AWS

Request apps on the Store

Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

The integration uses AWS native technologies and AWS security best practices to enable cloud teams to connect the data within their ServiceNow workflow. For more information about the Service Graph Connector for AWS, see the Service Graph Connector for AWS - Introduction article on the ServiceNow Community site.

Supported ServiceNow versions

Xanadu
Yokohama
Zurich
Australia

Use cases

The following are examples on how you can use the Service Graph Connector for different ServiceNow applications:

Visibility into cloud resources, relationships, and state in real time.
Deep discovery of applications for ITAM or SAM outcomes.
Governance and compliance outcome.

Important information for upgrading Service Graph Connector for AWS

Before you begin the upgrade process, complete the following tasks:

If there are any customizations, delete the records associated with the Service Graph Connector for AWS from the Customer Updates [sys_update_xml] table. See Customer Updates table.
Upgrade any dependencies.

After you've installed the latest version of the Service Graph Connector for AWS:

Perform a full import of data from your AWS instance. Verify that the Use last run datetime field value is cleared for all the AWS data sources in the Data Source [sys_data_source] table.
Download and rerun the AWS scripts. See Configure the AWS environment.

Configuring a connection for the connector

You can configure a connection for the connector by using the SGC Central view in the Service Graph Workspace or CMDB Workspace. The view enables you to discover and install connectors, and then effectively manage the full life cycle of creating, editing, monitoring, and debugging connections. To configure the connector using SGC Central, see Configure Service Graph Connector for AWS using SGC Central.

Importante:

Unless there are configuration issues, use the SGC Central view in the Service Graph Workspace or CMDB Workspace to configure the connection for the connector, as the guided setup method is planned for deprecation.

CMDB integrations dashboard

The Integration Commons for CMDB store app provides a dashboard with a central view of the status, processing results, and processing errors of all installed integrations. You can see metrics for all integration runs. You can filter the view to a specific CMDB integration, a specific time duration, or a specific integration run. For more details about monitoring AWS integrations in the CMDB Integrations Dashboard, see Using the CMDB Integrations Dashboard.

Data mapping

Data from the AWS data sources is mapped and transformed into the ServiceNow CMDB Configuration Item (CI) class definitions using the Robust Transform Engine (RTE). Data is inserted into the ServiceNow CMDB using the Identification and Reconciliation Engine (IRE).

Nota:

If the Use last run datetime field for an AWS data source in the Data Source [sys_data_source] table is empty, the connector imports all available initial data. If the Use last run datetime field includes a date stamp, the connector imports incremental data that has been newly added since the previous run.

The following table lists the import schedule order, the data sources and import schedules of the same name, the staging tables, the target tables as CMDB CI classes, the import schedule requirement type, and the import schedule dependencies for AWS.

