I am a Partner Solution Architect with AWS covering ServiceNow as an AWS Partner.

I have a customer looking to use ITOM Discovery across their AWS Organization with approximately 600+ member accounts.

They have built processes to manage the on/off boarding of new organization member accounts through their federated A/D services at corporate level. Currently per ServiceNow docs, the Discovery MID server running on an EC2 instance needs complete R/O permissions to the AWS Organization management account. The MID server then queries the Org mgmt. account for the list of Org member accounts. The MID server then iterates over the list of Org member accounts either using hard-coded credentials/iam role per member account, or the OrganizationAccountAccessRole.

To adhere to their InfoSec rules, the customer cannot give any access to the AWS Org Management account. They are asking if it’s possible to provide the MID server with a list of Org Member accounts via their external system it can then iterate over preferably by having the MID server make an API call to their federated access systems or less ideally having the MID server iterate over a SN table containing the list of known Org member accounts. The latter is less preferable as there would then need to be a way to keep that table updated.

They have completely automated the creation/deletion of AWS Org member accounts driven by process checks through their federated access system, so they always have the list of member accounts that can be returned.