How to Remove/Add New/Old Cloud Service Account in AWS Cloud Discovery Job

balaji_prusty1
Giga Guru

Hi All,

We have configured AWS Cloud Discovery in our organisation and it is working fine. Now I need to remove some old Cloud Service Accounts which have already been added to the current Cloud Discovery job. In other discovery jobs (CI-based) we remove them from the Discovery Range, but for the cloud I am not finding any option to remove the configured Service Account. I can only see the Cloud Service Account table (cmdb_ci_cloud_service_account), where we define the master and child.


Can someone please help with this?


Thanks

Balaji


1 ACCEPTED SOLUTION

OK, makes sense, and that's the solution forward for now. You have to remember to set up regular checks to add accounts as needed; it won't be immediate. You can keep that as part of the account creation/termination request workflow also, if there is one.


You can set up deny rules for these accounts in your IAM permissions; that way the service account will not pick them up. There is no filter or the like today.

Thanks, Ram, for the quick and prompt response.

Still, I doubt why ServiceNow is providing the option to select which region/account needs to be discovered while creating the AWS Cloud Discovery job if it will pull all the accounts from the AWS console.

 

Thanks

Balaji Prusty

Hi Balaji, I am the Product Manager for the product; the feature is well known to me.

Sure, you can do this too.

The reason I didn't suggest it is: next time, if another account needs to be filtered out or becomes non-operational, you will have to come back to this configuration and manually update it.

[screenshot: RamDevanathan1_1-1710471231388.png]


Hi Ram,

Thanks for helping me with this. Yes sir, I know you; we met last time in the Bangalore office during the ITOM seminar last month.

Instead of denying the policy, we have removed/deleted the IAM roles for those accounts which are not needed from the AWS console, but it is still fetching/updating in ServiceNow.

Also, as I mentioned in my previous conversation, I already tried to remove it from the Discovery Job as below, but no luck. I need to fix this issue today due to the license cost issue. If you have any document related to removing it from the ServiceNow Discovery job, please provide it. Meanwhile I am going to raise a vendor ticket for the same.

[screenshot: balaji_prusty1_0-1710480787831.png]

Thanks

Balaji Prusty


The account is not charged as a CI; only resources like VMs, databases, etc. present in each account are charged. You have set up trust from the child account to the parent account, so the master is allowed to assume the role in the child. For these specific member accounts you can set deny rules, so that the assume-role does not happen; then discovery also won't be done for these. Try that.

In any case, please share the case ID with me once you log it.

Ram
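The deny-rule approach Ram describes above (block the master account's discovery role from calling sts:AssumeRole on the member account's role) is worked through below as an added example; it is not code from the thread or from ServiceNow. The account IDs and role names (111111111111, ServiceNowDiscoveryMaster, UnrelatedAutomation) are made up. The block shows the member role's original trust policy, the same policy with an explicit Deny statement appended, and a small evaluator that models IAM's rule that an explicit Deny wins over any Allow and that no match means deny. The evaluator is deliberately minimal: it does not model Condition blocks, SCPs or session policies.

```python
"""
Added example: harden a member account's discovery-role trust policy with an
explicit Deny for the ServiceNow master role, and check the effect with a
minimal model of IAM trust-policy evaluation. All ARNs are constructed.
"""
import json
from copy import deepcopy

MASTER_ACCOUNT_ID = "111111111111"  # constructed master/parent account
# Assumed role name for the ServiceNow master-account discovery role.
MASTER_ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT_ID}:role/ServiceNowDiscoveryMaster"
# Another principal in the same account, to show the deny is targeted.
OTHER_ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT_ID}:role/UnrelatedAutomation"

# Trust policy as the member account's discovery role commonly has it:
# the whole master account may assume the role.
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMasterAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def account_id(arn: str) -> str:
    """Account ID field of an IAM ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def principal_matches(principal, caller_arn: str) -> bool:
    """Does a statement's Principal cover the calling ARN?
    "*" matches anyone; "<account>:root" matches every principal in that
    account; anything else must match the caller ARN exactly."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    values = principal if isinstance(principal, list) else [principal]
    for p in values:
        if p == "*" or p == caller_arn:
            return True
        if p.endswith(":root") and account_id(p) == account_id(caller_arn):
            return True
    return False


def assume_role_allowed(policy: dict, caller_arn: str) -> bool:
    """Minimal trust-policy evaluation for sts:AssumeRole:
    any matching explicit Deny -> denied; otherwise a matching Allow -> allowed;
    otherwise the implicit default is deny. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins immediately
        allowed = True
    return allowed


def with_discovery_deny(policy: dict, denied_principal_arn: str) -> dict:
    """Return a copy of the trust policy with an explicit Deny for one principal.
    The original policy object is left untouched."""
    hardened = deepcopy(policy)
    hardened["Statement"].append(
        {
            "Sid": "DenyServiceNowDiscovery",
            "Effect": "Deny",
            "Principal": {"AWS": denied_principal_arn},
            "Action": "sts:AssumeRole",
        }
    )
    return hardened


def main() -> None:
    hardened = with_discovery_deny(ORIGINAL_TRUST_POLICY, MASTER_ROLE_ARN)
    print(json.dumps(hardened, indent=2))  # paste into trust.json for the member role
    for label, pol in (("original", ORIGINAL_TRUST_POLICY), ("hardened", hardened)):
        print(label, "master role ->", assume_role_allowed(pol, MASTER_ROLE_ARN))
        print(label, "other role  ->", assume_role_allowed(pol, OTHER_ROLE_ARN))


if __name__ == "__main__":
    main()
```

The printed hardened document is what you would apply in the member account, for example with `aws iam update-assume-role-policy --role-name <member-discovery-role> --policy-document file://trust.json`. Two caveats: the deny only stops future discovery runs from reaching that account, so CIs the job already created stay in the CMDB until they are retired separately; and because an explicit Deny is evaluated before any Allow, the same statement keeps working even if someone later widens the Allow, which is why a targeted Deny is safer than simply deleting the Allow.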