AmazonEVSServiceRolePolicy
Description: Grants permissions to EVS to manage resources on your behalf
AmazonEVSServiceRolePolicy is an AWS managed policy.
Using this policy
This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your users, groups, or roles.
Policy details
-
Type: Service-linked role policy
-
Creation time: May 16, 2025, 23:37 UTC
-
Edited time: August 14, 2025, 16:04 UTC
-
ARN:
arn:aws:iam::aws:policy/aws-service-role/AmazonEVSServiceRolePolicy
Policy version
Policy version: v3 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DescribeNetworkStatement", "Effect" : "Allow", "Action" : [ "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeNetworkInterfaces" ], "Resource" : "*" }, { "Sid" : "CreateEniInSubnetStatement", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface" ], "Resource" : [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*" ] }, { "Sid" : "ManageSubnetStatement", "Effect" : "Allow", "Action" : [ "ec2:DeleteSubnet" ], "Resource" : "arn:aws:ec2:*:*:subnet/*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "CreateEniWithTagStatement", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface" ], "Resource" : "arn:aws:ec2:*:*:network-interface/*", "Condition" : { "Null" : { "aws:RequestTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "TagOnCreateNetworkInterface", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : "arn:aws:ec2:*:*:network-interface/*", "Condition" : { "Null" : { "aws:RequestTag/AmazonEVSManaged" : "false" }, "StringEquals" : { "ec2:CreateAction" : [ "CreateNetworkInterface" ] } } }, { "Sid" : "ManageEniStatement", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:AssignIpv6Addresses" ], "Resource" : "arn:aws:ec2:*:*:network-interface/*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "ManageInstanceStatement", "Effect" : "Allow", "Action" : [ "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeInstanceAttribute" ], "Resource" : "arn:aws:ec2:*:*:instance/*", "Condition" : { "Null" : { "aws:ResourceTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "DescribeInstanceAndVolumeStatement", "Effect" : "Allow", "Action" : [ "ec2:DescribeInstances", "ec2:DescribeVolumes" ], "Resource" : "*" }, { "Sid" : "ManageVolumeStatement", "Effect" : "Allow", "Action" : [ "ec2:DeleteVolume", "ec2:DetachVolume" ], "Resource" : [ "arn:aws:ec2:*:*:volume/*" ], "Condition" : { "Null" : { "aws:ResourceTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "ManageSecretStatement", "Effect" : "Allow", "Action" : [ "secretsmanager:DeleteSecret" ], "Resource" : [ "arn:aws:secretsmanager:*:*:secret:*" ], "Condition" : { "Null" : { "aws:ResourceTag/AmazonEVSManaged" : "false" } } }, { "Sid" : "UpdateSecurityGroupStatement", "Effect" : "Allow", "Action" : [ "ec2:ModifyNetworkInterfaceAttribute" ], "Resource" : "arn:aws:ec2:*:*:security-group/*" }, { "Sid" : "CloudWatchPutMetricDataStatement", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricData" ], "Resource" : "*", "Condition" : { "StringEquals" : { "cloudwatch:namespace" : [ "AWS/Usage", "AWS/EVS" ] } } } ] }
Learn more
