii_name="destinationLocationArn")
     def destination_location_arn(self) -> builtins.str:
@@ -7343,7 +7850,7 @@ class CfnTask(
     @builtins.property
     @jsii.member(jsii_name="taskMode")
     def task_mode(self) -> typing.Optional[builtins.str]:
-        '''Specifies one of the following task modes for your data transfer:.'''
+        '''The task mode that you're using.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "taskMode"))
 
     @task_mode.setter
@@ -7358,7 +7865,7 @@ class CfnTask(
     def task_report_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TaskReportConfigProperty"]]:
-        '''Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer.'''
+        '''The configuration of your task report, which provides detailed information about your DataSync transfer.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TaskReportConfigProperty"]], jsii.get(self, "taskReportConfig"))
 
     @task_report_config.setter
@@ -7382,9 +7889,11 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the deleted section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to delete. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to delete.
+            This only applies if you configure your task to delete data in the destination that isn't in the source.
+
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-deleted.html
             :exampleMetadata: fixture=_generated
@@ -7410,9 +7919,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to delete.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to delete.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-deleted.html#cfn-datasync-task-deleted-reportlevel
             '''
             result = self._values.get("report_level")
@@ -7440,7 +7946,7 @@ class CfnTask(
             *,
             s3: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.S3Property", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Specifies where DataSync uploads your `task report <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
+            '''Specifies where DataSync uploads your task report.
 
             :param s3: Specifies the Amazon S3 bucket where DataSync uploads your task report.
 
@@ -7692,11 +8198,9 @@ class CfnTask(
         ) -> None:
             '''Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
-            For more information and configuration examples, see `Specifying what DataSync transfers by using a manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html>`_ .
-
-            :param bucket_access_role_arn: Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest. For more information, see `Providing DataSync access to your manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access>`_ .
-            :param manifest_object_path: Specifies the Amazon S3 object key of your manifest. This can include a prefix (for example, ``prefix/my-manifest.csv`` ).
-            :param manifest_object_version_id: Specifies the object version ID of the manifest that you want DataSync to use. If you don't set this, DataSync uses the latest version of the object.
+            :param bucket_access_role_arn: Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest.
+            :param manifest_object_path: Specifies the Amazon S3 object key of your manifest.
+            :param manifest_object_version_id: Specifies the object version ID of the manifest that you want DataSync to use.
             :param s3_bucket_arn: Specifies the Amazon Resource Name (ARN) of the S3 bucket where you're hosting your manifest.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html
@@ -7735,8 +8239,6 @@ class CfnTask(
         def bucket_access_role_arn(self) -> typing.Optional[builtins.str]:
             '''Specifies the AWS Identity and Access Management (IAM) role that allows DataSync to access your manifest.
 
-            For more information, see `Providing DataSync access to your manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html#transferring-with-manifest-access>`_ .
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-bucketaccessrolearn
             '''
             result = self._values.get("bucket_access_role_arn")
@@ -7746,8 +8248,6 @@ class CfnTask(
         def manifest_object_path(self) -> typing.Optional[builtins.str]:
             '''Specifies the Amazon S3 object key of your manifest.
 
-            This can include a prefix (for example, ``prefix/my-manifest.csv`` ).
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-manifestobjectpath
             '''
             result = self._values.get("manifest_object_path")
@@ -7757,8 +8257,6 @@ class CfnTask(
         def manifest_object_version_id(self) -> typing.Optional[builtins.str]:
             '''Specifies the object version ID of the manifest that you want DataSync to use.
 
-            If you don't set this, DataSync uses the latest version of the object.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-manifestconfigsources3.html#cfn-datasync-task-manifestconfigsources3-manifestobjectversionid
             '''
             result = self._values.get("manifest_object_version_id")
@@ -8211,12 +8709,12 @@ class CfnTask(
         ) -> None:
             '''Customizes the reporting level for aspects of your task report.
 
-            For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location.
+            For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that Datasync attempted to delete in your destination location.
 
-            :param deleted: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you `configure your task <https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html>`_ to delete data in the destination that isn't in the source.
-            :param skipped: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.
-            :param transferred: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.
-            :param verified: Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.
+            :param deleted: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location. This only applies if you configure your task to delete data in the destination that isn't in the source.
+            :param skipped: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
+            :param transferred: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
+            :param verified: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer. This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html
             :exampleMetadata: fixture=_generated
@@ -8262,9 +8760,9 @@ class CfnTask(
         def deleted(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.DeletedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location.
 