Tabela 1. Data mapping for AWS
Order	Name (data source or import schedule)	Staging table	CMDB CI classes	Import schedule requirement type	Import schedule dependencies
1	SG-AWS-Organization	SG-AWS-Organization [sn_aws_integ_sg_aws_organization]	Cloud Organizations	Required	None
2	SG-AWS-Org-Units	SG-AWS-Org-Units [sn_aws_integ_sg_aws_org_units]	AWS Organizational Unit	Optional	SG-AWS-Organization
3	SG-AWS-Service-Account	SG-AWS-Service-Account [sn_aws_integ_sg_aws_service_account]	Cloud Service Account Cloud Organizations Key Value	Required	SG-AWS-Organization
4	SG-AWS-Service-Account-Tags	SG-AWS-Service-Account-Tags [sn_aws_integ_sg_aws_service_account_tags]	Cloud Service Account Key Value	Optional	SG-AWS-Organization SG-AWS-Service-Account
5	SG-AWS-Org-Unit-Accounts	SG-AWS-Org-Unit-Accounts [sn_aws_integ_sg_aws_org_unit_accounts]	Cloud Service Account	Optional	SG-AWS-Organization SG-AWS-Service-Account
6	SG-AWS-Datacenters	SG-AWS-Datacenters [sn_aws_integ_sg_aws_datacenters]	Cloud Service Account AWS Datacenter	Required	SG-AWS-Organization SG-AWS-Service-Account
7	SG-AWS-VPC	SG-AWS-VPC [sn_aws_integ_sg_aws_vpc]	Cloud Service Account Cloud Network AWS Datacenter Key Value SG-AWS Extension Attributes	Required	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
8	SG-AWS-Subnets	SG-AWS-Subnets [sn_aws_integ_sg_aws_subnets]	Availability Zone Cloud Network Cloud Subnet AWS Datacenter Key Value SG-AWS Extension Attributes	Required	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
9	SG-AWS-Network-Interface	SG-AWS-Network-Interface [sn_aws_integ_sg_aws_network_interface]	Cloud Network Cloud Subnet Cloud Mgmt Network Interface AWS Datacenter Key Value SG-AWS Extension Attributes	Required for a virtual machine (VM) instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
10	SG-AWS-Security-Group	SG-AWS-Security-Group [sn_aws_integ_sg_aws_security_group]	Cloud Network Compute Security Group AWS Datacenter Key Value SG-AWS Extension Attributes	Required for a VM instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
11	SG-AWS-Storage-Volume	SG-AWS-Storage-Volume [sn_aws_integ_sg_aws_storage_volume]	Storage Volume Storage Volume Snapshot AWS Datacenter Key Value SG-AWS Extension Attributes	Required for a VM instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
12	SG-AWS-Image-Private	SG-AWS-Image [sn_aws_integ_sg_aws_image]	Image	Required for a VM instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
13	SG-AWS-Image-Id	SG-AWS-Image-Id [sn_aws_integ_sg_aws_image_id]	Image	Required for a VM instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
14	SG-AWS-Hardware-Type	SG-AWS-Hardware-Type [sn_aws_integ_sg_aws_hardware_type]	Hardware Type AWS Datacenter	Required for a VM instance	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC
15	SG-AWS-EC2	SG-AWS-EC2 [sn_aws_integ_sg_aws_ec2]	Virtual Machine Instance The following CIs are populated when populating the Virtual Machine Instance CI: Server VNIC Endpoint Storage Mapping Block Endpoint IP Address Network Adapter Key Value	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Hardware-Type SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id
16	SG-AWS-ELB-V1	SG-AWS-ELB-V1 [sn_aws_integ_sg_aws_elb_v1]	Cloud Load Balancer Compute Security Group Availability Zone AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
17	SG-AWS-ELB-V2	SG-AWS-ELB-V2 [sn_aws_integ_sg_aws_elb_v2]	Cloud Load Balancer Compute Security Group Availability Zone AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
18	SG-AWS-RDS	SG-AWS-RDS [sn_aws_integ_sg_aws_rds]	Cloud DataBase AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
19	SG-AWS-API-Gateway	SG-AWS-API-Gateway [sn_aws_integ_sg_aws_api_gateway]	Cloud Gateway [cmdb_ci_cloud_gateway] AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
20	SG-AWS-Lambda	SG-AWS-Lambda [sn_aws_integ_sg_aws_lambda]	Cloud Function	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
21	SG-AWS-S3	SG-AWS-S3 [sn_aws_integ_sg_aws_s3]	Cloud Object Storage	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
22	SG-AWS-DynamoDb	SG-AWS-DynamoDb [sn_aws_integ_sg_aws_dynamodb]	DynamoDB Table AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
23	SG-AWS-Software-Inventory	SG-AWS-Software-Inventory [sn_aws_integ_sg_aws_software_inventory] SG-AWS-Software-Staging [sn_aws_integ_sg_aws_temp_software_staging]	When the Software Asset Management (SAM) application isn't installed: Software Packages Software Instance Server When the SAM application is installed: Software Installation Server	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Hardware-Type SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2
24	SG-AWS-Software-Remove	SG-AWS-Software-Remove [sn_aws_integ_sg_aws_software_remove]	None	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Hardware-Type SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-Software-Inventory
25	SG-AWS-SSM-SendCommand	SG-AWS-SSM-SendCommand [sn_aws_integ_sg_aws_ssm_sendcommand]	Application Running Process [cmdb_running_process] TCP Connections [cmdb_tcp]	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2
26	SG-AWS-Tags	SG-AWS-Tags [sn_aws_integ_sg_aws_tags]	DynamoDB Table Cloud Load Balancer Cloud Function Key Value	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-ELB-V1 SG-AWS-ELB-V2 SG-AWS-DynamoDb SG-AWS-Lambda
27	SG-AWS-VM-Hw-Consolidation	SG-AWS-VM-Hw-Consolidation [sn_aws_integ_sg_aws_vm_hw_consolidation]	Virtual Machine Instance Server	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-Hardware-Type
28	SG-AWS-EKS-Cluster	SG-AWS-EKS-Cluster [sn_aws_integ_sg_aws_eks_cluster]	Kubernetes Cluster AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-Hardware-Type SG-AWS-VM-Hw-Consolidation
29	SG-AWS-EKS-Cluster-2	SG-AWS-EKS-Cluster-2 [sn_aws_integ_sg_aws_eks_cluster_2]	Kubernetes Cluster AWS Datacenter Key Value SG-AWS Extension Attributes	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-Hardware-Type SG-AWS-VM-Hw-Consolidation SG-AWS-EKS-Cluster
30	SG-AWS-EKS-FULL	SG-AWS-EKS-FULL [sn_aws_integ_sg_aws_eks_full]	Kubernetes Cluster Server Kubernetes Namespace Kubernetes Node Kubernetes Service Kubernetes Pod Docker Container Docker Image Kubernetes Volume Kubernetes Deployment Kubernetes DaemonSet Kubernetes ReplicaSet	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-Hardware-Type SG-AWS-VM-Hw-Consolidation SG-AWS-EKS-Cluster SG-AWS-EKS-Cluster-2
31	SG-AWS-Generic-Resources	SG-AWS-Generic-Resources [sn_aws_integ_sg_aws_generic_resources]	Cloud Resource SG-AWS Extension Attributes	Optional	SG-AWS-Organization
32	SG-AWS-Redshift-Cluster	SG-AWS-Redshift-Cluster [sn_aws_integ_sg_aws_redshift_cluster]	Amazon Redshift	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
33	SG-AWS-Get-Inventory	SG-AWS-Get-Inventory [sn_aws_integ_sg_aws_get_inventory]	Server	Required	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters
34	SG-AWS-GenericTags	SG-AWS-GenericTags [sn_aws_integ_sg_aws_generictags]	Cloud Resource Key Value	Optional	SG-AWS-Organization SG-AWS-Generic-Resources
35	SG-AWS-SendCommand	SG-AWS-SendCommand [sn_aws_integ_sg_aws_ssm_sendcommand]	None Nota: The SG-AWS-SendCommand data source doesn't have target CMDB CI classes. This data source populates the data into the sn_aws_integ_sg_aws_ssm_sendcommand staging table, but the import records aren't transformed, and the import sets remain in pending state.	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2
36	SG-AWS-SSM-GetS3Object	SG-AWS-SSM-GetS3Object [sn_aws_integ_sg_aws_ssm_gets3object]	Server Running Process [cmdb_running_process] TCP Connections [cmdb_tcp]	Optional	SG-AWS-Organization SG-AWS-Service-Account SG-AWS-Datacenters SG-AWS-VPC SG-AWS-Subnets SG-AWS-Network-Interface SG-AWS-Security-Group SG-AWS-Storage-Volume SG-AWS-Image-Private SG-AWS-Image-Id SG-AWS-EC2 SG-AWS-SendCommand

