Access setup for AWS service accounts
Cloud Discovery and Cloud Provisioning and Governance need access to resources in the Amazon Web Services (AWS) service accounts. Learn about different methods of configuring such access.
Cloud Discovery and Cloud Provisioning and Governance access resources in AWS service accounts through MID Servers. You must authorize inbound traffic to Amazon EC2 instances from the MID server for setting up initial communication. For more information, see Configure security group inbound rules using the AWS Management Console.
Types of AWS credentials
- Permanent
- The permanent credentials are the actual AWS credentials for the service account that you add to the Connections and Credentials module of ServiceNow AI Platform. While it may be time-consuming to manage credentials on ServiceNow AI Platform, you avoid the complex configuration involved in using temporary credentials.
- Temporary
- The temporary credentials are generated by the AWS Security Token Service (AWS STS) for IAM roles. After you configure IAM roles for AWS accounts, the MID Server accesses AWS resources with these temporary credentials. You can use the default IAM role, OrganizationAccountAccessRole, or create custom IAM roles.
Assuming IAM roles in a large AWS organization is more convenient and offers better security than using large numbers of permanent credentials for all AWS accounts. Temporary credentials are only acquired on behalf of a service account when there’s no permanent credential specified for that service account in the Service Accounts [cmdb_ci_cloud_service_account] table.
The MID Server uses the AssumeRole action in the AWS Security Token Service API to assume a member account role. Parameters passed to this API determine which additional security restrictions are applied to the role when it accesses the AWS resources.
By default, the MID Server is configured to assume the OrganizationAccountAccessRole, which grants temporary credentials to all the members of a primary account. This action occurs automatically if no permanent credentials exist for the member accounts. This configuration doesn't apply any additional security or restrict access to any resources in member accounts.
By default, the ServiceNow instance caches temporary credentials for member accounts for 60 minutes. This interval allows the horizontal discovery process to run multiple times without generating new credentials during each discovery. You can prevent credential caching or modify the caching period using MID Server properties.
IAM roles and permissions
To enhance security provided by the default AWS OrganizationAccountAccessRole role, you can customize the AWS roles that MID Servers can assume to receive temporary credentials for member accounts. You can configure additional permissions to improve security and customize the way that the member account’s role is assumed when discovering cloud resources.
Methods of granting access
- Trusting accounts
- The trusting accounts don't have permanent AWS credentials. You configure the trust relationship for IAM roles in these accounts to rely on other accounts for access.
- Trusted accounts
- The trusted accounts are used by the trusting accounts for access. The ServiceNow UI refers to the trusted accounts as accessor accounts.
- Configure access to the AWS accounts using permanent AWS credentials
Configure the actual AWS credentials at the ServiceNow AI Platform to avoid the complexity of creating and setting up IAM roles.
- Configure access using temporary credentials based on trusted AWS accounts with AWS credentials
Configure the AWS accounts to rely on the trusted account for access. This setup works for any type of account: discrete (independent), management, or member. If you configure the trusted account with the AWS credentials at the ServiceNow AI Platform, you can configure an IAM role belonging to the trusting accounts to trust the user of the trusted account. This way you can use only one set of AWS credentials for providing access to multiple AWS accounts.
Figure 1. Setting up any AWS account to rely on a trusted account with AWS credentials
- Configure access using temporary credentials based on trusted AWS accounts without AWS credentials
To use an account without AWS credentials (credential-less account), you must first configure that account with an IAM role and permissions to access the trusting service account. Then you set up the IAM role of the trusting account to grant access to the IAM role of the trusted account.
Figure 2. Setting up any AWS account to rely on a trusted account without AWS credentials
- Configure access using temporary credentials for trusting AWS member accounts
If you use AWS Organizations, you can configure AWS member accounts to rely on their management account for access. In that case, you configure the IAM roles of the member accounts to trust the IAM role of their management account. It doesn't matter whether the management account itself relies on an account with or without AWS credentials.
Figure 3. Configuring member accounts to use their management account for access
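The trust relationships in Figures 1 to 3 are expressed in AWS as the trust policy of the IAM role in the trusting account. The following added example (not part of the ServiceNow documentation) builds that policy for an accessor with stored credentials (IAM user principal, Figure 1) and for a credential-less accessor (IAM role principal, Figure 2), and audits a policy for trust that is wider than the one expected accessor. The ARNs are constructed placeholders, and the optional sts:ExternalId condition is an AWS AssumeRole feature used here as an assumption about the "additional security restrictions" the page mentions.

```python
import json
from typing import List, Optional, Set

# Constructed placeholder ARNs for the accessor (trusted) account.
ACCESSOR_USER = "arn:aws:iam::111111111111:user/servicenow-discovery"   # Figure 1
ACCESSOR_ROLE = "arn:aws:iam::111111111111:role/ServiceNowAccessorRole"  # Figure 2


def trust_policy(principal_arn: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for the IAM role in a trusting account.

    principal_arn is the accessor's IAM user or role (or, for Figure 3, the
    management account's role). external_id adds an sts:ExternalId condition
    (assumed use of AWS's AssumeRole parameter, not stated on the page)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def audit_trust_policy(policy: dict, allowed: Set[str]) -> List[str]:
    """Flag AssumeRole grants to anything other than the expected accessor."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or p.endswith(":root"):   # whole account or everyone
                findings.append(f"over-broad principal {p}")
            elif p not in allowed:
                findings.append(f"unexpected principal {p}")
    return findings


if __name__ == "__main__":
    for arn in (ACCESSOR_USER, ACCESSOR_ROLE):
        policy = trust_policy(arn, external_id="constructed-ext-id")
        print(json.dumps(policy, indent=2), audit_trust_policy(policy, {arn}))
```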
How Cloud Discovery determines which credentials to use
- If permanent credentials are defined for the member account in the Cloud Service Account [cmdb_ci_cloud_service_account] table, Discovery uses those credentials. The Cloud Service Account [cmdb_ci_cloud_service_account] table contains the information on the service account types, like management or member, and their credentials.
- If no permanent credentials are defined for the member account, Discovery checks the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table for any special parameters associated with the member account. If parameters exist in that table, Discovery uses the temporary credentials acquired from specifying a role and its parameters in the AWS Security Token Service API AssumeRole action.
- If no special parameters are associated with the member account in the [cloud_service_account_aws_org_assume_role_params] table, Discovery checks that table for parameters associated with the management account. If parameters exist that define a role for the management account, Discovery uses the temporary credentials provided by that role.
- If no special parameters are present in the [cloud_service_account_aws_org_assume_role_params] table for either management or member accounts, Discovery uses the defaults defined for the OrganizationAccountAccessRole role.
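The four-step lookup above, as an added Python example that is not part of the ServiceNow documentation. The two dictionaries are constructed stand-ins for the two tables the page names, their column names are assumptions, the account ids are placeholders, and `external_id` is an assumed example of an AssumeRole parameter.

```python
from typing import Dict

# Constructed rows standing in for the Cloud Service Account
# [cmdb_ci_cloud_service_account] table: type, stored permanent credential
# (or None) and the management account the member belongs to (or None).
SERVICE_ACCOUNTS: Dict[str, dict] = {
    "111111111111": {"type": "management", "credential": "aws-mgmt-cred", "parent": None},
    "222222222222": {"type": "member", "credential": None, "parent": "111111111111"},
    "333333333333": {"type": "member", "credential": "aws-member-cred", "parent": "111111111111"},
    "444444444444": {"type": "member", "credential": None, "parent": "111111111111"},
    "555555555555": {"type": "management", "credential": None, "parent": None},
    "666666666666": {"type": "member", "credential": None, "parent": "555555555555"},
}
# Constructed rows standing in for the Cloud Service Account AWS Org Assume
# Role Params [cloud_service_account_aws_org_assume_role_params] table.
ASSUME_ROLE_PARAMS: Dict[str, dict] = {
    "111111111111": {"role_name": "OrgDiscoveryRole", "external_id": "constructed-ext-id"},
    "222222222222": {"role_name": "MemberDiscoveryRole"},
}
DEFAULT_ROLE = "OrganizationAccountAccessRole"


def resolve_credentials(account_id: str, accounts=SERVICE_ACCOUNTS,
                        params=ASSUME_ROLE_PARAMS) -> dict:
    """Apply the page's lookup order for one account being discovered."""
    acct = accounts[account_id]
    # 1. A permanent credential on the service account wins outright.
    if acct["credential"]:
        return {"source": "permanent", "credential": acct["credential"]}
    # 2. AssumeRole parameters defined for the member account itself.
    if account_id in params:
        chosen, via = params[account_id], "member"
    # 3. Otherwise parameters defined on its management account.
    elif acct["parent"] in params:
        chosen, via = params[acct["parent"]], "management"
    # 4. Otherwise the default OrganizationAccountAccessRole.
    else:
        chosen, via = {"role_name": DEFAULT_ROLE}, "default"
    # Whatever the source of the parameters, the role assumed lives in the
    # member account being discovered.
    return {
        "source": "temporary",
        "via": via,
        "role_arn": f"arn:aws:iam::{account_id}:role/{chosen['role_name']}",
        "external_id": chosen.get("external_id"),
    }
```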