Hi All,

I have a question regarding credentials-less discovery in AWS using ServiceNow.

Let’s assume the following AWS setup:

• 1 Management Account
• 5 Member Accounts

Here’s what has been configured so far:

1. First Member Account:

• Created a new IAM role: SN_MID_SERVER_EC2_ROLE.
• Added a trust policy to allow the EC2 service.
• Attached read-only IAM policies.
• Created an inline policy allowing sts:AssumeRole, and restricted access by specifying the ARN of the management account’s role: SN_MGMT_ACCOUNT_ROLE.
• This role was then attached to an EC2 instance (MID Server).
• The EC2 instance is running with the IAM role SN_MID_SERVER_EC2_ROLE.

1. Management Account:

• Created IAM role: SN_MGMT_ACCOUNT_ROLE.
• Added a custom trust policy with principal ARN of SN_MID_SERVER_EC2_ROLE.
• Attached read-only and AWS Organizations read-only policies.
• Created an inline policy allowing sts:AssumeRole to the member account role: SN_MEMBER_ACCOUNT_ROLE.

1. Second Member Account:

• Created IAM role: SN_MEMBER_ACCOUNT_ROLE.
• Added a trust relationship with principal: SN_MGMT_ACCOUNT_ROLE.
• Attached a read-only access policy.

1. ServiceNow MID Server:

• Configured with the parameter: mid.aws.instance_profile_name = SN_MID_SERVER_EC2_ROLE.

The Issue:

In ServiceNow, I’ve configured a discovery schedule and added aws org assume role using following Assume Role:

arn:aws:iam::*:role/SN_MEMBER_ACCOUNT_ROLE

I have not configured any IAM roles or permissions for the 3rd and 4th member accounts in AWS. However, during discovery, these accounts are still being discovered and listed in ServiceNow.

My question is: Why are the 3rd and 4th member accounts appearing in ServiceNow discovery results even though no roles have been configured for them?

As per my understanding, without the required IAM roles and trust relationships in place, these accounts shouldn’t be accessible or discoverable.

Appreciate any insights or suggestions.

Best regards,
Ravish