AWS Security ChangesHomeSearch

AWS evs high security documentation change

Service: evs · 2026-07-04 · Security-related high

File: evs/latest/userguide/evs-env-create-connector.md

Summary

Updated prerequisites section with detailed credential requirements per connector type, clarified secret management procedures in AWS Secrets Manager, and added tagging requirements for secrets/KMS keys.

Security assessment

Explicitly mandates least-privilege credentials (read-only access) and provides specific secret key requirements per connector type. Requires security tagging ('EvsAccess=true') for Secrets Manager secrets and associated KMS keys, directly addressing access control and credential security.

Diff

diff --git a/evs/latest/userguide/evs-env-create-connector.md b/evs/latest/userguide/evs-env-create-connector.md
index 7023eaec7..76236512f 100644
--- a//evs/latest/userguide/evs-env-create-connector.md
+++ b//evs/latest/userguide/evs-env-create-connector.md
@@ -6,0 +7,2 @@
+Prerequisites
+
@@ -15 +17 @@ More info on connectors can be found under [Concepts and components of Amazon EV
-Before creating a connector, we recommend you create a dedicated vCenter user with a ReadOnly role. Avoid using credentials with elevated or administrative permission.
+Use credentials with the minimum permissions required for the appliance type. For **vCenter** and **Operations Manager** , create a dedicated read-only user. For **SDDC Manager** , scope the API key to the read-only access that Amazon EVS requires. Avoid using credentials with elevated or administrative permissions.
@@ -17 +19 @@ Before creating a connector, we recommend you create a dedicated vCenter user wi
-###### Note
+## Prerequisites
@@ -19 +21 @@ Before creating a connector, we recommend you create a dedicated vCenter user wi
-Before creating a connector, you must create a secret in AWS Secrets Manager with your appliance credentials. The secret must contain two keys `username` and `password`. The values must be the login credentials for the dedicated user you created for the appliance specified in the connector.
+Before you create a connector, store the appliance credentials in AWS Secrets Manager and tag the secret so that Amazon EVS can access it. Each connector maps to a single appliance FQDN, so create a separate secret for each appliance.
@@ -21 +23 @@ Before creating a connector, you must create a secret in AWS Secrets Manager wit
-###### Important
+  1. In AWS Secrets Manager, create a secret that contains the keys for your connector type:
@@ -23 +25,5 @@ Before creating a connector, you must create a secret in AWS Secrets Manager wit
-You must add the tag `EvsAccess=true` to your Secrets Manager secret. If you encrypted the secret with your own AWS KMS key, then add the `EvsAccess=true` tag to the AWS KMS key as well.
+Connector type | VCF version | Required secret keys | Description  
+---|---|---|---  
+`VCENTER` |  5.2.x, 9.0.x, 9.1.x |  `username` and `password` |  Monitors VM lifecycle events for entitled VMs.  
+`OPERATIONS_MANAGER` |  9.0.x, 9.1.x |  `username` and `password` |  VCF 9.0.x and 9.1.x appliance that Amazon EVS uses to verify that your environment has valid entitlements. Replaces the license-management functions of SDDC Manager.  
+`SDDC_MANAGER` |  5.2.x |  `apiKey` |  VCF 5.2.x appliance that Amazon EVS uses to validate host counts and license-key coverage.  
@@ -25 +31,3 @@ You must add the tag `EvsAccess=true` to your Secrets Manager secret. If you enc
-###### Note
+The values must be the login credentials for the dedicated user you created for the appliance specified in the connector.
+
+  2. Add the tag `EvsAccess=true` to the Secrets Manager secret. If you encrypted the secret with your own AWS KMS key, also add the `EvsAccess=true` tag to the AWS KMS key.
@@ -27 +34,0 @@ You must add the tag `EvsAccess=true` to your Secrets Manager secret. If you enc
-Each connector maps to a single appliance FQDN.
@@ -29 +35,0 @@ Each connector maps to a single appliance FQDN.
-###### Note
@@ -31 +36,0 @@ Each connector maps to a single appliance FQDN.
-Only one connector of type vCenter is allowed per environment.
@@ -35 +40 @@ Only one connector of type vCenter is allowed per environment.
-The FQDN must be valid, match the domain name used when creating your EVS environment, and be unique across all connectors in the environment.
+If the required connector is not created or becomes unreachable, Amazon EVS reports impaired environment health through AWS Health notifications.
@@ -39 +44 @@ The FQDN must be valid, match the domain name used when creating your EVS enviro
-Connector creation does not validate appliance reachability or credentials. After the connector state is Active, the reachability check status will update from Unknown to Passed or Failed asynchronously within 10 minutes.
+Connector creation is asynchronous and does not validate appliance reachability or credentials. After the connector state reaches `ACTIVE`, the reachability check status updates from `UNKNOWN` to `PASSED` or `FAILED` within 10 minutes.