-            This only applies if you `configure your task <https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html>`_ to delete data in the destination that isn't in the source.
+            This only applies if you configure your task to delete data in the destination that isn't in the source.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-deleted
             '''
@@ -8275,7 +8773,7 @@ class CfnTask(
         def skipped(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.SkippedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-skipped
             '''
@@ -8286,7 +8784,7 @@ class CfnTask(
         def transferred(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.TransferredProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-transferred
             '''
@@ -8297,7 +8795,9 @@ class CfnTask(
         def verified(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.VerifiedProperty"]]:
-            '''Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify during your transfer.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer.
+
+            This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-overrides.html#cfn-datasync-task-overrides-verified
             '''
@@ -8411,9 +8911,9 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the skipped section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to skip. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to skip.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-skipped.html
             :exampleMetadata: fixture=_generated
@@ -8439,9 +8939,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to skip.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to skip.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-skipped.html#cfn-datasync-task-skipped-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8469,11 +8966,9 @@ class CfnTask(
             *,
             s3: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTask.ManifestConfigSourceS3Property", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Specifies the manifest that you want AWS DataSync to use and where it's hosted.
-
-            For more information and configuration examples, see `Specifying what DataSync transfers by using a manifest <https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html>`_ .
+            '''Specifies the manifest that you want DataSync to use and where it's hosted.
 
-            :param s3: Specifies the S3 bucket where you're hosting your manifest.
+            :param s3: Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-source.html
             :exampleMetadata: fixture=_generated
@@ -8504,7 +8999,7 @@ class CfnTask(
         def s3(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnTask.ManifestConfigSourceS3Property"]]:
-            '''Specifies the S3 bucket where you're hosting your manifest.
+            '''Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-source.html#cfn-datasync-task-source-s3
             '''
@@ -8698,7 +9193,7 @@ class CfnTask(
             '''Configures your AWS DataSync task to run on a `schedule <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ (at a minimum interval of 1 hour).
 
             :param schedule_expression: Specifies your task schedule by using a cron or rate expression. Use cron expressions for task schedules that run on a specific time and day. For example, the following cron expression creates a task schedule that runs at 8 AM on the first Wednesday of every month: ``cron(0 8 * * 3#1)`` Use rate expressions for task schedules that run on a regular interval. For example, the following rate expression creates a task schedule that runs every 12 hours: ``rate(12 hours)`` For information about cron and rate expression syntax, see the `*Amazon EventBridge User Guide* <https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html>`_ .
-            :param status: Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer. DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the `*DataSync User Guide* <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule>`_ .
+            :param status: Specifies whether to enable or disable your task schedule. Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system. DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see `TaskScheduleDetails <https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-taskschedule.html
             :exampleMetadata: fixture=_generated
@@ -8747,9 +9242,9 @@ class CfnTask(
         def status(self) -> typing.Optional[builtins.str]:
             '''Specifies whether to enable or disable your task schedule.
 
-            Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to perform maintenance on a storage system before you can begin a recurring DataSync transfer.
+            Your schedule is enabled by default, but there can be situations where you need to disable it. For example, you might need to pause a recurring transfer to fix an issue with your task or perform maintenance on your storage system.
 
-            DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see the `*DataSync User Guide* <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html#pause-task-schedule>`_ .
+            DataSync might disable your schedule automatically if your task fails repeatedly with the same error. For more information, see `TaskScheduleDetails <https://docs.aws.amazon.com/datasync/latest/userguide/API_TaskScheduleDetails.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-taskschedule.html#cfn-datasync-task-taskschedule-status
             '''
@@ -8778,9 +9273,9 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the transferred section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer.
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to transfer. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to transfer.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-transferred.html
             :exampleMetadata: fixture=_generated
@@ -8806,9 +9301,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to transfer.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to transfer.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-transferred.html#cfn-datasync-task-transferred-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8836,9 +9328,11 @@ class CfnTask(
             *,
             report_level: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The reporting level for the verified section of your DataSync task report.
+            '''Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer.
+
+            This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default)
 
-            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. - ``ERRORS_ONLY`` : A report shows what DataSync was unable to verify. - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to verify.
+            :param report_level: Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-verified.html
             :exampleMetadata: fixture=_generated
@@ -8864,9 +9358,6 @@ class CfnTask(
         def report_level(self) -> typing.Optional[builtins.str]:
             '''Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't.
 
-            - ``ERRORS_ONLY`` : A report shows what DataSync was unable to verify.
-            - ``SUCCESSES_AND_ERRORS`` : A report shows what DataSync was able and unable to verify.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-datasync-task-verified.html#cfn-datasync-task-verified-reportlevel
             '''
             result = self._values.get("report_level")
@@ -8931,8 +9422,8 @@ class CfnTaskProps:
         :param options: Specifies your task's settings, such as preserving file metadata, verifying data integrity, among other options.
         :param schedule: Specifies a schedule for when you want your task to run. For more information, see `Scheduling your task <https://docs.aws.amazon.com/datasync/latest/userguide/task-scheduling.html>`_ .
         :param tags: Specifies the tags that you want to apply to your task. *Tags* are key-value pairs that help you manage, filter, and search for your DataSync resources.
-        :param task_mode: Specifies one of the following task modes for your data transfer:. - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations. .. epigraph:: To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission. - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads. For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
-        :param task_report_config: Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ . When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
+        :param task_mode: The task mode that you're using. For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
+        :param task_report_config: The configuration of your task report, which provides detailed information about your DataSync transfer. For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html
         :exampleMetadata: fixture=_generated
@@ -9185,17 +9676,9 @@ class CfnTaskProps:
 
