

End of support notice: On March 31, 2027, AWS will end support for AWS Service Management Connector. After March 31, 2027, you will no longer be able to access the AWS Service Management Connector console or AWS Service Management Connector resources. For more information, see [AWS Service Management Connector end of support](https://docs.aws.amazon.com/smc/latest/ag/smc-end-of-support.html). 

# AWS Service Management Connector for ServiceNow

The AWS Service Management Connector for ServiceNow (formerly the AWS Service Catalog Connector) enables ServiceNow end users to provision, manage, and operate AWS resources natively through ServiceNow.

ServiceNow administrators can:
+ Provide pre-approved, secured, and governed AWS resources to end users through Service Catalog.
+ Execute automation playbooks through AWS Systems Manager. 
+ View and manage operational items as incidents through AWS Systems Manager OpsCenter.
+ Use AWS Config to track resources in the CMDB seamlessly on ServiceNow with the AWS Service Management Connector.
+ Define new resource types based on ServiceNow CMDB tables and synchronize these with AWS Config custom resources.
+ Sync AWS Security Hub CSPM findings to ServiceNow incidents or problems.

 ServiceNow end users can: 
+ Browse, request, and provision pre-secured AWS solutions.
+ View AppRegistry applications, attribute groups, and related resource details with AppRegistry.
+ View, update, and resolve Incidents from AWS Systems Manager OpsItems.
+ View configuration item details.
+ Execute workflows in ServiceNow on AWS resources. 
+ View, update, and resolve ServiceNow incidents or problems through AWS Security Hub CSPM findings.
+ View, create, add correspondence and resolve Support cases from ServiceNow (including AMS Accelerate support cases).
+ View and execute AWS Systems Manager Change Requests from a curated list of pre-approved AWS Change templates.
+ View resource performance and the availability of AWS services and account through AWS Health dashboard.
+ Manage and resolve incidents affecting AWS-hosted applications through the integration with AWS Systems Manager Incident Manager.

These features minimize direct AWS platform access and simplify AWS product requests and operational actions for ServiceNow users. They also provide streamlined Service Management governance and oversight over AWS resources and services.

The AWS-supplied connector is available at no charge in the ServiceNow store. It supports ServiceNow platform releases San Diego (S), Rome (R), and Quebec (Q - Patch 5 going forward). These new features are generally available in all AWS Regions where AWS Service Catalog, AWS Config, and AWS Systems Manager services are available. For a list of Regions and service quotas of AWS services, see [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html).

**Note**  
For the ServiceNow Quebec release, we only support Quebec Patch 5 going forward due to a deprecated ServiceNow REST API call, `getDeprecatedValue()`, which inhibited end users’ ability to request AWS Service Catalog products and AWS Systems Manager automation documents in the Connector. ServiceNow resolved the issue in Quebec Patch 5, so we now support only Patch 5 going forward.

 The following AWS services integrate into this Connector: 
+ [Service Catalog](https://aws.amazon.com/servicecatalog) allows you to centrally manage commonly deployed AWS services and provisioned software products. It helps your organization achieve consistent governance and compliance requirements, while enabling users to quickly deploy only the approved AWS services they need. It also offers [AppRegistry](https://aws.amazon.com/servicecatalog/features/#AWS_Service_Catalog_AppRegistry_features), which creates a repository of your applications and associated resources.
+ [AWS Config](https://aws.amazon.com/config) enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations. It also lets you automate the evaluation of recorded configurations against desired configurations.
+ [AWS Systems Manager](https://aws.amazon.com/systems-manager) gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services, investigate and resolve operational issues through OpsCenter and Incident Manager, and automate operational tasks across your AWS resources.
+ [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc) gives you a comprehensive view of your security alerts and security posture across your AWS accounts. With AWS Security Hub CSPM, there is a single place that aggregates, organizes, and prioritizes your security alerts, or findings. 
+ [AWS Health](https://docs.aws.amazon.com/health/?id=docs_gateway) provides personalized information about events that can affect your AWS infrastructure, guides you through scheduled changes, and accelerates the troubleshooting of issues that affect your AWS resources and accounts. 
+ [Support](https://aws.amazon.com/premiumsupport/) provides multiple tooling mechanisms, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. Support enables you to be successful on your cloud journey. It addresses requests that range from answering best practices questions to providing guidance on configuration and break-fix and problem resolution.
+ [ServiceNow](https://www.servicenow.com/) is an enterprise service management platform that places a service-oriented lens on the activities, tasks, and processes that enable day-to-day work life and a modern work environment. [ServiceNow Service Catalog](https://www.servicenow.com/products/it-service-automation-applications/service-catalog.html) is a self-service application that end users can use to order IT services based on request fulfillment approvals and workflows. The [ServiceNow CMDB](https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/configuration-management/concept/c_ITILConfigurationManagement.html) provides resource transparency and relationships for the logical components of a service. 

# Align the ServiceNow Connector to industry best practices


This Connector aligns to industry best practices such as ITIL®’s service management areas by enabling tools (services) with the intersection of people, processes and partners. The Connector also addresses a baseline set of service management practices customers use within existing operational tooling:


| Service Management Area | AWS service(s) integration | 
| --- | --- | 
|  Service Catalog Management; Deployment Management (Provisioning)  |  AWS Service Catalog or CloudFormation (Requesting and provisioning vetted or predictable products and performing post-provision actions)  | 
|  Incident Management (ticketing)  |  Support (AWS services or platform incidents); AWS Systems Manager OpsCenter (Operational incidents derived or detected for solutions built on AWS platform); AWS Security Hub CSPM (Incidents derived from security Findings); AWS Systems Manager Incident Manager (Incidents generated according to response plans)  | 
| Service Configuration Management (CMDB)  | AWS Config (AWS resource or configuration items tracking and detective control compliance) | 
| Change Enablement (management) | AWS Systems Manager Change Manager (Standard changes with automated runbooks as implementation task(s)) | 
| Measurement & Reporting | AWS Health Dashboard (Visibility into resource performance) | 

# Setting up AWS Service Management Connector for ServiceNow

Before installing the AWS Service Management Connector for ServiceNow, verify that you have the necessary permissions in your AWS account and ServiceNow instance.

**Topics**
+ [AWS Service Management Connector for ServiceNow prerequisites](aws-prereqs.md)
+ [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md)
+ [Creating Connector for ServiceNow users](create-sc-users.md)
+ [Configuring core ServiceNow components](sn-config-core-components.md)

# AWS Service Management Connector for ServiceNow prerequisites

Make sure you have AWS and ServiceNow prerequisites configured before you get started.
+ **AWS Service Catalog with the Connector** — You must have an AWS account to configure your AWS portfolios and products. For details, refer to [Setting up for Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/setup.html) and [Using AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html).
+ **AWS Config details** — Configure the service settings to record data for the resource types of interest. We recommend you include provisioned products and CloudFormation stacks, in addition to the major resource types that your team uses. For more information, see [Setting up AWS Config with the console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html). This version of the Connector enables the import of aggregated Config data in a single AWS account from more than one AWS Region or account. To use this feature, you must configure an aggregator in AWS. For more information, see [Setting up an aggregator using the console](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html). 
+ **AWS Systems Manager Automation with the Connector** — This feature requires no AWS-side setup. As standard, AWS provides a number of automation documents (runbooks). If you want additional automation documents (runbooks), retrieve them in the Connector. For more information, see [Working with Automation Runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). 
+ **AWS Systems Manager OpsCenter with the Connector** — You must enable the service in all Regions and accounts where you want to sync OpsItems. For more information, see [Getting started with OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html).
+ **AWS Security Hub CSPM with the Connector** — You must enable the service in all Regions and accounts where you want to sync Findings. For details, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). We recommend you connect ServiceNow with the primary (main) AWS account for AWS Security Hub CSPM. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html).
+ **Support with the Connector** — Your account must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan to use support integration with the Connector.
+ **AWS Systems Manager Change Manager with the Connector** — You must enable the service in all Regions and accounts where you want to sync change templates. The AWS Systems Manager Change Manager integration of AWS Service Management Connector introduces a curated version of the integration. It allows customers to execute pre-approved change templates that contain at least one Automation Runbook and does not require approvals during execution from ServiceNow. For more information, see [Setting up Change Manager.](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager-setting-up.html)
+ **AWS Systems Manager Incident Manager with the Connector** — You must enable Incident Manager in all AWS Regions and accounts from where you want to sync the incidents. For details, see [Setting up for AWS Systems Manager Incident Manager.](https://docs.aws.amazon.com/incident-manager/latest/userguide/setting-up.html)
+ **AWS Health with the Connector** — Your account must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan to use AWS Health integration with the Connector.
+ **ServiceNow instance** — You need a ServiceNow instance to install the ServiceNow Connector scoped application. The initial installation should occur in either an enterprise sandbox or a [ServiceNow Personal Developer Instance](https://developer.servicenow.com/app.do#!/document/content/app_store_doc_getting_started_newyork_topic_lyf_bf2_3r?v=newyork) (PDI), depending on your organization’s technology governance requirements. The ServiceNow administrator needs the admin role to install the Connector for ServiceNow scoped application.

# Setting baseline permissions for AWS Service Management Connector for ServiceNow


This section describes how to configure Identity and Access Management (IAM) permissions, AWS Service Catalog, and other AWS services to use AWS Service Management Connector for ServiceNow.

To use a CloudFormation template to set up the AWS configurations of the Connector for ServiceNow, refer to the AWS configurations for Connector for ServiceNow for [AWS commercial Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-AWS_Configurations_Commercialv5.0.0.json), [AWS GovCloud Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-AWS_Configurations_GovCloudv5.0.0.json), and [AWS China Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-Amazon_Configurations_Chinav5.0.0.json). 

**Note**  
The CloudFormation template creates IAM users with permissions to all existing integrations, and *is intended to enable all supported integrations in a sandbox or developer ServiceNow instance*. For quality-assurance and production, you must apply least-privilege permissions based on the integrations enabled through the connector. Review the [Creating users]() section for additional information. 

**Note**  
If you choose to use the Connector for ServiceNow AWS Configuration template, go to the [AWS Service Catalog Administrator Guide ](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html). 

# Creating Connector for ServiceNow users

 For each AWS account, the Connector for ServiceNow requires two users:
+ **AWS Sync User**: A user to sync AWS resources (such as portfolios, products, automation documents (runbooks), OpsItems, Incident Manager incidents, change templates and requests, configuration items, and security Findings), AWS support cases, and AWS Health events and resources to ServiceNow.
+ **AWS End User**: A user who can provision products as an end user, execute requests, and view resources that ServiceNow exposes. This role includes any required roles to provision and execute. 

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage IAM user access keys properly](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).

# Creating the AWS Service Management Connector Sync user

This section describes how to create the AWS Sync user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users. The following steps to create a Sync user and End user are not required if you use the CloudFormation template to deploy the permissions. Review [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md) for more information. 

**Note**  
The CloudFormation template to set up the AWS configurations of the Connector for ServiceNow creates the Sync user and End user with the required permissions for all the supported integrations. 

**To create AWS Service Management Connector sync user**

1. Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a sync user (SMSyncUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions. 

1. Set permissions for your sync user (SMSyncUser). Choose **Attach existing policies directly** and select:
   + **`AWSServiceCatalogAdminReadOnlyAccess`** (AWS managed policy)
   + **`AmazonSSMReadOnlyAccess`** (AWS managed policy)
   + **`AWSConfigUserAccess`** (AWS managed policy)
   + **`AWSSupportAccess`** (AWS managed policy)

1. Create this policy: `ConfigBidirectionalPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor: 

   ```
   {
      "Version":"2012-10-17",
      "Statement": [
        {
            "Action": [
            "cloudformation:RegisterType",
            "cloudformation:DescribeTypeRegistration",
            "cloudformation:DeregisterType",
            "config:PutResourceConfig"
        ],
        "Resource": "*",
        "Effect": "Allow"
        }
      ]
   }
   ```

   The provided AWS Configuration template consists of two policies: `ConfigBiDirectionalPolicy` and `SecurityHubPolicy`.

1. Create this policy: `SecurityHubPolicy`. Then follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Action": [
                   "sqs:ReceiveMessage",
                   "sqs:DeleteMessage"
               ],
               "Resource": "arn:aws:sqs:us-east-1:111122223333:QueueName",
               "Effect": "Allow"
           },
           {
               "Action": [
                   "securityhub:BatchUpdateFindings"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```

1. Create this policy: `OpsCenterExecutionPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:CreateOpsItem",
                   "ssm:GetOpsItem",
                   "ssm:UpdateOpsItem",
                   "ssm:DescribeOpsItems"
                ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Create this policy: `AWSIncidentBaselinePolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Action": [
                   "ssm-incidents:ListIncidentRecords",
                   "ssm-incidents:GetIncidentRecord",
                   "ssm-incidents:UpdateRelatedItems",
                   "ssm-incidents:ListTimelineEvents",
                   "ssm-incidents:GetTimelineEvent",
                   "ssm-incidents:UpdateIncidentRecord",
                   "ssm-incidents:ListRelatedItems",
                   "ssm:ListOpsItemRelatedItems"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```

1. [Optional] Create this policy: `AWSChangeManagerCloudtrailPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Action": [
                   "cloudtrail:DescribeQuery",
                   "cloudtrail:ListEventDataStores",
                   "cloudtrail:StartQuery",
                   "cloudtrail:GetQueryResults"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```

1. Create this policy: `DescribeWorkSpacesPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Action": ["workspaces:DescribeWorkspaces"],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }
   ```

1. Add a policy that allows `budgets:ViewBudget` on all resources (`*`). 

1. Review and choose **Create User**. 

1. Note the access and secret access information. Download the .csv file that contains the user credential information.

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).

# Creating the AWS Service Management Connector end user

This section describes how to create the AWS Service Management Connector end user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users. 

**To create AWS Service Management Connector end user**

1.  Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a user (SMEndUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

   For products using CloudFormation StackSets, you need to create a StackSet inline policy. With CloudFormation StackSets, you are able to create products across multiple accounts and Regions. 

   Using an administrator account, you define and manage a Service Catalog product. You also use it to provision stacks into selected target accounts across specified Regions. You need to have the necessary permissions defined in your AWS accounts. 

   To set up the necessary permissions, see [Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). Follow the instructions to create an `AWSCloudFormationStackSetAdministrationRole` and an `AWSCloudFormationStackSetExecutionRole`. 

1. Add the following permissions (policies) to the user:
   + `AWSServiceCatalogEndUserFullAccess` (AWS managed policy)
   + `StackSet` (inline policy) - For Service Catalog products with stack sets, you need to modify the SMEndUser to include the Read Only permissions for the services you want to provision. For example, to provision an Amazon S3 bucket, include the `AmazonS3ReadOnlyAccess` policy to the `SMEndUser`.
   + `OpsCenterExecutionPolicy`
   + `AmazonEC2ReadOnlyAccess` (AWS managed policy)
   + `AmazonS3ReadOnlyAccess` (AWS managed policy)

# Creating the SCConnectLaunch role


The `SCConnectLaunch` role is an IAM role that places baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duty through provisioning product resources for ServiceNow end users. 

The `SCConnectLaunch` role baseline contains permissions to Amazon EC2 and Amazon S3 services. If your products contain more AWS services, you must either include those services in the `SCConnectLaunch` role or create new launch roles.

This section describes how to create the `SCConnectLaunch` role. This role places baseline AWS service permissions in the Service Catalog launch constraints. For more information, see [Service Catalog Launch Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html).

**To create SCConnectLaunch role**

1. Create this policy: `AWSCloudFormationFullAccess`. Choose **Create policy** and add this code in the JSON editor:

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect":"Allow",
            "Action":[
               "cloudformation:DescribeStackResource",
               "cloudformation:DescribeStackResources",
               "cloudformation:GetTemplate",
               "cloudformation:List*",
               "cloudformation:DescribeStackEvents",
               "cloudformation:DescribeStacks",
               "cloudformation:CreateStack",
               "cloudformation:DeleteStack",
               "cloudformation:GetTemplateSummary",
               "cloudformation:SetStackPolicy",
               "cloudformation:ValidateTemplate",
               "cloudformation:UpdateStack",
               "cloudformation:CreateChangeSet",
               "cloudformation:DescribeChangeSet",
               "cloudformation:ExecuteChangeSet",
               "cloudformation:DeleteChangeSet",
               "s3:GetObject"
            ],
            "Resource":"*"
         }
      ]
   }
   ```

**Note**  
`AWSCloudFormationFullAccess` includes additional permissions for ChangeSets.

1. Create this policy: `ServiceCatalogSSMActionsBaseline`. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor: 

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Sid":"Stmt1536341175150",
            "Action":[
               "servicecatalog:AssociateResource",
               "servicecatalog:DisassociateResource",
               "servicecatalog:ListServiceActionsForProvisioningArtifact",
               "servicecatalog:ExecuteProvisionedProductServiceAction",
               "ssm:DescribeDocument",
               "ssm:GetAutomationExecution",
               "ssm:StartAutomationExecution",
               "ssm:StopAutomationExecution",
               "ssm:StartChangeRequestExecution",
               "cloudformation:ListStackResources",
               "ec2:DescribeInstanceStatus",
               "ec2:StartInstances",
               "ec2:StopInstances"
            ],
            "Effect":"Allow",
            "Resource":"*"
         },
         {
            "Effect":"Allow",
            "Action":"iam:PassRole",
            "Resource":"*",
            "Condition":{
               "StringEquals":{
                  "iam:PassedToService":"ssm.amazonaws.com"
               }
            }
         }
      ]
   }
   ```

1. Create the `SCConnectLaunch` role. Then assign the trust relationship to Service Catalog.

   ```
   {
      "Version":"2012-10-17",
      "Statement": [
         {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
               "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
         }
      ]
   }
   ```

1. Attach the relevant policies to the `SCConnectLaunch` role. 

   We recommend you customize and scope your launch policies to the specific AWS services that are in the associated CloudFormation template for the given Service Catalog product. 

   For example, to provision EC2 and S3 products, your role policies are as follows:
   + `AmazonEC2FullAccess` (AWS managed policy)
   + `AmazonS3FullAccess` (AWS managed policy)
   + `AWSCloudFormationFullAccess` (custom managed policy)
   + `ServiceCatalogSSMActionsBaseline` (custom managed policy)
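
The recommendation above to scope launch policies, and the earlier note that quality-assurance and production environments need least-privilege permissions, can be checked mechanically before a policy is attached. The following Python lint is an added example, not AWS or Connector code: the finding codes and the read-only verb heuristic are assumptions of the example, and the two embedded policies are taken from the JSON shown on this page (the second with its action list shortened).

```python
"""Least-privilege lint for IAM policy documents (added example)."""

# Assumption: an action whose name starts with one of these verbs is treated
# as read-only. This is a naming heuristic of this example, not an AWS API.
READ_PREFIXES = ("Describe", "Get", "List")

# Copied from the SecurityHubPolicy shown on this page.
SECURITY_HUB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": "arn:aws:sqs:us-east-1:111122223333:QueueName",
            "Effect": "Allow",
        },
        {
            "Action": ["securityhub:BatchUpdateFindings"],
            "Resource": "*",
            "Effect": "Allow",
        },
    ],
}

# Excerpt (action list shortened) of the SSM actions baseline policy on this page.
SSM_BASELINE_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:DescribeDocument",
                "ssm:GetAutomationExecution",
                "ssm:StartAutomationExecution",
                "ec2:StartInstances",
                "ec2:StopInstances",
            ],
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}},
        },
    ],
}


def as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """Apply the naming heuristic to the part after the service prefix."""
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)


def passrole_service_limited(condition):
    """True if any condition operator constrains iam:PassedToService."""
    return any(
        key.lower() == "iam:passedtoservice"
        for operator_block in condition.values()
        for key in operator_block
    )


def audit_policy(name, document):
    """Return a list of (policy, statement_index, code, detail) findings."""
    findings = []
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((name, idx, "NEGATED_ELEMENT", "Allow with NotAction/NotResource"))
        actions = as_list(stmt.get("Action"))
        wildcards = sorted(a for a in actions if "*" in a)
        if wildcards:
            findings.append((name, idx, "WILDCARD_ACTION", ", ".join(wildcards)))
        if "*" not in as_list(stmt.get("Resource")):
            continue  # resource-scoped statement, nothing more to flag here
        for action in actions:
            if action.lower() == "iam:passrole":
                limited = passrole_service_limited(stmt.get("Condition", {}))
                code = "PASSROLE_SERVICE_LIMITED" if limited else "PASSROLE_UNCONSTRAINED"
                findings.append((name, idx, code, "iam:PassRole on any role"))
        writes = sorted(
            a for a in actions
            if "*" not in a and not is_read_only(a) and a.lower() != "iam:passrole"
        )
        if writes:
            findings.append((name, idx, "WRITE_ON_ALL_RESOURCES", ", ".join(writes)))
    return findings


def audit_all():
    """Audit both policies embedded above."""
    return (audit_policy("SecurityHubPolicy", SECURITY_HUB_POLICY)
            + audit_policy("ServiceCatalogSSMActionsBaseline", SSM_BASELINE_EXCERPT))


if __name__ == "__main__":
    for policy, idx, code, detail in audit_all():
        print(f"{policy} statement[{idx}] {code}: {detail}")
```

Each finding is a prompt to replace `"Resource": "*"` with the ARNs the enabled integration actually needs, or to confirm that the action does not support resource-level permissions.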

# Configuring core ServiceNow components


This section describes how to configure core components in ServiceNow.

**Note**  
 Before installing the AWS Service Management scoped app, we recommend you clear the ServiceNow platform and your browser cache.   
Ensure that you install the update set in a non-production or sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

**Topics**
+ [Activating ServiceNow plugins](sn-activate-plugins.md)
+ [Installing ServiceNow Connector scoped application](sn-install-connector.md)
+ [Configuring Connector using Guided Setup](sn-guided-setup.md)
+ [Platform system administrator components](sn-configure-connector.md)
+ [ServiceNow permissions for administrators of the Connector scoped app](sn-permissions-admin.md)
+ [Configuring AWS Service Management Connector scoped application](sn-configure-sc-connector-scoped-app.md)
+ [Configuring AWS accounts to synchronize in the Connector](sn-configure-accounts.md)
+ [Validating ServiceNow connectivity to AWS Regions](validate-regions.md)
+ [Manually syncing scheduled jobs](manual-sync-scheduled-jobs.md)

# Activating ServiceNow plugins


AWS Service Management Connector uses three ServiceNow plugins to provide useful components to the integration features:
+ User Criteria Scoped API (for AWS Service Catalog integration)
+ Discovery and Service Mapping Patterns (for AWS Config integration)
+ Change Management – Change Model Foundation Data (for AWS Systems Manager Change Manager integration)

**To activate the User Criteria Scoped API plugin**

1.  In your ServiceNow dashboard, enter **plugins** into the navigation panel in the upper left. 

1.  When the **System Plugins** page populates, next to the **Name** dropdown, search for **User Criteria**. 

1.  Choose **User Criteria Scoped API** and then choose **Activate**. 

**To activate the Discovery and Service Mapping Patterns plugin**

1. In your ServiceNow dashboard, enter **plugins** into the navigation panel in the upper left.

1.  When the **System Plugins** page populates, next to the **Name** dropdown, search for **Discovery**. 

1.  Choose **Discovery and Service Mapping Patterns** and then choose **Activate**. 

**Note**  
This plugin is free and aligns to the CMDB tables outside of ServiceNow’s family release CMDB updates. 

**To activate the Change Management – Change Model Foundation Data plugin**

1. In your ServiceNow dashboard, enter **plugins** in the navigation panel in the upper left.

1. When the System Plugins page populates, next to the **Name** dropdown, search for **Change Management**.

1. Choose **Change Management - Change Model Foundation Data** and then choose **Activate**.

# Installing ServiceNow Connector scoped application


The AWS Service Management Connector for ServiceNow is a conventional, scoped application that was developed and released through a ServiceNow update set. Update sets are code changes to the base platform that let developers move code across ServiceNow instances.

Download and install a certified version of the connector for no additional cost from the following locations:
+ [ ServiceNow store](https://store.servicenow.com/sn_appstore_store.do#!/store/application/f0b117a3db32320093a7d7a0cf961912/)
+ [ ServiceNow update set](https://servicecatalogconnector.s3.amazonaws.com/AWS_SC_update_set_5.1.12.zip): AWS Service Management Connector offers an update set for users who want to install the connector application in a ServiceNow Personal Developer Instance (PDI) or sandbox environment. 

If you don't already have a ServiceNow instance, start with the following first step. If you already have a ServiceNow instance, use the previous links to download and install the connector.

To install the connector, complete the following steps.

**Obtain a ServiceNow instance**

1. Open [ Obtaining a Personal Developer Instance](https://developer.servicenow.com/dev.do#!/guides/rome/developer-program/pdi-guide/obtaining-a-pdi).

1. Create ServiceNow developer program credentials.

1. Follow the instructions for requesting a ServiceNow instance.

1. Capture your instance details, including URL, administrative ID, and temporary password credentials.

**To install the update set**

1.  In your ServiceNow dashboard, enter **update sets** into the navigation panel in the upper left. 

1.  Choose **Retrieved Update Sets** from the results. 

1.  Choose **Import Update Set from XML** and upload the release XML file. 

1.  Choose the **AWS Service Management Connector for ServiceNow** update set. 

1.  Choose **Preview Update Set**, which makes ServiceNow validate the Connector update set. 

1.  Choose **Update**. 

1.  Choose **Commit Update Set** to apply the update set and create the application. This procedure should complete 100%. 

# Configuring Connector using Guided Setup


The Connector for ServiceNow includes a Guided Setup mechanism to enable customers to configure and mark complete ServiceNow installation components for the AWS Service Management Connector.

Guided Setup enables the customers to plan the roll-out of the Connector and perform the basic configurations of the Connector to launch it across ServiceNow staged environments.

The Connector Guided Setup:
+ Provides a direct set of links to the pages in the ServiceNow instance where you can perform the configuration.
+ Tracks completed tasks so you can stop and start again where you left off.
+ Enables less maneuvering between AWS documentation and the ServiceNow instance.
+ Coordinates the deployment and configuration of the Connector for individuals and teams.

**Note**  
Only ServiceNow admin users can access the Guided Setup to configure the Connectors. 

**To configure Connector using Guided Setup**

1. Log in to your ServiceNow instance as an admin user.

1. Enter **AWS Service Management Connector** in the left filter navigator.

1. Choose **Guided Setup**.

1. Review details on the Guided Setup homepage and choose **Get Started**.

1. Review details on each section.

1. To perform a task, select the task and choose **Configure**.

1. After completion of the task, choose **Mark as Complete**.

   To skip sections or tasks that do not apply to you, choose Skip.

# Platform system administrator components


To enable the AWS Service Management Connector scoped application named **AWS Service Management**, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

**Create a discovery source AWS Service Management Connector entry**

You must create a new discovery data source, AWS Service Management Connector. 

**To enable AWS to report discovered CIs into your CMDB**

1.  Choose **System Definition**. Then select **Choice Lists**.

1.  Choose **New**. 

1.  Create a new entry with these details: 
   + **Table:** **Configuration Item [cmdb_ci]**
   + **Element:** **discovery_source**
   + **Label:** **AWS Service Management Connector**
   + **Value:** **AWS Service Management Connector**

**Note**  
Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

# Administering AWS Service Management Connector Dashboard


As the system administrator, you can restrict access to the dashboard and its reports for specific users, roles or groups. 

**To restrict access to the connector dashboard**

1. In the ServiceNow instance, navigate to the AWS Service Management Connector dashboard. 

1. Choose the **Share** icon and then select **Add users, groups, or roles**. 

1. Add the users, groups, or roles that require access to the dashboard. 

1. (optional) You can also restrict access to the reports available in the dashboard. For detailed instructions, review [ Administering reports](https://docs.servicenow.com/bundle/utah-now-intelligence/page/use/reporting/concept/c_AdminsteringReports.html) in the *ServiceNow product documentation*. 

# Enabling permissions on ServiceNow Platform


For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table. 

**To view AWS Service Catalog products (Catalog Item Category)**

1. Enter **Tables** in the Navigator and choose **System Definition**, then choose **Tables**.

1. In the list of tables, search for a table with label **Catalog Item Category** (or with the name `sc_cat_item_category`). The list of tables displays. 

1. Choose **Category** to view the form defining the table.

1. Choose the **Application Access** tab on the form and select **Can Create**, **Can Update**, and **Can Delete** on the form. 

1. Choose **Update**.

**To enable the connector to control visibility of Service Catalog products on Service Portal through Allowed Groups**

**Note**  
This step is only required if the Application Access is not already enabled in your ServiceNow instance. Additionally, Service Management Connector recommends that you enable the `User Criteria Scoped API` plugin. 

1. Enter **Tables** in the Navigator and choose **System Definition**, then choose **Tables**.

1. In the list of tables, search for a table with label **Catalog Item Available for** (or with the name `sc_cat_item_user_criteria_mtom`). The list of tables displays. 

1. Choose **Category** to view the form defining the table.

1. Choose the **Application Access** tab on the form and select **Can Create** and **Can Update** on the form. 

1. Choose **Update**.

# ServiceNow permissions for administrators of the Connector scoped app


The AWS Service Management scoped app has two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more users privileges to administer the application, without having to open full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

**To set up Connector application administrator privileges**

1. Enter **Users** in the navigator and select **System Security – Users**. 

1. Choose a user to grant one or both previous roles (such as admin). You can also [Administer the Now Platform](https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/general/concept/intro-now-platform-landing.html). 

1.  Choose **Edit** on the **Roles** tab of the form. 

1.  Filter the collection of roles by the prefix **x_126749_aws_sc**. 

1. Choose one or more of the following and add them to the user: **x_126749_aws_sc_account_admin**, **x_126749_aws_sc_portfolio_manager**, **x_126749_aws_sc.appregistry_manager**, **x_126749_aws_sc.automation_manager**, **x_126749_aws_sc.finding_manager**, **x_126749_aws_sc.opscenter_manager**, **x_126749_aws_sc.support_case_manager**, **x_126749_aws_sc.change_manager_manager**, **x_126749_aws_sc.productsearchaccess**, **x_126749_aws_sc.cloudtrail_event_user**, and **x_126749_aws_sc.health_dashboard_viewer**.

1.  Choose **Save**. 

**To add Service Catalog to ServiceNow Service Catalog categories**

1.  Choose **Self Service \$1 Service Catalog** and select the **Add content** icon in the upper right. 

1. Choose the **AWS Service Catalog Product** entry. To add it to your catalog home page, choose the first **Add Here** link on the second row of the selection panel at the bottom of the page. 

**To add AWS Systems Manager automation documents (runbook) to ServiceNow Service Catalog categories**

1. Choose **Self Service \$1 Service Catalog** and select the **Add content** icon in the upper right.

1. Select the **AWS Systems Manager** entry. To add it to your catalog home page, choose the first **Add Here** link on the second row of the selection panel at the bottom of the page.

**Note**  
 This Connector release displays all AWS Systems Manager documents in the AWS account that has AWS Systems Manager selected. 

System administrators can deactivate AWS Systems Manager document requests. To deactivate requests, choose **AWS Systems Manager**, **Automation Documents**, and deselect **Active**. After deactivation of the document, you no longer see the document in the ServiceNow Service Catalog. 

The Connector creates closed change requests on post provision actions (such as update, terminate and self-service) for AWS Service Catalog products visible in ServiceNow. 

To achieve a closed change request from post provisioned actions, add a change request type and configure the `sys_id` for the group assigned to the closed change records in the Connector AWS Service Catalog system properties.

**To add a change request type for closed change request from post provisioned actions**

1. If you upgrade from a previous version of the AWS Service Management scoped app, you must remove the **AWS Product Termination** change request type before you create a new change request type. 

1.  You must add a new change request type called **AWS Provisioned Product Event** for the scoped application to trigger an automated change request in Change Management. For more information, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html). 

1. Open an existing change request. 

1. Open (right-click) the context menu for **Type** and then choose **Show Choice List**. 

1.  Choose **New** and complete these fields: 
   + **Table**: **Change Request**
   + **Label**: **AWS Provisioned Product Event**
   + **Value**: **AWSProvisionedProductEvent**
   + **Sequence**: pick the next unused value

1. Submit the form.

**To add a change request type for executing AWS Systems Manager Change Manager change templates**

You must add a new change request type called `AWSChangeRequest` for the scoped application to view and execute AWS Change Manager change templates in ServiceNow Change Management. For more information, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html).

1. Open an existing change request.

1. Open (right-click) the context menu for **Type** and then choose **Show Choice List**.

1. Choose **New** and complete these fields:
   + Table: **Change Request**
   + Label: **AWS Change Request**
   + Value: **AWSChangeRequest**
   + Sequence: pick the next unused value

1. Submit the form.

**To enable AWS Systems Manager Change Manager integration Change models**

AWS Systems Manager Change Manager integration in ServiceNow requires the Change Model feature in ServiceNow.

1. In the navigator, enter **sys_properties.list**.

1. Enter **\$1change\$1model** in the **Search** panel to view and edit the properties. 

1. Review the available settings and recommendations in the table below.

**Note**  
For more information on Change model system properties, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html).


| Available settings | Desired value | 
| --- | --- | 
| com.snc.change_management.change_model.hide |  false  | 
| com.snc.change_management.change_model.type_compatibility |  true  | 


**ServiceNow Permissions Recap**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/sn-permissions-admin.html)

# Configuring AWS Service Management Connector scoped application


After installing and configuring the AWS Service Management Connector, you must configure the scoped application and applicable roles.

**To configure the AWS Service Management Connector scoped application permissions**

1. In your ServiceNow instance, create a user group called **Order_AWS_Products**. 

   Members of this group can order Service Catalog products. For instructions, see [Administer the Now Platform.](https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/general/concept/intro-now-platform-landing.html)

1. Grant ServiceNow permissions to these users: 
   + **System Administrator (admin)**: For simplicity in this example, user **admin** is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter: **x_126749_aws_sc_account_admin**, **x_126749_aws_sc_portfolio_manager**, **x_126749_aws_sc.appregistry_manager**, **x_126749_aws_sc.automation_manager**, **x_126749_aws_sc.finding_manager**, **x_126749_aws_sc.opscenter_manager**, **x_126749_aws_sc.support_case_manager**, **x_126749_aws_sc.change_manager_manager**, **x_126749_aws_sc.productsearchaccess**, **x_126749_aws_sc.cloudtrail_event_user**, and **x_126749_aws_sc.health_dashboard_viewer**.

     Add **System Administrator** to the new ServiceNow group **Order_AWS_Products**. In a real scenario, these roles would likely be granted to different users or groups. 
   + **Abel Tuter**: The user **abel.tuter** is an illustrative end user. Grant Abel the new role **Order_AWS_Products**. This permission allows Abel to order products from AWS.

# Configuring AWS accounts to synchronize in the Connector


Learn how to configure AWS accounts to synchronize in the Connector. 

1. Log in as the system administrator. 

1. Enter **AWS** in the navigator. Choose the **AWS Service Management** scoped app.

1. In the **Accounts** menu, create one entry for every AWS account. Use the keys and secret keys from the users you created in AWS. 

**To create an account entry**

1. Enter the name as an account entry identifier, such as **Connector_Demo** (for Commercial Region), or **Connector_Demo_GovCloud** (for GovCloud Region).

1. Enter the access key and secret access key from the AWS account *sync user* IAM configurations.

1. Enter the access key and secret access key from the AWS account *end user* IAM configurations.

1. Choose the visible AWS service integrations for this AWS account. The choices include:
   + Integrate with Service Catalog (including AppRegistry)
   + Integrate with AWS Config

     Choose AWS Config if you plan to integrate AWS Config cloud resources per each AWS account or through the latest AWS Config aggregator integration feature. The Connector for ServiceNow includes an AWS Config aggregator feature that enables ServiceNow administrators to align aggregated AWS Config details into one AWS account.

     If you plan to view AppRegistry related resources details, choose **AWS Config** with **AWS Service Catalog**.
   + Integrate with AWS Systems Manager Automation

     Choose AWS Systems Manager Automation if you want to execute automation documents (runbook) to remediate incidents from OpsItems. 
   + Integrate with AWS Systems Manager OpsCenter
   + Integrate with AWS Security Hub CSPM
   + Integrate with Support
   + Integrate with AWS Systems Manager Change Manager
   + Integrate with AWS Health
   + Integrate with AWS Systems Manager Incident Manager

1. Choose **Account Regions**. Select the **Commercial** or **GovCloud Region**. To see the AWS account Regions, double-click **Insert a new row…**. 
**Note**  
AWS Support API uses a specific GovCloud endpoint for GovCloud accounts to enable Support integration for GovCloud accounts. Choose a GovCloud Region in Account Regions when you onboard the account in ServiceNow. 

1. Repeat the step above to insert additional Regions.

1. Save or update the account entries.

1. Validate AWS account connectivity by following the steps in [Validating connectivity to AWS Regions](validate-regions.md). Note that in this Connector for ServiceNow, **Validate Accounts** only appears once after you submit or update the account entry. 
**Note**  
AWS Service Management Connector allows synchronization of updated keys using any automation or integration through a REST endpoint. For more information, see [Syncing updated keys programmatically in ServiceNow](sn-sync-keys.md). 

# Validating ServiceNow connectivity to AWS Regions


You can now validate connectivity to AWS accounts between the ServiceNow **Connector_Demo** account and the AWS IAM `SMSyncUser` and `SMEndUser`. 

**To validate connectivity to AWS account**

1.  In the AWS Service Management scoped app, choose **Setup**, then **AWS Accounts**. 

1. Choose **Connector_Demo** and select **Validate Account**. 

   A successful connection results in the message, *Successfully validating AWS account in each referenced Region*. 

 If the AWS IAM access key or secret access key are incorrect, you receive an error message. 

# Manually syncing scheduled jobs


The Connector for ServiceNow includes nine sync jobs related to AWS services integrations. During the initial setup, manually execute the sync job for your AWS service integration instead of waiting for Scheduled Jobs to run.

**To sync AWS service integrations or accounts manually**

1.  Log in as system administrator. 

1.  Find **Scheduled Jobs** in the navigator panel. 

1.  Search the following AWS Service Management Connector scheduled jobs (including default sync intervals) in the table below:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/manual-sync-scheduled-jobs.html)

1. Choose the desired sync job, and choose **Execute Now**.
**Note**  
If you do not see **Execute Now** in the upper left corner, choose **Configure Job Definition**. **Execute Now** is then visible. The ServiceNow administrator can adjust the Scheduled Job repeat interval as required.

Data is visible in the AWS Service Management scoped app menus after the Connector’s scheduled synchronization job has run.

# AWS Service Catalog in ServiceNow

After you create two IAM users with baseline permissions in each account, the next step is to configure AWS Service Catalog. 

Use the Amazon S3 template in [Creating an Amazon S3 Bucket for Website Hosting for your preliminary product](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-s3.html#scenario-s3-bucket-website). Copy and save the Amazon S3 template to your device.

For an interactive workshop using ServiceNow, review the [ServiceNow Connector workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/d40750d7-a330-49be-9945-cde864610de9/en-US/5-itsm/getting-started) in the *AWS workshop studio*. 

**Topics**
+ [Configuring AWS Service Catalog](sn-config-sc.md)
+ [Configuring AWS Service Catalog in ServiceNow](sn-config-sn.md)
+ [Using service integration features to validate AWS Service Catalog integration in ServiceNow](sn-sc-validate.md)
+ [Viewing products in the Standard User Interface (Fulfiller View)](view-products.md)
+ [Ordering Service Catalog products through the ServiceNow Service portal](service-portal.md)

# Configuring AWS Service Catalog

This section provides the configurations you need to integrate AWS services in ServiceNow. 

**To configure Service Catalog**

1. Follow the steps to [create a Service Catalog portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/portfoliomgmt-create.html). 

1. To add the Amazon S3 bucket product to the portfolio you created in Step 1, go to the Service Catalog console. In the **Upload new product** page, enter the product details.

1. For **Select template**, choose the Amazon S3 bucket CloudFormation template you saved to your device.

1. Set **Constraint type** to **Launch** for the product that you created now with the `SCConnectLaunch` role in the baseline permissions. For additional launch constraint instructions, see [AWS Service Catalog Launch Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html).
**Note**  
The AWS configuration design requires each Service Catalog product to have a launch constraint. Failure to follow this step could result in an *Unable to Retrieve Parameter* message in the ServiceNow Service Catalog. 

1. Add the SMEndUser user to the Service Catalog portfolio. For additional user access instructions, see [Granting Access to Users](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_users.html). 

**Note**  
 The AWS configuration design requires each Service Catalog product to have either a launch constraint or a stack set constraint. Failure to follow this step could result in an *Unable to Retrieve Parameter* error in the ServiceNow Service Catalog. 
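The following check is an added example, not part of the AWS documentation or the Connector's own code. It flags products in a portfolio that have neither a launch nor a StackSet constraint, the condition the note above ties to the *Unable to Retrieve Parameter* error. It assumes boto3 and a caller allowed to use `servicecatalog:SearchProductsAsAdmin` and `servicecatalog:ListConstraintsForPortfolio`; the sample IDs are constructed.

```python
"""Audit a Service Catalog portfolio for products without a LAUNCH or
STACKSET constraint (added example; sample data below is constructed)."""

# Constraint types that satisfy the Connector's requirement.
REQUIRED_TYPES = {"LAUNCH", "STACKSET"}

# Constructed sample data in the shape returned by SearchProductsAsAdmin
# (ProductViewDetails) and ListConstraintsForPortfolio (ConstraintDetails).
SAMPLE_PRODUCTS = [
    {"ProductViewSummary": {"ProductId": "prod-EXAMPLE0001", "Name": "s3-website"}},
    {"ProductViewSummary": {"ProductId": "prod-EXAMPLE0002", "Name": "ec2-linux"}},
    {"ProductViewSummary": {"ProductId": "prod-EXAMPLE0003", "Name": "vpc-baseline"}},
    {"ProductViewSummary": {"ProductId": "prod-EXAMPLE0004", "Name": "rds-small"}},
]
SAMPLE_CONSTRAINTS = [
    {"ConstraintId": "cons-a", "Type": "LAUNCH", "ProductId": "prod-EXAMPLE0001"},
    # A template constraint alone does not satisfy the requirement.
    {"ConstraintId": "cons-b", "Type": "TEMPLATE", "ProductId": "prod-EXAMPLE0002"},
    {"ConstraintId": "cons-c", "Type": "STACKSET", "ProductId": "prod-EXAMPLE0003"},
]


def products_missing_constraint(products, constraints):
    """Return sorted product IDs with no LAUNCH or STACKSET constraint."""
    covered = {
        c["ProductId"]
        for c in constraints
        if c.get("Type") in REQUIRED_TYPES and c.get("ProductId")
    }
    all_ids = {p["ProductViewSummary"]["ProductId"] for p in products}
    return sorted(all_ids - covered)


def _paginate(call, result_key, **kwargs):
    """Follow NextPageToken until the API reports no further pages."""
    items, token = [], None
    while True:
        extra = {"PageToken": token} if token else {}
        page = call(**kwargs, **extra)
        items.extend(page.get(result_key, []))
        token = page.get("NextPageToken")
        if not token:
            return items


def fetch_portfolio(portfolio_id, client=None):
    """Return (products, constraints) for one portfolio.

    `client` is a boto3 Service Catalog client; one is created from the
    default credential chain when none is passed.
    """
    if client is None:
        import boto3  # imported lazily so the pure check runs without boto3

        client = boto3.client("servicecatalog")
    products = _paginate(
        client.search_products_as_admin, "ProductViewDetails",
        PortfolioId=portfolio_id,
    )
    constraints = _paginate(
        client.list_constraints_for_portfolio, "ConstraintDetails",
        PortfolioId=portfolio_id,
    )
    return products, constraints


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        prods, cons = fetch_portfolio(sys.argv[1])  # real portfolio ID
    else:
        prods, cons = SAMPLE_PRODUCTS, SAMPLE_CONSTRAINTS  # constructed data
    for pid in products_missing_constraint(prods, cons):
        print(f"{pid}: no LAUNCH or STACKSET constraint")
```

Run it with a portfolio ID as the only argument to audit a real portfolio, or with no argument to see the result on the constructed sample.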

# Creating StackSet constraints


CloudFormation StackSets enable users to create and deploy products across multiple accounts and Regions. 

**To apply a stack set constraint to a Service Catalog product**

1. As a catalog admin in Service Catalog, choose the portfolio that contains the product.

1. Expand **Constraints** and choose **Add constraints**.

1. Choose the product from **Product** and set **Constraint type** to **Stack Set**. Choose **Continue**.

1. On the StackSet constraint page, enter a description.

1. Choose the account(s) in which you want to create products.

1. Choose the Region(s) in which you want to deploy products. Products deploy in these Regions in the order you specify.

1. Choose the following:

   **`AWSCloudFormationStackSetAdministrationRole`** to manage your target accounts.

   **`AWSCloudFormationStackSetExecutionRole`** for the role the Administrator will assume.

1. Choose **Submit**.

# Relating budgets to products and portfolios


 The Connector for ServiceNow enables ServiceNow administrators to view budgets related to Service Catalog products and portfolios. Service Catalog administrators can create or associate existing budgets to products and portfolios. 

 For more information on creating and associating budgets, see [Managing Budgets.](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_budgets.html) 

# Service Catalog Terraform Open Source product type support


AWS Service Management Connector supports AWS Service Catalog's Terraform open source product type. For more information, review [Getting started with Terraform product](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-Terraform.html) in the *AWS Service Catalog admin guide*. 

As of the 4.8.5 release, you can provision AWS Service Catalog products and their resources using either [AWS CloudFormation](https://aws.amazon.com/cloudformation/) or [Hashicorp Terraform](https://www.terraform.io/) (Terraform open source). 

The **CloudFormation** product type in AWS Service Catalog allows you to request provisioning, create provisioned product plans, perform self-service actions, and request termination or update for the provisioned product. The connector also dynamically makes API calls to list available parameters such as VPC ID, Subnet IDs, and Security Groups in a drop down format. 

When provisioning fails for a CloudFormation product, the provisioned product **Status** changes to `TERMINATED`. 

The **Terraform open source** product type in AWS Service Catalog allows you to request provisioning for Terraform open source products as well as request termination or update for the provisioned product. 

**Note**  
The Terraform open source product type does not support self-service actions and provisioned product plans. 

When the provisioning fails for a Terraform open source product, the provisioned product **Status** changes to `TAINTED`. 

# Configuring AppRegistry


To configure AppRegistry, follow the steps in the [AWS Service Catalog AppRegistry Administrator Guide](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html).

# Configuring AWS Service Catalog in ServiceNow


This section provides the configurations you need to integrate AWS Service Catalog in ServiceNow.

**Topics**
+ [Configuring the AWS Service Catalog product widget components and assignment group for closed change records](configure-sc-widget.md)
+ [Granting access to AWS Service Catalog portfolios](grant-access-portfolios.md)
+ [Configuring AWS tags for provisioned products](configure-aws-tags.md)
+ [Adding the My AWS Products widget to the Service Portal view](add-aws-product-widget.md)
+ [Activate AWS Service Catalog portfolio categorization in ServiceNow Service Portal](sc-portfolio-categorization.md)
+ [Viewing budgets related to Service Catalog portfolios and products](view-budgets.md)

# Configuring the AWS Service Catalog product widget components and assignment group for closed change records


To address the varying personas of end users requesting AWS products, the Connector for ServiceNow includes a scoped app setting to enable or disable components of the AWS product widget. By default, all AWS product components are active. 

**To modify the AWS product view**

1.  In the navigator, enter **System Properties** and select **Service Catalog**. 
**Note**  
Make sure you are in the AWS Service Management Connector scoped application mode. 

1.  Deselect any AWS product component to enable: 
   +  Editing of the Service Catalog product name. 
   +  Selection of launch options for Service Catalog Products. (This component is only visible if the AWS product has more than one launch path.) 
   +  Selection of product versions for Service Catalog. (This component is only visible if the AWS product has more than one product version.) 
   +  Tags for Service Catalog products. 
   +  Plans (ChangeSet) creation for product. (If set to false the plan section is not visible.) 

1.  Choose **Save**. 

The AWS Service Catalog system properties also include a section that identifies an assignment group. This group associates with closed change records from post provision actions of products (such as terminate, update, or self-service actions). 

**To associate the assignment group for change records from AWS Service Catalog post provision actions**

1. In the navigator, enter **System Properties** and choose **AWS Service Catalog**. Make sure you are in the AWS Service Management Connector scoped application mode.

1. Choose the section **Set the ‘assignment group’ sys_id or name that the connector will use when creating change requests**. 

1. Enter the assignment **group sys_id**. 

   If you need to find the `group sys_id`, enter **System Security** in the left navigator.

1. Choose **Groups** module.

1. Search for the **Group** name.

1. Choose the group that you want to associate with closed change records and choose **Copy sys_id**. You are now able to paste the copied `sys_id` into the AWS Service Catalog Properties for the Connector under **Set the ‘assignment group’ sys_id or name that the connector will use when creating change requests**.

   If the `sys_id` is blank, the change record sends a message that no assignment group exists for the record, which causes change requests created from the Connector to be in an open state. 

# Granting access to AWS Service Catalog portfolios


This release of the Connector does not require you to link AWS identities to ServiceNow roles. To grant access to Service Catalog products in ServiceNow, you must establish a link between the Service Catalog portfolios and the ServiceNow group (for example, **Order_AWS_Products** from an earlier installation example).

**To grant access to Service Catalog portfolios in ServiceNow**

1. In the AWS Service Management scoped app, choose **Service Catalog**, then the **Portfolios** module. 

1. Choose the desired Portfolio ARN. You can double-click the Service Catalog portfolio name. 

1. Choose the **Allowed Groups** tab.

1.  Choose **New** and enter the **Group** named **Order_AWS_Products**. 

1.  Choose **Submit**. 

# Configuring AWS tags for provisioned products

The AWS Service Management Connector enables ServiceNow administrators to add tags (metadata) to provisioned products globally across the scoped app or granularly at the portfolio level. These tags are not visible to end users. 

Three tag types are available in this release:
+ Generic tags in which the administrator can enter the key and value.
+ ServiceNow Request Item tags in which the admin can enter the syntax for Key and Value in the table below. 
+ ServiceNow table(s) values that end users can select as tags for provisioned AWS resources. This release now enables administrators to identify any ServiceNow tables, such as Cost center or Department, and makes values from that table selectable for end users. 
**Note**  
Generic tags (from administrators) and ServiceNow Request Item tags are not viewable by end users.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/configure-aws-tags.html)

**To add generic AWS tags to Service Catalog provisioned products in ServiceNow**

1.  In the AWS Service Management scoped app, choose **Setup**, then the **Automated Tags** module. 

1.  Choose **New**. 

1.  For Global tags, enter the Key and Value entries and choose **Submit**. 

1.  For Portfolio tags, deselect **Global check**. The **Portfolio** field appears. 

   Choose the Service Catalog portfolio, enter the Key and Value entries, and choose **Submit**. 

**To add in-scope ServiceNow request item AWS tags to Service Catalog provisioned products derived from ServiceNow**

1.  In the AWS Service Management scoped app, choose **Setup**, then the **Automated Tags** module. 

1.  Choose **New**. 

1.  For Global tags, enter the specific Key and Value entries for either User or Request Item Number, and choose **Submit**. 

1.  For Portfolio tags, deselect **Global check**. The Portfolio field appears. Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose **Submit**. 

**To add tags to AWS provisioned products from ServiceNow tables and fields that are selectable by end users**

1. In the AWS Service Management scoped app, choose **Setup**, then the **Automated Tags** module. 

1. Choose **New**. 

1. Choose **Selectable by End User**. 

1. Choose a table from the dropdown list: **Table Name**. 

1. Choose a field from the dropdown list: **Table Field**. 

1. [Optional] Add a filter for the table selected using the **Table Filter** field.

1. For Global tags, enter the Key and Value entries and choose **Submit**. 

1. For Portfolio tags, deselect **Global check**. The **Portfolio** field appears. 

   Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose **Submit**. 

   The ServiceNow table and field value appear on the AWS Product (ServiceNow catalog item). It is a required value prior to ordering. After product provisioning, you can see in the AWS console that these tags associate with the resource.

# Adding the My AWS Products widget to the Service Portal view


We recommend ServiceNow administrators add the **My AWS Products** widget to the ServiceNow Portal view. The widget enables users to view their AWS product requests, view outputs, and perform post-operational actions such as update, terminate, and service actions (AWS Systems Manager documents). 

**To include the My AWS Products widget on the Service Portal view**

1.  Log in as system administrator in the ServiceNow standard user interface (Fulfiller view). 

1.  In the navigator panel, find **Service Portal**. 

1.  Choose **Service Portal Configuration**. 

1. Choose **Designer**. 

1. Search for **Service Portal** in the filter. 

1.  Choose the **Service Portal** box with a house image and the word **Index** in the lower right corner. 

1.  In the left panel in **Widgets**, enter **My AWS Products** in the **Filter Widget**. 

1.  Drag the widget to the Service Portal edit view to your desired location. 

1.  Preview your changes. 

**To include the Search AWS Products widget on the Service Portal view**

1. Log in as system administrator in the ServiceNow standard user interface (Fulfiller view).

1. In the navigator panel, find **Service Portal**.

1. Choose **Service Portal Configuration**.

1. Choose **Designer**.

1. Search for Service Portal in the filter.

1. Choose the Service Portal box with a house image and the word Index in the lower right corner.

1. In the left panel in **Widgets**, enter **AWS Custom Product Search** in the **Filter Widget**.

1. Drag the widget to the Service Portal edit view to your desired location.

1. Preview your changes.

**Note**  
Ensure that the end user has **x_126749_aws_sc.productsearchaccess** to view and use the widget. 

# Activate AWS Service Catalog portfolio categorization in ServiceNow Service Portal


AWS Service Management Connector can display portfolios with an additional categorization of AWS account and Region names in the ServiceNow Service Portal. This allows you to identify the account and Region a portfolio and its product belong to if the end user has access to multiple portfolios with the same name. 

**To activate Portfolio categorization in ServiceNow Portal**

1. Log in as system administrator.

1. In the **System Properties** menu, choose **AWS Service Catalog**. 

1. In the option **If set to Account/Region/Portfolio, the hierarchy of categories created will be set to portfolio, region and account. If set to Portfolio, only portfolio category will be created**, choose **Account/Region/Portfolio**. 

1. In the **System Definition** menu, choose **Scheduled Jobs**. 

**To activate Portfolio categorization for existing users**

1. In the **System Definition** menu, choose **Scheduled Jobs**. 

1. Select the scheduled job, and then choose **Synchronize AWS Service Catalog**. 

1. In the **Active** field, choose **False**, and then choose **Update**. 

1. In the **System Definition** menu, choose **Fix Script**. 

1. Select the fix script, and then choose **AWS Service Catalog Category Delete**, and then choose **Run Fix script**. 

1. Follow the steps in *To activate Portfolio categorization in ServiceNow Portal* above. 

# Viewing budgets related to Service Catalog portfolios and products


ServiceNow administrators can view budgets and actual costs related to Service Catalog portfolios and products in the ServiceNow standard user interface.

**To view portfolio budgets**

1.  Log in as system administrator. 

1.  In the navigator panel, search for **Service Catalog**. 

1.  Choose the **Portfolios** module. 

1.  Choose the Service Catalog portfolio that contains an associated budget. 

1.  Choose the **Budget** tab. 

**To view product budgets**

1.  Log in as system administrator. 

1.  In the navigator panel, search for **Service Catalog**. 

1.  Choose the **Products** module. 

1.  Choose the Service Catalog product that contains an associated budget. 

1.  Choose the **Budget** tab. 

# Using service integration features to validate AWS Service Catalog integration in ServiceNow

 This section describes how you can use service integration features to validate AWS Service Management Connector for ServiceNow installation. 

**To order a Service Catalog product**

1. Log in to your ServiceNow instance as the end user (for this example, Abel Tuter). 

1. Enter **Service Catalog** in the navigation filter and choose **Service Catalog**. 

1. Choose the **AWS Service Catalog S3 Storage** product to provision. 

1. Enter the product request details, including product name, parameters, and tags. 

1.  Choose **Order Now** to submit the ServiceNow request and provision the Service Catalog product. 

   After approximately one minute, you receive an order status acknowledging the submission.

**To view provisioned products**

End users can view products in two places on the ServiceNow portal: **request items (Requests)** or **My AWS Service Catalog Products** widgets. 

**To view products in Service Portal Requests**

1. Choose **Requests** in the home page navigation bar.

1. Choose the request item with the Service Catalog product and request the item number.

**Note**  
AWS product events and outputs update the request item. When you terminate the AWS product, the ServiceNow request item enters a state of **Closed Complete**. 

**To view products in the My AWS Products widget Service Portal Requests**

1. In the **My AWS Products** widget, choose the AWS Select product name on the request form.

1. View **Status and Product Events**.

1. If you want to perform post-provisioned operational actions, choose **Request Update**, **Request Self-Service Action**, or **Terminate**.

**To override workflows on Portfolios**

1. Log in to your ServiceNow fulfiller view (standard user interface).

1. Enter **AWS Service Catalog** in the navigation filter and choose **Portfolios**.

1. Choose **Display Name** to open a portfolio.

1. Select the required workflow from the search to set **Workflow Override**. 

1. Choose **Update**.

**To view AppRegistry applications**

1. Log in to your ServiceNow fulfiller view (standard user interface). 

1. Enter **AWS Service Catalog** in the navigation filter and choose **AppRegistry Applications**.

1. Choose the AppRegistry application.

**To view AppRegistry attribute groups**

1. Log in to your ServiceNow fulfiller view (standard user interface). 

1. Enter **AWS Service Catalog** in the navigation filter and choose **AppRegistry Attribute Groups**.

1. Choose the AppRegistry attribute group. 

## Video: Integrate AWS Products into Your ServiceNow Portal with the AWS Service Management Connector


This video (18:33) describes how to integrate AWS products in your ServiceNow Portal with the AWS Service Management Connector.

[![AWS Videos](http://img.youtube.com/vi/YCvNK-fzgoc/0.jpg)](http://www.youtube.com/watch?v=YCvNK-fzgoc)


# Viewing products in the Standard User Interface (Fulfiller View)

 View provisioned products as an end user and from the scoped app as an administrator. 

**To view provisioned products as an end user**

1.  Choose **My Assets** in the ServiceNow standard user interface. 

1.  In **My Asset Requests**, view the requests. 

1.  To view the product, personalize the list view to show the associated configuration item. 

   To show the items, choose **Settings** in the header row of the table of asset requests. 

1. Choose **Configuration item (configuration_item)**. Then use the **>** icon to add it to the view. 

   Move the configuration item to below **Stage** in the list. You can see it (the ordered product) in the list of assets. 

1.  To view the product, choose the configuration item name. 

1.  In the **Outputs** tab of the form, view the **Outputs** for the provisioned product. 

1. In the **Product Events** tab of the form, view the provisioning history of the product. 

**To view provisioned products from the scoped app as an administrator**

1.  Log in to your ServiceNow instance as the end user (for example, Abel Tuter). 

1.  Enter **Service Catalog** in the navigation filter and choose **Provisioned Products**. The user interface view displays the provisioned products. 

1.  Choose a provisioned product to view the current status. You can also select post-provisioned actions such as **Request Update** and **Request Termination**, as well as associated service actions. 

# Ordering Service Catalog products through the ServiceNow Service portal

 The Connector for ServiceNow supports the ordering of Service Catalog products through Service Portal. You can use the **Service Catalog** and **Order Something** views. The release also includes pages and widgets you can add to Service Portal that enable users to view their provisioned products. 

**Note**  
The audience for the Service Portal Features section is a ServiceNow administrator or equivalent. The ServiceNow user requires permissions to modify the Service Portal.

## Service portal widgets


 The Connector for ServiceNow includes widgets you can add to your Service Portal. It also includes two alternative view Portal Pages for the following: 
+ **My AWS Products** – Overview of all provisioned products the user owns
+ **AWS Product Details** – Details of a single provisioned product
+ **Search AWS Products** – Search for AWS Service Catalog products by providing AWS account, Region, and portfolio details.

To access the new widgets, update the Service Portal Designer.

**To update the Service Portal Designer**

1. Go to [Create and edit a page using the Service Portal Designer](https://docs.servicenow.com/bundle/kingston-servicenow-platform/page/build/service-portal/task/t_ConfigureAPage.html).

1.  Following the instructions, choose the **Service Portal Index** page. 

1.  Under the **Order Something** container, add the **My AWS** widget. 

   The new widget appears on your main Service Portal view.

## Service portal pages


 This section describes the two new pages available in the Service Portal Beta release of the AWS Service Management Connector: **My AWS Products** and **AWS Product Details**. You can add links to these pages on the Service Portal home page or other pages by using the usual page configuration mechanism in Service Portal. 

**My AWS Products**  
An overview of all provisioned products that the user owns. Terminated products display separately from current products in a collapsed panel on the initial page load. 

Use the following format to access the **My AWS Products** page. 

```
http://<insertinstancename>.service-now.com/sp?id=aws_sc_pp
```

**AWS Product Details**  
Details of a single provisioned product.

Use the following format to access the **AWS Product Details** page:

```
http://<insertinstancename>.service-now.com/sp?id=aws_sc_pp_details&sys_id=<provisioned product id>
```

**Search AWS Products**

Search feature for AWS Service Catalog products

Use the following format to access the **Search AWS Products** page:

```
http://<insertinstancename>.service-now.com/sp?id=aws_sc_product_search
```

**Note**  
Ensure that the end user has **x_126749_aws_sc.productsearchaccess** to view and use this service portal. 

# AWS Config in ServiceNow

This section shows you how to use AWS Config to integrate to ServiceNow.

To allow the Connector to synchronize Config data for a given Region, you must enable AWS Config in that Region. For more information, see [Setting Up AWS Config with the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html).

AWS Service Management Connector for ServiceNow enables ServiceNow administrators to specify select ServiceNow tables as custom resources within AWS Config.

To set up these resources, use the preconfigured files in the Connector. These required files include the custom resource schema. 

**Topics**
+ [Configuring system properties, aggregators, and custom resources](sn-configuration-integ.md)
+ [Validating AWS Config integration in ServiceNow](sn-validate-config.md)
+ [Updating the AWS Load Balancer resource details in the ServiceNow CMDB](update-balancer.md)

# Configuring system properties, aggregators, and custom resources


This version of the AWS Service Management Connector enables ServiceNow administrators to configure system properties, Config Aggregators, and AWS Config custom resources from select ServiceNow tables.

**To configure the new AWS Config integration System properties**

1. In the navigator, enter **AWS Service Management**.

1. Choose **System Properties**, and then choose **AWS Config**. 

1. Review the available settings and recommendations in the table below.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/sn-configuration-integ.html)

# Validating the synchronization of Amazon WorkSpaces from AWS Config


 Validate the synchronization of Amazon WorkSpaces in AWS Config by executing a scheduled job. 

**To validate the synchronization of Amazon WorkSpaces in AWS Config**

1. Execute the scheduled job **synchronize Amazon WorkSpaces** manually. 

1. Navigate to **AWS Config**, and then choose **WorkSpaces**. 

1. Validate the data.

**Note**  
Amazon WorkSpaces synchronization is only supported for stand-alone accounts, not for AWS Config Aggregator accounts.   
The **SyncUser** role must include the `DescribeWorkSpacesPolicy` for the synchronization to execute successfully. 

# Addressing stale AWS Config items in the ServiceNow CMDB


**Note**  
ServiceNow administrators are the target audience for this section.

In addition to the AWS Config settings, AWS SMC for ServiceNow now exposes a global API to identify stale config items from the AWS Config integration. 

Stale Config items are the existing AWS Config items that did not update during the most recent sync for the same source (such as account, Region, and Aggregator name). 

**Note**  
This feature requires you to enable the creation relationship to sync the status setting in the AWS Config System Properties in the ServiceNow scoped app.

The script include `x_126749_aws_sc.AwsSmc` exposes a public API that you can call from any application scope, including *global* scope. As an example, run this script:

```
// Log one line per stale config item: source (account/Region/aggregator), CI name, install status.
x_126749_aws_sc.AwsSmc.asSyncUser().getStaleConfigItems().forAll(function (object) {
  gs.info(
    object.accountNumber + '/' + object.region + ' '
    + (object.aggregatorName ? 'aggregator: ' + object.aggregatorName + ' ' : '')
    + 'ci: ' + object.ci.name
    + ' - ' + object.ci.getDisplayValue('install_status')
  );
});
```

As a background script, it would log the following: 

```
Info: 11111111/us-east-1 ci: i-1234567fg6j8 - Installed
Info: 11111111/us-west-1 ci: i-9876541fdgfd - Installed
Info: 22222222/eu-west-1 aggregator: all-dev ci: i-1df5235ftt55 - Installed
```

Each *object* contains the properties below: 



| Property  | Type  | Description  | 
| --- | --- | --- | 
| accountNumber  | String  | The account number from which the stale config item originates.  | 
| region  | String  | The Region from which the stale config item originates. | 
| aggregatorName  | String  | The Aggregator name (if applicable) from which the stale config item originates. | 
| lastSynced  | GlideDateTime | The GlideDateTime of when the last synchronization occurred.  | 
| ci | GlideRecord | The GlideRecord of the stale config item.  | 

Optionally, you can also pass an `options` object as the second argument to the `forAll` method that allows you to customize the search for stale items.


| Property  | Type  | Description | 
| --- | --- | --- | 
| lowerTimeLimit | GlideDateTime  | The threshold GlideDateTime from which to search for items. Any stale item last updated prior to that date is not returned.  | 
| upperTimeLimit | GlideDateTime | The threshold GlideDateTime until which to search for items. Any item last updated after that date is not returned. | 
| excludeStatus  | Number  | The install_status to filter on.  | 

Timestamps of sync resources: 
+ `LastSyncTimeField` (default `checked_in`): The start of the current sync process. 
+ `first_discovered` (for new records): The current time. We set the `LastDiscoveredField` (default `last_discovered`) to the `configurationItemCaptureTime` of the resource, if it exists or is undefined. 

**Additional notes on stale records**

When AWS Service Management Connector reads AWS Config records that refer to other resources, it often creates a relationship to those resources. 

In some cases, the related resource does not have an entry in the ServiceNow CMDB. In these cases, the Connector creates a record for that relationship, with an install status of *absent*. When the Connector reads the AWS Config record for the related resource, that record populates. 

To see active resources, you should filter ServiceNow records synced from AWS Config by an install status of *not Absent*.
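The per-item logging shown earlier gets noisy on a large CMDB. The following added example (not part of the Connector or its documentation) groups stale items by sync source and passes the `options` object to `forAll`. The helper names, the 30-day window, and the value `100` for the *Absent* install status are assumptions to check against your instance.

```javascript
// Added example: summarize stale AWS Config CIs per sync source.
// Written in ES5 so it runs as a ServiceNow background script; under Node it
// falls back to the constructed sample data defined below.

var DAY_MS = 86400000;
// Assumption: choice value of install_status "Absent" on this instance.
var ABSENT_STATUS = 100;

// Fold one stale-item object (shape from the property table above) into a
// summary map keyed by account/Region[/aggregator].
function addStaleItem(summary, item, nowMs) {
  var key = item.accountNumber + '/' + item.region +
    (item.aggregatorName ? '/' + item.aggregatorName : '');
  var ageDays = Math.floor((nowMs - item.lastSynced.getNumericValue()) / DAY_MS);
  var entry = summary[key] || (summary[key] = { count: 0, oldestDays: 0, names: [] });
  entry.count += 1;
  if (ageDays > entry.oldestDays) {
    entry.oldestDays = ageDays;
  }
  entry.names.push(String(item.ci.name));
  return summary;
}

// Summarize an array of stale-item objects.
function summarize(items, nowMs) {
  var summary = {};
  items.forEach(function (item) { addStaleItem(summary, item, nowMs); });
  return summary;
}

// One report line per source, sorted so successive runs can be compared.
function formatSummary(summary) {
  return Object.keys(summary).sort().map(function (key) {
    var e = summary[key];
    return key + ': ' + e.count + ' stale, oldest sync ' + e.oldestDays +
      'd ago (' + e.names.join(', ') + ')';
  });
}

// Constructed sample items, loosely mirroring the log lines above.
function constructedItem(account, region, aggregator, name, syncedMs) {
  return {
    accountNumber: account,
    region: region,
    aggregatorName: aggregator,
    lastSynced: { getNumericValue: function () { return syncedMs; } },
    ci: { name: name }
  };
}
var SAMPLE_NOW = Date.UTC(2024, 0, 31);
var SAMPLE_ITEMS = [
  constructedItem('11111111', 'us-east-1', '', 'i-1234567fg6j8', SAMPLE_NOW - 3 * DAY_MS),
  constructedItem('11111111', 'us-east-1', '', 'i-0000000example', SAMPLE_NOW - 12 * DAY_MS),
  constructedItem('22222222', 'eu-west-1', 'all-dev', 'i-1df5235ftt55', SAMPLE_NOW - 1 * DAY_MS)
];

if (typeof x_126749_aws_sc !== 'undefined') {
  // ServiceNow: only items that went stale in the last 30 days, skipping the
  // Absent placeholder records described above (assumes excludeStatus drops them).
  var lower = new GlideDateTime();
  lower.addDaysUTC(-30);
  var nowMs = new GlideDateTime().getNumericValue();
  var live = {};
  x_126749_aws_sc.AwsSmc.asSyncUser().getStaleConfigItems().forAll(function (object) {
    addStaleItem(live, object, nowMs);
  }, { lowerTimeLimit: lower, excludeStatus: ABSENT_STATUS });
  formatSummary(live).forEach(function (line) { gs.info(line); });
} else {
  // Outside ServiceNow: run the same summary over the constructed sample.
  formatSummary(summarize(SAMPLE_ITEMS, SAMPLE_NOW)).forEach(function (line) {
    console.log(line);
  });
}
```

A source whose stale count keeps growing between runs usually means resources are being terminated in AWS without the CMDB record being retired.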

**Disclaimer**

Because the script compares items linked to stale sync records, it is unable to identify stale resources synced before the installation of this SMC version. When switching to sync with an Aggregator or switching from Aggregator sync to non-Aggregator sync, the script also fails to detect items that became stale between the last non-Aggregator sync and the first Aggregator sync.

# Configuring synchronization of AWS Config data using an Aggregator in ServiceNow CMDB


**Prerequisite**: You need to opt in and configure the AWS account that contains the aggregated AWS Config resource details prior to performing the steps below. For more information, see [Configuring AWS Accounts to Synchronize in the Connector](sn-configure-accounts.md). 

**To configure the Connector to use an Aggregator to synchronize AWS Config data**

1. In the AWS Service Management scoped app, choose the **Setup** module.

1. Choose **Aggregators for AWS Config**.

1. Choose **New**.

1. Enter the name of the new Config Aggregator.

1. Choose the Region where you created the new Config Aggregator.

1. Choose the AWS account that should use the new Aggregator. Only AWS accounts opted into the Connector for ServiceNow that have **Integrate with AWS Config** are viewable. 

1. Choose **Submit**.

   If you define an Aggregator for an AWS account and Region, the Aggregator integration becomes the only AWS Config to ServiceNow CMDB synchronization mechanism for that AWS account. 

The Connector can now synchronize Config data from multiple accounts and Regions using an Aggregator. You must configure the Config Aggregator in AWS before using this feature. For more information, see [Setting up an Aggregator](https://docs.aws.amazon.com/config/latest/developerguide/setup-aggregator-console.html) in the console. 

**Note**  
The Config Aggregator view in AWS displays only current config item resources in AWS Config. Thus, terminated resources are not available in the Config Aggregator view.   
To minimize stale config item records from rendering in the ServiceNow CMDB from the AWS Config Aggregator, we recommend you remove Config rules associated to terminated resources. For more information, see [Evaluating Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html). 

# Configuring available ServiceNow tables to sync as AWS Config custom resources


In this Connector for ServiceNow release, you can now sync a set of ServiceNow tables in the CMDB to AWS Config as custom resources.

The ServiceNow tables and AWS Config custom resource mapping are as follows:


| ServiceNow CMDB table | AWS custom resource  | 
| --- | --- | 
| `cmdb_ci_apache_web_server` | Apache Web Server | 
| `cmdb_ci_app_server` | Application Server | 
| `cmdb_ci_app_server_java` | Java Server | 
| `cmdb_ci_app_server_tomcat` | Tomcat Server | 
| `cmdb_ci_app_server_tomcat_war` | Tomcat Web Application | 
| `cmdb_ci_app_server_websphere` | IBM Websphere Application | 
| `cmdb_ci_app_server_ws_ear` | Websphere Enterprise Archive | 
| `cmdb_ci_appl` | Application | 
| `cmdb_ci_appl_dot_net` | A .Net Application | 
| `cmdb_ci_appl_now_app_comp` | ServiceNow Application Component | 
| `cmdb_ci_appl_sap` | SAP Application | 
| `cmdb_ci_appl_sap_hana_db` | SAP Hana Database | 
| `cmdb_ci_appl_sap_system` | SAP System | 
| `cmdb_ci_appl_sharepoint` | Microsoft Sharepoint Application | 
| `cmdb_ci_application_cluster` | Application Cluster | 
| `cmdb_ci_application_server_resource` | Application Server Resource | 
| `cmdb_ci_application_software` | Application Software | 
| `cmdb_ci_db_mssql_database` | MySql Database | 
| `cmdb_ci_db_mysql_instance` | MySql Instance | 
| `cmdb_ci_kubernetes_cluster` | Kubernetes Cluster | 

**To configure ServiceNow tables as AWS Config custom resources**

**Note**  
 When you configure ServiceNow tables as AWS Config custom resources you might encounter an increase in your billing statement for the creation of additional resources. 

1. In the navigator, enter **AWS Service Management**.

1. Choose **Setup**, then **Tables Sync to AWS Config**.

1. Choose **New**.

1. Choose an in-scope ServiceNow table.

1. Choose an account and Region for the new resource type. You can select any supported Region, in addition to preconfigured Regions for the account. 

1. Click **Submit**.

1. Repeat steps above to include additional ServiceNow tables available to sync as AWS Config custom resources.

   The amount of time to create new AWS Config resources depends on the number of ServiceNow tables you selected. You can see resources in the **Schema version** field upon successful completion. The periodic synchronization of resources automatically includes the new AWS Config custom resource type. As details in the ServiceNow table update, this information syncs to the AWS Config custom resource. 

# Validating AWS Config integration in ServiceNow

To see AWS Config details, configure the service settings to record data for the resource types of interest. For more information, see [Setting Up AWS Config with the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html).

**To view configuration item details from AWS Config in the ServiceNow CMDB**

1.  Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view). 

1.  In the navigator, enter **AWS Service Management**. 

1.  Choose **AWS Config**. Select and view the relationships for available AWS resources. 

This table illustrates the available AWS resources, ServiceNow CMDB label, and table name.


| AWS resources (AWS Config) | ServiceNow CMDB/Scoped App Table Label | ServiceNow CMDB/Scoped App Table Name | 
| --- | --- | --- | 
| Accounts | CMDB CI Cloud Service Accounts | `cmdb_ci_cloud_service_account` | 
| VPCs | Cloud Networks  | `cmdb_ci_network` | 
| Availability Zones | Availability Zone | `cmdb_ci_availability_zone` | 
| EC2 Instances | Virtual Machine Instance | `cmdb_ci_vm_instance` | 
| EBS Volumes | Storage Volume | `cmdb_ci_storage_volume` | 
| Security Groups | Compute Security Group | `cmdb_ci_compute_security_group` | 
| Auto Scaling Group | Auto Scaling Groups | `x_126749_aws_sc_cmdb_ci_autoscaling_group` | 
| Network Interfaces | Cloud Mgmt Network Interface | `cmdb_ci_nic` | 
| RDS Instances | Cloud DataBase | `cmdb_ci_cloud_database` | 
| Subnets | Cloud Subnet | `cmdb_ci_cloud_subnet` | 
| Load Balancers (V2) | Cloud Load Balancer  | `cmdb_ci_cloud_load_balancer` | 
| S3 Buckets | Cloud Object Storages | `cmdb_ci_cloud_object_storage` | 
| CloudFormation Stacks | CloudFormation Stack | `x_126749_aws_sc_cmdb_ci_cloudformation_stack` | 
| CloudFormation Provisioned Products | CloudFormation Provisioned Product | `x_126749_aws_sc_cmdb_ci_config_pp` | 
| Tags | Key Value | `cmdb_key_value` | 
| Lambdas | Cloud Function | `cmdb_ci_cloud_function` | 
| Dynamo DB | DynamoDB Table | `cmdb_ci_dynamodb_table` | 
| OS images | Images | `cmdb_ci_os_template` | 
| AppRegistry Applications | AppRegistry Application | `x_126749_aws_sc_cmdb_ci_appregistry_application` | 
| AppRegistry Attribute Groups | AppRegistry Attribute Group | `x_126749_aws_sc_cmdb_ci_appregistry_attribute_group` | 
| AppRegistry Resources | AppRegistryResource | `x_126749_aws_sc_cmdb_ci_appregistry_resource` | 
| RDS Cluster | Cloud Database Clusters | `cmdb_ci_cloud_db_cluster` | 
| API Gateway  | Cloud Gateways | `cmdb_ci_cloud_gateway` | 
| Amazon Workspaces | Virtual Desktop | `cmdb_ci_virtual_desktop` | 
| Amazon Elastic Container Service (ECS) | AWS Cloud ECS Cluster | `cmdb_ci_cloud_ecs_cluster` | 
| Amazon Elastic Kubernetes Service (EKS) | Kubernetes Cluster | `cmdb_ci_kubernetes_cluster` | 
| Amazon Elastic File System (EFS) | File System | `cmdb_ci_file_service` | 

# Updating the AWS Load Balancer resource details in the ServiceNow CMDB


AWS Load Balancer resources map to the ServiceNow table: Cloud Load Balancer (`cmdb_ci_cloud_load_balancer`). 

The previous table in the Connector was Load Balancer Service (`cmdb_ci_lb_service`). This change aligns with ServiceNow’s cloud resource best practices.

**Note**  
The following transition steps are required only if you are upgrading from version 3 of the Connector to version 4. 

**Fix Scripts to address changes to ELB mappings in ServiceNow CMDB**

If you are using AWS Config integration before version 4, the Connector includes two fix scripts that migrate existing Connector resources in the Load Balancer Service (`cmdb_ci_lb_service`) table to the Cloud Load Balancer (`cmdb_ci_cloud_load_balancer`) table.

**Fix Script 1: AWS SMC - Migrate ELB data**

This fix script migrates ELBv2 data from the legacy Load Balancer Service (`cmdb_ci_lb_service`) table with `discovery_source` *AWS Service Management Connector* to the new Cloud Load Balancer (`cmdb_ci_cloud_load_balancer`) table with all the relationships. Legacy records remain undeleted for audit.

**Note**  
The **AWS SMC - Migrate ELB data** fix script migrates all existing relationships of the ELBv2 resource in Load Balancer Service (`cmdb_ci_lb_service`), where the discovery source is *AWS Service Management Connector*, to the newly created resource in the Cloud Load Balancer (`cmdb_ci_cloud_load_balancer`) table. 

**Fix Script 2: AWS SMC - Delete ELB legacy relationship (optional)**

This fix script deletes the relationships where a child or parent is a resource in the original Load Balancer Service (`cmdb_ci_lb_service`) table, and the discovery source of the resource is *AWS Service Management Connector*.

**Note**  
We recommend you execute the **AWS SMC - Delete ELB legacy relationship** fix script after executing the **AWS SMC - Migrate ELB data** fix script, and after receiving approvals from your ServiceNow admin based on your organization’s data retention policies. 

**To run a fix script in ServiceNow**

1. Log in to your ServiceNow instance as an admin user (for example, System Administrator) in the fulfiller view (Standard user interface view).

1. In the filter navigator, enter **System Definition**.

1. Choose **Fix Scripts**.

1. To migrate resources to the new Cloud Load Balancer table, choose **AWS SMC - Migrate ELB data**. 

   To delete relationships from the Load Balancer Service table, choose **AWS SMC - Delete ELB legacy relationship**.

1. Open the fix script to execute.

1. Choose **Run Fix Script**.

# AWS Security Hub CSPM in ServiceNow

 AWS Security Hub CSPM enables users to view security Findings from AWS services such as Amazon GuardDuty and Amazon Inspector, as well as AWS Partner solutions. 

If you use both [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc) and ServiceNow ITSM, the AWS Service Management Connector for ServiceNow allows you to create an automated, bidirectional integration between Security Hub and ServiceNow ITSM. This two-way integration synchronizes your Security Hub CSPM findings and ServiceNow tickets. 

Specifically, as a ServiceNow administrator, you can use this integration to automatically create ServiceNow incident or problem tickets from AWS Security Hub CSPM findings. When you update those tickets in ServiceNow, the changes are automatically replicated back to the original Security Hub CSPM findings. For example, when you resolve the ticket in ServiceNow, the workflow status of the Security Hub finding also changes to `RESOLVED`. This action ensures that Security Hub CSPM always has up-to-date information about your security posture.

View the following video, *AWS Security Hub CSPM - Bidirectional integration with ServiceNow ITSM*, for an overview of the AWS Security Hub CSPM integration to the Connector for ServiceNow.

[![AWS Videos](http://img.youtube.com/vi/OYTi0sjEggE/0.jpg)](http://www.youtube.com/watch?v=OYTi0sjEggE)


# Configuring AWS Security Hub CSPM in ServiceNow

This section describes how to configure your AWS services in ServiceNow.

**To configure AWS Security Hub CSPM integration features**

1. Enable AWS Security Hub CSPM. For more information, see [Setting up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) with the Console. 

1. Set up an SQS queue to receive updated Findings. Name the queue, `AwsServiceManagementConnectorForSecurityHubQueue`, to align with the default name in the ServiceNow System Properties for the AWS Security Hub CSPM integration. For more information, see [Getting started with Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-getting-started.html). 

1. Set up an Amazon EventBridge rule to detect changes to Findings and push these to the queue. For more information, see [Getting started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html).

   The rule should have this event pattern and point to the SQS queue created in Step 2.

   ```
   "EventPattern": {
       "source": [
           "aws.securityhub"
       ]
   }
   ```

1. You can also customize this CloudWatch Events rule to only pull in Security Hub CSPM findings that have specific finding types, severity labels, workflow statuses, or compliance statuses. For details about how to filter the event pattern, see [Configuring an EventBridge rule for automatically sent findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html) in the *AWS Security Hub User Guide*.

**Note**  
You can use the CloudFormation templates for the Connector for ServiceNow to automate the AWS Config custom resource and AWS Security Hub CSPM integration features. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/sn-base-perms.html). 
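To illustrate the filtering described in step 4, the following added example (not from the AWS documentation or the Connector) compares the catch-all pattern with one narrowed by severity label and workflow status, and checks constructed events against both. The matcher is a local approximation of EventBridge exact-value matching only; the chosen filter values and all function names are assumptions.

```javascript
// Catch-all pattern from step 3: every Security Hub event reaches the queue.
var BROAD_PATTERN = { source: ['aws.securityhub'] };

// Narrowed pattern. Severity.Label and Workflow.Status are AWS Security Finding
// Format fields; the values chosen here are an assumption for this example.
var FILTERED_PATTERN = {
  source: ['aws.securityhub'],
  'detail-type': ['Security Hub Findings - Imported'],
  detail: {
    findings: {
      Severity: { Label: ['CRITICAL', 'HIGH'] },
      Workflow: { Status: ['NEW'] }
    }
  }
};

// Approximate matcher: every key in the pattern must match the event. Prefix,
// numeric, anything-but and exists operators are not handled.
function matchesPattern(pattern, event) {
  return Object.keys(pattern).every(function (key) {
    var want = pattern[key];
    var got = event[key];
    if (Array.isArray(got)) {
      // Event arrays (for example detail.findings) match if any element matches.
      return got.some(function (el) { return matchNode(want, el); });
    }
    return matchNode(want, got);
  });
}

function matchNode(want, got) {
  if (Array.isArray(want)) {
    return want.indexOf(got) !== -1; // leaf: the value must be one of the listed literals
  }
  if (got === null || typeof got !== 'object') {
    return false; // the pattern expects a nested object here
  }
  return matchesPattern(want, got);
}

// Constructed events, trimmed to the fields the patterns look at.
function constructedEvent(id, source, label, status) {
  return {
    id: id,
    source: source,
    'detail-type': 'Security Hub Findings - Imported',
    detail: { findings: [{ Severity: { Label: label }, Workflow: { Status: status } }] }
  };
}
var CONSTRUCTED_EVENTS = [
  constructedEvent('evt-1', 'aws.securityhub', 'CRITICAL', 'NEW'),
  constructedEvent('evt-2', 'aws.securityhub', 'LOW', 'NEW'),
  // Later update to the finding from evt-1, after its workflow status changed.
  constructedEvent('evt-3', 'aws.securityhub', 'CRITICAL', 'NOTIFIED'),
  constructedEvent('evt-4', 'aws.config', 'CRITICAL', 'NEW')
];

// IDs of the events a rule with this pattern would deliver to the SQS queue.
function forwardedEventIds(pattern, events) {
  return events
    .filter(function (e) { return matchesPattern(pattern, e); })
    .map(function (e) { return e.id; });
}

console.log('broad:   ', forwardedEventIds(BROAD_PATTERN, CONSTRUCTED_EVENTS).join(', '));
console.log('filtered:', forwardedEventIds(FILTERED_PATTERN, CONSTRUCTED_EVENTS).join(', '));
```

Because the filtered pattern keys on `Workflow.Status`, the later update in `evt-3` no longer reaches the queue; drop that condition if ServiceNow should keep receiving updates for findings it already tracks.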

# Synchronizing AWS Security Hub CSPM to the Connector in ServiceNow


This section shows you how to synchronize AWS Security Hub CSPM to the Connector in ServiceNow.

**To configure AWS Security Hub CSPM synchronization behavior to the Connector in ServiceNow**

1. In the ServiceNow filter navigator in the fulfiller (standard user interface) view, enter **AWS Service Management Connector**.

1. Choose **System Properties**, then **AWS Security Hub CSPM**.

1. Set these configuration items:
   + Choose the types of AWS Security Hub CSPM Findings to sync in ServiceNow: **CRITICAL**, **HIGH**, **MEDIUM**, **LOW**, and **INFORMATIONAL**.
   + Choose an action for a newly synced Finding to the Connector in ServiceNow:
     + **Do Nothing**. This action only imports Security Finding types for the scoped app. Users with scoped app permissions can view and choose to create an Incident or Problem. **Do Nothing** is the default value in the Connector.
     + **Create Incident**. This action automatically creates Incidents from Security Findings and syncs updates in ServiceNow to AWS Security Hub CSPM. 
     + **Create Problem**. This action automatically creates Problems from Security Findings and syncs updates in ServiceNow to AWS Security Hub CSPM.
     + **Create Incident and Problem**. This action automatically creates Incidents and Problems from Security Findings and syncs updates in ServiceNow to AWS Security Hub CSPM.
   + Adjust the maximum number of messages to fetch from the SQS queue per sync, account, or Region (default 50). By default, the sync process runs every five minutes.
   + Change the SQS Queue name if you’re not using the default that the Connector created. The CloudFormation template supplies the Connector.
**Note**  
We recommend you not change the SQS name in the ServiceNow scoped app (`AwsServiceManagementConnectorForSecurityHubQueue`) unless you change the SQS name in the AWS account. 

1. Choose **Save** after any changes.

   **Fields synchronized from AWS Security Hub CSPM Findings to the ServiceNow scoped app AWS Security Hub CSPM Findings module in ServiceNow**


| Field | Description |
| --- | --- |
| Region | The Region that generated the Finding. | 
| Account Id | The account that generated the Finding. | 
| Company Name | The company that generated the Finding (e.g. AWS). | 
| Compliance | Whether a resource passes the configured compliance criteria. Contains status (PASSED, WARNING, FAILED, NOT_AVAILABLE). If the resource does not pass, it will contain information about the reason. | 
| Created At | The creation time of the Finding. | 
| Description | A description of the Finding. | 
| Criticality | The level of importance for the resource associated with the Finding. | 
| First Observed At | The first time Findings captured any potential security issues. | 
| Last Observed At | The most recent time Findings captured any potential security issues.  | 
| Product Name | The name of the product that generates the Finding (such as Security Hub). | 
| Product Arn | The ARN of the product that generates the Finding. | 
| Record State | Either ACTIVE or ARCHIVED. | 
| Severity (normalized) | A value from 0 to 100 that indicates the severity of the problem associated with the Finding.  | 
| Status | PASSED, WARNING, FAILED, or NOT AVAILABLE. | 
| Title | The title of the Finding. | 
| Updated At | When the Finding provider last updated the record. | 
| Workflow Status | The workflow status can be: NEW, ASSIGNED, IN PROGRESS, RESOLVED, DEFERRED, or DUPLICATE.  | 
| Remediation Text | A description of suggested action to resolve the discovered issue.  | 
| Remediation Url | A link to a resource that can resolve the discovered issue.  | 

**Note**  
ServiceNow does not duplicate findings. If a Security Hub CSPM finding is sent to ServiceNow with the same finding ID as one previously sent to ServiceNow, we update the ticket with the most recent information in the finding.

# Validating AWS Security Hub CSPM integration in ServiceNow

This section describes how to validate AWS Security Hub CSPM integration in ServiceNow.

**To view Findings from AWS Security Hub CSPM**

To view AWS Security Hub CSPM Findings, you must have the role, **x_126749_aws_sc.finding_manager**, from the Connector scope app. 

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1.  In the navigator, enter **AWS Service Management**.

1.  Choose **AWS Security Hub CSPM**.

1. Choose **Findings** to show a list of all synced Findings.

1. Choose a Finding to open the record.

1. The **Incident and Problem** fields show the Incident and Problem related to the Finding if these exist.

1. Choose the ⓘ symbol to the right of the field to preview the Incident or Problem. 

1. Choose **Open Record** on the preview form to open the Incident or Problem.

1. If the Connector does not automatically create a ServiceNow Incident or Problem when a new Finding syncs, choose the link at the bottom of the form to create one manually. 

This table shows how fields map from ServiceNow Finding records to ServiceNow Incident or Problem records. 


| Finding | Incident | Problem | 
| --- | --- | --- | 
| Created at | Opened at | Opened at | 
| Company Name | Company | Company | 
| Description | Description | Description | 
| Criticality | Impact | Impact | 
| Severity | Urgency | Urgency | 
| Hardcoded to software | Category | Category | 
| Id of record in cmdb_ci_service with name AWS Security Hub CSPM | Business service | Business service | 
| Description | Short description | Short description | 
| Reference to related Problem if it exists | problem_id | n/a | 

This table shows how fields synchronize between AWS Security Findings and ServiceNow Incidents or Problems.


| AWS Security Hub CSPM value | ServiceNow Incident | ServiceNow Problem | 
| --- | --- | --- | 
| Severity Label | Urgency | Urgency | 
| Criticality | Impact | Impact | 

**Fields synchronized between AWS Security Findings, Incidents, and Problems in ServiceNow**
+ Finding severity label → Problem/Incident urgency
  + INFORMATIONAL or LOW → LOW
  + MEDIUM → MEDIUM
  + HIGH or CRITICAL → HIGH
+ Finding criticality → Problem/Incident impact
  + 0 - 29 → LOW
  + 30 - 69 → MEDIUM
  + 70 - 100 → HIGH

**Fields synchronized from Findings to AWS Security Hub CSPM**
+ Severity (Label and Normalized)
+ WorkflowStatus
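
The sync settings described earlier (severity selection, the per-sync message limit, one record per finding ID) and the urgency and impact mappings in this section can be modeled offline to preview which records a batch of findings would produce. This is an added example, not the Connector's own code; `sync_batch`, `make_event`, the record field names and the sample events are hypothetical, and leaving impact unset when `Criticality` is absent is an assumption.

```python
import json

# Severity label -> urgency, as listed on this page.
URGENCY_BY_LABEL = {
    "INFORMATIONAL": "LOW", "LOW": "LOW",
    "MEDIUM": "MEDIUM",
    "HIGH": "HIGH", "CRITICAL": "HIGH",
}


def impact_from_criticality(criticality):
    """Map finding Criticality (0-100) to impact using the ranges on this page."""
    if criticality is None:
        # Assumption: Criticality is optional in a finding and the page does not
        # say what the Connector does without it, so the impact is left unset.
        return None
    if not 0 <= criticality <= 100:
        raise ValueError(f"Criticality out of range: {criticality!r}")
    if criticality <= 29:
        return "LOW"
    if criticality <= 69:
        return "MEDIUM"
    return "HIGH"


def sync_batch(messages, tickets, sync_labels, max_messages=50):
    """Model one sync cycle over SQS message bodies (EventBridge events as JSON).

    tickets is a dict keyed by finding Id and is updated in place.
    Returns (created, updated, skipped) lists of finding Ids.
    """
    created, updated, skipped = [], [], []
    for body in messages[:max_messages]:  # per-sync fetch limit (default 50)
        event = json.loads(body)
        if event.get("source") != "aws.securityhub":
            continue  # the rule's event pattern only admits this source
        for finding in event.get("detail", {}).get("findings", []):
            finding_id = finding["Id"]
            label = finding.get("Severity", {}).get("Label")
            if label not in sync_labels or label not in URGENCY_BY_LABEL:
                skipped.append(finding_id)
                continue
            record = {
                "title": finding.get("Title"),
                "severity_label": label,
                "workflow_status": finding.get("Workflow", {}).get("Status"),
                "urgency": URGENCY_BY_LABEL[label],
                "impact": impact_from_criticality(finding.get("Criticality")),
            }
            # Same finding Id as before: update the existing record, no duplicate.
            (updated if finding_id in tickets else created).append(finding_id)
            tickets[finding_id] = record
    return created, updated, skipped


def make_event(finding_id, label, criticality):
    """Build a constructed EventBridge event carrying one finding."""
    return json.dumps({
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Id": finding_id,
            "Title": "Constructed sample finding",
            "Severity": {"Label": label},
            "Criticality": criticality,
            "Workflow": {"Status": "NEW"},
        }]},
    })


# Constructed sample queue contents; the finding Ids are placeholders.
SAMPLE_MESSAGES = [
    make_event("example-finding-A", "CRITICAL", 85),
    make_event("example-finding-B", "LOW", 10),
    make_event("example-finding-A", "MEDIUM", 30),  # later update to finding A
]

if __name__ == "__main__":
    tickets = {}
    print(sync_batch(SAMPLE_MESSAGES, tickets, {"CRITICAL", "HIGH", "MEDIUM"}))
    print(json.dumps(tickets, indent=2))
```

Running the sample with only CRITICAL, HIGH and MEDIUM selected leaves one record for finding A, carrying the values from its most recent update, and none for the LOW finding.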

# AWS Systems Manager OpsCenter in ServiceNow

To allow the Connector to synchronize AWS Systems Manager OpsCenter data for a specific Region, you must enable OpsCenter in that account and Region. 

For more information, see [AWS Systems Manager OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html).

**Topics**
+ [Configuring ServiceNow for AWS Systems Manager OpsCenter](sn-opscenter-integ.md)
+ [Validating AWS Systems Manager OpsCenter integration in ServiceNow](sn-opscenter-validate.md)
+ [Fields mapped from OpsCenter OpsItem records to ServiceNow Incident records](fields-opsitems.md)

# Configuring ServiceNow for AWS Systems Manager OpsCenter

This section shows you how to integrate AWS Systems Manager OpsCenter in ServiceNow.

**To configure the AWS Systems Manager OpsCenter integration system properties**

1. In the navigator, enter **AWS Service Management**.

1. Choose **System Properties**, then **AWS Systems Manager - OpsCenter**. 

1. Review the available settings and recommendations in the table below.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/sn-opscenter-integ.html)

# Validating AWS Systems Manager OpsCenter integration in ServiceNow

This section describes how to validate AWS Systems Manager OpsCenter integration in ServiceNow.

**To view OpsItems from AWS Systems Manager - OpsCenter**

To view AWS OpsItem, you must have the role, `x_126749_aws_sc.opscenter_manager`, with the Connector scope app. 

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view). 

1. In the navigator, enter **AWS Service Management**. 

1. Choose **AWS Systems Manager - OpsCenter**. 

1. Choose **OpsItems** to show a list of all synced Findings. 

1. Choose an OpsItem to open the record. 

   The **Incident** and **Problem** fields show the Incident for the OpsItems, if these exist. 

1. Choose the ⓘ icon to the right of the field to preview the Incident. 

1. Choose **Open Record** on the preview form to open the Incident. 

   If the Connector configuration does not automatically create a ServiceNow Incident when a new Finding syncs, you can create one manually. To do so, choose the link at the bottom of the form. 

**To execute an AWS Systems Manager – Automation Document from an AWS OpsItems associated to a ServiceNow Incident**

One of the following conditions must be true to view or execute automation documents (runbooks): 
+ The user has the role Account Manager or Automation Manager. 
+ The user has a linked Incident.
+ The system parameter **Assignment Group (SYS_ID) for created incidents** is set to a valid group, a linked Incident has its Assignment group set to that group, and the user is a member of that group. 
**Note**  
To enable this feature, you must activate AWS Systems Manager Automation in the AWS Account and opt in to the Connector.

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view). 

1. In the navigator, enter **AWS Service Management**. Then choose **AWS Systems Manager - OpsCenter**. 

1. Choose OpsItems to show a list of all synced Findings. Then choose **Execute Automation Document**.

1. Choose your Automation Document.
**Note**  
You can configure an OpsItem with Automation Documents and mark it as *Associated*. 

1. Choose **Order Execution** next to the Automation Document you want to execute. You’ll see the ServiceNow catalog item associated with the Automation Document. 

1. Enter the necessary AWS parameters and choose **Order Now**. 

1. In OpsItems in the scoped app, choose the OpsItem on which you executed the Automation Document. 

1. In **OpsItem Automation Executions**, review the success or failure status.

1. Follow your organization's Incident management procedures to determine related Incident resolution actions.

# Fields mapped from OpsCenter OpsItem records to ServiceNow Incident records


This table shows how AWS OpsItems map to ServiceNow Incidents.


| AWS Ops Center | ServiceNow Incident | 
| --- | --- | 
| Title  | short_description  | 
| Description | description  | 
| CreatedTime  | opened_at  | 
| Status | incident_state  | 
| Severity  | impact/urgency  | 
| Priority | priority | 
| CreatedBy  | Not synced  | 
| LastModifiedTime | Not synced  | 
| LastModifiedBy | Not synced  | 
| Source | Not synced  | 
| OpsItemId  | Not synced  | 
| OperationalData | Not synced  | 
| Category  | Software | 

**Incident Status** is an integer in ServiceNow. We map OpsItem status values to ServiceNow Incident Status values.


| ServiceNow Incident Status  | OpsCenter Status  | 
| --- | --- | 
| New (primary) | Open | 
| On Hold | Open | 
| In Progress | In Progress | 
| Resolved (primary) | Resolved | 
| Closed | Resolved | 
| Cancelled | Resolved | 

In this type of subjective mapping, we only change the target value if it is incompatible. For example, *New* and *On Hold* in ServiceNow both map to *Open* in AWS. If the Incident is *On Hold* while we synchronize an OpsItem from AWS that is *Open*, the target is compatible, so we don't change *On Hold*.

**Priority** - In Incident, you can’t set the Priority field directly. The values of the **Impact** and **Urgency** fields calculate the **Priority** field. When synchronizing from AWS, we set by default the fields shown in the table below: 


| OpsItem Priority | ServiceNow Incident Impact | ServiceNow Incident Urgency | ServiceNow Incident Priority (Calculated) | 
| --- | --- | --- | --- | 
| 1 | High | High | Critical (1) | 
| 2 | Medium | High | High (2) | 
| 3 | Medium | Medium | Moderate (3) | 
| 4 | Low | Medium | Low (4) | 
| 5 | Low | Low | Planning (5) | 

You can find these mappings in a ServiceNow table *Priority Data Lookup*. While we can use this table to find the required values of **Impact** and **Urgency**, note that you can customize the mappings and also define new priority values. Additionally, you might want a specific priority in AWS to map to an entirely different priority in an Incident or Problem. 
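
The subjective status mapping and the default priority mapping above can be written as a small reconciliation routine that shows when an Incident state is kept and when it is overwritten. This is an added example, not the Connector's own code; the function names and the sample Incident are hypothetical, and the status strings are the labels used in the tables on this page.

```python
# ServiceNow Incident state -> OpsCenter status, from the status table on this page.
OPS_STATUS_FOR_STATE = {
    "New": "Open", "On Hold": "Open",
    "In Progress": "In Progress",
    "Resolved": "Resolved", "Closed": "Resolved", "Cancelled": "Resolved",
}
# State written when the current Incident state is incompatible with the OpsItem.
# "New" and "Resolved" are the rows marked (primary); "In Progress" has one candidate.
PRIMARY_STATE_FOR_OPS = {
    "Open": "New", "In Progress": "In Progress", "Resolved": "Resolved",
}
# OpsItem priority -> (impact, urgency): the defaults from the priority table.
DEFAULT_IMPACT_URGENCY = {
    1: ("High", "High"), 2: ("Medium", "High"), 3: ("Medium", "Medium"),
    4: ("Low", "Medium"), 5: ("Low", "Low"),
}


def reconcile_state(current_state, ops_status):
    """Return the Incident state after syncing an OpsItem status from AWS.

    The current state is kept whenever it already maps to the incoming
    status; only an incompatible state is replaced by the primary one.
    """
    if ops_status not in PRIMARY_STATE_FOR_OPS:
        raise ValueError(f"unknown OpsCenter status: {ops_status!r}")
    if OPS_STATUS_FOR_STATE.get(current_state) == ops_status:
        return current_state
    return PRIMARY_STATE_FOR_OPS[ops_status]


def apply_opsitem(incident, opsitem, impact_urgency=DEFAULT_IMPACT_URGENCY):
    """Return a copy of the incident with state, impact and urgency synced.

    Priority itself is never written: ServiceNow calculates it from impact
    and urgency. Pass a different impact_urgency table to model a customized
    Priority Data Lookup.
    """
    synced = dict(incident)
    synced["incident_state"] = reconcile_state(
        incident.get("incident_state"), opsitem["Status"])
    priority = opsitem.get("Priority")
    if priority in impact_urgency:
        synced["impact"], synced["urgency"] = impact_urgency[priority]
    return synced


def replay(incident, opsitem_updates):
    """Apply OpsItem updates in order and return every intermediate incident."""
    history = []
    for opsitem in opsitem_updates:
        incident = apply_opsitem(incident, opsitem)
        history.append(incident)
    return history


# Constructed sample: an Incident a fulfiller has put on hold, followed by
# three successive OpsItem updates arriving from AWS.
SAMPLE_INCIDENT = {"incident_state": "On Hold", "impact": "Low", "urgency": "Low"}
SAMPLE_UPDATES = [
    {"Status": "Open", "Priority": 2},         # compatible: On Hold is kept
    {"Status": "In Progress", "Priority": 2},  # incompatible: state changes
    {"Status": "Resolved", "Priority": 4},     # incompatible: state changes
]

if __name__ == "__main__":
    for step in replay(SAMPLE_INCIDENT, SAMPLE_UPDATES):
        print(step)
```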

# Integrating AWS Systems Manager Automation in ServiceNow

To allow the Connector to execute Automation Documents, you must ensure that the Connector Sync user and End user have the permissions required to sync and execute Automation Documents. 

For more information, see [Setting up Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html).

This table describes the available settings to configure Support integration system properties.


| Available settings | Description | 
| --- | --- | 
|  Name of the Systems Manager category to assign to Automation Documents from AWS Systems Manager  |  The setting allows the Automation Documents to be created under the specified category. By default, the category is set to AWS Systems Manager Automation.  | 
|  Name of a workflow that starts the execution of an Automation Document from AWS Systems Manager  |  The setting allows you to use custom workflow with the AWS Systems Manager Automation integration.  | 

# Validating AWS Systems Manager Automation integration in ServiceNow

This section describes how to validate AWS Systems Manager Automation integration in ServiceNow.

**To request an AWS Systems Manager Automation document (runbook) execution**

1.  Log in to your ServiceNow instance as the end user (for this example, Abel Tuter). 

1.  In the navigation filter, enter **AWS Systems Manager**, then choose **Systems Manager**. 

1.  Choose an AWS Systems Manager document to execute. 

1.  Enter the request details, including parameters and tags. 

1.  Choose **Order Now** to submit the ServiceNow request and execute the AWS Systems Manager document. 

   You receive an order status acknowledging your request submission. 

**To view AWS Systems Manager document executions**

1.  Log in to your ServiceNow instance as the end user (for example, Abel Tuter). 

1.  In the navigation filter, enter **AWS Systems Manager**, then choose **Automation Executions**. 

   The user interface view displays the latest executions and provides the status. 

# Support in ServiceNow

To allow the Connector to synchronize Support tickets, the account should have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan. For more information, see [Getting started with Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html).

**Note**  
AWS Service Management Connector allows AWS Managed Services (AMS) Accelerate users to create Incidents and Service Requests through ServiceNow. To ensure that your account has the required permissions to create AMS Accelerate support cases, make sure you onboard your account to Accelerate. For more information, see [Getting Started with AWS Managed Services](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).

**Topics**
+ [Configuring Support integration in ServiceNow](sn-support-config-aws.md)
+ [Configuring ServiceNow for integration with Support](sn-aws-support-config.md)
+ [Advanced Mode for Support integration (optional)](enabling-advanced-mode-aws-support.md)
+ [Validating Support in ServiceNow](sn-aws-support-validate.md)

# Configuring Support integration in ServiceNow


This section describes how to configure Support integration in ServiceNow.

**To configure AWS Support integration features**

1. Set up an SQS queue (in N. Virginia (us-east-1) for Commercial regions and US West (us-gov-west-1) for GovCloud regions) to sync AWS Support cases. Name the queue **AwsServiceManagementConnectorForSupportQueue** to align with the default name in the ServiceNow System Properties for the AWS Support integration. For more information, see [Getting started with Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-getting-started.html).

1. Set up an Amazon EventBridge rule to detect changes to AWS Support Cases and push these to the queue. For more information, see [Getting started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html). 

The rule should have this event pattern and point to the SQS queue created in Step 1.

```
"EventPattern": {
    "detail-type": ["Support Case Update"],
    "source": ["aws.support"]
}
```

**Note**  
You can use baseline CloudFormation templates for the Connector for ServiceNow to automate the Support integration features. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/en_us/smc/latest/ag/sn-base-perms.html).   
To create the required SQS queue and EventBridge rule, use Connector for ServiceNow - [AWS Support Commercial Regions](https://servicecatalogconnector.s3.amazonaws.com/SMC-AWS_Support_SQS.json), and Connector for Service Management - [AWS Support GovCloud West Region](https://servicecatalogconnector.s3.amazonaws.com/SMC-AWS_Support_SQS.json). 

# Configuring ServiceNow for integration with Support


This section shows you how to integrate Support in ServiceNow.

**To configure the Support integration System Properties**

1. In the navigator, enter **AWS Service Management**.

1. Choose **System Properties**, then **Support**.

1. Set the system property, as required. 


| Available settings | Description | 
| --- | --- | 
|  **Interval**, in minutes, between the execution of full synchronization  |  Default: **1440 min**   | 
| SQS Name created by the CloudFormation stack. The same name must be used for all accounts | Default: AwsServiceManagementConnectorForSupportQueue | 
| (Advanced mode) Enable an intermediate table (SMC Support Case table) to synchronize data to and from Support. Use caution; enabling an intermediate table replaces the default Incident table. | Default: False | 

# Advanced Mode for Support integration (optional)

AWS Service Management Connector allows you to enable an intermediate table for the creation of Support Cases. This allows you to add custom logic using ServiceNow business rules and workflows to align with your internal Incident or Case Management process. 

For more information about enabling advanced mode, refer to the *Advanced mode* row in the above table. 

After you create a Support Case, the API only allows specific changes by an end user. The allowable changes for design considerations while using Support integration are:
+ Adding a correspondence to the case
+ Resolving the case
+ Reopening a case, which occurs if you add correspondence to a previously resolved support case

# Validating Support in ServiceNow

This section describes how to create, view, and manage integration features for Support in order to validate integration.

**To view Cases from Support**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

**To manually sync a Support Case**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose an Incident to open the record.

1. Choose **Sync From AWS**.

**To create a general Support Case**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose **New** from list header.

1. Complete the mandatory fields on the form.
   + **Subject** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **AWS Account** – AWS account against which the support case is initiated
   + **AWS Service** – AWS Service related to the support case
   + **AWS Category** – Category of the case under the related service
   + **Caller** – ServiceNow field that indicates who created the support ticket

1. Choose **Submit**.

1. Choose the Incident you created from the list.

   The **AWS Case Id** and **AWS Case Status** display.

**For AWS Managed Services Accelerate customer to create AMS Accelerate Service Request**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose **New** from list header.

1. Complete the mandatory fields on the form. 
   + **Subject** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **AWS Account** – AWS account against which the support case is initiated
   + **AWS Service** – AWS Service related to the support case (Select **AMS Operations – Service Request**)
   + **AWS Category** – Category of the case under the related service
   + **Caller** – ServiceNow field that indicates who created the support ticket

1. Choose **Submit**.

1. Choose the Incident you created from the list.

   The **AWS Case Id** and **AWS Case Status** display.

**For AWS Managed Services Accelerate customer to create AMS Accelerate Report Incident**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose **New** from list header.

1. Complete the mandatory fields on the form. 
   + **Subject** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **AWS Account** – AWS account against which the support case is initiated
   + **AWS Service** – AWS Service related to the support case (Select **AMS Operations – Report Incident**)
   + **AWS Category** – Category of the case under the related service
   + **Caller** – ServiceNow field that indicates who created the support ticket

1. Choose **Submit**.

1. Choose the Incident you created from the list.

   The **AWS Case Id** and **AWS Case Status** display.

**To add a correspondence to an existing Support Case**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose an Incident to open the record.

1. In the Incident form, scroll to the middle of the page to view and open the **Notes** tab. 

1. Add correspondence on the **Additional Comments** (Customer visible) field. 

1. Choose **Post**.

**To add an attachment to an existing Support Case**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose an Incident to open the record.

1. On the Incident form header, choose the paper clip icon to add an attachment.

1. Choose the file from your disk to add as an attachment. 

**To resolve a Support Case**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. To show a list of all synched Support Cases, choose **Incidents** under **Support**.

1. Choose an Incident to open the record.

1. In the Incident form, scroll to the middle of the page to view and open the Resolution Information tab.

1. Complete the **Resolution Code** and **Resolution Notes** fields.

1. On the Incident form header, choose **Resolve**.

## Fields mapped from Support Case records to ServiceNow Incident records


This table shows how Support Cases map to ServiceNow Incidents.


| Support case | ServiceNow incident | 
| --- | --- | 
| Subject | short_description | 
| First correspondence | description | 
| Case ID | x_126749_aws_sc_awssupportcaseid | 
| Status | x_126749_aws_sc_awscasestatus | 
| Service | x_126749_aws_sc_awsservice | 
| Category | x_126749_aws_sc_awscategory | 
| Additional contacts | x_126749_aws_sc_awscasecommunicationemails | 
| AWS account | x_126749_aws_sc_awsaccount | 

 Incident State is an integer in ServiceNow. We map Support case status values to ServiceNow state. 


| ServiceNow incident Status | Support case status | 
| --- | --- | 
|  New  |  Unassigned  | 
|  New  |  Open  | 
|  In Progress  | Work in progress | 
|  In Progress  |  Reopened  | 
|  On Hold  |  Pending customer action  | 
|  Resolved  |  Resolved  | 
|  Resolved  |  Closed  | 

**Priority**: In Incident, you can’t set the Priority field directly. 

The values of the **Impact** and **Urgency** fields calculate the **Priority** field. When synchronizing from AWS, we set by default the fields shown in the table below.


| Support Case Severity label | Support Case Severity value | ServiceNow Incident priority label | ServiceNow Incident priority value | 
| --- | --- | --- | --- | 
| Business Critical System Down (Enterprise support plan only) | critical | 1 – Critical | 1 | 
|  Production System Down  | urgent | 2 – High | 2 | 
| Production System Impaired | high | 3 – Moderate | 3 | 
|  System Impaired  | normal | 4 – Low | 4 | 
|  General Guidance  | low | 5 – Planning | 5 | 

Support integration also enables you to customize the priority values, and maps Support Case Severity to ServiceNow Incident Priority.

**To create custom priority mappings**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**.

1. Under **Setup**, choose **Priority Mappings**. Then choose **New**.

1. Choose **AWS Record Type** as **Support Case**.

1. For mapping, choose **Support Case Severity** and **ServiceNow Incident Priority**. 

1. Choose **Submit**.

# AWS Systems Manager Change Manager in ServiceNow

AWS Service Management Connector includes a curated version of the Change Manager integration. To allow the Connector to synchronize change templates, the change templates should: 
+ Have an Approved status in AWS
+ Have at least one Automation Runbook associated with them
+ Be enabled as auto-approval

For more information, see [AWS Systems Manager Change Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager.html).

You can also view resources affected by the changes that were executed on their AWS accounts from the AWS CloudTrail events available on the AWS change request.

**Note**  
Currently, only the first-level events that occurred in the execution of an automation document are tracked and synced. Steps that have nested automations will not have their events synced. You can, however, trace these separately in the AWS CloudTrail console using the Lake feature and their unique automation execution ID. 

# Configuring AWS for AWS Systems Manager Change Manager in ServiceNow

AWS Systems Manager uses the service-linked role named `AWSServiceRoleForAmazonSSM`. AWS Systems Manager uses this IAM service role to manage AWS resources on your behalf. For more information, see [Using service-linked roles for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/using-service-linked-roles.html).

**To create a service-linked role for AWS Systems Manager**

1. Follow the instructions in [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#create-service-linked-role) (console) to create the role.

1. Choose **AWS Service as Systems Manager** and the use case as **Systems Manager – Inventory and Maintenance Window**.

1. Review the details and be sure to attach `AmazonSSMServiceRolePolicy`. Then choose **Create Role**.

**To create AutomationAssumeRole**

1. Follow the instructions in [Creating an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) in your AWS account to create a role, `ServiceNowChangeManagerRole`. 

1. Add permissions for `ServiceNowChangeManagerRole`. Choose the use case as Systems Manager and choose `AmazonSSMAutomationRole` (AWS managed policy).

**Note**  
You can use baseline CloudFormation templates to create the `ServiceNowChangeManagerRole` role. For more information, see [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md). 

**Note**  
`ServiceNowChangeManagerRole` contains the minimum baseline permissions to execute change templates that contain automation runbooks on EC2 instances. To invoke automation runbooks on other services, you need to attach additional policies. For more information, see [Create a service role for Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup-iam.html#automation-role).

**To create an event data store (optional)**

To create AWS CloudTrail Lake, follow the instructions outlined in [Create an event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store.html) in your AWS account to create the event data store.

# Configuring Support integration system properties with ServiceNow


The AWS Systems Manager Change Manager integration for AWS Service Management Connector aligns with the Change Management process in ServiceNow. It enables you to align the internal Change Management process for executing pre-approved change templates directly from a ServiceNow instance.

**To configure the AWS Support integration system properties**

1. In the navigator, enter **AWS Service Management**.

1. Choose **System Properties**, then **AWS Systems Manager Change Manager**.

1. Review the available settings and recommendations in the table below.


| Available settings | Description | 
| --- | --- | 
| Name of the Change Manager category to assign to AWS Change Template from AWS Systems Manager Change Manager |  The setting correlates to the Catalog item category in ServiceNow to which the synchronized AWS Change templates are associated.  | 
|  Assignment Group (`SYS_ID`) to use when creating Change Requests from Change Template  |  The setting automatically assigns the change requests created from the change templates to the Assignment Group that relates to the `sys_id`.  | 
| Default role name that allows the Automation to perform the actions on your behalf  | The setting contains the default role to create change requests from AWS change templates. The setting is available if the user does not fill in the `AutomationAssumeRole` field when requesting a change from AWS Systems Manager Change Manager. The value is case-sensitive and must exist in every account using the AWS Systems Manager Change Manager. | 
| AWS CloudTrail Lake: Event Data Store Name |  Defines the Name of the AWS CloudTrail Lake: Event Data Store Name to target. Note that to use AWS Systems Manager Change Manager's CloudTrail Lake Event integration an Event Data Store with this Name MUST exist in all regions defined in AWS Accounts with AWS Systems Manager Change Manager enabled.  | 
| AWS CloudTrail Lake: Maximum number of events to retrieve per synchronization | Default : 1000 | 

# Validating AWS Systems Manager Change Manager integration in ServiceNow

This section describes how to validate AWS Systems Manager Change Manager integration in ServiceNow.

**To view AWS Systems Manager Change templates**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management Connector**.

1. To show a list of all synched Change templates, choose **Change Templates** under **Systems Manager**.

**To view Systems Manager Change Request**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management Connector**.

1. To show a list of all synched Change Requests created from ServiceNow, choose **Change Requests** under **Systems Manager**.

1. Choose a Change Request to open the record.

**To view AWS Systems Manager Change Request Ops Items**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management Connector**.

1. To show a list of all synched Change Requests created from ServiceNow, choose **Change Request Ops Items** under **Systems Manager**.

1. Choose an Ops Item to open the record.

**To create AWS Systems Manager Change Manager change**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **Change**. Then choose **Create New** to view the various Change options.

1. Choose **Create AWS Systems Manager Change Manager Change: Make changes to AWS resources using Change Manager Templates**.

1. Choose the runbook you want to execute and complete all the required fields.

1. Choose **Submit** to create a ServiceNow Change Request.

1. Choose **Request Approval** to send approval requests to members of the Assignment group.

   After change approval, it moves to a *Scheduled state*.

1. Choose **Implement**.

1. Scroll to the bottom and view Change Tasks under related lists to view the Change task associated with Automation Execution.

   After the Change Execution is complete, the change moves to a *Closed state*.

**To view AWS CloudTrail events for the Change execution**

This procedure requires you to create and configure AWS CloudTrail Lake on AWS and configure the Lake name on the AWS Systems Manager Change Manager system properties in ServiceNow.

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management Connector**.

1. To show a list of all synched Change Requests created from ServiceNow, choose **Change Requests** under **AWS Systems Manager**.

1. Choose a Change Request to open the record.

1. Use UI Action, **Sync CloudTrail Events**, to start the synchronization of events.

1. Choose the same Change Request to reopen the record. 

1. Scroll to the bottom of the Change Request form and use **CloudTrail Events** related list to review the events of the Change execution.

## Fields mapped from AWS Change Request Ops Item records to ServiceNow Change Request records


This table shows how AWS Change Request Ops items map to ServiceNow Change Request.


| AWS Change Request Ops Item | ServiceNow Change Request | 
| --- | --- | 
| AWS Account | `x_126749_aws_sc_awsaccount` | 
| AWS Request ID | `x_126749_aws_sc_awsrequestid` | 
| AWS Region | `x_126749_aws_sc_awsregion` | 
| AWS Status | `x_126749_aws_sc_awsstatus` | 

# AWS Systems Manager Incident Manager in ServiceNow

To allow the Connector to synchronize Incidents from AWS Systems Manager Incident Manager for a specific Region, you must enable Incident Manager in that account and Region. 

For more information, see [What is AWS Systems Manager Incident Manager](https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html).

# Configuring ServiceNow for integration with AWS Systems Manager Incident Manager


This section shows you how to integrate AWS Systems Manager Incident Manager in ServiceNow.

**To configure the AWS Systems Manager Incident Manager integration system properties**

1. In the navigator, enter **AWS Service Management Connector**. 

1. Choose **System Properties**, then **AWS Systems Manager Incident Manager.**

1. Review the available settings and recommendations in the table below.


| Available settings | Description | 
| --- | --- | 
| Assignment Group value (`SYS_ID`) to use when creating ServiceNow Incidents from AWS Systems Manager Incident Manager synchronization |  `sys_id` of the assignment group that the Connector uses when synching Incidents from AWS Systems Manager Incident Manager. Default value: <empty>  | 
| Synchronization of the resolved status |  **Bidirectional**: Sync Resolve status of the incident from AWS to ServiceNow and ServiceNow to AWS. **Unidirectional: AWS to ServiceNow**: Sync Resolve status of the incident only from AWS to ServiceNow. **Unidirectional: ServiceNow to AWS**: Sync Resolve status of the incident only from ServiceNow to AWS. **None**: Resolve status is not synched. Default value: Bidirectional  | 

# Validating AWS Systems Manager Incident Manager integration


This section describes how to validate AWS Systems Manager Incident Manager integration in ServiceNow.

**To view Incident Manager incidents**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view).

1. In the navigator, enter **AWS Service Management**.

1. Choose **AWS Systems Manager Incident Manager**.

1. Choose **Incidents** to show a list of all synced Incidents.

**To view Incident Manager incident details**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view).

1. In the navigator, enter **AWS Service Management**.

1. Choose **AWS Systems Manager Incident Manager**.

1. Choose **Incidents** to show a list of all synced Incidents.

1. To open the record, choose the **Number** field of an Incident.

1. Open the AWS Systems Manager Incident Manager tab to display details of the IM Incident.

1. To open the Incident Manager incident on the AWS Incident Management console, choose the AWS Incident URL.

**To resolve an Incident Manager incident**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view).

1. In the navigator, enter **AWS Service Management**.

1. Choose **AWS Systems Manager Incident Manager**.

1. Choose **Incidents** to show a list of all synced Incidents.

1. To open the record, choose the **Number** field of an Incident.

1. In the **Resolution Information** tab, complete **Resolution Code and Resolution Notes**.

1. Choose **Resolve**.

**To view AWS Systems Manager Incident Manager Ops Items**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (Standard user interface view).

1. In the navigator, enter **AWS Service Management**.

1. Choose **AWS Systems Manager Incident Manager**.

1. Choose **Incidents** to show a list of all synced Incidents.

1. To open the record, choose the **Number** field of an Incident.

1. Scroll to the bottom of the Incident form and use the AWS OpsItems related list to see associated OpsItems.

## Fields mapped from Incident Manager incident to ServiceNow Incident records


This table shows how AWS Incident Manager Incidents map to ServiceNow Incidents.


| AWS Incident Manager incident | ServiceNow Incident | 
| --- | --- | 
| Title | `short_description` | 
| Summary | `description` | 
| Incident ARN | `x_126749_aws_sc_awsincidentarn` | 
| AWS Account | `x_126749_aws_sc_awsaccount` | 
| AWS Region | `x_126749_aws_sc_awsregion` | 
| Status | `x_126749_aws_sc_awsstatus` | 
| Start time | `x_126749_aws_sc_awscreationtime` | 
| Resolved time | `x_126749_aws_sc_awsresolvetime` | 
| Updated time | `x_126749_aws_sc_awslastupdatedtime` | 
| Incident Sync time | `x_126749_aws_sc_awslastsynctime` | 
| AWS incident URL | `x_126749_aws_sc_awsincidenturl` | 
| Impact | `impact` | 

**Incident Status** is an integer in ServiceNow. We map Incident Manager incident status values to ServiceNow status values.


| Incident Manager Incident Status | ServiceNow Incident Status | 
| --- | --- | 
|  Open  |  New  | 
|  Resolved  |  Resolved  | 
| Resolved | Cancelled | 

**Priority** - In ServiceNow Incident, you can’t set the Priority field directly. The values of the **Impact** and **Urgency** fields calculate the **Priority** field. When synchronizing from AWS, we set the default priorities as below:


| Incident Manager Incident | ServiceNow Incident: Impact | ServiceNow Incident: Urgency | ServiceNow Incident: Priority (Calculated) | 
| --- | --- | --- | --- | 
| Critical | High | High | Critical (1) | 
| High | High | High | Critical (1) | 
| Medium | Medium | High | High (2) | 
| Low | Low | High | Moderate (3) | 
| No Impact | Low | High | Moderate (3) | 

# AWS Health in ServiceNow

AWS Health integration includes a dashboard that provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. This enables deeper visibility into resource issues, upcoming changes, and important notifications.

To allow the Connector to synchronize AWS Health events and resource information, the account should have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan. For more information, refer to [What is AWS Health?](https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html)

**Topics**
+ [Configuring AWS](sn-config-health.md)
+ [Synchronizing AWS Health events with ServiceNow](sn-health-configure.md)
+ [Validating AWS Health integration](sn-health-validate.md)

# Configuring AWS


This section describes how to configure AWS Health integration in ServiceNow.

**Configure AWS for health-integration features**

1. Set up an Amazon SQS queue to sync AWS Health events. Name the queue, **AwsServiceManagementConnectorForHealthDashboardQueue**, to align with the default name in the ServiceNow System Properties for the AWS Health integration. For more information, refer to [Getting started with Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-getting-started.html).

1. Set up an Amazon EventBridge rule to detect **Health Event** changes and push them to the queue. For more information, refer to [Getting started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html). The rule should have the following event pattern and point to the Amazon SQS queue from step 1:

```
"EventPattern":
{
    "source":
    [
        "aws.health"
    ]
}
```

**Note**  
The SQS queue synchronizes every five minutes. To change this threshold, navigate to **Scheduled Jobs**, and modify the **Repeat Interval** value of the **Synchronize AWS Health** job.

**Note**  
You can use baseline CloudFormation templates to automate AWS Health integration features. For more information, refer to [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md). 
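
The following is an added example, not taken from the AWS documentation, that checks two things about the setup above: which events the rule's pattern forwards, and whether the queue's resource policy lets only that rule send messages. The account ID, Region, rule name, narrower comparison pattern, and sample events are constructed placeholders, and `matches` is a simplified stand-in for EventBridge pattern matching.

```python
import json

# Values taken from the page.
QUEUE_NAME = "AwsServiceManagementConnectorForHealthDashboardQueue"
EVENT_PATTERN = {"source": ["aws.health"]}

# Placeholders assumed for this example (not from the page).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
RULE_NAME = "ExampleHealthToConnectorQueue"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE_NAME}"
RULE_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/{RULE_NAME}"

# Narrower pattern, shown only for comparison (assumption).
ISSUES_ONLY = {"source": ["aws.health"], "detail": {"eventTypeCategory": ["issue"]}}

# Constructed sample events, trimmed to the fields the patterns inspect.
SAMPLE_EVENTS = [
    {"source": "aws.health", "detail-type": "AWS Health Event",
     "detail": {"eventTypeCategory": "issue", "service": "EC2"}},
    {"source": "aws.health", "detail-type": "AWS Health Event",
     "detail": {"eventTypeCategory": "scheduledChange", "service": "RDS"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "stopped"}},
]

# Constructed example of a policy that is broader than the rule needs.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenSend", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:*", "Resource": QUEUE_ARN}]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def matches(pattern, event):
    """Simplified EventBridge matching: exact values and nested objects only."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not any(v in expected for v in as_list(actual)):
            return False
    return True


def forwarded(pattern, events=SAMPLE_EVENTS):
    """Health event categories that the pattern would push to the queue."""
    return [e["detail"]["eventTypeCategory"] for e in events if matches(pattern, e)]


def build_queue_policy(queue_arn=QUEUE_ARN, rule_arn=RULE_ARN):
    """Queue resource policy that lets only this one rule deliver messages."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowHealthRuleOnly",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    }]}


def audit_queue_policy(policy, rule_arn=RULE_ARN):
    """Return findings for Allow statements broader than the rule needs."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        condition = stmt.get("Condition", {})
        # Collect every aws:SourceArn value, whatever the condition operator.
        source_arns = []
        for keys in condition.values():
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    source_arns += as_list(value)
        is_dict = isinstance(principal, dict)
        wildcard = principal == "*" or (
            is_dict and "*" in as_list(principal.get("AWS", [])))
        if wildcard and not condition:
            findings.append(f"{sid}: any principal may act on the queue")
        if (is_dict and "events.amazonaws.com" in as_list(principal.get("Service", []))
                and source_arns != [rule_arn]):
            findings.append(f"{sid}: EventBridge access is not pinned to {rule_arn}")
        for action in as_list(stmt.get("Action", [])):
            if action in ("*", "sqs:*"):
                findings.append(f"{sid}: wildcard action {action}")
    return findings


if __name__ == "__main__":
    print("page pattern forwards:", forwarded(EVENT_PATTERN))
    print("issues-only pattern forwards:", forwarded(ISSUES_ONLY))
    print(json.dumps(build_queue_policy(), indent=2))
    print("weak policy findings:", audit_queue_policy(WEAK_POLICY))
```

The page's pattern forwards every Health event category, which is what the auto-creation settings for `issue`, `accountNotification`, and `scheduledChange` events rely on; a narrower pattern would drop categories before the Connector sees them.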

# Synchronizing AWS Health events with ServiceNow


This section shows you how to synchronize AWS Health events with ServiceNow.

1. In the ServiceNow filter navigator in the fulfiller (standard user interface) view, enter **AWS Service Management Connector**.

1. Choose **System Properties** and then **AWS Health**. 

   Configure the SQS name created by the CloudFormation stack. Note that a queue with this name must exist in all Regions defined in any AWS accounts with the AWS Health integration enabled. The default value is **AwsServiceManagementConnectorForHealthDashboardQueue**.

   **Note**  
   Unless you change the SQS name in the AWS account, don't change the Amazon SQS name in the ServiceNow scoped app (`AwsServiceManagementConnectorForHealthDashboardQueue`).

1. Review and modify the following settings as needed:


**ServiceNow settings**  

| Setting | Description | Default value | 
| --- | --- | --- | 
| SQS queue name | Name of the queue to fetch messages from. Only change this setting if you change the CloudFormation template that creates the queue. | AwsServiceManagementConnectorForHealthDashboardQueue | 
| Enable auto-creation for issue and investigation | Automatically creates a ServiceNow incident for new health events for issue and investigation types. If this setting is disabled, users can manually create incidents through the health dashboard. | none | 
| Enable auto-creation for accountNotification | Automatically creates a ServiceNow change request for new health events of type accountNotification. If this setting is disabled, users can manually create change requests through the health dashboard. | none | 
| Enable auto-creation for scheduledChange | Automatically creates a ServiceNow change request for new health events of type scheduledChange. If this setting is disabled, users can manually create change requests through the health dashboard. | none | 
| Assignment group | System ID of the default assignment group, which is the ServiceNow group that automatically assigns incidents and change requests. If this field is blank, no default group is assigned. | none | 

**Note**  
 The types of change requests are `Standard`, `Normal`, and `Emergency`, but custom types are also available. The default type is `Standard`.

# Validating AWS Health integration


**View AWS Health dashboard**

**Note**  
To view the AWS Health dashboard, you must use the role **x_126749_aws_sc.health_dashboard_viewer**.

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the search box, enter **AWS Service Management Connector**.

1. Choose **AWS Health** and then **Dashboards**.

1. At the top-right, select your account from the **Select an AWS account** dropdown list. The following four tabs are available:
   + **Open and recent issues** (opens by default) displays health events that were updated within the past seven days. Choose an event to display its details and a list of affected resources.
   + **Scheduled changes** displays future health events with start times after the current date and time.
   + **Other notifications** displays health events that were updated within the past seven days.
   + **Event log** displays all health events for the selected AWS account.

**View AWS Health incidents**

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the navigator, enter **AWS Service Management Connector**.

1. Under **AWS Health**, choose **AWS Health Incidents**.

**View AWS Health change requests**

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the navigator, enter **AWS Service Management Connector**.

1. Under **AWS Health**, choose **AWS Health Requests**.

**Manually create an AWS Health incident**

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the navigator, enter **AWS Service Management Connector**.

1. Choose **AWS Health** and then **Dashboards**.

1. Choose an event that doesn't already have an incident linked to it.

1. Choose **Create a New Incident**. You are redirected to the new-incident form, which has prefilled data fields for the selected health event.

**Manually create an AWS Health change**

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the navigator, enter **AWS Service Management Connector**.

1. Choose **AWS Health** and then **Dashboards**.

1. Choose an event that doesn't already have a change linked to it.

1. Choose **Create a New Change**. You are redirected to the new-incident form, which has prefilled data fields for the selected health event.

**Validate the automatic creation of AWS Health incidents and changes**

1. Log in to your ServiceNow instance in the fulfiller (standard) view.

1. In the navigator, enter **AWS Service Management Connector**.

1. Navigate to **AWS Health** system properties, and enable automatic creation for health event types.

1. Generate new health events, and then sync AWS Health.

# AWS Service Management Connector for ServiceNow Pricing


The AWS Service Management Connector for ServiceNow is a conventional ServiceNow scoped application developed and released through a ServiceNow Update Set. This application is available for no-cost download and use in your ServiceNow instance. You may still incur costs related to the use of AWS services integrated with the connector, and any licensing for Information Technology Service Management (ITSM) tools. 

The certified version of the AWS Service Management Connector is available for no-cost install from the [ServiceNow store](https://store.servicenow.com/sn_appstore_store.do#!/store/application/f0b117a3db32320093a7d7a0cf961912/).

AWS Service Management Connector (SMC) for ServiceNow uses security approved public APIs of the AWS service for all supported integrations. See the product pages of the AWS service to view pricing details. Contact the account manager or AWS Sales representatives for more information. 


| AWS Service | Pricing details | 
| --- | --- | 
| AWS Service Catalog | [https://aws.amazon.com/servicecatalog/pricing/](https://aws.amazon.com/servicecatalog/pricing/) | 
| AWS Config | [https://aws.amazon.com/config/pricing](http://aws.amazon.com/config/pricing) | 
| AWS Systems Manager | [https://aws.amazon.com/systems-manager/pricing](https://aws.amazon.com/systems-manager/pricing/) | 
| AWS Security Hub CSPM | [https://aws.amazon.com/security-hub/pricing/?nc=sn&loc=3](https://aws.amazon.com/security-hub/pricing/?nc=sn&loc=3) | 
| AWS Health and AWS Support | [https://aws.amazon.com/premiumsupport/pricing/](https://aws.amazon.com/premiumsupport/pricing/) | 

AWS Service Management Connector is a ServiceNow scoped application certified and released through the ServiceNow store. SMC includes custom tables as part of the connector for the various integrations. For more information on your custom table limits and cost implications, contact your ServiceNow account manager. 

SMC has dependency on ServiceNow plugins for managing visibility of resources and aligning with ServiceNow best practices. For more information, see the plugin documentation in the table below.


| ServiceNow plugin | Documentation | 
| --- | --- | 
| User Criteria Scoped API | [https://docs.servicenow.com/bundle/washingtondc-application-development/page/build/custom-application/concept/build-applications.html](https://docs.servicenow.com/bundle/washingtondc-application-development/page/build/custom-application/concept/build-applications.html) | 
| Discovery and Service Mapping Patterns | [https://docs.servicenow.com/bundle/store-release-notes/page/release-notes/store/it-operations-management/store-rn-itom-patterns.html](https://docs.servicenow.com/bundle/store-release-notes/page/release-notes/store/it-operations-management/store-rn-itom-patterns.html) | 

# Release notes for AWS Service Management Connector for ServiceNow

The latest version includes support for Zurich, Yokohama, and Xanadu and minor fixes to existing integrations. The prior version included enhancements to the existing AWS Health integration.

## Version 5.1.10


**AWS ServiceNow Connector Core Features**
+ Supports the latest ServiceNow platform releases of Zurich, Yokohama, and Xanadu.

**Support**
+ Fix for region selection for AWS Support integration.

## Version 5.1.6


**AWS ServiceNow Connector Core Features**
+ Supports the latest ServiceNow platform releases of Yokohama and Xanadu.

**AWS Config**
+ Fix for AWS tags filtering.

## Version 5.1.3


**AWS ServiceNow Connector Core Features**
+ Supports the latest ServiceNow platform releases Xanadu (X), Washington DC (W), and Vancouver (V).

**AWS Security Hub CSPM**
+ Fix an issue with date and timestamp for AWS Security Hub CSPM findings to show the correct format.

**Note**  
To maintain the integration capabilities of the Xanadu ServiceNow release, upgrade the connector to version 5.1.3.

## Version 5.0.0


**AWS Health**
+ Create incidents, including changes, from AWS Health events.
+ Supports affected resource tracking for planned lifecycle events.
+ Supports pagination by syncing health events with visual information.
+ Supports AWS Organizations to view and consolidate multiple AWS accounts via Amazon EventBridge.
+ Updated dashboard that allows selecting accounts and events.
+ Support for ServiceNow Vancouver release.
+ Support for ServiceNow Washington DC release.

## Version 4.8.5


**AWS ServiceNow Connector Core Features**
+ Dashboard that displays reports/charts for AWS Service Catalog, AWS Config, and AWS Security Hub CSPM integrations in the ServiceNow platform. 
+ Support for China Regions (Beijing and Ningxia) for all AWS services compatible with China Regions. 
+ Support for ServiceNow Utah release. 

**AWS Service Catalog**
+ Support for the Terraform open source product type, enabling self-service provisioning with governance for your Terraform configurations within AWS from Service Catalog at scale. 
+ Fix validation issue with mandatory parameters input on catalog item submission. 

**AWS Config**
+ Support for the following new resource types: Amazon WorkSpaces, Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), Amazon Elastic File System (EFS), and Amazon RDS Cluster. 
+ Ability to change synchronization to use many-to-many (MTM) table in the connector. 

**AWS Systems Manager OpsCenter**
+ Synchronize **Action Item** type OpsItems from AWS Systems Manager Incident Manager. 

## Version 4.7.5


**AWS ServiceNow Connector Core Features**
+ Supports latest ServiceNow platform releases for Tokyo (T), San Diego (S), and Rome (R).
+ Enables conditional dependency on ServiceNow plugins based on the AWS integrations in use.

**AWS Service Catalog**
+ Ability to filter Service Catalog synced portfolios in the ServiceNow Service Portal using AWS accounts and regions. 

**AWS Systems Manager Incident Manager**
+ Displays formatted Timeline Events of an incident in ServiceNow incident comments. 
+ Provides a new Open Incident module to display in-progress incidents.

**Support**
+ Ability to configure Support cases through automatic incident creation or staged support cases, allowing you to create custom ServiceNow Business Rules and workflow logic. 

## Version 4.5.5


**AWS Systems Manager OpsCenter**
+ Prevents duplicate incidents created for OpsItems synched to ServiceNow.

## Version 4.5.0


**AWS Health**
+ Syncs AWS Health events and resource information.
+ Provides a dashboard to view AWS Health status of AWS accounts.

**AWS Systems Manager Incident Manager**
+ Syncs AWS Systems Manager Incident Manager incidents as ServiceNow Incidents.
+ Creates relationship between synched incident from Incident Manager and the associated Ops Item.
+ Provides configuration to allow bidirectional or unidirectional synchronization of the ‘resolved’ status between ServiceNow incident and corresponding AWS incident.

**AWS ServiceNow Connector Core Features**
+ Displays AWS account number for validated accounts.
+ Supports latest ServiceNow platform releases for Quebec (Q - Patch 5 going forward), Rome (R), and San Diego (S).

**AWS Service Catalog**
+ Provides Service Portal widget to search AWS Service Catalog products from ServiceNow Service Portal.
+ Configures independent workflows for different portfolios.
+ Provides feature to set a table filter for user selectable Automated Tags.

**Support**
+ Offers near real-time sync of Support cases to ServiceNow using Amazon EventBridge and Amazon SQS queue.
+ Syncs Support case severity back into ServiceNow incident.
+ Supports AWS accounts with different service accesses.

**AWS Security Hub CSPM**
+ Provides revised AWS Security Hub CSPM Findings form to show remediation information.

**AWS Systems Manager Change Manager**
+ Syncs AWS CloudTrail events and resource information related to the AWS Change Request.

**AWS Config**
+ Supports Amazon API Gateway resource type.
+ Creates relationship between RDS Instances and RDS Cluster, if present.
+ Introduces new attribute mappings and relationships on existing resource types.

## Version 4.0.1


**AWS ServiceNow Connector Core Features**
+ Supports the latest ServiceNow platform releases for Quebec (Q - Patch 5 going forward), Rome (R), and San Diego (S).

**AWS Service Catalog**
+ Accurately retrieves launch paths/parameters for catalog items in order guides.

**Support**
+ Uses GovCloud accounts with Support integration.

**AWS Security Hub CSPM**
+ Syncs ServiceNow Incident state updates to AWS Security Hub CSPM Findings.

## Version 4.0.0


**AWS ServiceNow Connector Core Features**
+ Uses Guided Setup to enable you to configure and mark complete ServiceNow install components for the AWS Service Management Connector.
+ Supports the latest ServiceNow platform releases for Rome (R), Quebec (Q - Patch 5 going forward).

**Support**
+ Views, creates, updates, adds correspondence, and resolves Support cases from ServiceNow as incidents.
+ Tracks and manages AWS cases (incidents) within ServiceNow as incidents to ascertain the health of their AWS services and resources as opposed to swiveling between multiple platforms.

**AWS Systems Manager Change Manager**
+ Creates Change Requests from a curated list of AWS Change Templates that are vetted in AWS Systems Manager Change Manager.
+ Enables you to customize the change workflow in ServiceNow and streamline and align the maintenance and Service Management governance of AWS resources with your existing Change Management process.

**AWS Systems Manager Automation**
+ Updates mappings to accurately display Status values of Automation document execution in ServiceNow.

## Version 3.8.5


**AWS ServiceNow Connector Core Features**
+ Enhances AWS services (AWS Service Catalog, AWS Config, AWS Systems Manager, AWS Security Hub CSPM) synchronization to ServiceNow into separate, distinct scheduled jobs.
+ Renames 'Sync all Accounts' scheduled job to 'Synchronize changes to all AWS accounts' based on synchronization enhancements.
+ Supports the latest ServiceNow platform releases for Rome (R), Quebec (Q - Patch 5 going forward), Paris (P) and Orlando (O).

**AWS Service Catalog**
+ Views AppRegistry applications, attribute groups and linked resources in the ServiceNow CMDB.
+ Enables support for ServiceNow order guides for AWS Service Catalog products and AWS Systems Manager automation documents.
+ Supports NoEcho parameters when viewing AWS Service Catalog Provisioned Products parameters through ServiceNow Requested Item. 

**AWS Config**
+ Adds a configurable ServiceNow system property for AWS Config integration to automatically copy the AWS Resource Id (Object ID in ServiceNow) into ServiceNow's Name field to make AWS resources visible as configuration items.
+ Updates ELB resource mapping from `cmdb_ci_lb_service` table to `cmdb_ci_cloud_load_balancer` table.
+ Updates relationships visible in the ServiceNow CMDB for AWS resources such as Cloud Subnet, DynamoDB, EC2, ELB, RDS, Storage volume, Security groups, and VPC.

**AWS Security Hub CSPM**
+ Synchronizes UserDefinedFields JSON blob for Security Hub Findings.

# Reference: AWS API calls for the AWS Service Management Connector

The following provides the reference AWS API calls for AWS Service Management Connector.
+ `AWSBudgets.describeBudget`
+ `AWSCloudFormation.registerType`
+ `AWSCloudFormation.deregisterType`
+ `AWSCloudFormation.describeTypeRegistration`
+ `AmazonConfig.describeConfigurationRecorders`
+ `AmazonConfig.getResourceConfigHistory`
+ `AmazonConfig.listDiscoveredResources`
+ `AmazonConfig.putResourceConfig`
+ `AmazonConfig.selectResourceConfig`
+ `AmazonConfig.selectAggregateResourceConfig`
+ `AWSSecurityHub.batchUpdateFindings`
+ `AWSSecurityTokenService.getCallerIdentity`
+ `AWSServiceCatalog.createProvisionedProductPlan`
+ `AWSServiceCatalog.deleteProvisionedProductPlan`
+ `AWSServiceCatalog.describePortfolio`
+ `AWSServiceCatalog.describeProduct`
+ `AWSServiceCatalog.describeProductAsAdmin`
+ `AWSServiceCatalog.describeProductView`
+ `AWSServiceCatalog.describeProvisionedProduct`
+ `AWSServiceCatalog.describeProvisionedProductPlan`
+ `AWSServiceCatalog.describeProvisioningParameters`
+ `AWSServiceCatalog.describeRecord`
+ `AWSServiceCatalog.executeProvisionedProductPlan`
+ `AWSServiceCatalog.executeProvisionedProductServiceAction`
+ `AWSServiceCatalog.listBudgetsForResource`
+ `AWSServiceCatalog.listLaunchPaths`
+ `AWSServiceCatalog.listPortfolioAccess`
+ `AWSServiceCatalog.listPortfolios`
+ `AWSServiceCatalog.listProvisionedProductPlans`
+ `AWSServiceCatalog.listServiceActionsForProvisioningArtifact`
+ `AWSServiceCatalog.listStackInstancesForProvisionedProduct`
+ `AWSServiceCatalog.provisionProduct`
+ `AWSServiceCatalog.searchProducts`
+ `AWSServiceCatalog.searchProductsAsAdmin`
+ `AWSServiceCatalog.terminateProvisionedProduct`
+ `AWSServiceCatalog.updateProvisionedProduct`
+ `AWSSimpleQueueService.DeleteMessage`
+ `AWSSimpleQueueService.DeleteMessageBatch`
+ `AWSSimpleQueueService.ReceiveMessage`
+ `AWSSimpleSystemsManagement.describeAutomationExecutions`
+ `AWSSimpleSystemsManagement.describeDocument`
+ `AWSSimpleSystemsManagement.getAutomationExecution`
+ `AWSSimpleSystemsManagement.getDocument`
+ `AWSSimpleSystemsManagement.listDocuments`
+ `AWSSimpleSystemsManagement.startAutomationExecution`
+ `AWSSimpleSystemsManagement.describeOpsItems`
+ `AWSSimpleSystemsManagement.getOpsItem`
+ `AWSSimpleSystemsManagement.updateOpsItem`
+ `AWSServiceCatalogAppRegistry.ListAttributeGroups`
+ `AWSServiceCatalogAppRegistry.GetAttributeGroup`
+ `AWSServiceCatalogAppRegistry.ListApplications`
+ `AWSServiceCatalogAppRegistry.GetApplication`
+ `AWSServiceCatalogAppRegistry.ListAssociatedAttributeGroups`
+ `AWSServiceCatalogAppRegistry.ListAssociatedResources`
+ `Support:DescribeAttachment`
+ `Support:DescribeCommunications`
+ `Support:AddAttachmentsToSet`
+ `Support:AddCommunicationToCase`
+ `Support:CreateCase`
+ `Support:ResolveCase`
+ `Support:DescribeCases`
+ `Support:DescribeServices`
+ `Cloudtrail:DescribeQuery`
+ `Cloudtrail:ListEventDataStores`
+ `Cloudtrail:StartQuery`
+ `Cloudtrail:GetQueryResults`
+ `AWSSimpleSystemsManagementIncident:ListIncidentRecords`
+ `AWSSimpleSystemsManagementIncident:GetIncidentRecord`
+ `AWSSimpleSystemsManagementIncident:UpdateRelatedItems`
+ `AWSSimpleSystemsManagementIncident:ListTimelineEvents`
+ `AWSSimpleSystemsManagementIncident:GetTimelineEvent`
+ `AWSSimpleSystemsManagementIncident:UpdateIncidentRecord`
+ `AWSSimpleSystemsManagement:ListOpsItemRelatedItems`

# Updated key synchronization in ServiceNow

 AWS Service Management Connector for ServiceNow allows synchronization of updated keys using any automation or integration through a new REST endpoint. 

 You can send requests to sync updated keys for one or more AWS accounts registered in the AWS Service Management Connector for either the *Sync User* or *End User* role. 

For instructions and information about synching updated keys syntax, see [Syncing Updated Keys Programmatically in ServiceNow](https://servicecatalogconnector.s3.amazonaws.com/AWS_SMC-keyRotationusingAPI.pdf). 

# Contacting Service Management Connector specialist team

In AWS Service Management Connector, you can now contact the AWS SMC Specialist team through a Support case directly from the Connector. 

**Note**  
You must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) plan and enable the Support integration while setting up AWS Accounts in the Connector. 

**To create a support case with the Connector team from ServiceNow**

1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

1. In the navigator, enter **AWS Service Management**. 

1. Choose **Incidents** under **Support** to show a list of all synched support cases.

1. Choose **New** from the list header.

1. Complete the mandatory fields on the form. 
   + **Subject** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **AWS Account** – AWS account you selected for the support case
   + **AWS Service** – AWS Service related to the support case
   + **AWS Category** – Category of the case under the related service
   + **Caller** – ServiceNow field that identifies the creator of the support ticket

1. Choose **Submit**.

1. Choose the Incident you created from the list.

   The **AWS Case Id** and **AWS Case Status** display.

**Note**  
Alternatively, you can create the support case from the Support console.

1. In the console, choose **Technical Support**.

1. Complete the required fields on the form:
   + Service – **Service Catalog**
   + Category – **Service Management Connectors**
   + Severity – **General Guidance or System Impaired** (based on your need)
   + Subject – Brief summary of the question or issue; include the name of the Connector you use.
   + Description – Detailed account of the question or issue.

1. In **Contact Options**, choose **Web**.

1. Choose **Submit**.

An SMC specialist team member will reach out through the support case.

# Upgrading to AWS Service Management Connector from a previous version


To upgrade to AWS Service Management Connector from a previous Connector version in a ServiceNow Production instance, you must:
+  Install the Connector in a ServiceNow sandbox instance. 
+  Follow the Connector installation instructions starting at baseline permissions.

  **Note**  
  There is a known issue with committing update sets that have a previous version of the Connector installed.  
  Previewing the update set is successful. However, at the conclusion of the commit, an error appears that states: “Version loading was stopped by DictionaryUpdateLoader….”  
  We consider these errors false positives. After further testing, we determined there is no impact on the update set. AWS logs a ServiceNow support case and provides a new release if needed. 
+  Compare the two versions to plan how you manage your ServiceNow Development. 
+  Determine how you want to address Service Catalog provisioned products in previous releases. 
+  Create a checklist of all your transition action items, including but not limited to: 
  + Transition plan
    +  Decision point on Service Catalog provisioned products 
    +  Steps to update or install the Connector in ServiceNow development to production environments
  +  ServiceNow platform admin communications 
  +  End user communications 

## Delete application files


(Optional) When you upgrade to the latest connector version, you may have application files that are no longer required. While these files don't pose any risks to the feature set, you can delete them by completing the following steps:

1. Navigate to **System Definition** and then **Fix Scripts**.

1. Open the context (right-click) menu for **Name**, and then choose **Import XML**.

1. Upload the [Fix Script](https://servicecatalogconnector.s3.amazonaws.com/AWSConnector513-RemoveDeletedAppFiles.xml).

1. Select `AWSConnector-RemoveDeletedAppFiles`.

1. Choose **Run Fix Script**.