Home Orlando IT Operations Management IT Operations Management ITOM Visibility Discovery Cloud Discovery Amazon AWS Cloud Discovery

Amazon AWS Cloud Discovery

Use Cloud Discovery to discover virtual resources in your AWS organizations (master accounts) and sub-accounts.

AWS master accounts for AWS Organizations

An AWS organization is a collection of AWS accounts under a single account. Cloud Discovery refers to AWS Organizations in the wizard as master accounts. The member accounts that belong to a master account are called sub-accounts.

Note: Cloud Discovery for AWS Organizations is not fully supported in a GovCloud isolated region.

The advantages of using master accounts are:

Easy population of sub-accounts: After you configure the master account and supply the necessary credentials, you can test the connection to the account. If the test succeeds, Discovery returns a list of the member accounts in that master account. From this list, you can choose one or more sub-accounts to include in the Discovery of the master account.
Discovery of sub-account resources using dynamically acquired credentials: When you run Discovery on your cloud resources, you do not need separate credentials for each sub-account. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an AWS API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security.

AWS Credentials

To discover a single account, create an IAM account in AWS console, and ensure it has "ReadOnlyAccess" policy applied. If you would like to discover a number of member/child accounts you do not need to configure separate credentials for accounts that are member accounts. You can configure IAM roles in an IAM Instance Profile to receive temporary credentials to your master account without requiring credentials in the instance. To receive temporary AWS credentials for one or more member accounts, you can assume an AWS member role. If a service account is a member account, the Discovery process automatically generates a temporary credential for the account through AWS.

Note: To discover AWS resources, ensure that the configured credential in the AWS console, has the "ReadOnlyAccess" policy applied.

Table 1. AWS Credentials form
Field	Input value
Name	A unique and descriptive name for the AWS credentials.
Active	Option to use the credential.
Access Key ID	The Access Key ID that you generated on the AWS Management Console. For example, `APIAIOSFODNN7EXAMPLE`.
Secret Access Key	The Secret Access key that you generated on the AWS Management Console, for example, `wPalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`.

How Discovery finds AWS resources

Discovery uses the Cloud API (CAPI) and patterns to find cloud resources.

Table 2. Default patterns
Pattern	Description
Amazon AWS Elastic Load Balancer Service	Retrieves AWS load balancers and populates the Load Balancer Services [cmdb_ci_lb_service] table. Application load balancers, network load balancers, and classic load balancers are supported.
Amazon AWS Relational Database Service	Retrieves RDS instances and populates the Cloud Database [cmdb_ci_cloud_database] table.
Amazon AWS Route53 HD	Resolves DNS names and aliases for the AWS cloud.

Note: Amazon Route 53 is supported.

Prerequisites

Amazon AWS LDC discovery

Discovery uses the Amazon AWS Logical Datacenter (LDC) discovery pattern to run horizontal discovery. The pattern requires these prerequisites:

On the Now Platform, configure AWS credentials, using a secret key and an access key.
Create a service account. Set the Account ID to the Amazon account ID to which RDS belongs. Use the Account ID as it appears in the AWS Management Console.
Set read-only permissions for the following REST API:
- https://ec2.amazonaws.com/?Action=DescribeRegions&Version=2016-11-15
For Cloud Discovery, download the Discovery and Service Mapping pattern from the ServiceNow Store.
When installing the MID Server, ensure that the host machine meets or exceeds the MID Server system requirements published on the ServiceNow documentation site.

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store.

Data collected for AWS Cloud Discovery

Table 3. AWS Datacenter [cmdb_ci_aws_datacenter]
Label	Field Name
Name	name
Region	region
Object ID	object_id

Table 4. Availability Zone [cmdb_ci_availability_zone]
Label	Field Name
Name	name

Table 5. Virtual Machine Instance [cmdb_ci_vm_instance]
Label	Field Name
Name	name
State	state
Object ID	object_id
CPUs	cpus
Disks	disks
Disks size (GB)	disks_size
Memory	memory
Network adapters	nics
VM Instance ID	vm_inst_id

Table 6. Compute Security Groups [cmdb_ci_compute_security_group]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 7. Images [cmdb_ci_os_template]
Label	Field Name
Name	name
Object ID	object_id
Guest OS	guest_os
Root device type	root_device_type
Image source	image_source
Image type	image_type

Table 8. Hardware Type [cmdb_ci_compute_template]
Label	Field Name
Name	name
vCPUs	vcpus
Memory MB	memory_mb
Local Storage GB	local_storage_gb

Table 9. Storage Volume [cmdb_ci_storage_volume]
Label	Field Name
Name	name
State	state
Object ID	object_id
Storage type	storage_type
Size	size

Table 10. Cloud Networks [cmdb_ci_network] and VMware vCenter Network [cmdb_ci_vcenter_network]
Label	Field Name
Name	name
State*	state
CIDR*	cidr

*Not found on VMware vCenter networks.