     @builtins.property
     def task_mode(self) -> typing.Optional[builtins.str]:
-        '''Specifies one of the following task modes for your data transfer:.
-
-        - ``ENHANCED`` - Transfer virtually unlimited numbers of objects with higher performance than Basic mode. Enhanced mode tasks optimize the data transfer process by listing, preparing, transferring, and verifying data in parallel. Enhanced mode is currently available for transfers between Amazon S3 locations.
+        '''The task mode that you're using.
 
-        .. epigraph::
-
-           To create an Enhanced mode task, the IAM role that you use to call the ``CreateTask`` operation must have the ``iam:CreateServiceLinkedRole`` permission.
-
-        - ``BASIC`` (default) - Transfer files or objects between AWS storage and all other supported DataSync locations. Basic mode tasks are subject to `quotas <https://docs.aws.amazon.com/datasync/latest/userguide/datasync-limits.html>`_ on the number of files, objects, and directories in a dataset. Basic mode sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads.
-
-        For more information, see `Understanding task mode differences <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html#task-mode-differences>`_ .
+        For more information, see `Choosing a task mode for your data transfer <https://docs.aws.amazon.com/datasync/latest/userguide/choosing-task-mode.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html#cfn-datasync-task-taskmode
         '''
@@ -9206,12 +9689,10 @@ class CfnTaskProps:
     def task_report_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnTask.TaskReportConfigProperty]]:
-        '''Specifies how you want to configure a task report, which provides detailed information about your DataSync transfer.
+        '''The configuration of your task report, which provides detailed information about your DataSync transfer.
 
         For more information, see `Monitoring your DataSync transfers with task reports <https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html>`_ .
 
-        When using this parameter, your caller identity (the role that you're using DataSync with) must have the ``iam:PassRole`` permission. The `AWSDataSyncFullAccess <https://docs.aws.amazon.com/datasync/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsdatasyncfullaccess>`_ policy includes this permission.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-datasync-task.html#cfn-datasync-task-taskreportconfig
         '''
         result = self._values.get("task_report_config")
@@ -10342,6 +10823,8 @@ def _typecheckingstub__bafa6101408857d4661895c88a8c9839da8768aa52e07d3f2889a4f27
     *,
     agent_arns: typing.Sequence[builtins.str],
     authentication_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
     domain: typing.Optional[builtins.str] = None,
     kerberos_keytab: typing.Optional[builtins.str] = None,
@@ -10381,6 +10864,18 @@ def _typecheckingstub__35de39b9b573d0d6146fa84be08e6a3a14ff5e9ece5535c93fc8af130
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__e407ec55488adbc9f81891a5e15e237e234b987b6214eb331162a8b63f344324(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CmkSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__fde88b8f3a9b839e4f9087f93f80eb219e3a48609302336a5ed68bd2edec2ebb(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLocationSMB.CustomSecretConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__dc011a04f6ce95bde8af4cc9451501d73cdf7696b6089617c22a1d8aa112d7be(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -10447,6 +10942,29 @@ def _typecheckingstub__9112e8b177e52fbd055f221015988972f906f8c7291b4a1992bb1656c
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__9351aeda2a3946543003130a0d3d622afa774937076186eaabf4b996745ca99f(
+    *,
+    kms_key_arn: typing.Optional[builtins.str] = None,
+    secret_arn: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6049f29f723d7f92a691c991b6232a25e39ba58d2d4400b1c499f542a7a8aee7(
+    *,
+    secret_access_role_arn: builtins.str,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5db7c95a4b68a63cb100ea0ecc9392535271eaf1c99519a96ebecbd32455f91c(
+    *,
+    secret_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__465428a8e33c33a3926562e4b4d3d671db7fc7f2d1ff95443e6224cb280e8c00(
     *,
     version: typing.Optional[builtins.str] = None,
@@ -10458,6 +10976,8 @@ def _typecheckingstub__b20670d7cb18baa1155ccc397df310282442d51b95170ab568e5c0a9c
     *,
     agent_arns: typing.Sequence[builtins.str],
     authentication_type: typing.Optional[builtins.str] = None,
+    cmk_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CmkSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    custom_secret_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLocationSMB.CustomSecretConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     dns_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
     domain: typing.Optional[builtins.str] = None,
     kerberos_keytab: typing.Optional[builtins.str] = None,