Amazon AWS Cloud components discovery using patterns
- Updated Jan 30, 2025
- Yokohama
- Service Mapping
Discovery and Service Mapping Patterns uses patterns to discover components of the Amazon AWS Cloud deployment during horizontal discovery. Discovering some of these resources requires updating the Discovery and Service Mapping Patterns application from the ServiceNow Store.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Prerequisites
- Verify that the applications are up to date:
  - Discovery and Service Mapping Patterns
  - CMDB CI Class Models
  - Visibility Content
- Update the method used for pointed discovery for the AWS CFT stack
- If you use Cloud Provisioning and Governance, you must update the getOperationGR(type) method. This update ensures pointed discovery lists the resources correctly for the AWS CloudFormation Template (CFT) stack after provisioning. For further information about the steps required to update this method, see the Knowledge Base article KB0858437.
- Service account on the AWS Management Console
An AWS organization is a collection of AWS accounts under a single account. Cloud Discovery refers to AWS organizations in the wizard as management accounts. The member accounts that belong to a management account are called sub-accounts.
The advantages of using management accounts are:
- Easy population of sub-accounts
- After you configure the management account and supply the necessary credentials, you can test the connection to the account. If the test succeeds, Discovery returns a list of the member accounts in that management account. From this list, you can choose one or more sub-accounts to include in the Discovery of the management account.
- (Optional for discovering the entire AWS organization) Discovery of sub-account resources using dynamically acquired credentials
When you run Discovery on your cloud resources, you don’t need separate credentials for each sub-account. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an AWS API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security.
- IAM user policy on the AWS Management Console
- To use the IAM user policy instead of credentials during discovery, configure the MID Server for AWS IAM roles. For more information, see configure the MID Server for AWS IAM roles. Typically, you create the IAM user policy for provisioning AWS resources in Cloud Provisioning and Governance, as described in Control AWS access and permissions using policies. Ensure that the IAM user policy covers the following AWS resources:
- Configure access to the AWS resources
To discover a single account, create an IAM account in the AWS Management Console, and ensure that it has the "ReadOnlyAccess" policy applied. To discover several member or child accounts, configure the credentials as described in Access setup for AWS service accounts.
- Activate the cloud-related CI relationships
- To include discovered components into service instances, enable CI relationships used in tag-based discovery by Service Mapping. These CI relationships are available from the 1.0.68 release on the ServiceNow Store. For operational steps, see Tag-based discovery configuration.
- Configure a discovery schedule
- Create a discovery schedule in Cloud Discovery Workspace.
Verify the REST API Permissions
Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.
Support for AWS services in the China region
The latest version of Discovery and Service Mapping Patterns supports discovering AWS services in the China region. You can discover these services on the ServiceNow AI Platform, starting from Xanadu Patch 3 and Washington DC Patch 9 instances.
Discovering AWS services in the China region requires using a datacenter URL when setting up an AWS service account. For example: https://organizations.cn-northwest-1.amazonaws.com.cn.
- To learn more about AWS master account and sub-account support in the China region, see KB1704526.
- To identify AWS patterns supported in the China region, refer to the Cloud Discovery patterns spreadsheet. The AWS China Region Support column has a Yes value for supported patterns.
Data collected by Discovery during horizontal discovery
- Resources discovered using the Amazon AWS - ACL (LP) pattern
Table 1. Network ACL [cmdb_ci_network_acl]
Field | Description |
---|---|
Name [name] | Name of the network access control list (ACL). |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
Table 2. ACL Endpoint [cmdb_ci_endpoint_acl]
Field | Description |
---|---|
Name [name] | Name of the endpoint. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
- Resources discovered using the Amazon AWS - Application and Network LB (LP) pattern
- Resources discovered using the Amazon AWS - Availability Zone (LP) pattern
Table 5. Availability Zone [cmdb_ci_availability_zone]
Field | Description |
---|---|
Name [name] | Name of the Availability Zone. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
State [state] | The state of the Availability Zone. The possible values are: available, information, impaired, and unavailable. |
- Resources discovered using the Amazon AWS - Classic LB (LP) pattern
Table 8. DNS Name [cmdb_ci_dns_name]
Field | Description |
---|---|
Name [name] | Name of the Domain Name System (DNS). |
IP Address [ip_address] | IP address of the DNS. |
Comments [comments] | Comments related to the CI. |
Table 9. Load Balancer Pool [cmdb_ci_lb_pool]
Field | Description |
---|---|
Name [name] | The name of the load balancer pool. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
Comments [comments] | Comments related to the CI. |
Table 10. Load Balancer Pool Member [cmdb_ci_lb_pool_member]
Field | Description |
---|---|
Name [name] | The name of the load balancer pool member (known in AWS as a target). |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
- Resources discovered using the Amazon AWS - LB Pool Member(LP) pattern
Note: By default, the Amazon AWS - LB Pool Member(LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
- Resources discovered using the Amazon AWS - Customer Gateway (LP) pattern
Table 13. Customer Gateway [cmdb_ci_customer_gateway]
Field | Description |
---|---|
Name [name] | Name, or ID if no Name is specified, of the customer gateway. |
Object ID [object_id] | ID of the customer gateway. |
Connection Type [connection_type] | Type of VPN connection the customer gateway supports. |
Table 14. Customer Gateway Endpoint [cmdb_ci_endpoint_cust_gateway]
Field | Description |
---|---|
Name [name] | Name, or ID if no Name is specified, of the customer gateway. |
Object ID [object_id] | ID of the customer gateway. |
- Resources discovered using the Amazon AWS - discover Organization pattern
- Resources discovered using the Amazon AWS - Executable Template (LP) pattern
- Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
- Resources discovered using the Amazon AWS - Hardware Type (LP) pattern
Note: Under certain circumstances, you may notice an unusually large number of records in the Hardware Type [cmdb_ci_compute_template] table. In such cases, you can store the discovered hardware types in the Cloud Hardware Type [cmdb_ci_cloud_hardware_type] table. For more information, see Enable the Cloud Hardware Type class extension.
- Resources discovered using the Amazon AWS - Host (LP) pattern
- Resources discovered using the Amazon AWS - Internet Gateway (LP) pattern
Table 20. Internet Gateway [cmdb_ci_internet_gateway]
Field | Description |
---|---|
Name [name] | Name, or ID if no Name is specified, for the internet gateway. |
Object ID [object_id] | ID of the internet gateway. |
Table 21. Internet Gateway Endpoint [cmdb_ci_endpoint_intgateway]
Field | Description |
---|---|
Name [name] | Name, or ID if no Name is specified, for the internet gateway. |
Object ID [object_id] | ID of the internet gateway. |
- Resources discovered using the Amazon AWS - IP Address (LP) pattern
- Resources discovered using the Amazon AWS - Key Pair (LP) pattern
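The Finger Print description in Table 23 below names two different digests, depending on how the key pair entered AWS. The following added example (not part of this page or of the ServiceNow patterns) computes both in pure Python so a discovered record can be checked against the key material an operator holds; the RSA parameters and PEM body it uses are constructed samples.

```python
"""Fingerprint check for a discovered Cloud Key Pair [cmdb_ci_cloud_key_pair].
Added example, not ServiceNow pattern code: it reproduces the two fingerprint
formats the Finger Print [finger_print] field can hold. All inputs are
constructed, not real AWS keys."""
import base64
import hashlib
import struct


def _hex_pairs(digest_hex: str) -> str:
    # Render a hex digest as the colon-separated pairs AWS and ssh-keygen show
    return ":".join(digest_hex[i:i + 2] for i in range(0, len(digest_hex), 2))


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length prefix plus the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 "mpint": big-endian magnitude, leading 0x00 if the top bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_public_key(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob>' line from RSA public parameters
    (used here only to construct sample input for the ImportKeyPair path)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def md5_blob_fingerprint(blob: bytes) -> str:
    """RFC 4716 section 4 fingerprint: MD5 over the raw (base64-decoded)
    public key blob. This is the value recorded for ImportKeyPair keys."""
    return _hex_pairs(hashlib.md5(blob).hexdigest())


def import_key_pair_fingerprint(openssh_public_key_line: str) -> str:
    """Fingerprint an OpenSSH public key line the way AWS does for ImportKeyPair."""
    parts = openssh_public_key_line.split()
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("expected an OpenSSH public key line")
    return md5_blob_fingerprint(base64.b64decode(parts[1]))


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = [ln.strip() for ln in pem.strip().splitlines()
            if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def create_key_pair_fingerprint(der_private_key: bytes) -> str:
    """SHA-1 over the DER-encoded private key, as recorded for CreateKeyPair
    keys. Feed it der_from_pem(...) of the .pem AWS returned at creation."""
    return _hex_pairs(hashlib.sha1(der_private_key).hexdigest())


def fingerprint_matches_cmdb(cmdb_finger_print: str, computed: str) -> bool:
    """Compare ignoring case and colon separators, since the CMDB field may
    have been populated in either form."""
    def normalise(value: str) -> str:
        return value.replace(":", "").lower()
    return normalise(cmdb_finger_print) == normalise(computed)


if __name__ == "__main__":
    # Constructed sample: toy RSA parameters, not a usable key
    fp = import_key_pair_fingerprint(build_ssh_rsa_public_key(65537, 0xC0FFEE1234567890ABCDEF))
    print("ImportKeyPair-style fingerprint:", fp, fingerprint_matches_cmdb(fp.upper(), fp))
```

For a real check, run `ssh-keygen -l -E md5` on the imported public key or hash the DER body of the downloaded .pem, and compare with the CMDB value using fingerprint_matches_cmdb.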
Table 23. Cloud Key Pair [cmdb_ci_cloud_key_pair]
Field | Description |
---|---|
Name [name] | The name of the key pair. |
Object ID [object_id] | The ID of the key pair. |
Finger Print [finger_print] | If you used CreateKeyPair to create the key pair, this value is the SHA-1 digest of the DER encoded private key. If you used ImportKeyPair to provide AWS the public key, this value is the MD5 public key fingerprint as specified in section 4 of RFC 4716. |
- Resources discovered using the Amazon AWS - LB Pool (LP) pattern
Table 24. Load Balancer Pool [cmdb_ci_lb_pool]
Field | Description |
---|---|
Name [name] | The name of the load balancer pool. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
Comments [comments] | Comments related to the CI. |
- Resources discovered using the Amazon AWS - LB Service (LP) pattern
- Resources discovered using the Amazon AWS - NAT Gateway (LP) pattern
Table 26. NAT Gateway [cmdb_ci_nat_gateway]
Field | Description |
---|---|
Name [name] | Name of the NAT gateway. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
Install Status [install_status] | Provisioning status of the NAT gateway. |
Table 27. NAT Endpoint [cmdb_ci_endpoint_nat]
Field | Description |
---|---|
Name [name] | The name of the NAT endpoint. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
- Resources discovered using the Amazon AWS - Network (LP) pattern
- Resources discovered using the Amazon AWS - NIC (LP) pattern
- Resources discovered using the Amazon AWS - Organizational Units (LP) pattern
- Resources discovered using the Amazon AWS - Owned Template (LP) pattern
- Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
- Resources discovered using the Amazon AWS - Public IP Address (LP) pattern
Table 35. Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress]
Field | Description |
---|---|
Name [name] | The name, or allocation ID if no name is specified, for the public IP address. |
Object ID [object_id] | The ID representing the allocation of the address for use with EC2-VPC. |
Public IP Address [public_ip] | The elastic IP address. |
- Resources discovered using the Amazon AWS - Route Table (LP) pattern
Table 36. Route Table [cmdb_ci_route_table]
Field | Description |
---|---|
Name [name] | The ID of the route table. |
State [state] | If the route table is discoverable, the value is available. |
Object ID [object_id] | The name, or ID if no name is specified, for the route table. |
Table 37. Route Table Endpoint [cmdb_ci_endpoint_route_table]
Field | Description |
---|---|
Name [name] | The name, or ID if no name is specified, for the route table. |
Object ID [object_id] | The ID of the route table. |
- Resources discovered using the Amazon AWS - Security Group (LP) pattern
Table 38. Compute Security Group [cmdb_ci_compute_security_group]
Field | Description |
---|---|
Name [name] | The name of the security group. |
Object ID [object_id] | The ID of the security group. |
- Resources discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
- Resources discovered using the Amazon AWS - Storage (LP) pattern
Table 41. Block Endpoint [cmdb_ci_endpoint_block]
Field | Description |
---|---|
Name [name] | The name, or ID if no name is specified, for the volume. |
Object ID [object_id] | The ID of the volume. |
- Resources discovered using the Amazon AWS - Sub Account (LP) pattern
- Resources discovered using the Amazon AWS - Subnet (LP) pattern
- Resources discovered using the Amazon AWS - Virtual Server (LP) pattern
Note: If you have reactivated a retired VM and want its active state to be accurately reflected in the Operational status and Install Status fields in the Virtual Machine Instance [cmdb_ci_vm_instance] table, set the sn_itom_pattern.discover_aws_instance_statuses MID Server property to true. Note that this setting involves additional API calls—one for each page of the pattern execution—which may impact performance if you're managing a large number of VMs.
Table 45. DNS Name [cmdb_ci_dns_name]
Field | Description |
---|---|
Name [name] | Name of the Domain Name System (DNS). |
IP Address [ip_address] | IP address of the DNS. |
Comments [comments] | Comments related to the CI. |
Table 46. Subnet Endpoint [cmdb_ci_endpoint_subnet]
Field | Description |
---|---|
Name [name] | The name of the subnet endpoint. |
Object ID [object_id] | Unique identifier, allocated by Amazon AWS Cloud for this resource. |
Note: When using the Image [cmdb_ci_os_template] table to store Cloud OS Images, you may notice an unusually large number of records. To avoid this issue, you can store the discovered OS images in the Cloud Image [cmdb_ci_cloud_os_image] table. For more information, see Enable Cloud OS Image discovery.
- Resources discovered using the Amazon AWS - VPN Connections (LP) pattern
Table 49. VPN Connection [cmdb_ci_vpn_connection]
Field | Description |
---|---|
Name [name] | Name of the project that is used for the discovery. |
Object ID [object_id] | The name, or ID if no name is specified, for the VPN connection. |
State [state] | The current state of the VPN connection. The following values are valid: pending, available, deleting, or deleted. |
- Resources discovered using the Amazon AWS - VPN Gateway (LP) pattern
Table 50. Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway]
Field | Description |
---|---|
Name [name] | The name, or ID if no name is specified, for the VPN Gateway. |
Object ID [object_id] | The ID of the virtual private gateway. |
Connection Type [connection_type] | The type of VPN connection the virtual private gateway supports. |
Table 51. Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
Field | Description |
---|---|
Name [name] | The name, or ID if no name is specified, for the VPN Gateway. |
Object ID [object_id] | The ID of the virtual private gateway. |
Connection Type [connection_type] | The type of VPN connection the virtual private gateway supports. |
- Resources discovered using the Amazon AWS - Web ACL (LP) pattern
Note: Security Operations users can leverage the integration with Discovery to import web ACL rules and load balancers with attached web ACLs. For more information on setting ACL rules and using the Mitigation Controls Monitoring app, see Configure the AWS WAF integration for mitigation controls monitoring.
Events discovered by Discovery during horizontal discovery
Discovery uses patterns to find events created for Amazon AWS Cloud components. If an event indicates a change of state in one of the Amazon AWS Cloud components, Discovery of the affected Amazon AWS Cloud components using the patterns is triggered.
CI relationships
- Relationships discovered using the Amazon AWS - ACL (LP) pattern
- Relationships discovered using the Amazon AWS - Application and Network (LP) pattern
- Relationships discovered using the Amazon AWS - Availability Zone (LP) pattern
CI | Relationship | CI |
---|---|---|
AWS Datacenter [cmdb_ci_aws_datacenter] | Contains::Contained by | Availability Zone [cmdb_ci_availability_zone] |
- Relationships discovered using the Amazon AWS - Classic LB (LP) pattern
- Relationships discovered using the Amazon AWS - LB Pool Member(LP) pattern
CI | Relationship | CI |
---|---|---|
Load Balancer Pool [cmdb_ci_lb_pool] | Owns::Owned by | Load Balancer Pool Member [cmdb_ci_lb_pool_member] |
Load Balancer Pool Member [cmdb_ci_lb_pool_member] | References | Load Balancer Pool [cmdb_ci_lb_pool] |
Note: By default, the Amazon AWS - LB Pool Member(LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
- Relationships discovered using the Amazon AWS - Customer Gateway (LP) pattern
CI | Relationship | CI |
---|---|---|
Customer Gateway [cmdb_ci_customer_gateway] | Hosted on::Hosts | Virtual Machine Instance [cmdb_ci_instance] |
Customer Gateway [cmdb_ci_customer_gateway] | Implement End Point To::Implement End Point From | Customer Gateway [cmdb_ci_endpoint_cust_gateway] |
- Relationships discovered using the Amazon AWS - Executable Template (LP) pattern
CI | Relationship | CI |
---|---|---|
Image [cmdb_ci_os_template] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - Hardware Type (LP) pattern
CI | Relationship | CI |
---|---|---|
Hardware Type [cmdb_ci_compute_template] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - Host (LP) pattern
CI | Relationship | CI |
---|---|---|
Host [cmdb_ci_cloud_host] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
Virtual Machine Instance [cmdb_ci_vm_instance] | Runs on::Runs | Host [cmdb_ci_cloud_host] |
- Relationships discovered using the Amazon AWS - Internet Gateway (LP) pattern
CI | Relationship | CI |
---|---|---|
Internet Gateway [cmdb_ci_internet_gateway] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
Internet Gateway [cmdb_ci_internet_gateway] | Implement End Point To::Implement End Point From | Internet Gateway EP [cmdb_ci_endpoint_intgateway] |
Cloud Network [cmdb_ci_network] | Use End Point To::Use End Point From | Internet Gateway EP [cmdb_ci_endpoint_intgateway] |
- Relationships discovered using the Amazon AWS - IP Address (LP) pattern
CI | Relationship | CI |
---|---|---|
Cloud Key Pair [cmdb_ci_cloud_key_pair] | Contains::Contained by | IP Address [cmdb_ci_cloud_ip_address] |
- Relationships discovered using the Amazon AWS - Key Pair (LP) pattern
CI | Relationship | CI |
---|---|---|
Servers [cmdb_ci_server] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - LB Pool (LP) pattern
CI | Relationship | CI |
---|---|---|
Load Balancer Pool [cmdb_ci_lb_pool] | Hosted on::Hosts | Cloud Load Balancer [cmdb_ci_cloud_load_balancer] |
- Relationships discovered using the Amazon AWS - LB Service (LP) pattern
CI | Relationship | CI |
---|---|---|
Load Balancer Service [cmdb_ci_lb_service] | Hosted on::Hosts | Cloud Load Balancer [cmdb_ci_cloud_load_balancer] |
- Relationships discovered using the Amazon AWS - NAT Gateway (LP) pattern
CI | Relationship | CI |
---|---|---|
NAT Gateway [cmdb_ci_nat_gateway] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
NAT Gateway [cmdb_ci_nat_gateway] | Implement End Point To::Implement End Point From | NAT EP [cmdb_ci_endpoint_nat] |
Network [cmdb_ci_network] | Use End Point To::Use End Point From | NAT EP [cmdb_ci_endpoint_nat] |
- Relationships discovered using the Amazon AWS - Network (LP) pattern
CI | Relationship | CI |
---|---|---|
Network [cmdb_ci_network] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - NIC (LP) pattern
Figure 1. Dependency Views displaying the cloud load balancer and connected components
- Relationships discovered using the Amazon AWS - Organizational Units (LP) pattern
CI | Relationship | CI |
---|---|---|
Cloud Organization [cmdb_ci_cloud_org] | Contains::Contained by | AWS Organizational Unit [cmdb_ci_aws_org_unit] |
AWS Organizational Unit [cmdb_ci_aws_org_unit] | Contains::Contained by | Cloud Service Account [cmdb_ci_cloud_service_account] |
Key Value [cmdb_key_value] | Reference only | AWS Organizational Unit [cmdb_ci_aws_org_unit] |
- Relationships discovered using the Amazon AWS - Owned Template (LP) pattern
CI | Relationship | CI |
---|---|---|
Image [cmdb_ci_os_template] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - Public IP Address (LP) pattern
CI | Relationship | CI |
---|---|---|
Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - Route Table (LP) pattern
CI | Relationship | CI |
---|---|---|
Network [cmdb_ci_network] | Contains::Contained by | Route Table [cmdb_ci_route_table] |
Cloud Subnet [cmdb_ci_cloud_subnet] | Use End Point To::Use End Point From | Route Table Endpoint [cmdb_ci_endpoint_route_table] |
Route Table [cmdb_ci_route_table] | Implement End Point To::Implement End Point From | Route Table Endpoint [cmdb_ci_endpoint_route_table] |
- Relationships discovered using the Amazon AWS - Security Group (LP) pattern
CI | Relationship | CI |
---|---|---|
Network [cmdb_ci_network] | Contains::Contained by | Compute Security Group [cmdb_ci_compute_security_group] |
Compute Security Group [cmdb_ci_compute_security_group] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
CI | Relationship | CI |
---|---|---|
Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] | Extends from | Virtual Machine Object [cmdb_ci_vm_object] |
Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] | Runs on::Runs | Virtual Machine Instance [cmdb_ci_vm_instance] |
- Relationships discovered using the Amazon AWS - Storage (LP) pattern
- Relationships discovered using the Amazon AWS - Subnet (LP) pattern
CI | Relationship | CI |
---|---|---|
Network [cmdb_ci_network] | Contains::Contained by | Cloud Subnet [cmdb_ci_cloud_subnet] |
Availability Zone [cmdb_ci_availability_zone] | Contains::Contained by | Cloud Subnet [cmdb_ci_cloud_subnet] |
- Relationships discovered using the Amazon AWS - Virtual Server (LP) pattern
Figure 2. Dependency Views displaying components connected to the cloud network in the AWS environment
Figure 3. Dependency Views showing Virtual Machine and connected components in the AWS environment
- Relationships discovered using the Amazon AWS - VPN Connections (LP) pattern
CI | Relationship | CI |
---|---|---|
Customer Gateway [cmdb_ci_customer_gateway] | Contains::Contained by | VPN Connection [cmdb_ci_vpn_connection] |
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] | Contains::Contained by | VPN Connection [cmdb_ci_vpn_connection] |
VPN Connection [cmdb_ci_vpn_connection] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
- Relationships discovered using the Amazon AWS - VPN Gateway (LP) pattern
CI | Relationship | CI |
---|---|---|
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] | Implement End Point To::Implement End Point From | Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg] |
Network [cmdb_ci_network] | Use End Point To::Use End Point From | Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg] |
- Relationships discovered using the Amazon AWS - Web ACL (LP) pattern
CI | Relationship | CI |
---|---|---|
Web ACL [cmdb_ci_web_acl] | Extends from | Virtual Machine Object [cmdb_ci_vm_object] |
Web ACL [cmdb_ci_web_acl] | Hosted on::Hosts | AWS Datacenter [cmdb_ci_aws_datacenter] |
Note: Security Operations users can leverage the integration with Discovery to import web ACL rules and load balancers with attached web ACLs. For more information on setting ACL rules and using the Mitigation Controls Monitoring app, see Configure the AWS WAF integration for mitigation controls monitoring.
Services discovered by patterns
Data collected by Service Mapping during tag-based discovery
CI | Relationship | CI |
---|---|---|
Configuration Item [cmdb_ci] | Hosted on::Hosts | Logical Datacenter [cmdb_ci_logical_datacenter] |
Logical Datacenter [cmdb_ci_logical_datacenter] | Hosted on::Hosts | Cloud Service Account [cmdb_ci_cloud_service_account] |