AWS resources used by the Service Graph Connector for AWS

  • Release version: Xanadu
  • Updated August 1, 2024

    Get familiar with the AWS concepts to learn how the Service Graph Connector for AWS is integrated with Amazon Web Services (AWS).

    AWS Config service and configuration recorder

    Important:
    The AWS Config service and AWS configuration recorder are required for setting up the connector.

    The AWS Config service monitors and records changes to your AWS resource configurations.

    The AWS configuration recorder detects changes in resource configurations and captures each change as a configuration item (CI). The recorder is required for setting up the connector, because it is the component that actually records resource configuration data into AWS Config. See What Is AWS Config? on the AWS Documentation site.

    The Service Graph Connector for AWS includes the EnableAWSConfig.yml script, which enables the AWS Config service and, with it, the configuration recorder. See Executing scripts required for setting up AWS.

    Note:
    Ensure that the AWS Config service is enabled for all applicable AWS accounts and regions.
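One way to verify that the recorder is really running everywhere before pointing the connector at an account is to audit every enabled region. The script below is an added example, not part of the connector or of its EnableAWSConfig.yml script. The evaluation logic works on the plain response dicts of DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus and runs offline on the constructed SAMPLE data; main() performs the live calls with boto3 and assumes the caller holds ec2:DescribeRegions, config:DescribeConfigurationRecorders and config:DescribeConfigurationRecorderStatus in the target account. The region names, account ID and role ARNs in the sample are made up.

```python
"""Audit whether AWS Config is recording in every enabled region of one account.

Added example; not the connector's own code. evaluate_recorder() is pure
Python over API response dicts, so it runs without AWS access; main() does
the live calls and needs the SDK plus read-only Config/EC2 permissions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RecorderFinding:
    region: str
    ok: bool
    reason: str


def evaluate_recorder(region: str, recorders: list[dict], statuses: list[dict]) -> RecorderFinding:
    """Pass only if a recorder exists, has an IAM role, selects at least one
    resource type, is turned on, and its last recording attempt did not fail.

    `recorders` is ConfigurationRecorders from DescribeConfigurationRecorders;
    `statuses` is ConfigurationRecordersStatus from DescribeConfigurationRecorderStatus.
    """
    if not recorders:
        return RecorderFinding(region, False, "no configuration recorder defined")
    recorder = recorders[0]  # AWS Config allows a single recorder per region
    if not recorder.get("roleARN"):
        return RecorderFinding(region, False, "recorder has no IAM role")
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    records_something = (
        group.get("allSupported", False)
        or bool(group.get("resourceTypes"))
        or strategy == "EXCLUSION_BY_RESOURCE_TYPES"
    )
    if not records_something:
        return RecorderFinding(region, False, "recording group selects no resource types")
    if not statuses:
        return RecorderFinding(region, False, "recorder defined but no status returned")
    status = statuses[0]
    if not status.get("recording", False):
        return RecorderFinding(region, False, "recorder is stopped")
    if status.get("lastStatus") == "FAILURE":
        detail = status.get("lastErrorMessage", "")
        return RecorderFinding(region, False, f"last recording attempt failed: {detail}".rstrip(": "))
    return RecorderFinding(region, True, "recording")


def audit_regions(per_region: dict[str, tuple[list[dict], list[dict]]]) -> list[RecorderFinding]:
    """Evaluate every region; failures sort first so they are seen immediately."""
    findings = [evaluate_recorder(r, recs, stats) for r, (recs, stats) in per_region.items()]
    return sorted(findings, key=lambda f: (f.ok, f.region))


# Constructed sample responses (not captured from a real account): a healthy
# region, a region whose recorder was stopped, and a region never enabled.
SAMPLE = {
    "us-east-1": (
        [{"name": "default",
          "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
          "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
    ),
    "eu-west-1": (
        [{"name": "default", "roleARN": "arn:aws:iam::111122223333:role/ConfigRecorderRole",
          "recordingGroup": {"allSupported": True}}],
        [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}],
    ),
    "ap-south-1": ([], []),
}


def main() -> None:
    import boto3  # imported here so the evaluation logic runs without the SDK installed

    ec2 = boto3.client("ec2")
    regions = [r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"]]
    per_region: dict[str, tuple[list[dict], list[dict]]] = {}
    for region in regions:
        cfg = boto3.client("config", region_name=region)
        per_region[region] = (
            cfg.describe_configuration_recorders()["ConfigurationRecorders"],
            cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"],
        )
    for f in audit_regions(per_region):
        print(f"{f.region:<15} {'OK  ' if f.ok else 'FAIL'} {f.reason}")


if __name__ == "__main__":
    main()
```

Run it with the credentials of each account the connector will read; any FAIL line is a region whose resources will simply be missing from the CMDB, with no error raised on the ServiceNow side. The check on the recording group matters because a recorder that is "on" but records no resource types looks healthy in the console while producing nothing for the connector to import.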

    AWS Config aggregator

    Important:
    The AWS Config aggregator is optional for setting up the connector.
    The AWS Config aggregator collects the AWS Config configuration and compliance data from the following sources:
    • Multiple accounts and multiple regions
    • Single account and multiple regions
    • An organization in AWS Organizations and all the accounts within it that have AWS Config enabled.

    The advantages of using an AWS Config aggregator with the Service Graph Connector for AWS are:

    • All data is retrieved from a single location.
    • Both the bootstrap updates (baseline configurations) and the incremental updates (configurations added since the last update) are available from it.
    • The connector doesn't need to loop through each account and region.
    • Data is pulled faster.

    Due to these advantages, consider leveraging the AWS Config aggregator for pulling data from multiple accounts or multiple regions.

    Note:
    For detecting deleted resources, the connector uses the config:ListDiscoveredResources API to loop through each AWS account and region and updates the CMDB CIs accordingly. Because the ListDiscoveredResources API doesn't accept a date range for selecting resources, the connector might make many API calls to gather all the data, which can impact the connector's performance.

    For more information on setting up an AWS Config aggregator, see Multi-Account Multi-Region Data Aggregation and Setting Up an Aggregator Using the Console on the AWS Documentation site.
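The deletion pass described in the note above is straightforward to reproduce, and doing so makes the performance caveat concrete: every existing resource of a type must be paged through before a single deletion can be confirmed. The script below is an added example, not the connector's own code. find_deleted_resources() is pure Python and is exercised here on constructed pages; main() issues the live calls with boto3 for one account and region and assumes config:ListDiscoveredResources permission. `cmdb_ids` stands for the set of resource IDs the CMDB currently holds for one resource type; the instance IDs and timestamps in the sample are made up.

```python
"""Reconcile CMDB CIs against config:ListDiscoveredResources to find deleted resources.

Added example; not the connector's own code. The API has no date-range
filter, so every page for the resource type is fetched; the call count is
returned so the cost of the pass is visible.
"""
from __future__ import annotations

from typing import Callable, Iterator


def iterate_pages(fetch: Callable[[str | None], dict]) -> Iterator[dict]:
    """Yield every page of a ListDiscoveredResources result by following nextToken.

    `fetch(token)` performs one API call with the given pagination token
    (None for the first page)."""
    token: str | None = None
    while True:
        page = fetch(token)
        yield page
        token = page.get("nextToken")
        if not token:
            return


def find_deleted_resources(cmdb_ids: set[str], pages: Iterator[dict]) -> tuple[dict[str, str | None], int]:
    """Return (deleted, call_count).

    `deleted` maps every CMDB resource id that AWS Config no longer lists as
    existing to its resourceDeletionTime when the pages were fetched with
    includeDeletedResources=True, or None when Config has no record of it at
    all (deleted before Config was enabled, or already aged out)."""
    live: set[str] = set()
    deletion_time: dict[str, str] = {}
    calls = 0
    for page in pages:
        calls += 1
        for ident in page.get("resourceIdentifiers", []):
            rid = ident["resourceId"]
            if "resourceDeletionTime" in ident:
                deletion_time[rid] = ident["resourceDeletionTime"]
            else:
                live.add(rid)
    deleted = {rid: deletion_time.get(rid) for rid in cmdb_ids - live}
    return deleted, calls


# Constructed sample: three pages of AWS::EC2::Instance identifiers shaped like
# the API output for limit=2 with includeDeletedResources=True. Not real data.
SAMPLE_PAGES = [
    {"resourceIdentifiers": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0aaa111"},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0bbb222"}],
     "nextToken": "p2"},
    {"resourceIdentifiers": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ccc333",
         "resourceDeletionTime": "2024-07-30T09:12:00Z"},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ddd444"}],
     "nextToken": "p3"},
    {"resourceIdentifiers": [
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0eee555"}]},
]
SAMPLE_CMDB_IDS = {"i-0aaa111", "i-0ccc333", "i-0ddd444", "i-0fff666"}


def sample_fetch(token: str | None) -> dict:
    """Stand-in for cfg.list_discovered_resources(...) that serves SAMPLE_PAGES."""
    return SAMPLE_PAGES[{None: 0, "p2": 1, "p3": 2}[token]]


def main(resource_type: str = "AWS::EC2::Instance") -> None:
    import boto3  # imported here so the reconciliation logic runs without the SDK

    cfg = boto3.client("config")

    def fetch(token: str | None) -> dict:
        kwargs = {"resourceType": resource_type, "limit": 100, "includeDeletedResources": True}
        if token:
            kwargs["nextToken"] = token
        return cfg.list_discovered_resources(**kwargs)

    cmdb_ids: set[str] = set()  # load the CMDB's ids for resource_type here; empty in this stand-alone example
    deleted, calls = find_deleted_resources(cmdb_ids, iterate_pages(fetch))
    print(f"{calls} API call(s); {len(deleted)} CI(s) to retire: {sorted(deleted)}")


if __name__ == "__main__":
    main()
```

With limit=100 the number of calls per resource type per region is roughly (number of existing resources + recently deleted ones) / 100, and the loop is repeated for every account and region, which is the cost the note warns about. A None deletion time is worth surfacing separately: it means the CMDB holds a resource that Config never saw disappear, which is either a stale CI or a sign that Config was enabled after the resource already existed and was deleted.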

    AWS Systems Manager and AWS Systems Manager Inventory

    Important:
    AWS Systems Manager and AWS Systems Manager Inventory are required for setting up the deep discovery feature.

    AWS Systems Manager enables fetching server data, also called deep discovery data, from EC2 instances across AWS accounts and regions through SSM documents. The deep discovery data includes host name, serial number, CPU data, TCP data, and process information.

    The AWS Systems Manager Inventory imports the software data installed on the EC2 instances. The Inventory resource group in AWS Systems Manager collects information about the EC2 instances and the software applications installed on them.

    Ensure that the following items are configured in all AWS accounts:
    • The AWS Systems Manager Agent (SSM Agent) is installed on all managed EC2 instances.
    • The AmazonSSMForInstancesRole IAM role is attached as the instance profile on the EC2 instances.
    • The AWS Systems Manager Inventory is configured in each AWS region.
    • The AWS Systems Manager has access to the managed EC2 instances.
      Note:
      By default, AWS Systems Manager doesn't have permission to perform actions on EC2 instances. Grant access by attaching the AmazonSSMForInstancesRole IAM role as the instance profile of each EC2 instance. See Setting up AWS Systems Manager on the AWS Documentation site.
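The four items above can be checked from the AWS side before deep discovery is enabled: a running instance that has no instance profile, has never registered with Systems Manager, or has an agent that is not Online will yield no deep discovery data and no software inventory. The script below is an added example, not the connector's own code. unmanaged_instances() works on the plain response dicts of ec2:DescribeInstances and ssm:DescribeInstanceInformation and runs offline on the constructed sample; main() makes the live calls with boto3 for one region and assumes ec2:DescribeInstances and ssm:DescribeInstanceInformation permissions. The instance IDs, account ID and profile ARNs in the sample are made up.

```python
"""Find running EC2 instances that AWS Systems Manager cannot act on.

Added example; not the connector's own code. unmanaged_instances() is pure
Python over API response dicts; main() does the live calls for one region.
"""
from __future__ import annotations


def running_instances(reservations: list[dict]) -> list[dict]:
    """Flatten DescribeInstances Reservations into the running Instance dicts."""
    return [
        inst
        for res in reservations
        for inst in res.get("Instances", [])
        if inst.get("State", {}).get("Name") == "running"
    ]


def unmanaged_instances(reservations: list[dict], instance_information: list[dict]) -> dict[str, str]:
    """Map each running instance that SSM cannot reach to the reason.

    `instance_information` is InstanceInformationList from
    DescribeInstanceInformation. Only agents that have registered appear in
    it, so an instance missing from the list has no working agent, a role
    without SSM permissions, or no network path to the SSM endpoints.
    """
    ssm_by_id = {info["InstanceId"]: info for info in instance_information}
    problems: dict[str, str] = {}
    for inst in running_instances(reservations):
        iid = inst["InstanceId"]
        if not inst.get("IamInstanceProfile"):
            problems[iid] = "no IAM instance profile attached"
            continue
        info = ssm_by_id.get(iid)
        if info is None:
            problems[iid] = ("not registered with Systems Manager "
                             "(agent missing, role lacks SSM permissions, or endpoints unreachable)")
            continue
        if info.get("PingStatus") != "Online":
            problems[iid] = f"agent registered but PingStatus is {info.get('PingStatus')}"
    return problems


# Constructed sample responses (not from a real account): one healthy instance,
# one without a profile, one whose agent lost its connection, one stopped
# instance that should be ignored, and one that never registered.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0111aaaa", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMForInstancesRole"}},
        {"InstanceId": "i-0222bbbb", "State": {"Name": "running"}},
        {"InstanceId": "i-0333cccc", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMForInstancesRole"}},
        {"InstanceId": "i-0444dddd", "State": {"Name": "stopped"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0555eeee", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMForInstancesRole"}},
    ]},
]
SAMPLE_INSTANCE_INFORMATION = [
    {"InstanceId": "i-0111aaaa", "PingStatus": "Online", "PlatformType": "Linux"},
    {"InstanceId": "i-0333cccc", "PingStatus": "ConnectionLost", "PlatformType": "Windows"},
]


def main(region: str = "us-east-1") -> None:
    import boto3  # imported here so the evaluation logic runs without the SDK

    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    reservations: list[dict] = []
    for page in ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
        reservations.extend(page["Reservations"])
    infos: list[dict] = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        infos.extend(page["InstanceInformationList"])
    for iid, reason in sorted(unmanaged_instances(reservations, infos).items()):
        print(f"{iid}  {reason}")


if __name__ == "__main__":
    main()
```

Run it per region and account, since DescribeInstanceInformation is regional. The instance profile is the sensitive piece of this setup: whatever role it carries can be assumed by any process on the instance, and registering with Systems Manager also makes the instance a target for Run Command and Session Manager, so keep that role to the permissions the SSM Agent needs (AWS publishes the managed policy AmazonSSMManagedInstanceCore for exactly this) rather than widening it for convenience.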

    The advantages of using AWS Systems Manager and AWS Systems Manager Inventory are:

    • AWS Systems Manager provides the detailed server data such as host name, serial number, CPU data, TCP data, and process information.
    • AWS Systems Manager Inventory enables server classification and provides the installed software data.