AWS Cloud Discovery - Scanning the Decommissioned Service Accounts
3 weeks ago - last edited 3 weeks ago
Hello,
We are facing an issue where our AWS Discovery schedule is scanning retired service accounts. The cloud team has shared logs showing the ServiceNow IAM user trying to assume roles for retired service accounts. They have confirmed that the accounts have been removed from AWS. I tried setting the property "glide.discovery.retire_stale_accounts" to true, but it had no effect. Have you come across this issue? Any suggestions?
Thank you,
Rashmika
3 weeks ago
Do the service accounts show in cmdb_ci_cloud_service_account as retired? Are they still listed in cmp_discovery_ldc_config?
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1297505
3 weeks ago
Yes, the status is showing Retired and they exist in the cmp_discovery_ldc_config.
3 weeks ago
They should have been removed from cmp_discovery_ldc_config as per the documentation I linked. Try manually removing them and re-running discovery. If they re-populate, then that is a different issue. But this might be a data sync issue on the platform.
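The check the reply describes (retired in cmdb_ci_cloud_service_account, yet still present in cmp_discovery_ldc_config) can be correlated with what the cloud team saw on the AWS side. The script below is an added example written for this thread, not code from the original post or from ServiceNow. It runs under Node against constructed rows shaped like a JSON export of the two tables plus constructed CloudTrail records; the `service_account` and `ldc` column names on cmp_discovery_ldc_config are assumptions, `install_status` value `7` is the standard CMDB "Retired" choice, and the CloudTrail field names (`eventSource`, `eventName`, `userIdentity.userName`, `requestParameters.roleArn`, `errorCode`) are the real ones for an `sts:AssumeRole` event.

```javascript
// Added example (not from the thread or ServiceNow): reconcile exported
// ServiceNow rows against CloudTrail AssumeRole events to explain why a
// retired account is still being scanned. Column names on
// cmp_discovery_ldc_config are assumptions; all sample data is constructed.

// Constructed rows shaped like cmdb_ci_cloud_service_account.
// install_status '7' is the standard CMDB "Retired" choice value.
const serviceAccounts = [
  { sys_id: 'acc1', name: 'prod-payments',    account_id: '111111111111', install_status: '1' },
  { sys_id: 'acc2', name: 'legacy-analytics', account_id: '222222222222', install_status: '7' },
  { sys_id: 'acc3', name: 'old-sandbox',      account_id: '333333333333', install_status: '7' },
];

// Constructed rows shaped like cmp_discovery_ldc_config. Assumption: the row
// references the account through a 'service_account' reference field (sys_id).
const ldcConfigs = [
  { sys_id: 'cfg1', service_account: 'acc1', ldc: 'us-east-1' },
  { sys_id: 'cfg2', service_account: 'acc2', ldc: 'eu-west-1' },
  { sys_id: 'cfg3', service_account: 'acc3', ldc: 'us-west-2' },
];

// Constructed CloudTrail records using the real sts:AssumeRole field layout.
const cloudTrailEvents = [
  { eventSource: 'sts.amazonaws.com', eventName: 'AssumeRole',
    userIdentity: { type: 'IAMUser', userName: 'servicenow-discovery' },
    requestParameters: { roleArn: 'arn:aws:iam::111111111111:role/ServiceNowDiscovery' } },
  { eventSource: 'sts.amazonaws.com', eventName: 'AssumeRole',
    userIdentity: { type: 'IAMUser', userName: 'servicenow-discovery' },
    requestParameters: { roleArn: 'arn:aws:iam::222222222222:role/ServiceNowDiscovery' },
    errorCode: 'AccessDenied' },
  { eventSource: 'ec2.amazonaws.com', eventName: 'DescribeInstances',
    userIdentity: { type: 'AssumedRole', userName: 'servicenow-discovery' },
    requestParameters: {} },
];

const RETIRED = '7';

// Retired accounts keyed by the field the caller needs (sys_id or account_id).
function retiredAccounts(accounts, key) {
  return new Set(accounts.filter(a => a.install_status === RETIRED).map(a => a[key]));
}

// LDC config rows that still point at a retired account. The discovery
// schedule iterates over these rows, so they are the ones to delete (or fix)
// on the platform; returns their sys_ids.
function staleLdcConfigs(accounts, configs) {
  const retired = retiredAccounts(accounts, 'sys_id');
  return configs.filter(c => retired.has(c.service_account)).map(c => c.sys_id);
}

// The AWS account ID is the fifth colon-separated field of an IAM role ARN.
function accountIdFromArn(arn) {
  if (typeof arn !== 'string') return null;
  const parts = arn.split(':');
  return parts.length >= 6 && /^\d{12}$/.test(parts[4]) ? parts[4] : null;
}

// AssumeRole attempts by the discovery IAM user whose target role lives in an
// account the CMDB marks as retired. A non-null error (e.g. AccessDenied)
// confirms the account or role really is gone on the AWS side.
function assumeRoleAgainstRetired(accounts, events, discoveryUser) {
  const retiredIds = retiredAccounts(accounts, 'account_id');
  return events
    .filter(e => e.eventSource === 'sts.amazonaws.com' && e.eventName === 'AssumeRole'
      && e.userIdentity && e.userIdentity.userName === discoveryUser)
    .map(e => ({ accountId: accountIdFromArn(e.requestParameters && e.requestParameters.roleArn),
                 error: e.errorCode || null }))
    .filter(r => r.accountId !== null && retiredIds.has(r.accountId));
}

// Stand-alone run: print both findings for the constructed data.
console.log('stale cmp_discovery_ldc_config rows:', staleLdcConfigs(serviceAccounts, ldcConfigs));
console.log('AssumeRole attempts against retired accounts:',
  assumeRoleAgainstRetired(serviceAccounts, cloudTrailEvents, 'servicenow-discovery'));
```

On the instance itself the same query is a background script with a dot-walked filter, for example `gr.addQuery('service_account.install_status', '7')` on a GlideRecord over cmp_discovery_ldc_config (again assuming that reference field name); if rows come back, delete them and re-run the schedule as the reply suggests, and if they reappear the stale reference is being recreated by something else rather than merely left behind.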