The SG-AWS-Generic-Resources data source imports data for generic resources that aren't tracked by other data sources. The connector uses the Service Graph Resource Inclusion Whitelist [sn_cmdb_int_util_service_graph_resource_inclusion_whitelist] table to differentiate between generic and other supported resource types.
The connector first populates all supported resources in the Service Graph Resource Inclusion Whitelist [sn_cmdb_int_util_service_graph_resource_inclusion_whitelist] table. These resources, categorized under their respective supported resource types, have specific data sources designated for ingestion within the connector. When the SG-AWS-Generic-Resources data source is executed and retrieves unsupported resource types, they are added to the Service Graph Resource Inclusion Whitelist [sn_cmdb_int_util_service_graph_resource_inclusion_whitelist] table and categorized as generic.
To import global generic resources such as IAM user and IAM group, specify a standard AWS region that has Config enabled with includeGlobalResourceTypes set to true by updating the value of the sn_aws_integ.global_generic_resource_region system property for the SG-AWS-Generic-Resources data source.
If an aggregator is configured, and the sn_aws_integ.global_generic_resource_region value is not specified, the aggregator region is assigned as the value of this system property for importing global generic resources.
If the AWS Systems Manager (SSM) service isn't enabled, the connector populates the server records in the Server [cmdb_ci_server] class. If the AWS SSM service is enabled, then based on the platform type obtained through the SSM service, the server records are populated in either the Linux Server [cmdb_ci_linux_server] class or the Windows Server [cmdb_ci_win_server] class. The Server [cmdb_ci_server] class is the parent class of the Linux Server [cmdb_ci_linux_server] and the Windows Server [cmdb_ci_win_server] classes.
All labels associated with an AWS resource are added to the Key Value [cmdb_key_value] table.
Nota:
You can use the CMDB Data Manager to delete tag data from retired CIs in the Key Value [cmdb_key_value] table based on conditions like retention time and discovery source. A scheduled job runs the policy, which can be configured to execute during off-peak hours.
The basic information about an AWS resource is stored in the SG-AWS Extension Attributes [sn_aws_extension_attributes] table.
Starting with the Service Graph Connector for AWS 2.10.0 version, the SG-AWS-Get-Inventory data source runs before the SG-AWS-EC2 data source and creates a Server [cmdb_ci_server] CI with the host name mapped to the Name attribute, instead of being mapped to the VM name.
The SG-AWS-GenericTags data source imports tag data only for generic resources that have an ARN key. You can use the SG-AWS Extension Attributes [sn_aws_extension_attributes] table to verify which generic resources have an ARN key.

