AWS evs medium security documentation change
Summary
Expanded AmazonEVSServiceRolePolicy permissions documentation to include EC2 instance management, EBS volume cleanup, Secrets Manager secret deletion, and CloudWatch metrics updates
Security assessment
The policy now explicitly includes permissions for deleting EC2 instances, managing EBS volumes containing Cloud Builder artifacts, and automatically deleting Secrets Manager credentials. These changes demonstrate enhanced security controls around resource lifecycle management and credential cleanup, directly addressing potential security risks from lingering resources or credentials.
Diff
diff --git a/evs/latest/userguide/security-iam-awsmanpol.md b/evs/latest/userguide/security-iam-awsmanpol.md index f05e085c5..c86b2df95 100644 --- a//evs/latest/userguide/security-iam-awsmanpol.md +++ b//evs/latest/userguide/security-iam-awsmanpol.md @@ -19 +19 @@ You can’t attach `AmazonEVSServiceRolePolicy` to your IAM entities. This polic -This policy allows the service-linked role to call AWS services on your behalf. +This policy allows the `AWSServiceRoleForAmazonEVS` service-linked role to call AWS services on your behalf. @@ -25 +25 @@ This policy includes the following permissions that allow Amazon EVS to complete - * `ec2` \- Create, modify, tag, and delete an elastic network interface that is used to establish a persistent connection between Amazon EVS and a VMware Virtual Cloud Foundation (VCF) SDDC Manager appliance in the customer’s VPC subnet. This connectivity is required for Amazon EVS to be able to deploy, manage, and monitor the VCF deployment. + * `ec2` \- Discover VPC networking components, including subnets and VPCs. Create, modify, tag, and delete elastic network interfaces that are used to establish a persistent connection between Amazon EVS and the VMware Virtual Cloud Foundation (VCF) SDDC Manager appliance in your VPC subnet. This connectivity is required for Amazon EVS to deploy, manage, and monitor the VCF deployment. @@ -27 +27 @@ This policy includes the following permissions that allow Amazon EVS to complete - * `ec2` \- Perform the `DeleteSubnet` operation on Amazon EVS VLAN subnets. This permission allows Amazon EVS to delete VLAN subnets on the customer’s behalf when the environment is deleted. + * `ec2` \- Delete EC2 instances that Amazon EVS creates when you make an EVS host deletion request. Describe and modify EC2 instance attributes so that default EC2 instance termination and stop protection can be disabled if needed to support EVS host deletion. @@ -29 +29 @@ This policy includes the following permissions that allow Amazon EVS to complete - * `cloudwatch` \- Publish Amazon EVS usage metrics to CloudWatch. + * `ec2` \- Manage EBS volumes for Cloud Builder installation and cleanup. During environment creation, Cloud Builder is installed onto one of the Amazon EVS deployed hosts to perform VCF configuration changes. After completion, Amazon EVS removes Cloud Builder by detaching and deleting the EC2 volume it is stored on. @@ -30,0 +31 @@ This policy includes the following permissions that allow Amazon EVS to complete + * `ec2` \- Delete EVS VLAN subnets on your behalf if you request environment deletion. @@ -31,0 +33 @@ This policy includes the following permissions that allow Amazon EVS to complete + * `secretsmanager` \- Delete VCF passwords that Amazon EVS creates and stores in AWS Secrets Manager during environment creation. Amazon EVS deletes all secrets that the service creates in your account if environment creation fails, or if you request environment deletion. @@ -32,0 +35 @@ This policy includes the following permissions that allow Amazon EVS to complete + * `cloudwatch` \- Publish AWS usage metrics to CloudWatch for Amazon EVS resources that have quotas. @@ -34 +37,4 @@ This policy includes the following permissions that allow Amazon EVS to complete -To view the latest version of the JSON policy document, see [AmazonEVSServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEVSServiceRolePolicy.html) in the _AWS Managed Policy Reference Guide_. + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AmazonEVSServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEVSServiceRolePolicy.html) in the _AWS Managed Policy Reference Guide_. @@ -41,0 +48 @@ Change | Description | Date +AmazonEVSServiceRolePolicy — Policy updated | Amazon EVS updated the policy to add comprehensive resource management capabilities including EC2 instance management, EBS volume operations, and AWS Secrets Manager integration. To learn more, see AWS managed policy: AmazonEVSServiceRolePolicy. | August 14, 2025