From 55b4f1c42fa1c069eb05a8f52182c64ca79cce3c Mon Sep 17 00:00:00 2001 From: mickael-hc <86245626+mickael-hc@users.noreply.github.com> Date: Wed, 20 Mar 2024 10:54:43 -0400 Subject: [PATCH] docs: secrets-sync - move destination note (#26044) --- website/content/docs/sync/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/website/content/docs/sync/index.mdx b/website/content/docs/sync/index.mdx index 46a984d785..d3f61980f2 100644 --- a/website/content/docs/sync/index.mdx +++ b/website/content/docs/sync/index.mdx @@ -129,6 +129,10 @@ The secret synced with the old granularity will be deleted and new secrets will ## Security +~> Note: Vault does not control the permissions at the destination. It is the responsibility +of the operator to configure and maintain proper access controls on the external system so synced +secrets are not accessed unintentionally. + ### Vault access requirements Vault verifies the client has read access on the secret before syncing it with any destination. This additional check is @@ -193,9 +197,6 @@ Likewise, if the client tries to sync this secret to any destination they will r This read access verification is only done when creating or updating an association. Once the association is created, revoking read access to the policy that was used to sync the secret has no effect. -Vault does not control the permissions at the destination. It is the responsibility of the operator to configure proper -read access on the external system so synced secrets are not accessed unintentionally. - ### Collisions and overwrites Secrets Sync operates with a last-write-wins strategy. If a secret with the same name already exists at the destination,
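Review bot: in the first hunk (the `~>` callout added directly under `## Security`), the phrase "so synced secrets are not accessed unintentionally" is vaguer than the point the rest of the section makes; since the page already states that Vault only checks read access at association time and that revoking it afterwards "has no effect", the callout could say plainly that after a sync the secret's exposure is governed solely by the destination's own access controls, not by Vault policies, which is why the operator must both configure and maintain them. The wording "configure and maintain proper access controls" is a useful strengthening of the removed paragraph's "configure proper read access", but it would help to keep "read" in the sentence (e.g. "proper access controls, in particular read permissions on the synced secret") so operators know which permission the warning is about.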
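Review bot: the second hunk removes the destination-permissions paragraph that followed "revoking read access to the policy that was used to sync the secret has no effect", so that sentence now closes the "Vault access requirements" subsection with no reminder that responsibility shifts to the external system at that point. Consider leaving a one-line pointer in its place (e.g. "See the note at the top of this section on destination permissions.") so a reader who lands on this paragraph via a direct link does not miss the relocated warning. Also confirm the scope change is intentional: the deleted text limited the operator's duty to "proper read access", while the new callout broadens it to "access controls" in general.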