Why are the other AWS member accounts appearing in ServiceNow discovery even with no role configured

ravish2k
Tera Contributor

Hi All,

I have a question regarding credential-less discovery in AWS using ServiceNow.

Let’s assume the following AWS setup:

  • 1 Management Account
  • 5 Member Accounts

Here’s what has been configured so far:

  1. First Member Account:
  • Created a new IAM role: SN_MID_SERVER_EC2_ROLE.
  • Added a trust policy to allow the EC2 service.
  • Attached read-only IAM policies.
  • Created an inline policy allowing sts:AssumeRole, and restricted access by specifying the ARN of the management account’s role: SN_MGMT_ACCOUNT_ROLE.
  • This role was then attached to an EC2 instance (MID Server).
  • The EC2 instance is running with the IAM role SN_MID_SERVER_EC2_ROLE.
  2. Management Account:
  • Created IAM role: SN_MGMT_ACCOUNT_ROLE.
  • Added a custom trust policy with principal ARN of SN_MID_SERVER_EC2_ROLE.
  • Attached read-only and AWS Organizations read-only policies.
  • Created an inline policy allowing sts:AssumeRole to the member account role: SN_MEMBER_ACCOUNT_ROLE.
  3. Second Member Account:
  • Created IAM role: SN_MEMBER_ACCOUNT_ROLE.
  • Added a trust relationship with principal: SN_MGMT_ACCOUNT_ROLE.
  • Attached a read-only access policy.
  4. ServiceNow MID Server:
  • Configured with the parameter: mid.aws.instance_profile_name = SN_MID_SERVER_EC2_ROLE.

The Issue:

In ServiceNow, I’ve configured a discovery schedule and added an AWS Org assume role using the following Assume Role:

arn:aws:iam::*:role/SN_MEMBER_ACCOUNT_ROLE

I have not configured any IAM roles or permissions for the 3rd and 4th member accounts in AWS. However, during discovery, these accounts are still being discovered and listed in ServiceNow.

My question is: Why are the 3rd and 4th member accounts appearing in ServiceNow discovery results even though no roles have been configured for them?

As per my understanding, without the required IAM roles and trust relationships in place, these accounts shouldn’t be accessible or discoverable.

Appreciate any insights or suggestions.

Best regards,
Ravish


Kieran Anson
Kilo Patron

The read-only roles you've attached likely have 'organizations:ListAccounts', which grants the user visibility of the organization; it however likely won't have access inside those accounts.

Thanks, Kieran. However, I'm seeing internal details of other members' accounts as well. Do you know how we can fix this? Not sure if the issue is coming from AWS or if it's something on the ServiceNow side.

It would need to be fixed within AWS; likely a nested role is providing extensive access inside the AWS Read Only policy.
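As an added illustration of Kieran's point about the role chain described in the question (example code, not from the thread or from ServiceNow): organizations:ListAccounts run from the management account returns every member account, but the assume-role chain only reaches the accounts whose SN_MEMBER_ACCOUNT_ROLE trust policy names SN_MGMT_ACCOUNT_ROLE. The account IDs and trust documents below are constructed placeholders, and a bare "*" principal is treated as trusted because it would admit any AWS principal.

```python
# Constructed sample values for the roles named in the thread; the account
# IDs are placeholders, not real accounts.
MGMT_ROLE_ARN = "arn:aws:iam::111111111111:role/SN_MGMT_ACCOUNT_ROLE"
MEMBER_ROLE_NAME = "SN_MEMBER_ACCOUNT_ROLE"

# What organizations:ListAccounts returns to the management account: every
# member account, whether or not a ServiceNow role exists in it.
ORG_ACCOUNTS = ["222222222222", "333333333333", "444444444444",
                "555555555555", "666666666666"]

# Trust policies actually deployed: only the second member account has
# SN_MEMBER_ACCOUNT_ROLE, trusting the management account role.
TRUST_POLICIES = {
    "arn:aws:iam::333333333333:role/SN_MEMBER_ACCOUNT_ROLE": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": MGMT_ROLE_ARN},
                       "Action": "sts:AssumeRole"}],
    },
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trusts(policy, principal_arn):
    """True if an Allow statement lets principal_arn call sts:AssumeRole.
    A bare "*" principal counts too: it would let any AWS principal in."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if principal_arn in principals or "*" in principals:
            return True
    return False


def classify_accounts(org_accounts, trust_policies, member_role_name, mgmt_role_arn):
    """Split the org listing into accounts the role chain can assume into and
    accounts that are only visible through organizations:ListAccounts."""
    assumable, listed_only = [], []
    for acct in org_accounts:
        policy = trust_policies.get(f"arn:aws:iam::{acct}:role/{member_role_name}")
        (assumable if policy and trusts(policy, mgmt_role_arn) else listed_only).append(acct)
    return assumable, listed_only
```

The "listed only" accounts are exactly the ones that show up in discovery without any role in place; if internal details of those accounts are still visible, the access is coming from some other policy attached to the chain, not from this trust relationship.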