
AWS Gov Cloud comprises two geographical regions that are distinct from the AWS public cloud regions. AWS Gov Cloud provides a smaller subset of the public cloud's functionality, although what it does provide is syntactically and semantically identical. The primary difference between Gov and public cloud is the access endpoints.
ServiceNow Cloud Management and Cloud Discovery introduced support for AWS Gov Cloud in the London release (focusing on IaaS resources); refer to the documentation for details.
AWS Organization support for AWS Gov Cloud
In April 2019, AWS announced support for AWS Organization for the Gov Cloud. This article covers the details of setting up AWS Organizations for AWS Gov Cloud, as the AWS documentation in this area is a bit unclear. I hope this blog post helps ServiceNow community readers.
An AWS Gov Cloud account is always paired 1:1 with an AWS commercial account. One can request an AWS Gov Cloud account from a commercial account. Refer to AWS documentation for details.
To create an AWS Organization for Gov Cloud and add new accounts under it, follow the steps below:
1. Establish an initial Gov Cloud account (let's call it GovDemo1) from an AWS Commercial account (CommAcct1). Make sure you have the right administrative IAM role to request a Gov Cloud account. This can be done using AWS Console -> My Account.
2. Additional Gov Cloud accounts can be created using the AWS CLI. For example:
$ aws organizations create-gov-cloud-account --email govclouddemo2@gmail.com --account-name "GovDemo2"
Make sure to use credentials for the initial commercial account (CommAcct1). The above operation will create one Gov cloud account (GovDemo2) and a corresponding Commercial cloud account (CommAcct2).
In order to check the status of the account creation, use the following CLI command. The request-id is the ID returned after the create-gov-cloud-account call. For example:
$ aws organizations describe-create-account-status --create-account-request-id car-ad170010cebc11e883fd21a0c8417226
Response:
{
    "CreateAccountStatus": {
        "GovCloudAccountId": "345438173776",
        "AccountName": "GovDemo2",
        "State": "SUCCEEDED",
        "RequestedTimestamp": 1567564537.206,
        "CompletedTimestamp": 1567564665.876,
        "Id": "car-ad170010cebc11e883fd21a0c8417226",
        "AccountId": "087479796752"
    }
}
In case you don’t get the GovCloudAccountId in the response, log in to the commercial account (CommAcct2) using the AWS Console, go to My Account and try requesting a new Gov Cloud account. Since the paired Gov Cloud account already exists for that commercial account, the system will show you the account number.
The Gov Cloud account (GovDemo2) will end up in the root organization where CommAcct1 and CommAcct2 are.
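The status check above, including the case where the response comes back without a GovCloudAccountId, can be scripted. This is an added Python example, not part of the original post; the function names, polling parameters and the constructed sample responses (placeholder IDs) are assumptions of the example, and it expects the AWS CLI to be configured with the CommAcct1 credentials.

```python
import json
import subprocess
import time

# Constructed responses (placeholder IDs): one in-progress poll, then a success
# that lacks GovCloudAccountId, the case the article describes.
SAMPLE_RESPONSES = [
    {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS"}},
    {"CreateAccountStatus": {"Id": "car-example", "State": "SUCCEEDED",
                             "AccountId": "111111111111"}},
]


class AccountCreationError(Exception):
    """The create-account request failed or did not finish in time."""


def fetch_status_via_cli(request_id):
    """Run the describe-create-account-status command and parse its JSON."""
    cmd = ["aws", "organizations", "describe-create-account-status",
           "--create-account-request-id", request_id, "--output", "json"]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def wait_for_gov_account(request_id, fetch=fetch_status_via_cli,
                         interval=15, max_polls=40, sleep=time.sleep):
    """Poll until the request leaves IN_PROGRESS; return both account IDs."""
    for _ in range(max_polls):
        status = fetch(request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return {
                "commercial_account_id": status["AccountId"],
                # None means the response omitted the ID: fall back to the
                # console lookup in the paired commercial account.
                "govcloud_account_id": status.get("GovCloudAccountId"),
            }
        if status["State"] == "FAILED":
            raise AccountCreationError(status.get("FailureReason", "unknown"))
        sleep(interval)
    raise AccountCreationError(f"still IN_PROGRESS after {max_polls} polls")


def demo():
    """Replay SAMPLE_RESPONSES instead of calling AWS."""
    replay = iter(SAMPLE_RESPONSES)
    return wait_for_gov_account("car-example", fetch=lambda _id: next(replay),
                                sleep=lambda _s: None)
```

Calling `wait_for_gov_account("<request-id>")` with the defaults runs the real CLI command; `demo()` exercises the same logic offline.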
ServiceNow integration with AWS Organization on AWS Gov Cloud
First things first – make sure the Discovery plugin is active.
In order to fully support AWS Organization, you will need to first import the following Discovery pattern by following the steps below:
1. In the left-navigation, search for Discovery Patterns.
2. Click on the Name field title in the table and import the XML file.
3. This will import a new version of Amazon AWS Organizations.
4. Be sure to publish this new Discovery Pattern.
That’s it! We are ready to start discovering Gov Cloud accounts in AWS Organizations.
Integration with AWS Gov cloud is quite straightforward.
Follow the steps outlined in the ServiceNow documentation for setting up Credentials and a Service Account for AWS Gov. It is important to note that the Datacenter URL field must contain a URL pointing to the EC2 service in AWS Gov Cloud (as mentioned in the documentation).
When using AWS Organization with Gov Cloud, make sure you provide the master account credentials, select “Master Account” (as described in the docs here) and invoke the UI action Refresh Member Accounts.
Note: You can only obtain AWS GovCloud (US) accounts if you are an individual or entity that qualifies as a U.S. Citizen under applicable regulations. In addition to the AWS Customer Agreement or other agreement between you and AWS governing your use of the Service Offerings, you must agree to the AWS GovCloud (US) Terms and Conditions.