Configure AWS Config integration

Integrate AWS Config with a ServiceNow instance to receive near real-time Simple Notification Service (SNS) notifications from AWS. To process AWS events, you must configure AWS Config and SNS on the Amazon console.

Before you begin

Role required: aws_integration

Configure AWS Config on the Amazon console:

For AWS Config procedures, go to AWS Documentation and navigate to Management Tools > AWS Config > Developer Guide > Getting Started > Set Up AWS Config Using the Console.

Note: AWS Config is region-specific; therefore, you must create one SNS topic per region of interest.

About this task

SNS notifications for all supported AWS resource types are processed. For supported AWS resource types, go to AWS Documentation and navigate to Management Tools > AWS Config > Developer Guide > What Is AWS Config > Supported Resources, Configuration Items, and Relationships.

The ServiceNow instance parses the SNS notification and updates the CMDB.

SNS notification behavior:
  • If the SNS notification is changeType: CREATE, a new record is created in the CMDB for that resource, if it is not already discovered.
  • If the SNS notification is changeType: UPDATE for a particular resource, the corresponding resource gets updated with the changes, OR if that resource is not present or is not discovered, a new record is created to reflect the changes.
  • If the SNS notification is changeType: DELETE for a particular resource, the corresponding resource is not deleted from the CMDB; instead, the state of that resource is marked Terminated.

Procedure

  1. Once an SNS Topic is created on the AWS console, create a new subscription for it.
    1. Select the Topic ARN from the topic that you created.
      The Amazon Resource Name (ARN) is necessary for binding an AWS Config SNS to the CI.
    2. Set the Protocol to https.
    3. Set the Endpoint to: https://<user_id>:<password>@<instance.domain>/aws_evt_mgmt_proc.do.
      Where user_id and password are the user ID and password of the user with the aws_integration role, and instance.domain is the domain of the ServiceNow instance.
  2. Wait until the subscription goes from Pending to Confirmed and the subscription ARN is populated.
  3. A user with the admin role can add the applicable property for the desired feature to the sys_properties table of the ServiceNow instance.
    The AWS Config processor processes three types of messages:
    • ConfigurationItemChangeNotification: Always processed.
    • ConfigurationHistoryDeliveryCompleted: Processing of these messages is enabled by setting itom.aws.processConfigHistory to true.
    • ConfigurationSnapshotDeliveryCompleted: Processing of these messages is enabled by setting itom.aws.processConfigSnapshot to true.
    Property descriptions:
    • itom.aws.logEvent: When this property is enabled, SNS responses sent by AWS can be viewed in the aws_sns_event table. Default is off.
    • itom.aws.processConfigHistory: When this property is enabled, the ServiceNow instance processes the AWS SNS messages sent for history (ConfigurationHistoryDeliveryCompleted). Default is off.
    • itom.aws.processConfigSnapshot: When this property is enabled, the ServiceNow instance processes the AWS SNS messages sent for snapshot (ConfigurationSnapshotDeliveryCompleted). Default is off.
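The following is an added example, not ServiceNow's own processor code, that models both the SNS notification behavior described under "About this task" and the property-gated handling of the three message types from the procedure: an SNS envelope is parsed, the embedded AWS Config message is classified, and changeType is mapped to the CMDB actions the text describes. The property store, CMDB and event log are in-memory stand-ins, and the sample envelope is constructed here.

```javascript
// Added example, not ServiceNow's processor: gates an SNS-delivered AWS Config
// message by the three itom.aws.* properties and maps changeType to CMDB actions.
const DEFAULT_PROPERTIES = {            // all three properties default to off
  'itom.aws.logEvent': false,
  'itom.aws.processConfigHistory': false,
  'itom.aws.processConfigSnapshot': false,
};

// cmdb: Map of resourceId -> record; eventLog: stand-in for the aws_sns_event table.
function processSnsEnvelope(envelope, props, cmdb, eventLog) {
  // Subscription handshakes and other envelope types carry no AWS Config payload.
  if (envelope.Type !== 'Notification') return { action: 'ignored', reason: envelope.Type };
  if (props['itom.aws.logEvent']) eventLog.push(envelope);
  const msg = JSON.parse(envelope.Message); // AWS Config payload is a JSON string inside the envelope
  switch (msg.messageType) {
    case 'ConfigurationHistoryDeliveryCompleted':
      return { action: props['itom.aws.processConfigHistory'] ? 'process-history' : 'skipped' };
    case 'ConfigurationSnapshotDeliveryCompleted':
      return { action: props['itom.aws.processConfigSnapshot'] ? 'process-snapshot' : 'skipped' };
    case 'ConfigurationItemChangeNotification':
      return applyChange(msg, cmdb);
    default:
      return { action: 'ignored', reason: msg.messageType };
  }
}

// changeType -> CMDB behaviour: CREATE/UPDATE upsert the record, DELETE only marks it Terminated.
function applyChange(msg, cmdb) {
  const ci = msg.configurationItem;
  const existing = cmdb.get(ci.resourceId);
  if (msg.configurationItemDiff.changeType === 'DELETE') {
    if (!existing) return { action: 'ignored', reason: 'resource not in CMDB' }; // assumption: nothing to mark
    existing.state = 'Terminated';                 // the record stays in the CMDB
    return { action: 'terminated', resourceId: ci.resourceId };
  }
  const record = existing || { resourceId: ci.resourceId, resourceType: ci.resourceType, state: 'Active' };
  record.configuration = ci.configuration;
  cmdb.set(ci.resourceId, record);
  return { action: existing ? 'updated' : 'created', resourceId: ci.resourceId };
}

// Constructed sample envelope; field names follow the AWS Config notification format.
function sampleEnvelope(changeType, resourceId = 'i-0123456789abcdef0') {
  const message = {
    messageType: 'ConfigurationItemChangeNotification',
    configurationItem: { resourceType: 'AWS::EC2::Instance', resourceId, configuration: { state: 'running' } },
    configurationItemDiff: { changeType },
  };
  return { Type: 'Notification', TopicArn: 'arn:aws:sns:us-east-1:123456789012:example-topic', Message: JSON.stringify(message) };
}
```

Because a DELETE only changes the state, a terminated resource stays visible in the CMDB for audit, and a later UPDATE for the same resourceId updates that same record rather than creating a duplicate.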