Discovery and Service Mapping Patterns uses patterns to discover components of the Amazon AWS Cloud deployment during horizontal discovery. Discovering some of these resources requires updating the Discovery and Service Mapping Patterns application from the ServiceNow Store.

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Prerequisites

Verify that the applications are up to date:
  • Discovery and Service Mapping Patterns
  • CMDB CI Class Models
  • Visibility Content
Update the method used for pointed discovery for the AWS CFT stack
If you use Cloud Provisioning and Governance, you must update the getOperationGR(type) method. This update ensures pointed discovery lists the resources correctly for the AWS CloudFormation Template (CFT) stack after provisioning. For further information about the steps required to update this method, see the Knowledge Base article KB0858437.
Service account on the AWS Management Console

An AWS organization is a collection of AWS accounts under a single account. Cloud Discovery refers to AWS organizations in the wizard as management accounts. The member accounts that belong to a management account are called sub-accounts.

Note: Cloud Discovery for AWS Organizations isn’t fully supported in a GovCloud isolated region.
The advantages of using management accounts are:
Easy population of sub-accounts
After you configure the management account and supply the necessary credentials, you can test the connection to the account. If the test succeeds, Discovery returns a list of the member accounts in that management account. From this list, you can choose one or more sub-accounts to include in the Discovery of the management account.
(Optional for discovering the entire AWS organization) Discovery of sub-account resources using dynamically acquired credentials

When you run Discovery on your cloud resources, you don’t need separate credentials for each sub-account. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an AWS API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security.

IAM user policy on the AWS Management Console
To use the IAM user policy instead of credentials during discovery, configure the MID Server for AWS IAM roles. For more information, see Configure the MID Server for AWS IAM roles.
Typically, you create the IAM user policy for provisioning AWS resources in Cloud Provisioning and Governance, as described in Control AWS access and permissions using policies. Ensure that the IAM user policy covers the following AWS resources:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "account:ListRegions",
                "elasticloadbalancing:Describe*",
                "ec2:Describe*",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeHosts",
                "ec2:DescribeImages",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
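Added example (not ServiceNow code): an offline audit of the policy as it appears on this page. It checks that every allowed action is read-only, lists specific actions that a wildcard in the same statement already grants, and flags "Resource": "*". The audit_policy function and the Describe/List/Get verb-prefix heuristic are assumptions of this example.

```python
import fnmatch
import json

# Policy as it appears on this page (trailing comma removed so it parses).
PAGE_POLICY = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "account:ListRegions",
    "elasticloadbalancing:Describe*",
    "ec2:Describe*",
    "ec2:DescribeNetworkInterfaceAttribute",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeCustomerGateways",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeHosts",
    "ec2:DescribeImages",
    "ec2:DescribeVpcs",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeInstanceCreditSpecifications"
 ]}]}
"""

# Assumption of this example: a verb-prefix heuristic, not an AWS classification.
READ_ONLY_VERBS = ("describe", "list", "get")


def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy_text):
    """Audit the Allow statements of an IAM policy document (JSON text)."""
    findings = {"not_read_only": [], "redundant": {},
                "effective": [], "wildcard_resource": False}
    for stmt in _as_list(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcards = [a for a in actions if "*" in a]
        for action in actions:
            # Action names are case-insensitive, so compare in lower case.
            verb = action.partition(":")[2].lower()
            if not verb.startswith(READ_ONLY_VERBS):
                findings["not_read_only"].append(action)
            cover = next((w for w in wildcards if w != action and
                          fnmatch.fnmatchcase(action.lower(), w.lower())), None)
            if cover:
                findings["redundant"][action] = cover  # already granted by cover
            elif action not in findings["effective"]:
                findings["effective"].append(action)
        if "*" in _as_list(stmt.get("Resource", [])):
            findings["wildcard_resource"] = True
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_policy(PAGE_POLICY), indent=2))
```

For the policy on this page, the audit reports no write actions and shows that the two Describe* wildcards already grant every specific elasticloadbalancing and ec2 entry, so the effective grant is account:ListRegions plus those two wildcards.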
Configure access to the AWS resources

To discover a single account, create an IAM account in the AWS Management Console, and ensure that it has the "ReadOnlyAccess" policy applied. To discover several member or child accounts, configure the credentials as described in Access setup for AWS service accounts.

Activate the cloud-related CI relationships
To include discovered components into service instances, enable CI relationships used in tag-based discovery by Service Mapping. These CI relationships are available from the 1.0.68 release on the ServiceNow Store. For operational steps, see Tag-based discovery configuration.
Configure a discovery schedule
Create a discovery schedule in Cloud Discovery Workspace.

Verify the REST API Permissions

Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

Note: You can test the AWS REST APIs using the Postman API platform. For more information, see the How to test AWS REST API using POSTMAN [KB0782183] article in the Now Support Knowledge Base.

Support for AWS services in the China region

The latest version of Discovery and Service Mapping Patterns supports discovering AWS services in the China region. You can discover these services on the ServiceNow AI Platform, starting from Xanadu Patch 3 and Washington DC Patch 9 instances.

Discovering AWS services in the China region requires using a datacenter URL when setting up an AWS service account. For example: https://organizations.cn-northwest-1.amazonaws.com.cn.

  • To learn more about AWS master account and sub-account support in the China region, see KB1704526.
  • To identify AWS patterns supported in the China region, refer to the Cloud Discovery patterns spreadsheet. The AWS China Region Support column has a Yes value for supported patterns.

Data collected by Discovery during horizontal discovery

Resources discovered using the Amazon AWS - ACL (LP) pattern
Table 1. Network ACL [cmdb_ci_network_acl]
Field Description
Name [name] Name of the network access control list (ACL).
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Table 2. ACL Endpoint [cmdb_ci_endpoint_acl]
Field Description
Name [name] Name of the endpoint.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Resources discovered using the Amazon AWS - Application and Network LB (LP) pattern
Resources discovered using the Amazon AWS - Availability Zone (LP) pattern
Table 5. Availability Zone [cmdb_ci_availability_zone]
Field Description
Name [name] Name of the Availability Zone.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
State [state] The state of the Availability Zone. The possible values are: available, information, impaired, and unavailable.
Resources discovered using the Amazon AWS - Classic LB (LP) pattern
Table 8. DNS Name [cmdb_ci_dns_name]
Field Description
Name [name] Name of the Domain Name System (DNS).
IP Address [ip_address] IP address of the DNS.
Comments [comments] Comments related to the CI.
Table 9. Load Balancer Pool [cmdb_ci_lb_pool]
Field Description
Name [name] The name of the load balancer pool.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Comments [comments] Comments related to the CI.
Table 10. Load Balancer Pool Member [cmdb_ci_lb_pool_member]
Field Description
Name [name] The name of the load balancer pool member (known in AWS as a target).
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Resources discovered using the Amazon AWS - LB Pool Member(LP) pattern
Note: By default, the Amazon AWS - LB Pool Member(LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
Resources discovered using the Amazon AWS - Customer Gateway (LP) pattern
Table 13. Customer Gateway [cmdb_ci_customer_gateway]
Field Description
Name [name] Name of the customer gateway, or its ID if no name is specified.
Object ID [object_id] ID of the customer gateway.
Connection Type [connection_type] Type of VPN connection the customer gateway supports.
Table 14. Customer Gateway Endpoint [cmdb_ci_endpoint_cust_gateway]
Field Description
Name [name] Name of the customer gateway, or its ID if no name is specified.
Object ID [object_id] ID of the customer gateway.
Resources discovered using the Amazon AWS - discover Organization pattern
Resources discovered using the Amazon AWS - Executable Template (LP) pattern
Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
The pattern extension section discovers Bring Your Own License (BYOL) or the included licenses for Windows virtual machines (VMs) and RHEL VMs.
Resources discovered using the Amazon AWS - Hardware Type (LP) pattern
Note: Under certain circumstances, you may notice an unusually large number of records in the Hardware Type [cmdb_ci_compute_template] table. In such cases, you can store the discovered hardware types in the Cloud Hardware Type [cmdb_ci_cloud_hardware_type] table. For more information, see Enable the Cloud Hardware Type class extension.
Resources discovered using the Amazon AWS - Host (LP) pattern
Resources discovered using the Amazon AWS - Internet Gateway (LP) pattern
Table 20. Internet Gateway [cmdb_ci_internet_gateway]
Field Description
Name [name] Name of the internet gateway, or its ID if no name is specified.
Object ID [object_id] ID of the internet gateway.
Table 21. Internet Gateway Endpoint [cmdb_ci_endpoint_intgateway]
Field Description
Name [name] Name of the internet gateway, or its ID if no name is specified.
Object ID [object_id] ID of the internet gateway.
Resources discovered using the Amazon AWS - IP Address (LP) pattern
Resources discovered using the Amazon AWS - Key Pair (LP) pattern
Table 23. Cloud Key Pair [cmdb_ci_cloud_key_pair]
Field Description
Name [name] The name of the key pair.
Object ID [object_id] The ID of the key pair.
Finger Print [finger_print] If you used CreateKeyPair to create the key pair, this value is the SHA-1 digest of the DER encoded private key. If you used ImportKeyPair to provide AWS the public key, this value is the MD5 public key fingerprint as specified in section 4 of RFC 4716.
Resources discovered using the Amazon AWS - LB Pool (LP) pattern
Table 24. Load Balancer Pool [cmdb_ci_lb_pool]
Field Description
Name [name] The name of the load balancer pool.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Comments [comments] Comments related to the CI.
Resources discovered using the Amazon AWS - LB Service (LP) pattern
Resources discovered using the Amazon AWS - NAT Gateway (LP) pattern
Table 26. NAT Gateway [cmdb_ci_nat_gateway]
Field Description
Name [name] Name of the NAT gateway.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Install Status [install_status] Provisioning status of the NAT gateway.
Table 27. NAT Endpoint [cmdb_ci_endpoint_nat]
Field Description
Name [name] The name of the NAT endpoint.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Resources discovered using the Amazon AWS - Network (LP) pattern
Resources discovered using the Amazon AWS - NIC (LP) pattern
Resources discovered using the Amazon AWS - Organizational Units (LP) pattern
Resources discovered using the Amazon AWS - Owned Template (LP) pattern
Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
The pattern extension section discovers Bring Your Own License (BYOL) or the included licenses for Windows VMs and RHEL VMs.
Resources discovered using the Amazon AWS - Public IP Address (LP) pattern
Table 35. Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress]
Field Description
Name [name] The name of the public IP address, or its allocation ID if no name is specified.
Object ID [object_id] The ID representing the allocation of the address for use with EC2-VPC.
Public IP Address [public_ip] The elastic IP address.
Resources discovered using the Amazon AWS - Route Table (LP) pattern
Table 36. Route Table [cmdb_ci_route_table]
Field Description
Name [name] The ID of the route table.
State [state] If the route table is discoverable, the value is available.
Object ID [object_id] The name of the route table, or its ID if no name is specified.
Table 37. Route Table Endpoint [cmdb_ci_endpoint_route_table]
Field Description
Name [name] The name of the route table, or its ID if no name is specified.
Object ID [object_id] The ID of the route table.
Resources discovered using the Amazon AWS - Security Group (LP) pattern
Table 38. Compute Security Group [cmdb_ci_compute_security_group]
Field Description
Name [name] The name of the security group.
Object ID [object_id] The ID of the security group.
Resources discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
Resources discovered using the Amazon AWS - Storage (LP) pattern
Table 41. Block Endpoint [cmdb_ci_endpoint_block]
Field Description
Name [name] The name of the volume, or its ID if no name is specified.
Object ID [object_id] The ID of the volume.
Resources discovered using the Amazon AWS - Sub Account (LP) pattern
Resources discovered using the Amazon AWS - Subnet (LP) pattern
Resources discovered using the Amazon AWS - Virtual Server (LP) pattern
Note: If you have reactivated a retired VM and want its active state to be accurately reflected in the Operational status and Install Status fields in the Virtual Machine Instance [cmdb_ci_vm_instance] table, set the sn_itom_pattern.discover_aws_instance_statuses MID Server property to true. Note that this setting involves additional API calls (one for each page of the pattern execution), which may impact performance if you're managing a large number of VMs.

Table 45. DNS Name [cmdb_ci_dns_name]
Field Description
Name [name] Name of the Domain Name System (DNS).
IP Address [ip_address] IP address of the DNS.
Comments [comments] Comments related to the CI.
Table 46. Subnet Endpoint [cmdb_ci_endpoint_subnet]
Field Description
Name [name] The name of the subnet endpoint.
Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
Resources discovered using the Amazon AWS - VPN Connections (LP) pattern
Table 49. VPN Connection [cmdb_ci_vpn_connection]
Field Description
Name [name] Name of the project that is used for the discovery.
Object ID [object_id] The name of the VPN connection, or its ID if no name is specified.
State [state] The current state of the VPN connection. The following values are valid: pending, available, deleting, or deleted.
Resources discovered using the Amazon AWS - VPN Gateway (LP) pattern
Table 50. Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway]
Field Description
Name [name] The name of the VPN Gateway, or its ID if no name is specified.
Object ID [object_id] The ID of the virtual private gateway.
Connection Type [connection_type] The type of VPN connection the virtual private gateway supports.
Table 51. Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
Field Description
Name [name] The name of the VPN Gateway, or its ID if no name is specified.
Object ID [object_id] The ID of the virtual private gateway.
Connection Type [connection_type] The type of VPN connection the virtual private gateway supports.
Resources discovered using the Amazon AWS - Web ACL (LP) pattern
Note: Security Operations users can leverage the integration with Discovery to import web ACL rules and load balancers with attached web ACLs. For more information on setting ACL rules and using the Mitigation Controls Monitoring app, see Configure the AWS WAF integration for mitigation controls monitoring.

Events discovered by Discovery during horizontal discovery

Discovery uses patterns to find events created for Amazon AWS Cloud components. When an event indicates a change of state in one of the Amazon AWS Cloud components, it triggers discovery of the Amazon AWS Cloud components using the patterns.

CI relationships

Relationships discovered using the Amazon AWS - ACL (LP) pattern
Relationships discovered using the Amazon AWS - Application and Network (LP) pattern
Relationships discovered using the Amazon AWS - Availability Zone (LP) pattern
CI Relationship CI
AWS Datacenter [cmdb_ci_aws_datacenter] Contains::Contained by Availability Zone [cmdb_ci_availability_zone]
Relationships discovered using the Amazon AWS - Classic LB (LP) pattern
Relationships discovered using the Amazon AWS - LB Pool Member(LP) pattern
CI Relationship CI
Load Balancer Pool [cmdb_ci_lb_pool] Owns::Owned by Load Balancer Pool Member [cmdb_ci_lb_pool_member]
Load Balancer Pool Member [cmdb_ci_lb_pool_member] References Load Balancer Pool [cmdb_ci_lb_pool]
Note: By default, the Amazon AWS - LB Pool Member(LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
Relationships discovered using the Amazon AWS - Customer Gateway (LP) pattern
CI Relationship CI
Customer Gateway [cmdb_ci_customer_gateway] Hosted on::Hosts Virtual Machine Instance [cmdb_ci_instance]
Customer Gateway [cmdb_ci_customer_gateway] Implement End Point To::Implement End Point From Customer Gateway [cmdb_ci_endpoint_cust_gateway]
Relationships discovered using the Amazon AWS - Executable Template (LP) pattern
CI Relationship CI
Image [cmdb_ci_os_template] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - Hardware Type (LP) pattern
CI Relationship CI
Hardware Type [cmdb_ci_compute_template] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - Host (LP) pattern
CI Relationship CI
Host [cmdb_ci_cloud_host] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Virtual Machine Instance [cmdb_ci_vm_instance] Runs on::Runs Host [cmdb_ci_cloud_host]
Relationships discovered using the Amazon AWS - Internet Gateway (LP) pattern
CI Relationship CI
Internet Gateway [cmdb_ci_internet_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Internet Gateway [cmdb_ci_internet_gateway] Implement End Point To::Implement End Point From Internet Gateway EP [cmdb_ci_endpoint_intgateway]
Cloud Network [cmdb_ci_network] Use End Point To::Use End Point From Internet Gateway EP [cmdb_ci_endpoint_intgateway]
Relationships discovered using the Amazon AWS - IP Address (LP) pattern
CI Relationship CI
Cloud Key Pair [cmdb_ci_cloud_key_pair] Contains::Contained by IP Address [cmdb_ci_cloud_ip_address]
Relationships discovered using the Amazon AWS - Key Pair (LP) pattern
CI Relationship CI
Servers [cmdb_ci_server] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - LB Pool (LP) pattern
CI Relationship CI
Load Balancer Pool [cmdb_ci_lb_pool] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
Relationships discovered using the Amazon AWS - LB Service (LP) pattern
CI Relationship CI
Load Balancer Service [cmdb_ci_lb_service] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
Relationships discovered using the Amazon AWS - NAT Gateway (LP) pattern
CI Relationship CI
NAT Gateway [cmdb_ci_nat_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
NAT Gateway [cmdb_ci_nat_gateway] Implement End Point To::Implement End Point From NAT EP [cmdb_ci_endpoint_nat]
Network [cmdb_ci_network] Use End Point To::Use End Point From NAT EP [cmdb_ci_endpoint_nat]
Relationships discovered using the Amazon AWS - Network (LP) pattern
CI Relationship CI
Network [cmdb_ci_network] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - NIC (LP) pattern
Figure 1. Dependency Views displaying the cloud load balancer and connected components

Relationships discovered using the Amazon AWS - Organizational Units (LP) pattern
CI Relationship CI
Cloud Organization [cmdb_ci_cloud_org] Contains::Contained by AWS Organizational Unit [cmdb_ci_aws_org_unit]
AWS Organizational Unit [cmdb_ci_aws_org_unit] Contains::Contained by Cloud Service Account [cmdb_ci_cloud_service_account]
Key Value [cmdb_key_value] Reference only AWS Organizational Unit [cmdb_ci_aws_org_unit]
Relationships discovered using the Amazon AWS - Owned Template (LP) pattern
CI Relationship CI
Image [cmdb_ci_os_template] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - Public IP Address (LP) pattern
CI Relationship CI
Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - Route Table (LP) pattern
CI Relationship CI
Network [cmdb_ci_network] Contains::Contained by Route Table [cmdb_ci_route_table]
Cloud Subnet [cmdb_ci_cloud_subnet] Use End Point To::Use End Point From Route Table Endpoint [cmdb_ci_endpoint_route_table]
Route Table [cmdb_ci_route_table] Implement End Point To::Implement End Point From Route Table Endpoint [cmdb_ci_endpoint_route_table]
Relationships discovered using the Amazon AWS - Security Group (LP) pattern
CI Relationship CI
Network [cmdb_ci_network] Contains::Contained by Compute Security Group [cmdb_ci_compute_security_group]
Compute Security Group [cmdb_ci_compute_security_group] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
CI Relationship CI
Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] Extends from Virtual Machine Object [cmdb_ci_vm_object]
Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] Runs on::Runs Virtual Machine Instance [cmdb_ci_vm_instance]
Relationships discovered using the Amazon AWS - Storage (LP) pattern
Relationships discovered using the Amazon AWS - Subnet (LP) pattern
CI Relationship CI
Network [cmdb_ci_network] Contains::Contained by Cloud Subnet [cmdb_ci_cloud_subnet]
Availability Zone [cmdb_ci_availability_zone] Contains::Contained by Cloud Subnet [cmdb_ci_cloud_subnet]
Relationships discovered using the Amazon AWS - Virtual Server (LP) pattern
Figure 2. Dependency Views displaying components connected to the cloud network in the AWS environment

Figure 3. Dependency Views showing Virtual Machine and connected components in the AWS environment

Relationships discovered using the Amazon AWS - VPN Connections (LP) pattern
CI Relationship CI
Customer Gateway [cmdb_ci_customer_gateway] Contains::Contained by VPN Connection [cmdb_ci_vpn_connection]
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Contains::Contained by VPN Connection [cmdb_ci_vpn_connection]
VPN Connection [cmdb_ci_vpn_connection] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Relationships discovered using the Amazon AWS - VPN Gateway (LP) pattern
CI Relationship CI
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Implement End Point To::Implement End Point From Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
Network [cmdb_ci_network] Use End Point To::Use End Point From Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
Relationships discovered using the Amazon AWS - Web ACL (LP) pattern
CI Relationship CI
Web ACL [cmdb_ci_web_acl] Extends from Virtual Machine Object [cmdb_ci_vm_object]
Web ACL [cmdb_ci_web_acl] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
Note: Security Operations users can leverage the integration with Discovery to import web ACL rules and load balancers with attached web ACLs. For more information on setting ACL rules and using the Mitigation Controls Monitoring app, see Configure the AWS WAF integration for mitigation controls monitoring.

Services discovered by patterns

Horizontal discovery finds EC2 and VPC services running on AWS resources.

Data collected by Service Mapping during tag-based discovery

Service Mapping uses tag-based discovery to create service instance maps including the Cloud components. The Service Mapping application comes with the following preconfigured CI relationships used for tag-based discovery. These CI relationships are available from the 1.0.68 release on the ServiceNow Store.
CI Relationship CI
Configuration Item [cmdb_ci] Hosted on::Hosts Logical Datacenter [cmdb_ci_logical_datacenter]
Logical Datacenter [cmdb_ci_logical_datacenter] Hosted on::Hosts Cloud Service Account [cmdb_ci_cloud_service_account]