Table 11. Cloud Subnets [cmdb_ci_cloud_subnet]
Label	Field Name
Name	name
Status	status
CIDR	cidr

Table 12. Cloud Management Network Interfaces [cmdb_ci_nic]
Label	Field Name
Name	name
Netmask	netmask
MAC Address	mac_address
MAC Manufacturer	mac_manufacturer
Status	install_status

Table 13. Cloud Load Balancers [cmdb_ci_cloud_load_balancer]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 14. Resource Groups [cmdb_ci_resource_group]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 15. Public IP Addresses [cmdb_ci_cloud_public_ipaddress]
Label	Field Name
Name	name
Object ID	object_id
Public IP address	public_ip_address
Public DNS	public_dns

Table 16. Storage Accounts [cmdb_ci_cloud_storage_account]
Label	Field Name
Name	name
Object ID	object_id
Sku Name	sku_name
State	state

Table 17. DNS Alias [cmdb_ci_dns_alias] and DNS name [cmdb_ci_dns_name]
Label	Field name
DNS Alias [cmdb_ci_dns_alias]
Name	name
Category	category
Status	status
DNS name [cmdb_ci_dns_name]
Name	name
IP address	ip_address

Table 18. Cloud Databases [cmdb_ci_cloud_database]
Label	Field Name	Description
Name	name	The name of the database that you created in AWS.
Object ID	object_id	This is also the name of the database.
Type	Type	The type of database you created.
Fully qualified domain name	fqdn	The FQDN that AWS assigned to your database. An example format for AWS is as follows: `database-name.{random-number}.{datacenter}.rds.amazonaws.com`
State	state	The state of the database: whether it is Available or Terminated.
TCP port(s)	tcp_port	The TCP port that the database communicates through.
Category	category	The instance class of the database, for example: db.t2.micro.

Table 19. Cloud WebServer [cmdb_ci_cloud_webserver]
Label	Field Name
Name	name
Install status	install_status
Vendor	vendor
Fully qualified domain name	fqdn
Operational status	operational_status
State	state

Relationships between virtual machines, datacenters, and other CIs


Class	Relationship	Class
Virtual Machine Instance [cmdb_ci_vm_instance]	Hosted on	AWS Datacenter [cmdb_ci_aws_datacenter] vCenter Datacenter [cmdb_ci_vcenter_datacenter] Note: These tables extend Logical Datacenter [cmdb_ci_logical_datacenter]. The relationship between the VM and the specific type of datacenter is through the Logical Datacenter table.
Virtual Machine Instance [cmdb_ci_vm_instance]	Virtualizes	Computer [cmdb_ci_computer] Note: This is a virtual machine. The Is virtual field is true.
Logical Datacenter [cmdb_ci_logical_datacenter]	Contains	Resource Group [cmdb_ci_resource_group]
	Hosts	Public IP Address [cmdb_ci_cloud_public_ip_address]
	Hosted on	Cloud Service Account [cmdb_ci_cloud_service_account]
	Hosts	Storage Account [cmdb_ci_cloud_storage_account]
	Contains	Availability Zone [cmdb_ci_availability_zone]
	Contains	Host Cluster [cmdb_ci_host_cluster]
	Hosts	OS Template [cmdb_ci_os_template]
	Hosts	Compute Template [cmdb_ci_compute_template]
	Hosted on	Cloud Management Network Interfaces [cmdb_ci_nic]
Cloud DataBase [cmdb_ci_cloud_database]	Owns	IP Address [cmdb_ci_ip_address]
	Hosted on	AWS Datacenter [cmdb_ci_aws_datacenter]
	Hosted on	Cloud Service Account [cmdb_ci_cloud_service_account]

AWS Config service

If you configured the AWS Config service, the instance can receive notifications when changes to cloud resources occur. Discovery can then take action and make updates.

The instance can detect an AWS config notification with message type ConfigurationItemChangeNotification for these resource types:

AWS::EC2::Instance
AWS::EC2::VPC
AWS::EC2::Subnet
AWS::EC2::Volume

Discovery can then make updates to records in the Response Mappings [sn_cmp_response_mapping] table that have Cloud Event in the Datasource field.