For more information on where data is saved when pulling data from AWS, see CMDB classes targeted in Service Graph Connector for AWS and Supported AWS resource types.

When you run the diagnostic test, the data is loaded in the following tables:

SG AWS Diagnostic Details [sn_aws_integ_sg_aws_diagnostic_details]
SG-AWS Diagnostic Summary [sn_aws_integ_sg_aws_diagnostic_summary]
SG AWS Diagnostic Summary Notes [sn_aws_integ_sg_aws_diagnostic_summary_notes]

You can use the IntegrationHub ETL app to view the data maps. See IntegrationHub ETL for more information.

The AWS configuration data for each connection is stored in the SG AWS Application properties [sn_aws_integ_sg_aws_application_properties] table.

For more information about how CI information is pulled from AWS, see the Service Graph Connector for AWS - Functional Spec and CI article on the ServiceNow Community site.

BYOL support

Bringing your own licenses (BYOL) is the process of bringing previously purchased on-premises licenses to Amazon AWS Cloud. The connector supports the BYOL of the Image CIs for Oracle Database servers on Amazon AWS Cloud by populating the Key Value [cmdb_key_value] table with the licensing information. When the licensing information is found, the key is set to Windows_OS_License_Type_automatic and the key value is set to BYOL in the Key Value [cmdb_key_value] table.

To support BYOL, the sn_aws_integ.load_all_images system property is enabled during the initial pull to import the metadata of all Image CIs included in the SG-AWS-Image-Id data source. After the initial pull, the property is deactivated automatically. The SG-AWS-Image-Id data source then imports the metadata of the Image CIs without names only.

Event-based discovery

The Service Graph Connector for AWS works with event-based discovery. Events that are pulled from AWS can create and update CIs that were brought by the Service Graph Connector for AWS.

Managing retired CIs in EKS components

If the Amazon Elastic Kubernetes Services (EKS) CIs are deleted in EKS components such as pods, services, and volumes, the corresponding CI entries are automatically set to Retired in the following CMDB CI classes:

Kubernetes Cluster, Kubernetes Node, Kubernetes Pod, Kubernetes Service, Kubernetes DaemonSet Kubernetes Namespace, Kubernetes Deployment, Docker Container, Kubernetes Volume

Shared VPC and subnets support

Import CI relationships established between virtual private clouds (VPCs), subnets, and network interfaces hosted in different AWS accounts. For example, a VPC in one AWS account can be connected to a subnet in the same account, which can then link to a network interface and a virtual machine in another AWS account.

Additional resources

See the following articles on the ServiceNow Community site for any additional information on the AWS set up:

AWS

Australia ServiceNow AI Platform Capabilities

Service Graph Connector for AWS