AWS Integration for Security Exposure Management integrations

  • Release version: Yokohama
  • Updated April 2, 2026
  • 2 minutes to read

    Integrations, roles, dependencies, and REST messages used for the AWS Integration for Security Exposure Management.

    Required roles

    Users who configure and use the integration must be assigned the appropriate ServiceNow roles.

    sn_vul_aws.configure_integration
    Allows you to configure authentication credentials for the AWS plugin.
    sn_vul_aws.read_integration
    Provides read access to AWS integrations and AWS tables.

    Dependencies

    AWS Integration for Security Exposure Management requires the following ServiceNow® applications:

    • Vulnerability Response (required) — Core application for vulnerability management.
    • Container Vulnerability Response (optional) — Required for the AWS Inspector Container and AWS Security Hub Container integrations.
    • Configuration Compliance (optional) — Required for the AWS Security Hub Test Results integration.

    AWS Inspector Integrations

    Table 1. AWS Inspector integration details

    AWS Inspector Host Vulnerability Integration
    • Retrieves all host vulnerability findings from AWS Inspector for EC2 Instances and Lambda Functions.
    • Uses API: POST /findings/list.
    • Supports delta synchronization using the 'updatedAt' filter.
    • Uses 'nextToken' and 'maxResults' for pagination.
    • Creates vulnerable items (VITs), discovered items, and detections.
    Run sequence and frequency: First, Daily.

    AWS Inspector Container Vulnerability Integration
    • Retrieves all container vulnerability findings from AWS Inspector for ECR Container Images.
    • Uses API: POST /findings/list.
    • Supports delta synchronization using the 'updatedAt' filter.
    • Uses 'nextToken' and 'maxResults' for pagination.
    • Creates container vulnerable items (CVITs), discovered container images, and findings.
    Run sequence and frequency: Second, Daily.

    AWS Security Hub Integrations

    Table 2. Supported integration details

    AWS Security Hub Host Vulnerability Integration
    • Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'.
    • Uses 'maxResults' and 'nextToken' for pagination.
    • Creates vulnerable items (VITs), discovered items, and detections.
    Run sequence and frequency: First, Daily.

    AWS Security Hub Container Vulnerability Integration
    • Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'.
    • Creates container vulnerable items (CVITs), discovered container images, and findings.
    Run sequence and frequency: Second, Daily.

    AWS Security Hub Test Results Integration
    • Retrieves misconfigurations of various asset types from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'.
    • Creates tests and test results in Configuration Compliance.
    Run sequence and frequency: Third, Daily.

    AWS Inspector REST messages

    List Findings
    Endpoint: https://inspector2.${region}.amazonaws.com/findings/list
    HTTP method: POST
    Description: Retrieves findings from AWS Inspector. Uses nextToken and maxResults for pagination.

    STS AssumeRole
    Endpoint: https://sts.${region}.amazonaws.com/
    HTTP method: POST
    Description: Retrieves temporary security credentials via AWS STS AssumeRole.

    AWS Security Hub REST messages

    Get Findings
    Endpoint: https://securityhub.${region}.amazonaws.com/findingsv2
    HTTP method: POST
    Description: Retrieves findings from AWS Security Hub. Uses NextToken (PascalCase) for pagination.

    STS AssumeRole
    Endpoint: https://sts.${region}.amazonaws.com/
    HTTP method: POST
    Description: Shared with Inspector. Retrieves temporary security credentials.

    Note: The nextToken field uses PascalCase (NextToken) in Security Hub responses, unlike Inspector, which uses camelCase (nextToken). The integration handles this difference automatically.
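The integration tables and the note above describe the same fetch loop for both services: a delta filter keyed on the finding's last update time, a paginated POST that is repeated until no continuation token comes back, and pagination fields whose names differ only in case between Inspector (nextToken, maxResults) and Security Hub (NextToken, MaxResults). The script below is an added example of that loop, not ServiceNow's or AWS's code. The field names follow the public APIs, but the exact shape of the delta filter bodies is an assumption to verify against the current AWS API reference; the HTTP transport is an in-memory fake over constructed findings so the script runs offline, and SigV4 signing and STS AssumeRole are assumed to have already been done.

```python
"""Delta-sync pagination over AWS Inspector and AWS Security Hub findings.

Added example; not ServiceNow's or AWS's own code. Pagination and result
field names follow the public APIs, the delta filter body shapes are an
assumption to verify against the AWS reference, and the transport is a
constructed offline fake. Signing and STS AssumeRole are out of scope.
"""
from datetime import datetime, timezone

# Service-specific naming of the pagination and result fields (the case
# difference is the only thing that changes between the two services).
API = {
    "inspector": {"token": "nextToken", "max": "maxResults", "results": "findings"},
    "securityhub": {"token": "NextToken", "max": "MaxResults", "results": "Findings"},
}

# Watermark left by the previous run (constructed). Findings updated at or
# after this instant make up the delta to import.
DEFAULT_SINCE = datetime(2026, 3, 30, tzinfo=timezone.utc)


def finding_updated_at(service, finding):
    """Return the ISO-8601 update timestamp the delta filter is keyed on."""
    if service == "inspector":
        return finding["updatedAt"]
    return finding["finding_info"]["modified_time_dt"]


def build_request(service, since, max_results, next_token=None):
    """Build one page request: page size, optional continuation token, delta filter."""
    keys = API[service]
    body = {keys["max"]: max_results}
    if next_token:
        body[keys["token"]] = next_token
    start = since.isoformat()
    if service == "inspector":
        # Inspector2 ListFindings: filterCriteria.updatedAt holds date filters.
        body["filterCriteria"] = {"updatedAt": [{"startInclusive": start}]}
    else:
        # Security Hub GetFindingsV2: date filter on finding_info.modified_time_dt
        # (assumed body shape).
        body["Filters"] = {"CompositeFilters": [{"DateFilters": [
            {"FieldName": "finding_info.modified_time_dt", "Filter": {"Start": start}}]}]}
    return body


def request_since(service, body):
    """Read the delta start back out of a request body (used by the fake transport)."""
    if service == "inspector":
        return body["filterCriteria"]["updatedAt"][0]["startInclusive"]
    return body["Filters"]["CompositeFilters"][0]["DateFilters"][0]["Filter"]["Start"]


def fetch_all(service, since, call, max_results=50):
    """Walk every page of the delta and return (findings, pages_requested).

    The loop ends only when a response carries no continuation token, so a
    short or empty page that still returns a token is not mistaken for the end.
    """
    keys = API[service]
    token, findings, pages = None, [], 0
    while True:
        response = call(service, build_request(service, since, max_results, token))
        pages += 1
        findings.extend(response.get(keys["results"], []))
        token = response.get(keys["token"])
        if not token:
            return findings, pages


def next_watermark(service, findings, previous):
    """Advance the watermark to the newest imported update time rather than to
    'now', so findings written while the run was in progress are picked up next time."""
    newest = max((finding_updated_at(service, f) for f in findings), default=None)
    return datetime.fromisoformat(newest) if newest else previous


def _iso(month, day):
    """Constructed timestamp: midnight UTC on the given day of 2026."""
    return datetime(2026, month, day, tzinfo=timezone.utc).isoformat()


# Constructed sample findings; ARNs and uids are placeholders, not real resources.
CONSTRUCTED_FINDINGS = {
    "inspector": [
        {"findingArn": f"arn:aws:inspector2:example:finding/CONSTRUCTED-{i}",
         "updatedAt": _iso(m, d), "severity": sev}
        for i, (m, d, sev) in enumerate(
            [(3, 28, "LOW"), (3, 29, "HIGH"), (3, 31, "CRITICAL"), (4, 1, "MEDIUM"), (4, 2, "HIGH")])
    ],
    "securityhub": [
        {"finding_info": {"uid": f"CONSTRUCTED-{i}", "modified_time_dt": _iso(m, d)}, "severity": sev}
        for i, (m, d, sev) in enumerate([(3, 25, "LOW"), (3, 31, "HIGH"), (4, 1, "HIGH"), (4, 2, "MEDIUM")])
    ],
}


def make_fake_transport(store):
    """Offline stand-in for the signed POST: applies the delta filter and pages
    with an offset carried in the token, using each service's own field names."""
    def call(service, body):
        keys = API[service]
        since = request_since(service, body)
        matching = sorted((f for f in store[service] if finding_updated_at(service, f) >= since),
                          key=lambda f: finding_updated_at(service, f))
        offset = int(body.get(keys["token"], 0))
        page = matching[offset:offset + body[keys["max"]]]
        response = {keys["results"]: page}
        if offset + len(page) < len(matching):
            response[keys["token"]] = str(offset + len(page))
        return response
    return call


if __name__ == "__main__":
    call = make_fake_transport(CONSTRUCTED_FINDINGS)
    for service in API:
        found, pages = fetch_all(service, DEFAULT_SINCE, call, max_results=2)
        print(f"{service}: {len(found)} findings over {pages} pages; next watermark "
              f"{next_watermark(service, found, DEFAULT_SINCE).isoformat()}")
```

Two choices worth keeping when wiring this to the real endpoints: terminate on the absence of the token rather than on a short page, and store the newest update time actually imported as the next delta watermark instead of the wall clock, so a finding modified between the last page request and the end of the run is not silently skipped.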