Previous topic

Next topic

Release version

Amazon AWS Cloud Discovery

Use Cloud Discovery to discover virtual resources in your AWS organizations (master accounts) and sub-accounts.

AWS master accounts for AWS Organizations

Note: Cloud Discovery for AWS Organizations is not fully supported in a GovCloud isolated region.

The advantages of using master accounts are:

Easy population of sub-accounts: After you configure the master account and supply the necessary credentials, you can test the connection to the account. If the test succeeds, Discovery returns a list of the member accounts in that master account. From this list, you can choose one or more sub-accounts to include in the Discovery of the master account.
Discovery of sub-account resources using dynamically acquired credentials: When you run Discovery on your cloud resources, you do not need separate credentials for each sub-account. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an AWS API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security.

AWS Credentials

Note: To discover AWS resources, ensure that the configured credential in the AWS console, has the "ReadOnlyAccess" policy applied.

Table 1. AWS Credentials form
Field	Input value
Name	A unique and descriptive name for the AWS credentials.
Active	Option to use the credential.
Access Key ID	The Access Key ID that you generated on the AWS Management Console. For example, `APIAIOSFODNN7EXAMPLE`.
Secret Access Key	The Secret Access key that you generated on the AWS Management Console, for example, `wPalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`.

How Discovery finds AWS resources

Discovery uses the Cloud API (CAPI) and patterns to find cloud resources.

Table 2. Default patterns
Pattern	Description
Amazon AWS Elastic Load Balancer Service	Retrieves AWS load balancers and populates the Load Balancer Services [cmdb_ci_lb_service] table. Application load balancers, network load balancers, and classic load balancers are supported.
Amazon AWS Relational Database Service	Retrieves RDS instances and populates the Cloud Database [cmdb_ci_cloud_database] table.
Amazon AWS Route53 HD	Resolves DNS names and aliases for the AWS cloud.

Note: Amazon Route 53 is supported.

Prerequisites

Amazon AWS LDC discovery

Discovery uses the Amazon AWS Logical Datacenter (LDC) discovery pattern to run horizontal discovery. The pattern requires these prerequisites:

On the Now Platform, configure AWS credentials, using a secret key and an access key.
Create a service account. Set the Account ID to the Amazon account ID to which RDS belongs. Use the Account ID as it appears in the AWS Management Console.
Set read-only permissions for the following REST API:
- https://ec2.amazonaws.com/?Action=DescribeRegions&Version=2016-11-15
For Cloud Discovery, download the Discovery and Service Mapping pattern from the ServiceNow Store.
When installing the MID Server, ensure that the host machine meets or exceeds the MID Server system requirements published on the ServiceNow documentation site.

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store.

Data collected for AWS Cloud Discovery

Table 3. AWS Datacenter [cmdb_ci_aws_datacenter]
Label	Field Name
Name	name
Region	region
Object ID	object_id

Table 4. Availability Zone [cmdb_ci_availability_zone]
Label	Field Name
Name	name

Table 5. Virtual Machine Instance [cmdb_ci_vm_instance]
Label	Field Name
Name	name
State	state
Object ID	object_id
CPUs	cpus
Disks	disks
Disks size (GB)	disks_size
Memory	memory
Network adapters	nics
VM Instance ID	vm_inst_id

Table 6. Compute Security Groups [cmdb_ci_compute_security_group]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 7. Images [cmdb_ci_os_template]
Label	Field Name
Name	name
Object ID	object_id
Guest OS	guest_os
Root device type	root_device_type
Image source	image_source
Image type	image_type

Table 8. Hardware Type [cmdb_ci_compute_template]
Label	Field Name
Name	name
vCPUs	vcpus
Memory MB	memory_mb
Local Storage GB	local_storage_gb

Table 9. Storage Volume [cmdb_ci_storage_volume]
Label	Field Name
Name	name
State	state
Object ID	object_id
Storage type	storage_type
Size	size

Table 10. Cloud Networks [cmdb_ci_network] and VMware vCenter Network [cmdb_ci_vcenter_network]
Label	Field Name
Name	name
State*	state
CIDR*	cidr

*Not found on VMware vCenter networks.

