Discovery for AWS

  • Release version: Yokohama
  • Updated July 31, 2025

    Amazon Web Services (AWS) cloud discovery gives you visibility into your AWS cloud resources so that you can populate and update the Configuration Management Database (CMDB). Visibility into AWS supports business outcomes such as cloud transformation and optimizing operational efficiency (ITOM/ITSM/AIOps).

    What is AWS cloud discovery

    AWS cloud discovery is an automated process that continuously identifies and maps AWS resources and populates the data in the Configuration Management Database (CMDB).

    AWS discovery can be performed by a combination of approaches: agent-based or agentless collection, cloud APIs for metadata discovery, or IP addresses for OS-level discovery. Visibility can be provided in near real time (for example, using event-based discovery) or by timed discovery schedules.

    The Discovery and Service Mapping apps perform discovery by methods referred to as horizontal discovery and top-down mapping. Horizontal discovery identifies configuration items (CIs) without dependency mapping. Top-down service mapping identifies application dependencies, connection paths, and service impact.

    Key outcomes and business value

    AWS discovery facilitates several vital business outcomes by populating the CMDB with essential cloud data:
    • Regulatory compliance, enabled by the supporting data. Visibility can promote alignment with compliance frameworks such as the Mutual Recognition Agreement (MRA) or the Digital Operational Resilience Act (DORA).
    • Software asset management (SAM), enabled by visibility into cloud software deployments.
    • Financial operations (FinOps), enabled by comprehensive visibility into AWS resources and their usage.
    • Security operations (SecOps), enabled by continuous visibility into cloud resources and their configurations.
    • Certificate management, enabled by the discovery of certificates, their expiry, and their usage.
    • Artificial intelligence for IT operations (AIOps), enabled by identifying and mapping all cloud resources and their configurations.

    AWS discovery approaches

    There are several approaches for discovering AWS environments.
    1. Cloud metadata discovery: Provides a high-level view of the AWS cloud infrastructure.
    2. Cloud OS-level discovery: Provides a deeper level of discovery that reports the state of the AWS cloud resources, such as installed software, active services, running processes, and system configurations.
    3. Event-driven cloud discovery: Tracks changes in the life-cycle state or the configuration of AWS cloud resources. For more information, see AWS event-driven discovery.
    4. Collecting data with Agent Client Collector (ACC-VC): Performs horizontal IP-based discovery for OS-related attributes such as system configurations, network interfaces, and running processes. For more information, see Agent Client Collector for Visibility - Content.
    5. Collecting data with Service Graph Connectors: Imports and integrates AWS data into CMDB and non-CMDB tables, and specializes in collecting data for AWS Organizations. For more information, see AWS discovery solutions comparison and Service Graph Connector for AWS.

    For a comparison of AWS cloud discovery methods and their requirements, see AWS cloud discovery methods and use cases.

    How to perform AWS cloud discovery

    Multiple ITOM Visibility apps can collect (or discover) your data, visualize it, and help you monitor your AWS resources.

    Enabling Discovery or other Visibility solutions to access your AWS infrastructure depends on roles and permissions configured both in AWS and in the ServiceNow AI Platform. The discovery process requires configuration within AWS, such as setting up Identity and Access Management (IAM) roles.

    Table 1. AWS user discovery permissions
    AWS Users                                          | Discovery permissions
    AWS Organizations with master and member accounts  | Access is based on the IAM roles defined for the master and member accounts.
    AWS account root user                              | Has complete access to all AWS services and resources in the account.
    IAM users/IAM user group                           | Has access to specific resources and services based on IAM roles, or temporary access based on assumed roles.
    For more information, see Access to cloud environments for ITOM products.
    On the ServiceNow AI Platform side, user configuration is also needed if you choose to use Discovery.
    • You must assign the discovery_admin role to the user who runs discovery. For more information, see Managing roles.
    • Discovery runs commands and API queries to access and discover your AWS infrastructure. Before you configure Discovery roles and permissions, review the Cloud Discovery spreadsheet and verify the REST API permissions it lists.

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.
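As an added example, not part of the ServiceNow documentation or product, the Python check below can be run over the IAM policy document you intend to attach to a discovery role or assumed role (see the roles and permissions discussion above and the REST API permission verification step) to confirm the grant stays within read-only API families before it is applied. The read-only verb prefixes and the action names in the constructed sample policy are assumptions for illustration; the authoritative permission list remains the Cloud Discovery spreadsheet.

```python
import json

# Assumption for this example: discovery patterns only need read-only API
# verbs. The exact actions come from the Cloud Discovery spreadsheet.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def policy_findings(policy: dict) -> list:
    """Return least-privilege findings for an IAM policy used by a discovery role.

    Flags Allow statements that use NotAction (grants everything not listed),
    wildcard actions such as "*" or "iam:*", and any action whose verb is not
    in a read-only family (for example s3:PutObject).
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":     # Deny statements only narrow access
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: uses NotAction, which grants everything not listed")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action" may be a string or a list
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
                continue
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {idx}: non-read-only action {action!r}")
    return findings


def is_read_only_policy(policy: dict) -> bool:
    """True when the policy grants nothing outside the read-only verb families."""
    return not policy_findings(policy)


# Constructed sample: a discovery policy that has drifted to include write and
# wildcard grants alongside the read-only Describe/List actions it started with.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in policy_findings(SAMPLE_POLICY):
        print(finding)
```

Run it against the policy document exported from the role you plan to use; an empty findings list means every Allow statement is confined to read-only verbs, while each finding names the statement index to fix.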