Set up Cloud Configuration Governance for AWS

  • Version: Australia
  • Updated 12 March 2026
  • 4-minute read
  • Set up access to the Amazon Web Services (AWS) cloud accounts in Cloud Configuration Governance to enable interaction between the application and the cloud. The application requires access to the cloud accounts to scan the cloud resources for non-compliant configurations and remediate them.

    Before you begin

    Role required: sn_itom_ccg.scheduling_admin

    Why and when to perform this task

    For the purposes of configuring access for AWS accounts, the following terms are used:
    Trusting accounts
    The trusting accounts don't hold permanent AWS credentials. In each trusting account, you configure the trust relationship of an IAM role so that another account can assume that role and access the account.
    Trusted accounts
    The trusted accounts are the accounts that the trusting accounts rely on for access. The ServiceNow UI refers to the trusted accounts as accessor accounts.
    Use one of the following methods to configure access to the AWS accounts:
    • Configure permanent credentials in the ServiceNow AI Platform to connect to standalone AWS accounts (discrete accounts). The Cloud Service Account [cmdb_ci_cloud_service_account] table holds the service account type, such as management or member account, and the access credentials.
    • Configure the member accounts to rely on the management account for access. In this case, configure the permanent credentials of the management account in the ServiceNow AI Platform.
    • Configure the accounts to rely on a trusted account for access (lateral access within the same AWS organization or across different AWS organizations). In this case, configure the permanent credentials of the trusted account in the ServiceNow AI Platform.
    Note:
    Cloud Configuration Governance doesn't use a MID Server-based assume role setup to access the trusting accounts.
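    The trust relationship behind the trusting/trusted (accessor) model, as an added shell example that is not part of this page or of ServiceNow's own tooling. The trusting account hosts an IAM role whose trust policy names the accessor account as the principal; ServiceNow holds a permanent access key only for the accessor account. The role name CcgScanRole, the ExternalId, the ReadOnlyAccess permissions policy and the /tmp path are assumptions chosen for illustration; the role name and permissions that Cloud Configuration Governance actually expects are given in Configure the trusting account for Cloud Configuration Governance and Cloud Action Library. The first helper also applies the Account ID rule of the Cloud Service Account form (12 digits, hyphens removed). Run create_trusting_role with credentials for the trusting account, and run verify_trust with the accessor account's access key, the same key you store as the AWS credential in ServiceNow, before you run discovery.

```shell
#!/usr/bin/env sh
# Added example, not ServiceNow code. Helpers for the cross-account trust
# relationship that the trusting/trusted (accessor) account model relies on.
# Assumptions (hypothetical, not from the page): role name CcgScanRole, an
# ExternalId on the trust policy, ReadOnlyAccess as the permissions policy.
set -eu

# Normalize an AWS account ID as the Cloud Service Account form requires:
# drop hyphens, require exactly 12 digits. Prints the ID, returns 1 if invalid.
normalize_account_id() {
  acct=$(printf '%s' "$1" | tr -d '-')
  case "$acct" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ ${#acct} -eq 12 ] || return 1
  printf '%s\n' "$acct"
}

# Trust policy for the role in the TRUSTING account. Only principals in the
# accessor account that also present the ExternalId may assume the role.
trust_policy() {   # <accessor-account-id> <external-id>
  accessor=$(normalize_account_id "$1") || return 1
  external_id=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${accessor}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "${external_id}"}}
  }]
}
EOF
}

# ARN of the role in the trusting account that the accessor account assumes.
role_arn() {       # <trusting-account-id> [role-name]
  trusting=$(normalize_account_id "$1") || return 1
  printf 'arn:aws:iam::%s:role/%s\n' "$trusting" "${2:-CcgScanRole}"
}

# Create the role in the trusting account. Run with that account's credentials.
create_trusting_role() {   # <accessor-account-id> <external-id>
  trust_policy "$1" "$2" > /tmp/ccg-trust.json
  aws iam create-role --role-name CcgScanRole \
      --assume-role-policy-document file:///tmp/ccg-trust.json
  aws iam attach-role-policy --role-name CcgScanRole \
      --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
}

# Verify from the ACCESSOR account, using the access key you will store in
# ServiceNow, that the trust relationship works before running discovery.
verify_trust() {           # <trusting-account-id> <external-id>
  aws sts assume-role --role-arn "$(role_arn "$1")" \
      --role-session-name ccg-trust-check --external-id "$2" \
      --query 'AssumedRoleUser.Arn' --output text
}
```

    The ExternalId condition stops anyone who merely knows your account ID from having another account assume the role (the confused-deputy case); keep it only if your ServiceNow assume-role configuration lets you supply the same value, otherwise drop the Condition block. If verify_trust returns AccessDenied, the trust policy or the ExternalId is wrong; if it returns an assumed-role ARN, the trusting account can be scanned without storing any of its own credentials in ServiceNow.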

    Procedure

    1. Create credentials for the AWS service accounts.
      1. Navigate to Connection & Credentials > Credentials.
      2. Select New, and then select AWS Credentials.
      3. On the form, fill in the fields.
        Table 1. AWS Credentials form
        Field Description
        Name Unique and descriptive name for the AWS credentials.
        Active Option to use the credential.
        Access Key ID The access key ID that you generated on the AWS Management Console.
        Secret Access Key The secret access key that you generated on the AWS Management Console.
      4. Select Save.
    2. Select the sn_itom_cal.Aws_Creds_Alias credential alias, or create a credential alias.
      1. Unlock the credential alias.
      2. Search for a credential alias.
      3. Select New.
      4. On the form, fill in the fields.
        Table 2. Connection & Credential Alias form
        Field Description
        Name Unique name of the alias.
        Type Credential alias type.

        Select Credential from the Type drop-down list.

      5. Select Submit.
    3. Set the Authentication Algorithm field to AWS Authenticator.
    4. Select Submit.
    5. Set up an AWS service account.
      1. Navigate to Cloud Provisioning and Governance > Service accounts.
      2. Select New.
      3. On the form, fill in the fields.
        Table 3. Cloud Service Account form
        Field Description
        Name Unique name of the service account.
        Account ID The 12-digit AWS account ID. Expand the menu under the account name on the AWS Management Console to view the number.
        Important:
        In the Account ID field, remove the hyphen characters (-) from the number.
        Discovery credentials The credentials needed for ServiceNow applications to access the cloud account. You can configure the discovery credentials at a later stage, while configuring access to the AWS accounts.
        • If you are setting up an independent service account or a management account, select its AWS credential.
        • To use other AWS accounts to access this account, leave the field empty.

          For example, you don't specify AWS credentials for accounts that are accessed by assuming an Identity and Access Management (IAM) role, or for member accounts that use their management account for access.

        Datacenter URL URL of the datacenter.

        Leave this field empty.

        Note:
        For GovCloud, use the URL https://ec2.us-gov-west-1.amazonaws.com.
        Datacenter type Type of the datacenter where the account is hosted.

        Select AWS Datacenter.

        Datacenter discovery status Auto-generated value: Status and timestamp of the last execution of Discovery on the datacenter.
        Parent account Name of the management account that represents the AWS organization to which this member account belongs.

        This field appears when you select AWS Datacenter. If the account doesn't belong to any AWS organization, leave this field empty.

        Is master account Management account flag.

        This check box appears when you select AWS Datacenter from the Datacenter type drop-down list. Select the check box to mark the AWS service account as the management account. Select this check box only for accounts that you have previously configured as management accounts with member accounts belonging to them. For more information on AWS Organizations, see the AWS documentation.

        Accessor account Name of the trusted account.

        Configure this field only for accounts that don't use permanent AWS credentials and rely on IAM roles for access.

      4. Select Submit.
    6. Do one of the following.
      Option Description
      Create an assume role configuration for the management account

      If you want to use a management account to scan the member accounts of the AWS organization, create an assume role configuration for the management account.

      1. If you don't want to use the OrganizationAccountAccessRole to access the member account, configure the trusting account for Cloud Configuration Governance.

        For more information, see Configure the trusting account for Cloud Configuration Governance and Cloud Action Library.

      2. Repeat step 6.a for all the member accounts that must be scanned through the management account without using the OrganizationAccountAccessRole.

      3. If you want to use the OrganizationAccountAccessRole to access the member account, create an assume role configuration for the management account.

        For more information, see Create an assume role configuration.

      Configure the trusting account for Cloud Configuration Governance

      If you want to use a trusted account to scan the trusting account, configure the trusting account for Cloud Configuration Governance.

      1. Configure the trusting account for Cloud Configuration Governance.

        For more information, see Configure the trusting account for Cloud Configuration Governance and Cloud Action Library.

      2. Repeat step 6.a for all the trusting accounts that must be scanned through the trusted account.
    7. Install and configure the MID Servers.
      For more information, see Install and configure MID Servers.
    8. Run datacenter discovery to identify the datacenters associated with the service accounts.
      For more information, see Run datacenter discovery.