AWS Integration for Security Exposure Management integrations

  • Release version: Australia
  • Updated April 2, 2026

    Integrations, roles, dependencies, and REST messages used for the AWS Integration for Security Exposure Management.

    Required roles

    Users who configure and use the integration must be assigned the appropriate ServiceNow roles.

    sn_vul_aws.configure_integration
    Allows you to configure authentication credentials for the AWS plugin.
    sn_vul_aws.read_integration
    Provides read access to AWS integrations and AWS tables.

    Dependencies

    AWS Integration for Security Exposure Management requires the following ServiceNow® applications:

    • Vulnerability Response (required) — Core application for vulnerability management.
    • Container Vulnerability Response (optional) — Required for the AWS Inspector Container and AWS Security Hub Container integrations.
    • Configuration Compliance (optional) — Required for the AWS Security Hub Test Results integration.

    AWS Inspector Integrations

Table 1. AWS Inspector integration details

Integration: AWS Inspector Host Vulnerability Integration
Description:
• Retrieves all host vulnerability findings from AWS Inspector for EC2 Instances and Lambda Functions.
• Uses API: POST /findings/list.
• Supports delta synchronization using the 'updatedAt' filter.
• Uses 'nextToken' and 'maxResults' for pagination.
• Creates vulnerable items (VITs), discovered items, and detections.
Run sequence and frequency: First, daily.

Integration: AWS Inspector Container Vulnerability Integration
Description:
• Retrieves all container vulnerability findings from AWS Inspector for ECR Container Images.
• Uses API: POST /findings/list.
• Supports delta synchronization using the 'updatedAt' filter.
• Uses 'nextToken' and 'maxResults' for pagination.
• Creates container vulnerable items (CVITs), discovered container images, and findings.
Run sequence and frequency: Second, daily.

    AWS Security Hub Integrations

Table 2. AWS Security Hub integration details

Integration: AWS Security Hub Host Vulnerability Integration
Description:
• Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub.
• Uses API: POST /findingsv2.
• Supports delta synchronization using the 'finding_info.modified_time_dt' filter.
• Uses 'maxResults' and 'nextToken' for pagination.
• Creates vulnerable items (VITs), discovered items, and detections.
Run sequence and frequency: First, daily.

Integration: AWS Security Hub Container Vulnerability Integration
Description:
• Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub.
• Uses API: POST /findingsv2.
• Supports delta synchronization using the 'finding_info.modified_time_dt' filter.
• Creates container vulnerable items (CVITs), discovered container images, and findings.
Run sequence and frequency: Second, daily.

Integration: AWS Security Hub Test Results Integration
Description:
• Retrieves misconfigurations of various asset types from AWS Security Hub.
• Uses API: POST /findingsv2.
• Supports delta synchronization using the 'finding_info.modified_time_dt' filter.
• Creates tests and test results in Configuration Compliance.
Run sequence and frequency: Third, daily.

    AWS Inspector REST messages

Name: List Findings
Endpoint: https://inspector2.${region}.amazonaws.com/findings/list
HTTP method: POST
Description: Retrieves findings from AWS Inspector. Uses nextToken and maxResults for pagination.

Name: STS AssumeRole
Endpoint: https://sts.${region}.amazonaws.com/
HTTP method: POST
Description: Retrieves temporary security credentials via AWS STS AssumeRole.

    AWS Security Hub REST messages

Name: Get Findings
Endpoint: https://securityhub.${region}.amazonaws.com/findingsv2
HTTP method: POST
Description: Retrieves findings from AWS Security Hub. Uses NextToken (PascalCase) for pagination.

Name: STS AssumeRole
Endpoint: https://sts.${region}.amazonaws.com/
HTTP method: POST
Description: Shared with Inspector. Retrieves temporary security credentials.

Note: The continuation token field is PascalCase (NextToken) in Security Hub responses, unlike Inspector, which uses camelCase (nextToken). The integration handles this difference automatically.
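The delta-synchronization and pagination behaviour described in Tables 1 and 2 and in the note above can be exercised end to end with the following added example. It is illustrative code written for this page, not ServiceNow's integration code or an AWS SDK: the HTTP layer is replaced by an in-memory responder serving constructed sample pages, the Security Hub filter envelope is a simplified assumption rather than the exact GetFindingsV2 schema, and the names `API_SHAPES`, `sync_findings`, `next_watermark` and `make_fake_post` are hypothetical. What it shows is the part an operator actually has to get right: the token key differs by API (nextToken versus NextToken), the loop must stop on a missing token and must not spin on a repeated one, and the delta watermark for the next run is the newest timestamp seen, never an earlier one.

```python
"""Delta-sync pagination loop for the two finding APIs on this page.
Added example, not ServiceNow's code; the HTTP layer is a constructed stand-in."""
from typing import Any, Callable, Dict, List, Optional

# Field names that differ between the two APIs (the page notes the token casing).
API_SHAPES = {
    "inspector":   {"token": "nextToken", "items": "findings", "max": "maxResults"},
    "securityhub": {"token": "NextToken", "items": "Findings", "max": "MaxResults"},
}

# (api name, request body) -> response body; stands in for the REST message call.
Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_request(api: str, since: str, page_size: int,
                  token: Optional[str] = None) -> Dict[str, Any]:
    """Build one page request carrying the delta filter the page names for each API."""
    shape = API_SHAPES[api]
    if api == "inspector":
        # Inspector ListFindings: filterCriteria.updatedAt is a list of date filters.
        body: Dict[str, Any] = {"filterCriteria": {"updatedAt": [{"startInclusive": since}]}}
    else:
        # Security Hub filters on finding_info.modified_time_dt; this envelope is an
        # assumption used for illustration, not the exact GetFindingsV2 schema.
        body = {"Filters": {"DateFilters": [{"FieldName": "finding_info.modified_time_dt",
                                             "Filter": {"Start": since}}]}}
    body[shape["max"]] = page_size
    if token:
        body[shape["token"]] = token
    return body


def sync_findings(post: Poster, api: str, since: str, page_size: int = 100,
                  max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Follow the continuation token until the API stops returning one.
    A repeated token or an unbounded page count aborts instead of looping forever."""
    shape = API_SHAPES[api]
    findings: List[Dict[str, Any]] = []
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        resp = post(api, build_request(api, since, page_size, token))
        findings.extend(resp.get(shape["items"], []))
        token = resp.get(shape["token"])
        if not token:
            return findings
        if token in seen:
            raise RuntimeError(f"{api}: pagination token {token!r} repeated")
        seen.add(token)
    raise RuntimeError(f"{api}: exceeded {max_pages} pages")


def modified_time(api: str, finding: Dict[str, Any]) -> str:
    """Timestamp each API uses for delta sync (ISO-8601 strings compare lexically)."""
    if api == "inspector":
        return finding["updatedAt"]
    return finding["finding_info"]["modified_time_dt"]


def next_watermark(api: str, findings: List[Dict[str, Any]], previous: str) -> str:
    """Watermark for the next run: newest timestamp seen, never moving backwards."""
    return max([previous] + [modified_time(api, f) for f in findings])


# Constructed sample pages standing in for the AWS responses (not real findings).
INSPECTOR_PAGES = [
    [{"findingArn": "arn:example:inspector2:finding/a", "updatedAt": "2026-03-01T00:00:00Z"},
     {"findingArn": "arn:example:inspector2:finding/b", "updatedAt": "2026-03-02T00:00:00Z"}],
    [{"findingArn": "arn:example:inspector2:finding/c", "updatedAt": "2026-03-03T12:00:00Z"}],
]
SECURITYHUB_PAGES = [
    [{"finding_info": {"uid": "sh-1", "modified_time_dt": "2026-03-04T00:00:00Z"}}],
    [{"finding_info": {"uid": "sh-2", "modified_time_dt": "2026-03-02T00:00:00Z"}}],
]


def make_fake_post(pages_by_api: Dict[str, List[List[Dict[str, Any]]]]) -> Poster:
    """Offline stand-in for the REST messages: serves pages under each API's own token key."""
    def post(api: str, body: Dict[str, Any]) -> Dict[str, Any]:
        shape = API_SHAPES[api]
        tok = body.get(shape["token"])
        idx = int(tok.split("-")[1]) if tok else 0
        pages = pages_by_api[api]
        resp: Dict[str, Any] = {shape["items"]: pages[idx]}
        if idx + 1 < len(pages):
            resp[shape["token"]] = f"page-{idx + 1}"
        return resp
    return post


FAKE_POST = make_fake_post({"inspector": INSPECTOR_PAGES, "securityhub": SECURITYHUB_PAGES})

if __name__ == "__main__":
    since = "2026-02-28T00:00:00Z"
    for api in API_SHAPES:
        found = sync_findings(FAKE_POST, api, since, page_size=2)
        print(api, len(found), "findings; next watermark:", next_watermark(api, found, since))
```

Persisting the returned watermark per integration is what makes the next scheduled run a delta rather than a full pull; keeping the last-seen token set bounded (here by `max_pages`) is the defensive counterpart, since a misbehaving endpoint that keeps handing back the same token would otherwise stall the daily job indefinitely.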