SGC - AWS - Missing AWS Workspace Instance in CMDB
01-14-2026 11:00 PM
We are running SGC‑AWS (without SSM deep discovery) successfully for standard AWS resources - EC2, VPC, ENI, ELB, RDS, S3, DynamoDB, EKS, etc. However, it appears that we are missing the Instances for AWS Workspaces.
I understand that it is possible to populate these AWS Workspace Instances via SGC-AWS as well. May I know what is missing? Could it be an extra IAM policy that needs to be added from AWS? If yes, may I know what the recommended IAM policy is to include AWS Workspace so that it is discovered and populated to CMDB?
01-29-2026 08:11 PM
Yes — there’s an issue with the permission name.
workspaces:ListTagsForResource isn’t a valid IAM action, which is why it can’t be found. It’s not a ServiceNow or CI issue — it’s just the wrong AWS permission.
For Amazon WorkSpaces, AWS uses a different action to read tags:
workspaces:DescribeTags
That’s the correct permission to allow tag visibility on WorkSpaces resources.
This is confusing because many other AWS services do use ListTagsForResource, but WorkSpaces is an exception.
So the fix is simply to replace workspaces:ListTagsForResource with workspaces:DescribeTags.
@User697706 - Please mark as Accepted Solution and give a Thumbs Up if you find this helpful.
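As an added example (not part of the reply above, and not ServiceNow or AWS code), this Python script audits an IAM policy document for the invalid action the reply names and checks whether workspaces:DescribeTags is actually granted, including through a wildcard. The sample policy is constructed, and only Allow statements with an Action element are considered.

```python
import json
import re

# The rename comes from the reply above; nothing else about the SGC policy is assumed.
INVALID = "workspaces:ListTagsForResource"
VALID = "workspaces:DescribeTags"

# Constructed sample policy (not the real SGC-AWS policy); the lower-case action is deliberate.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["workspaces:DescribeWorkspaces", "workspaces:listtagsforresource"]}
]}""")

def _as_list(value):
    """Statement and Action may each be a single item instead of a list."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit(policy):
    """Return (indexes of Allow statements naming INVALID, whether VALID is allowed)."""
    bad, tags_allowed = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a.lower() == INVALID.lower() for a in actions):
            bad.append(i)
        if any(_matches(a, VALID) for a in actions):
            tags_allowed = True
    return bad, tags_allowed

def fix(policy):
    """Return a copy with INVALID replaced by VALID; other actions are untouched."""
    fixed = json.loads(json.dumps(policy))  # deep copy, input is left unchanged
    for stmt in _as_list(fixed.get("Statement", [])):
        if "Action" in stmt:
            stmt["Action"] = [VALID if a.lower() == INVALID.lower() else a
                              for a in _as_list(stmt["Action"])]
    return fixed
```

Run audit() on the policy attached to the role SGC assumes before and after the change; an empty first element and True as the second means the tag permission is in place.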
11 hours ago
Hello @User697706, were you able to get these pulled in successfully? We are running into a similar issue where we don't have these accounted for, and we are determining where they are put by the SGC and whether anything more needs to be done on the SGC side to account for it.