Introduction – Rethinking Discovery for the modern AWS cloud
In the ever-evolving world of cloud computing, visibility is paramount. As enterprises increasingly adopt multi-account, multi-region AWS architectures, gaining a unified view of assets becomes both a necessity and a challenge. To meet this demand head-on, we’re excited to announce a powerful new capability in ServiceNow Discovery: Native support for AWS Systems Manager (SSM) to discover AWS EC2 instances—without requiring SSH or agent-based credentials.
Why is this a big deal?
Traditionally, cloud discovery has relied on either:
1. Credentials-based access (such as key pairs and SSH connections), or
2. Deploying agents for deep-level inventory collection.
While effective, these methods can pose hurdles—credential management, network configuration, and endpoint security being just a few. Enter AWS Systems Manager, a secure, scalable way to interact with EC2 instances without direct connectivity.
With ServiceNow Discovery’s new integration with AWS SSM, you can now:
- Discover EC2 instances across your AWS environments more securely
- Eliminate the need to open ports or manage SSH keys
- Reduce operational overhead while maintaining compliance and visibility
- Expand Discovery into previously hard-to-reach environments like private subnets or restricted VPCs
How it works
AWS Systems Manager (SSM) is a unified management service by AWS that helps you securely manage and operate your infrastructure at scale. It provides a suite of tools for automation, patching, configuration management, and remote command execution—without needing direct access to your instances.
One of its key features, SSM Run Command, allows you to execute scripts and commands on your EC2 instances securely over the AWS control plane, eliminating the need for SSH access or open inbound ports.
This new capability leverages AWS SSM’s Run Command and Inventory features to collect configuration data from EC2 instances where the SSM agent is installed and running.
The Discovery process:
1. Authenticates to your AWS account using IAM roles or access keys
2. Identifies SSM-managed instances across regions and accounts
3. Executes remote commands securely using AWS SSM to gather:
- Hostnames with EC2 Serial ID
- OS and patch levels
- Installed software and running processes
- Network configurations including IPv6
4. Maps the data directly into the ServiceNow CMDB, enriching your cloud infrastructure visibility
The beauty of using AWS SSM is that no inbound access is required. The interaction is fully managed over the AWS control plane, making it ideal for cloud-native, security-conscious organizations.
Better yet, this works seamlessly across multiple AWS accounts using AWS Organizations and cross-account IAM roles—aligning perfectly with modern enterprise architecture.
Use Cases
This capability unlocks a range of impactful use cases:
1. Zero-trust environments where direct access to VMs is restricted
2. Highly regulated industries needing compliant, non-invasive discovery
3. Cloud-native deployments using EC2 Auto Scaling groups, ephemeral instances, and immutable infrastructure
4. Multi-account/multi-region operations managed via AWS Organizations
Getting Started
Ready to try it out? Here’s how to get started:
- Ensure your EC2 instances have the SSM agent installed and configured
- Set up the necessary IAM permissions/policies for ServiceNow to invoke SSM commands
- Enable the Instance side and MID side configuration properties
- Schedule or run an on-demand discovery for your AWS accounts
For full configuration details, check out the ServiceNow product documentation or contact your ServiceNow administrator.
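The IAM step above decides what the Discovery principal is able to run through SSM Run Command. As an added example (not ServiceNow's code or its documented policy), this Python check flags policy statements that grant `ssm:SendCommand` more broadly than a tag-scoped discovery role needs; the sample policy, account ID and `Discovery` tag are constructed assumptions.

```python
import fnmatch
import json

# Constructed policy for a hypothetical discovery role. The account ID and tag
# are placeholders; this is not ServiceNow's documented policy.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Inventory", "Effect": "Allow", "Resource": "*",
     "Action": ["ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation"]},
    {"Sid": "ScopedDocument", "Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:aws:ssm:*::document/AWS-RunShellScript"},
    {"Sid": "TaggedInstances", "Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:aws:ec2:*:111122223333:instance/*",
     "Condition": {"StringEquals": {"ssm:resourceTag/Discovery": "enabled"}}},
    {"Sid": "AllInstances", "Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:aws:ec2:*:111122223333:instance/*"},
    {"Sid": "Everything", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}
  ]}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def send_command_actions(statement):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return [a for a in as_list(statement.get("Action", []))
            if fnmatch.fnmatchcase("ssm:sendcommand", a.lower())]

def audit(policy):
    """Return (Sid, finding) pairs for Allow statements that over-grant Run Command."""
    findings = []
    for st in as_list(policy["Statement"]):
        matched = send_command_actions(st)
        if st.get("Effect") != "Allow" or not matched:
            continue
        sid = st.get("Sid", "<no Sid>")
        if any("*" in a or "?" in a for a in matched):
            findings.append((sid, "wildcard action includes ssm:SendCommand"))
        for res in as_list(st.get("Resource", [])):
            if res == "*":
                findings.append((sid, "SendCommand on every document and instance"))
            elif ":document/" in res and "*" in res.split(":document/")[1]:
                findings.append((sid, "any matching SSM document may be run"))
            elif "instance/*" in res and "Condition" not in st:
                findings.append((sid, "all instances, no tag condition"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

The read-only inventory statement and the two scoped `ssm:SendCommand` statements pass; the untagged instance grant and the `ssm:*` statement are reported.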
Key Benefits
The key benefits of this new capability are:
- Deeper OS-Level Visibility
- Enriched CMDB Accuracy and Completeness
- Enhanced Service Mapping and Application Visibility
- Improved Security and Compliance Posture
- Operational Efficiency and Automation
- Scalability and Consistency Across Hybrid/Multi-Cloud
Conclusion: A Smarter, Safer, and Scalable Path to AWS Discovery
As enterprises accelerate their move to the cloud, visibility and control over dynamic AWS environments have never been more critical—or more challenging. The new AWS SSM-based Discovery capability in ServiceNow transforms how organizations approach cloud asset discovery:
- Secure by design, removing the need for inbound access, SSH keys, or agents
- Simplified and scalable, enabling cross-VPC and multi-region coverage with fewer MID Servers
- Deep and dynamic, delivering real-time insights into what’s running inside EC2 instances
This is more than just an enhancement—it’s a leap forward in cloud-native IT operations. It aligns with modern security models, reduces operational overhead, and gives you the confidence that your CMDB reflects the live state of your cloud infrastructure.
By embracing this capability, you’re not only modernizing your ServiceNow Discovery strategy—you’re future-proofing it.