SGC - AWS - Missing AWS Workspace Instance in CMDB

User697706
Tera Contributor

We are running SGC‑AWS (without SSM deep discovery) successfully for standard AWS resources - EC2, VPC, ENI, ELB, RDS, S3, DynamoDB, EKS, etc. However, it appears that we are missing the Instances for AWS Workspaces.

I understand that it is possible to populate these AWS Workspace Instances via SGC-AWS as well. May I know what is missing? Could it be the extra IAM policy that needs to be added from AWS? If yes, may I know what is the recommended IAM policy to include AWS Workspace to be discovered and populated to CMDB?

5 REPLIES

Yes — there’s an issue with the permission name.

workspaces:ListTagsForResource isn’t a valid IAM action, which is why it can’t be found. It’s not a ServiceNow or CI issue — it’s just the wrong AWS permission.

For Amazon WorkSpaces, AWS uses a different action to read tags:

workspaces:DescribeTags

That’s the correct permission to allow tag visibility on WorkSpaces resources.

This is confusing because many other AWS services do use ListTagsForResource, but WorkSpaces is an exception.

So the fix is simply to replace workspaces:ListTagsForResource with workspaces:DescribeTags.

@User697706 - Please mark Accepted Solution and Thumbs Up if you find Helpful
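
The substitution described in the reply above can be checked mechanically before a policy is attached. This is an added example, not code from the thread or from ServiceNow: the sample policy is constructed for illustration (it is not the SGC-AWS policy), and `fix_workspaces_tag_action` is a hypothetical helper name.

```python
import copy
import json

# The substitution stated in the reply above (IAM action names are case-insensitive).
INVALID = "workspaces:listtagsforresource"
CORRECT = "workspaces:DescribeTags"

# Constructed sample policy, not the SGC-AWS policy; it only reproduces the mistake.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["workspaces:DescribeWorkspaces", "workspaces:ListTagsForResource"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM accepts a single object or string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def fix_workspaces_tag_action(policy):
    """Return (fixed_policy, findings); the input policy is left unmodified."""
    fixed = copy.deepcopy(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(fixed.get("Statement", []))):
        if "Action" not in stmt:  # NotAction statements are left alone
            continue
        was_list = isinstance(stmt["Action"], list)
        new_actions = []
        for action in _as_list(stmt["Action"]):
            if action.lower() == INVALID:
                findings.append((idx, action))
                action = CORRECT
            if action not in new_actions:  # do not list DescribeTags twice
                new_actions.append(action)
        # Keep the original shape: a lone string stays a string.
        stmt["Action"] = new_actions if was_list else new_actions[0]
    return fixed, findings

if __name__ == "__main__":
    fixed, findings = fix_workspaces_tag_action(SAMPLE_POLICY)
    for idx, action in findings:
        print(f"Statement[{idx}]: {action} -> {CORRECT}")
    print(json.dumps(fixed, indent=2))
```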