AWS Security ChangesHomeSearch

AWS evs documentation change

Service: evs · 2026-03-25 · Documentation medium

File: evs/latest/userguide/security-iam-awsmanpol.md

Summary

Updated AmazonEVSServiceRolePolicy documentation to include new permissions for retrieving vCenter credentials from Secrets Manager and decrypting KMS-encrypted secrets, both scoped with resource tag conditions (EvsAccess=true)

Security assessment

This change documents expanded IAM permissions for Amazon EVS service role, specifically for accessing secrets and KMS keys with tag-based resource conditions. While this is security documentation about IAM policies and access controls, there is no evidence it addresses a specific security vulnerability. The tag conditions (EvsAccess=true) represent a security improvement by scoping permissions.

Diff

diff --git a/evs/latest/userguide/security-iam-awsmanpol.md b/evs/latest/userguide/security-iam-awsmanpol.md
index c86b2df95..ccb3c3c80 100644
--- a//evs/latest/userguide/security-iam-awsmanpol.md
+++ b//evs/latest/userguide/security-iam-awsmanpol.md
@@ -33 +33,3 @@ This policy includes the following permissions that allow Amazon EVS to complete
-  * `secretsmanager` \- Delete VCF passwords that Amazon EVS creates and stores in AWS Secrets Manager during environment creation. Amazon EVS deletes all secrets that the service creates in your account if environment creation fails, or if you request environment deletion.
+  * `secretsmanager` \- Delete VCF passwords that Amazon EVS creates and stores in AWS Secrets Manager during environment creation. Amazon EVS deletes all secrets that the service creates in your account if environment creation fails, or if you request environment deletion. Retrieve vCenter credentials from AWS Secrets Manager when you configure a vCenter connector by providing a secret ARN. The permission is scoped with a resource tag condition `EvsAccess=true` to ensure Amazon EVS only accesses secrets explicitly tagged for Amazon EVS vCenter access.
+
+  * `kms` \- Decrypt secrets and describe KMS keys when vCenter credentials stored in Secrets Manager are encrypted with KMS keys. The permission is scoped with a resource tag condition `EvsAccess=true` to ensure Amazon EVS only accesses KMS keys explicitly tagged for vCenter access.
@@ -47,0 +50 @@ Change | Description | Date
+AmazonEVSServiceRolePolicy — Policy updated |  Amazon EVS updated the policy to allow the service to retrieve vCenter credentials from AWS Secrets Manager and decrypting secrets encrypted with KMS keys. To learn more, see AWS managed policy: AmazonEVSServiceRolePolicy. |  March 23, 2026