Table 11. Cloud Subnets [cmdb_ci_cloud_subnet]
Label	Field Name
Name	name
Status	status
CIDR	cidr

Table 12. Cloud Management Network Interfaces [cmdb_ci_nic]
Label	Field Name
Name	name
Netmask	netmask
MAC Address	mac_address
MAC Manufacturer	mac_manufacturer
Status	install_status

Table 13. Cloud Load Balancers [cmdb_ci_cloud_load_balancer]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 14. Resource Groups [cmdb_ci_resource_group]
Label	Field Name
Name	name
Object ID	object_id
State	state

Table 15. Public IP Addresses [cmdb_ci_cloud_public_ipaddress]
Label	Field Name
Name	name
Object ID	object_id
Public IP address	public_ip_address
Public DNS	public_dns

Table 16. Storage Accounts [cmdb_ci_cloud_storage_account]
Label	Field Name
Name	name
Object ID	object_id
Sku Name	sku_name
State	state

Table 17. DNS Alias [cmdb_ci_dns_alias] and DNS name [cmdb_ci_dns_name]
Label	Field name
DNS Alias [cmdb_ci_dns_alias]
Name	name
Category	category
Status	status
DNS name [cmdb_ci_dns_name]
Name	name
IP address	ip_address

Table 18. Cloud Databases [cmdb_ci_cloud_database]
Label	Field Name	Description
Name	name	The name of the database that you created in AWS.
Object ID	object_id	This is also the name of the database.
Type	Type	The type of database you created.
Fully qualified domain name	fqdn	The FQDN that AWS assigned to your database. An example format for AWS is as follows: `database-name.{random-number}.{datacenter}.rds.amazonaws.com`
State	state	The state of the database: whether it is Available or Terminated.
TCP port(s)	tcp_port	The TCP port that the database communicates through.
Category	category	The instance class of the database, for example: db.t2.micro.

Table 19. Cloud WebServer [cmdb_ci_cloud_webserver]
Label	Field Name
Name	name
Install status	install_status
Vendor	vendor
Fully qualified domain name	fqdn
Operational status	operational_status
State	state

Relationships between virtual machines, datacenters, and other CIs


Class	Relationship	Class
Virtual Machine Instance [cmdb_ci_vm_instance]	Hosted on	AWS Datacenter [cmdb_ci_aws_datacenter] vCenter Datacenter [cmdb_ci_vcenter_datacenter] Note: These tables extend Logical Datacenter [cmdb_ci_logical_datacenter]. The relationship between the VM and the specific type of datacenter is through the Logical Datacenter table.
Virtual Machine Instance [cmdb_ci_vm_instance]	Virtualizes	Computer [cmdb_ci_computer] Note: This is a virtual machine. The Is virtual field is true.
Logical Datacenter [cmdb_ci_logical_datacenter]	Contains	Resource Group [cmdb_ci_resource_group]
	Hosts	Public IP Address [cmdb_ci_cloud_public_ip_address]
	Hosted on	Cloud Service Account [cmdb_ci_cloud_service_account]
	Hosts	Storage Account [cmdb_ci_cloud_storage_account]
	Contains	Availability Zone [cmdb_ci_availability_zone]
	Contains	Host Cluster [cmdb_ci_host_cluster]
	Hosts	OS Template [cmdb_ci_os_template]
	Hosts	Compute Template [cmdb_ci_compute_template]
	Hosted on	Cloud Management Network Interfaces [cmdb_ci_nic]
Cloud DataBase [cmdb_ci_cloud_database]	Owns	IP Address [cmdb_ci_ip_address]
	Hosted on	AWS Datacenter [cmdb_ci_aws_datacenter]
	Hosted on	Cloud Service Account [cmdb_ci_cloud_service_account]

AWS Config service

If you configured the AWS Config service, the instance can receive notifications when changes to cloud resources occur. Discovery can then take action and make updates.

The instance can detect an AWS config notification with message type ConfigurationItemChangeNotification for these resource types:

AWS::EC2::Instance
AWS::EC2::VPC
AWS::EC2::Subnet
AWS::EC2::Volume

Discovery can then make updates to records in the Response Mappings [sn_cmp_response_mapping] table that have Cloud Event in the Datasource field.

How search works:

Topics are ranked in search results by how closely they match your search terms

Amazon AWS Cloud Discovery

Amazon AWS Cloud Discovery

AWS master accounts for AWS Organizations

AWS Credentials

How Discovery finds AWS resources

Prerequisites

Data collected for AWS Cloud Discovery

Relationships between virtual machines, datacenters, and other CIs

AWS Config service

On this page

Amazon AWS Cloud Discovery

Amazon AWS Cloud Discovery

AWS master accounts for AWS Organizations

AWS Credentials

How Discovery finds AWS resources

Prerequisites

Data collected for AWS Cloud Discovery

Relationships between virtual machines, datacenters, and other CIs

AWS Config service

Log in to personalize your search results and subscribe to topics