Amazon AWS Cloud components discovery using patterns

  • Release version: Xanadu
  • Updated August 1, 2024
  • 27 minutes to read

    Discovery and Service Mapping Patterns uses patterns to discover components of the Amazon AWS Cloud deployment during horizontal discovery. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Prerequisites

    Verify that the applications are up to date:
    • Discovery and Service Mapping Patterns
    • CMDB CI Class Models
    • Visibility Content
    Update the method used for pointed discovery for the AWS CloudFormation Template (CFT) stack
    If you use Cloud Provisioning and Governance, you must update the getOperationGR(type) method. This update enables the pointed discovery to list the resources correctly for the AWS CFT stack after provisioning. For further information about the steps required to update this method, see the Knowledge Base article KB0858437.
    Service account on the AWS Management Console

    An AWS organization is a collection of AWS accounts under a single account. Cloud Discovery refers to AWS organizations in the wizard as management accounts. The member accounts that belong to a management account are called sub-accounts.

    Note:
    Cloud Discovery for AWS Organizations isn’t fully supported in a GovCloud isolated region.
    The advantages of using management accounts are:
    • Easy population of sub-accounts: After you configure the management account and supply the necessary credentials, you can test the connection to the account. If the test succeeds, Discovery returns a list of the member accounts in that management account. From this list, you can choose one or more sub-accounts to include in the Discovery of the management account.
    • (Optional for discovering the entire AWS organization) Discovery of sub-account resources using dynamically acquired credentials: When you run Discovery on your cloud resources, you don’t need separate credentials for each sub-account. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an AWS API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security.

    IAM user policy on the AWS Management Console
    To use the IAM user policy instead of credentials during discovery, configure the MID Server for AWS IAM roles. For more information, see Configure the MID Server for AWS IAM roles.
    Typically, you create the IAM user policy for provisioning AWS resources in Cloud Provisioning and Governance, as described in Control AWS access and permissions using policies. Ensure that the IAM user policy covers the following AWS resources:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:DescribeTags",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "account:ListRegions",
                    "elasticloadbalancing:Describe*",
                    "ec2:Describe*",
                    "ec2:DescribeNetworkInterfaceAttribute",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeCustomerGateways",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeHosts",
                    "ec2:DescribeImages",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:DescribeInstanceCreditSpecifications"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
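    As an added example (not ServiceNow or AWS code), the following Python checks a policy document shaped like the one above for least privilege: it flags any action outside the Describe/List/Get read-only verbs, flags full-service wildcards, and reports which of the actions this page names are still missing. The REQUIRED_ACTIONS subset, the read-only prefix rule and the sample policy are assumptions made here.

```python
"""Least-privilege check for a Cloud Discovery IAM policy document.

Added example, not ServiceNow or AWS code. The REQUIRED_ACTIONS list is a
subset built from this page (the discovery policy plus the two Config API
permissions used by datacenter-optimized discovery); the sample policy at
the bottom is constructed.
"""
import fnmatch
import json

# Actions this page says the discovery service account needs (subset).
REQUIRED_ACTIONS = [
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags",
    "account:ListRegions",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
    # Only needed when mid.cloud.discovery.sonar.discover_all_aws_datacenters is false.
    "config:GetDiscoveredResourceCounts",
    "config:DescribeConfigurationRecorderStatus",
]

# Verb prefixes treated as read-only (assumption: discovery never needs more).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def allowed_actions(policy: dict) -> list:
    """Collect every action from Allow statements; Action may be a str or a list."""
    actions = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def is_read_only(action: str) -> bool:
    """True for service:Describe*, service:List*, service:Get* (wildcard suffix allowed)."""
    if ":" not in action:
        return False  # a bare "*" grants every action in every service
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_PREFIXES)


def check_policy(policy: dict) -> dict:
    """Return findings: write actions, full-service wildcards, missing required actions."""
    granted = allowed_actions(policy)
    write_actions = sorted(a for a in granted if not is_read_only(a))
    # "*" or "ec2:*" grants far more than discovery needs.
    broad = sorted(a for a in granted if a == "*" or a.endswith(":*"))
    # A required action counts as covered if any granted pattern matches it.
    missing = [
        need for need in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(need, pat) for pat in granted)
    ]
    return {"write_actions": write_actions, "broad_wildcards": broad, "missing": missing}


# Constructed sample: the page's policy shape with one write action slipped in
# and without the Config API permissions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
               "account:ListRegions", "ec2:TerminateInstances"]
  }]
}""")

if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY), indent=2))
```

Run it against the policy you attached to the discovery IAM user before granting it; a non-empty "write_actions" or "broad_wildcards" list means the account can do more than read.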
    
    Configure access to the AWS resources

    To discover a single account, create an IAM account in the AWS Management Console, and ensure that it has the "ReadOnlyAccess" policy applied. To discover several member or child accounts, configure the credentials as described in Access setup for AWS service accounts.

    Activate the cloud-related CI relationships
    To include discovered components into application services, enable CI relationships used in tag-based discovery by Service Mapping. These CI relationships are available from the 1.0.68 release on the ServiceNow Store. For operational steps, see Tag-based discovery configuration.
    Configure a discovery schedule
    Create a discovery schedule in Cloud Discovery Workspace.
    (optional) Optimize discovery by including only datacenters with resources
    Starting with Discovery and Service Mapping Patterns version 1.29.0, you can optimize discovery by limiting it to only AWS datacenters with resources. For more information, see the AWS resources discovery by datacenters section.
    • Verify your service account has the following role permissions to access Config API:
      • config:GetDiscoveredResourceCounts
      • config:DescribeConfigurationRecorderStatus
    • Verify AWS Config recorder is enabled and configured to record all resource types.

      For instructions on configuring AWS Config recorder, go to the AWS Documentation and search for the "Recording resources in the AWS Config console" article.

    • Enable discovery of only datacenters with resources by setting the mid.cloud.discovery.sonar.discover_all_aws_datacenters MID Server property to false. For more information, see Limit AWS discovery to datacenters with resources.

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

    Note:
    You can test the AWS REST APIs using Postman API platform. For more information, see the How to test AWS REST API using POSTMAN [KB0782183] article in the Now Support Knowledge Base.

    Support for AWS services in the China region

    The latest version of Discovery and Service Mapping Patterns supports discovering AWS services in the China region. You can discover these services on the ServiceNow AI Platform, starting from Xanadu Patch 3 and Washington DC Patch 9 instances.

    Discovering AWS services in the China region requires using a datacenter URL when setting up an AWS service account. For example: https://organizations.cn-northwest-1.amazonaws.com.cn.

    • To learn more about AWS master account and sub-account support in the China region, see KB1704526.
    • To identify AWS patterns supported in the China region, refer to the Cloud Discovery patterns spreadsheet. The AWS China Region Support column has a Yes value for supported patterns.

    AWS resources discovery by datacenters

    Starting with version 1.29.0, Discovery and Service Mapping Patterns introduces a new AWS datacenter discovery model. The previous model discovered all datacenters, regardless of whether they contained relevant resources. The new model improves the AWS discovery performance by focusing on only datacenters that contain resources.

    AWS has multiple datacenters around the world, but resources like load balancers and virtual machines are typically deployed in only some of them. The Amazon AWS Datacenter Discovery pattern runs before all other AWS patterns to identify datacenters with resources related to your service account ("active") and those without ("passive"). A datacenter can also be classified as "empty" due to API call errors, AWS Config service not being enabled, or permission issues. You can check the discovery log for the exact cause of the error. For more information, see Logs for horizontal discovery.

    After identifying "active", "passive", or "empty" datacenters, the discovery schedule continues to execute all AWS patterns only for "active" or "empty" datacenters, to discover your AWS cloud resources. "Passive" datacenters are ignored during the schedule. The Refresh Datacenters flow continues to display all regions, not just active ones. You don’t need to create another schedule when a resource is added or a datacenter switches from passive to active.

    You might notice differences in the AWS discovery log, in discovery time and in the CMDB, depending on the service account and MID Server property settings.

    Datacenters that have already been discovered before upgrading to Discovery and Service Mapping Patterns version 1.29.0 remain in the Amazon AWS Datacenters table. The mid.cloud.discovery.sonar.discover_all_aws_datacenters MID Server property is set to true by default, which discovers all datacenters. To limit discovery to the "active" or "empty" datacenters, set this property to false. For information on setting up active datacenter discovery, see the (optional) Optimize discovery by including only datacenters with resources prerequisite.

    Table 1. Differences in datacenter discovery by mid.cloud.discovery.sonar.discover_all_aws_datacenters MID Server property setting
    MID Server property setting | Flow                | Discovered/displayed datacenters
    False                       | New schedule        | All datacenters except passive
    False                       | Refresh Datacenters | All datacenters
    True (default)              | New schedule        | All datacenters
    True (default)              | Refresh Datacenters | All datacenters
    Figure 1. AWS datacenter model flow by mid.cloud.discovery.sonar.discover_all_aws_datacenters MID Server property setting
    Comparing MID Server property settings and discovered datacenters in schedule and refresh datacenter flows
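    To make the active/passive/empty model and Table 1 concrete, here is an added Python model of that behaviour (not ServiceNow code): each datacenter is classified from the two Config API results the prerequisites name, then the schedule and Refresh Datacenters flows are filtered by the MID Server property. The probe dataclass and the per-region results are constructed assumptions.

```python
"""Model of the AWS datacenter discovery behaviour described on this page.

Added example, not ServiceNow code. It reproduces the classification rule
(active / passive / empty) and the Table 1 filtering so that an operator can
see why a region is skipped. Probe results are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConfigProbe:
    """Outcome of the Config API calls for one region (hypothetical shape)."""
    region: str
    recorder_enabled: bool          # from config:DescribeConfigurationRecorderStatus
    resource_count: Optional[int]   # from config:GetDiscoveredResourceCounts
    error: Optional[str] = None     # e.g. an AccessDenied on the Config API


def classify(probe: ConfigProbe) -> str:
    """Return 'active', 'passive' or 'empty' for a datacenter."""
    # API errors, a disabled recorder, or permission problems all yield
    # "empty": the schedule still visits the region rather than silently
    # dropping resources, and the discovery log carries the exact cause.
    if probe.error or not probe.recorder_enabled or probe.resource_count is None:
        return "empty"
    return "active" if probe.resource_count > 0 else "passive"


def datacenters_for_flow(probes: List[ConfigProbe], discover_all: bool, flow: str) -> List[str]:
    """Regions a flow touches; flow is 'schedule' or 'refresh' (Table 1).

    discover_all mirrors mid.cloud.discovery.sonar.discover_all_aws_datacenters.
    """
    if flow not in ("schedule", "refresh"):
        raise ValueError("flow must be 'schedule' or 'refresh'")
    states = {p.region: classify(p) for p in probes}
    # Refresh Datacenters always lists every region; the schedule lists every
    # region when the property is true, and all but passive when it is false.
    if flow == "refresh" or discover_all:
        return sorted(states)
    return sorted(region for region, state in states.items() if state != "passive")


# Constructed sample: one region of each kind plus one with a permission error.
SAMPLE_PROBES = [
    ConfigProbe("us-east-1", True, 42),
    ConfigProbe("eu-west-1", True, 0),
    ConfigProbe("ap-south-1", False, None),
    ConfigProbe("sa-east-1", True, None, error="AccessDenied"),
]

if __name__ == "__main__":
    for p in SAMPLE_PROBES:
        print(f"{p.region}: {classify(p)}")
    print("schedule, property=false:", datacenters_for_flow(SAMPLE_PROBES, False, "schedule"))
    print("schedule, property=true: ", datacenters_for_flow(SAMPLE_PROBES, True, "schedule"))
    print("refresh,  property=false:", datacenters_for_flow(SAMPLE_PROBES, False, "refresh"))
```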

    Data collected by Discovery during horizontal discovery

    Resources discovered using the Amazon AWS - ACL (LP) pattern
    Table 2. Network ACL [cmdb_ci_network_acl]
    Field Description
    Name [name] Name of the network access control list (ACL).
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Table 3. ACL Endpoint [cmdb_ci_endpoint_acl]
    Field Description
    Name [name] Name of the endpoint.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Resources discovered using the Amazon AWS - Application and Network LB (LP) pattern
    Table 4. Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Field Description
    Name [name] Name of the load balancer.
    Fully Qualified Domain Name [fqdn] IP address of the fully qualified domain name of the load balancer.
    Object ID [object_id] The Amazon Resource Name (ARN) of the load balancer.
    DNS Name [dns_name] The public DNS name of the load balancer.
    Canonical Hosted Zone Name [canonical_hosted_zone_name] The name of the Amazon Route 53 hosted zone associated with the load balancer.
    Canonical Hosted Zone ID [canonical_hosted_zone_id] The ID of the Amazon Route 53 hosted zone associated with the load balancer.
    State [state] The state of the load balancer.
    Short Description [short_description] A concatenation of load balancer attributes such as the LB ARN, VPC ID, Type, and Zone.
    Comments [comments] Identifier for internal usage (deletion strategy).
    Table 5. DNS Name [cmdb_ci_dns_name]
    Field Description
    Name [name] Name of the Domain Name System (DNS).
    Object ID [object_id] Name of the DNS.
    IP Address [ip_address] IP address of the DNS.
    Comments [comments] Identifier for internal usage (deletion strategy).
    Resources discovered using the Amazon AWS - Availability Zone (LP) pattern
    Table 6. Availability Zone [cmdb_ci_availability_zone]
    Field Description
    Name [name] Name of the Availability Zone.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    State [state] The state of the Availability Zone. The possible values are: available, information, impaired, and unavailable.
    Resources discovered using the Amazon AWS - Classic LB (LP) pattern
    Table 7. Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Field Description
    Name [name] The name of the load balancer.
    Fully Qualified Domain Name [fqdn] The DNS name of the load balancer.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    DNS Name [dns_name] The DNS name of the load balancer.
    Canonical Hosted Zone Name [canonical_hosted_zone_name] The DNS name of the load balancer.
    Canonical Hosted Zone ID [canonical_hosted_zone_id] The ID of the Amazon Route 53 hosted zone for the load balancer.
    Table 8. Cloud LB IPAddress [cmdb_ci_cloud_lb_ipaddress]
    Field Description
    Name [name] IP address of the Load Balancer.
    Object ID [object_id] IP address of the Load Balancer.
    IP Address [ip_address] IP address of the Load Balancer.
    Comments [comments] Comments related to the Configuration Item (CI).
    Table 9. DNS Name [cmdb_ci_dns_name]
    Field Description
    Name [name] Name of the Domain Name System (DNS).
    IP Address [ip_address] IP address of the DNS.
    Comments [comments] Comments related to the CI.
    Table 10. Load Balancer Pool [cmdb_ci_lb_pool]
    Field Description
    Name [name] The name of the load balancer pool.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Comments [comments] Comments related to the CI.
    Table 11. Load Balancer Pool Member [cmdb_ci_lb_pool_member]
    Field Description
    Name [name] The name of the load balancer pool member (known in AWS as a target).
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Table 12. Load Balancer Service [cmdb_ci_lb_service]
    Field Description
    Name [name] Name of the load balancer service.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Port [port] The port on which the load balancer is listening.
    Service Port [service_port] The port on which the instance is listening.
    Server Protocol [service_protocol] The protocol to use for routing traffic to instances: HTTP, HTTPS, TCP, or SSL.
    Listener Protocol [service_protocol] The load balancer transport protocol to use for routing: HTTP, HTTPS, TCP, or SSL.
    Comments [comments] Comments related to the CI.
    Resources discovered using the Amazon AWS - LB Pool Member (LP) pattern
    Table 13. Load Balancer Pool Member [cmdb_ci_lb_pool_member]
    Field Description
    Name [name] Target ID, depending on the target type.

    For example: Instance ID, IP address, Lambda ARN, or Application Load Balancer ARN.

    Service port [service_port] The port on which the target is listening, if available.
    Object ID [object_id] Possible values are:
    • Target ID
    • Target ID and target port, if available, in the following format: <target ID>#<target port>.

      For example: i-0123456789abcdef0#8080

    Comments [comments] Comments related to the CI.
    Operational status [operational_status] Operational status of the target.

    Possible values are Operational or Non-Operational.

    Install Status [install_status] Installation status of the target.

    Possible values are Installed or Retired.

    Pool [pool] References the Load Balancer Pool [cmdb_ci_lb_pool] table.
    Note:
    By default, the Amazon AWS - LB Pool Member (LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
    Resources discovered using the Amazon AWS - Customer Gateway (LP) pattern
    Table 14. Customer Gateway [cmdb_ci_customer_gateway]
    Field Description
    Name [name] The name of the customer gateway, or its ID if no name is specified.
    Object ID [object_id] ID of the customer gateway.
    Connection Type [connection_type] Type of VPN connection the customer gateway supports.
    Table 15. Customer Gateway Endpoint [cmdb_ci_endpoint_cust_gateway]
    Field Description
    Name [name] The name of the customer gateway, or its ID if no name is specified.
    Object ID [object_id] ID of the customer gateway.
    Resources discovered using the Amazon AWS - discover Organization pattern
    Table 16. Cloud Organizations [cmdb_ci_cloud_org]
    Field Description
    Name [name] The unique identifier (ID) of the management account of an organization.
    Object ID [object_id] The unique identifier (ID) of the management account of an organization.
    Root ID [root_id] The unique identifier (ID) of an organization.
    Master Email [master_email] The email address associated with the AWS account that is designated as the management account for the organization.
    Install Status [install_status] The install status of the Organization based on the AvailablePolicyTypes status.
    Operational status [operational_status] The operational status of the Organization based on the AvailablePolicyTypes status.
    Resources discovered using the Amazon AWS - Host (LP) pattern
    Table 17. Cloud Host [cmdb_ci_cloud_host]
    Field Description
    Name [name] Name of this host.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    CPU Core Count [cpu_core_count] The number of host cores.
    State [state] The current state of the host.
    Host Type [host_type] The host type (instanceFamily).
    Cloud Vendor [cloud_vendor] The cloud vendor: AWS.
    Virtual [virtual] Virtual host: False.
    Resources discovered using the Amazon AWS - Internet Gateway (LP) pattern
    Table 18. Internet Gateway [cmdb_ci_internet_gateway]
    Field Description
    Name [name] The name of the internet gateway, or its ID if no name is specified.
    Object ID [object_id] ID of the internet gateway.
    Table 19. Internet Gateway Endpoint [cmdb_ci_endpoint_intgateway]
    Field Description
    Name [name] The name of the internet gateway, or its ID if no name is specified.
    Object ID [object_id] ID of the internet gateway.
    Resources discovered using the Amazon AWS - IP Address (LP) pattern
    Table 20. IP Address [cmdb_ci_cloud_ip_address]
    Field Description
    Name [name] The name of the network interface, or its ID if no name is specified.
    IP Address [ip_address] If available, the address of the Elastic IP address bound to the network interface. If not available, the Private IP.
    Object ID [object_id] The ID of the Network Interface.
    Public DNS [public_dns] The public DNS name if available.
    Private IP Address [private_ip] The IPv4 address of the network interface within the subnet.
    Instance ID [instance_id] The ID of the instance.
    Resources discovered using the Amazon AWS - Key Pair (LP) pattern
    Table 21. Cloud Key Pair [cmdb_ci_cloud_key_pair]
    Field Description
    Name [name] The name of the key pair.
    Object ID [object_id] The ID of the key pair.
    Finger Print [finger_print] If you used CreateKeyPair to create the key pair, this value is the SHA-1 digest of the DER encoded private key. If you used ImportKeyPair to provide AWS the public key, this value is the MD5 public key fingerprint as specified in section 4 of RFC 4716.
    Resources discovered using the Amazon AWS - LB Pool (LP) pattern
    Table 22. Load Balancer Pool [cmdb_ci_lb_pool]
    Field Description
    Name [name] The name of the load balancer pool.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Comments [comments] Comments related to the CI.
    Resources discovered using the Amazon AWS - LB Service (LP) pattern
    Table 23. Load Balancer Service [cmdb_ci_lb_service]
    Field Description
    Name [name] Name of the load balancer service.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Port [port] The port on which the load balancer is listening.
    Service Port [service_port] The port on which the instance is listening.
    Server Protocol [service_protocol] The protocol to use for routing traffic to instances: HTTP, HTTPS, TCP, or SSL.
    Listener Protocol [service_protocol] The load balancer transport protocol to use for routing: HTTP, HTTPS, TCP, or SSL.
    Comments [comments] Comments related to the CI.
    Resources discovered using the Amazon AWS - NAT Gateway (LP) pattern
    Table 24. NAT Gateway [cmdb_ci_nat_gateway]
    Field Description
    Name [name] Name of the NAT gateway.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Install Status [install_status] Provisioning status of the NAT gateway.
    Table 25. NAT Endpoint [cmdb_ci_endpoint_nat]
    Field Description
    Name [name] The name of the NAT endpoint.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    Resources discovered using the Amazon AWS - Network (LP) pattern
    Table 26. Cloud Network [cmdb_ci_network]
    Field Description
    Name [name] Name of the Virtual Private Cloud (VPC) network.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    State [state] The current state of the VPC: pending or available.
    CIDR [cidr] CIDR representation of the subnet. For example, 10.0.0.0/24.
    Install Status [install_status] Resource provisioning status.
    Resources discovered using the Amazon AWS - NIC (LP) pattern
    Table 27. Cloud Mgmt Network Interface [cmdb_ci_nic]
    Field Description
    Name [name] The name of the network interface, or its ID if no name is specified.
    Object ID [object_id] The ID of the network interface.
    State [state] The status of the network interface. The valid values are as follows: available, associated, attaching, in-use, or detaching.
    Private IP [private_ip] The IPv4 address of the network interface within the subnet.
    IP Address [ip_address] If available, the address of the Elastic IP address bound to the network interface. If not available, the Private IP.
    Public IP [public_ip] The address of the Elastic IP address bound to the network interface.
    Table 28. Cloud LB IPAddress [cmdb_ci_cloud_lb_ipaddress]
    Field Description
    Name [name] IP address of the Load Balancer.
    Object ID [object_id] If available, the address of the Elastic IP address bound to the network. If not available, the Private IP.
    IP Address [ip_address] If available, the address of the Elastic IP address bound to the network interface. If not available, the Private IP.
    Comments [comments] Comments related to the CI.
    Table 29. VNIC Endpoint [cmdb_ci_endpoint_vnic]
    Field Description
    Name [name] The name of the virtual network machine interface (VNIC) endpoint.
    Object ID [object_id] Unique identifier, allocated by Amazon AWS Cloud for this resource.
    IP Address [ip_address] If available, the address of the Elastic IP address bound to the network interface. If not available, the Private IP.
    Host [host] The ID of the instance.
    Resources discovered using the Amazon AWS - Organizational Units (LP) pattern
    Table 30. AWS Organizational Unit [cmdb_ci_aws_org_unit]
    Field Description
    Name [name] The user-friendly name of the Organizational Unit (OU).
    Object ID [object_id] The unique identifier (ID) associated with this OU. The ID is unique to the organization.
    Organizational ID [aws_org_id] The unique identifier (ID) associated with this OU. The ID is unique to the organization.
    Org Unit Parent ID [org_unit_parent_id] The ID of the root or the immediate parent OU.
    Resources discovered using the Amazon AWS - Public IP Address (LP) pattern
    Table 31. Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress]
    Field Description
    Name [name] The name or allocation ID, if no name is specified for the public IP address.
    Object ID [object_id] The ID representing the allocation of the address for the use with EC2-VPC.
    Public IP Address [public_ip] The Elastic IP address.
    Resources discovered using the Amazon AWS - Route Table (LP) pattern
    Table 32. Route Table [cmdb_ci_route_table]
    Field Description
    Name [name] The ID of the route table.
    State [state] If the route table is discoverable, the value is available.
    Object ID [object_id] The name or ID, if no name is specified for the route table.
    Table 33. Route Table Endpoint [cmdb_ci_endpoint_route_table]
    Field Description
    Name [name] The name or ID, if no name is specified for the route table.
    Object ID [object_id] The ID of the route table.
    Resources discovered using the Amazon AWS - Security Group (LP) pattern
    Table 34. Compute Security Group [cmdb_ci_compute_security_group]
    Field Description
    Name [name] The name of the security group.
    Object ID [object_id] The ID of the security group.
    Resources discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
    Table 35. Cloud System Management Agent [cmdb_ci_cloud_system_management_agent]
    Field Description
    Cloud Agent Type [cloud_agent_type] Type of cloud agent: AWS SSM.
    Install Status [install_status] Install status of the AWS Systems Manager (SSM) agent:
    • Installed: The agent is currently running.
    • Absent: The agent is not currently running.
    IP Address [ip_address] Address of the VM instance.
    Name [name] Name of the VM instance that the SSM agent is running on.
    Object ID [object_id] ID of the VM instance.
    Operational status [operational_status] Operational status of the agent service.

    Possible values are Operational or Non-Operational.

    Operating System Platform [operating_system_platform] Operating system type of the VM instance.
    Resource Type [resource_type] Type of resource managed by SSM.

    Possible values are EC2Instance or ManagedInstance.

    Version [version] Version of the SSM agent.
    Resources discovered using the Amazon AWS - Storage (LP) pattern
    Table 36. Storage Volume [cmdb_ci_storage_volume]
    Field Description
    State [state] The volume state. The following values are valid: creating, available, in-use, deleting, deleted, or error.
    Storage Type [storage_type] Hard-coded value: block.
    Volume ID [volume_id] The volume type. For example, gp2 for General Purpose SSD, io1 for Provisioned IOPS SSD, st1 for Throughput Optimized HDD, sc1 for Cold HDD, or standard for Magnetic volumes.
    Name [name] The name or ID, if no name is specified for the volume.
    Size Bytes [size_bytes] The size of the volume, in bytes.
    Object ID [object_id] The ID of the volume.
    Table 37. Block Endpoint [cmdb_ci_endpoint_block]
    Field Description
    Name [name] The name or ID, if no name is specified for the volume.
    Object ID [object_id] The ID of the volume.
    Resources discovered using the Amazon AWS - Sub Account (LP) pattern
    Table 38. Cloud Service Account [cmdb_ci_cloud_service_account]
    Field Description
    Account ID [account_id] Unique identifier (ID) of the account.
    Object ID [object_id] Unique identifier (ID) of the account.
    Datacenter Type [datacenter_type] Hard-coded value: cmdb_ci_aws_datacenter.
    Name [name] User-friendly name of the account.
    Is Master Account [is_master_account] Boolean attribute indicating if this account is the management account or not.
    Account Email [account_email] Email address of the AWS service account.
    Resources discovered using the Amazon AWS - Subnet (LP) pattern
    Table 39. Cloud Subnet [cmdb_ci_cloud_subnet]
    Field Description
    Name [name] The name or ID, if no name is specified for the subnet.
    Object ID [object_id] The ID of the subnet.
    CIDR [cidr] The IPv4 CIDR block assigned to the subnet.
    Available IP Count [available_ip_count] The number of unused private IPv4 addresses in the subnet. The IPv4 addresses for any stopped instances are considered unavailable.
    State [state] The current state of the subnet. The following values are valid: pending or available.
    Resources discovered using the Amazon AWS - VPN Connections (LP) pattern
    Table 40. VPN Connection [cmdb_ci_vpn_connection]
    Field Description
    Name [name] Name of the project that is used for the discovery.
    Object ID [object_id] The name or ID, if no name is specified for the VPN connection.
    State [state] The current state of the VPN connection. The following values are valid: pending, available, deleting, or deleted.
    Resources discovered using the Amazon AWS - VPN Gateway (LP) pattern
    Table 41. Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway]
    Field Description
    Name [name] The name or ID, if no name is specified for the VPN Gateway.
    Object ID [object_id] The ID of the virtual private gateway.
    Connection Type [connection_type] The type of VPN connection the virtual private gateway supports.
    Table 42. Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
    Field Description
    Name [name] The name or ID, if no name is specified for the VPN Gateway.
    Object ID [object_id] The ID of the virtual private gateway.
    Connection Type [connection_type] The type of VPN connection the virtual private gateway supports.
    Resources discovered using the Amazon AWS - Web ACL (LP) pattern
    Table 43. Web ACL [cmdb_ci_web_acl]
    Field Description
    Name [name] Name of the web access control list (web ACL).
    Object ID [object_id] Unique ID for the web ACL from AWS.
    Default Action [defaul_action] Default action when no rules in the web ACL match.

    Possible values are Allow or Deny.

    Description [short_description] Description of web ACL provided by AWS.
    Operational status [operational_status] Whether the web ACL is enabled or disabled.

    Possible values are Operational or Retired.

    Note:
    Security Operations users can leverage the integration with Discovery to import web ACL rules and load balancers with attached web ACLs. For more information on setting ACL rules and using the Mitigation Controls Monitoring app, see Configure the AWS WAF integration for mitigation controls monitoring.

    Events discovered by Discovery during horizontal discovery

    Discovery uses patterns to find events created for Amazon AWS Cloud components. If there are events that indicate the change of state in one of the Amazon AWS Cloud components, it triggers discovery of Amazon AWS Cloud components using the patterns.

    Table 44. Patterns used for event discovery
    Pattern CI
    Amazon AWS Virtual Server Events Virtual Machine Instance [cmdb_ci_vm_instance]
    Amazon AWS Security Group Events Compute Security Group [cmdb_ci_compute_security_group]
    Amazon AWS Subnet Events Cloud Subnet [cmdb_ci_cloud_subnet]
    Amazon AWS Storage Events Storage Volume [cmdb_ci_storage_volume]
    Amazon AWS Network Events Cloud Network [cmdb_ci_network]
    Amazon AWS Classic LB Events Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Amazon AWS Application and Network LBs Events Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Figure 2. Dependency Views displaying the cloud load balancer and connected components
    Figure 3. Dependency Views displaying components connected to the cloud network in the AWS environment
    Figure 4. Dependency Views showing Virtual Machine and connected components in the AWS environment

    CI relationships

    Relationships discovered using the Amazon AWS - ACL (LP) pattern
    CI Relationship CI
    Network [cmdb_ci_network] Contains::Contained by Network ACL [cmdb_ci_network_acl]
    Network ACL [cmdb_ci_network_acl] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Network ACL [cmdb_ci_network_acl] Implement End Point To::Implement End Point From Network ACL [cmdb_ci_endpoint_acl]
    Cloud Subnet [cmdb_ci_cloud_subnet] Use End Point To::Use End Point From Network ACL [cmdb_ci_endpoint_acl]
    Relationships discovered using the Amazon AWS - Application and Network (LP) pattern
    CI Relationship CI
    Cloud Subnet [cmdb_ci_cloud_subnet] Contains::Contained by Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Availability Zone [cmdb_ci_availability_zone] Contains::Contained by Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Contains::Contained by DNS Name [cmdb_ci_dns_name]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Contains::Contained by Compute Security Group [cmdb_ci_compute_security_group]
    Relationships discovered using the Amazon AWS - Availability Zone (LP) pattern
    CI Relationship CI
    AWS Datacenter [cmdb_ci_aws_datacenter] Contains::Contained by Availability Zone [cmdb_ci_availability_zone]
    Relationships discovered using the Amazon AWS - Classic LB (LP) pattern
    CI Relationship CI
    Load Balancer Service [cmdb_ci_lb_service] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Cloud Subnet [cmdb_ci_cloud_subnet] Contains::Contained by Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Availability Zone [cmdb_ci_availability_zone] Contains::Contained by Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Load Balancer Pool [cmdb_ci_lb_pool] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Load Balancer Pool [cmdb_ci_lb_pool] Owns::Owned by Load Balancer Pool Member [cmdb_ci_lb_pool_member]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Contains::Contained by DNS Name [cmdb_ci_dns_name]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Owns::Owned by Cloud LB IPAddress [cmdb_ci_cloud_lb_ipaddress]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Contains::Contained by Compute Security Group [cmdb_ci_compute_security_group]
    Relationships discovered using the Amazon AWS - LB Pool Member(LP) pattern
    CI Relationship CI
    Load Balancer Pool [cmdb_ci_lb_pool] Owns::Owned by Load Balancer Pool Member [cmdb_ci_lb_pool_member]
    Load Balancer Pool Member [cmdb_ci_lb_pool_member] References Load Balancer Pool [cmdb_ci_lb_pool]
    Note:
    By default, the Amazon AWS - LB Pool Member(LP) pattern doesn't execute discovery. To enable the discovery of AWS Application Load Balancer targets, set the sn_itom_pattern.discover_aws_app_pool_members MID Server property to true. For more information, see Enable AWS Application Load Balancer target discovery.
    Relationships discovered using the Amazon AWS - Customer Gateway (LP) pattern
    CI Relationship CI
    Customer Gateway [cmdb_ci_customer_gateway] Hosted on::Hosts Virtual Machine Instance [cmdb_ci_instance]
    Customer Gateway [cmdb_ci_customer_gateway] Implement End Point To::Implement End Point From Customer Gateway [cmdb_ci_endpoint_cust_gateway]
    Relationships discovered using the Amazon AWS - Host (LP) pattern
    CI Relationship CI
    Host [cmdb_ci_cloud_host] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Virtual Machine Instance [cmdb_ci_vm_instance] Runs on::Runs Host [cmdb_ci_cloud_host]
    Relationships discovered using the Amazon AWS - Internet Gateway (LP) pattern
    CI Relationship CI
    Internet Gateway [cmdb_ci_internet_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Internet Gateway [cmdb_ci_internet_gateway] Implement End Point To::Implement End Point From Internet Gateway EP [cmdb_ci_endpoint_intgateway]
    Cloud Network [cmdb_ci_network] Use End Point To::Use End Point From Internet Gateway EP [cmdb_ci_endpoint_intgateway]
    Relationships discovered using the Amazon AWS - IP Address (LP) pattern
    CI Relationship CI
    Cloud Key Pair [cmdb_ci_cloud_key_pair] Contains::Contained by IP Address [cmdb_ci_cloud_ip_address]
    Relationships discovered using the Amazon AWS - Key Pair (LP) pattern
    CI Relationship CI
    Servers [cmdb_ci_server] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - LB Pool (LP) pattern
    CI Relationship CI
    Load Balancer Pool [cmdb_ci_lb_pool] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Relationships discovered using the Amazon AWS - LB Service (LP) pattern
    CI Relationship CI
    Load Balancer Service [cmdb_ci_lb_service] Hosted on::Hosts Cloud Load Balancer [cmdb_ci_cloud_load_balancer]
    Relationships discovered using the Amazon AWS - NAT Gateway (LP) pattern
    CI Relationship CI
    NAT Gateway [cmdb_ci_nat_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    NAT Gateway [cmdb_ci_nat_gateway] Implement End Point To::Implement End Point From NAT EP [cmdb_ci_endpoint_nat]
    Network [cmdb_ci_network] Use End Point To::Use End Point From NAT EP [cmdb_ci_endpoint_nat]
    Relationships discovered using the Amazon AWS - Network (LP) pattern
    CI Relationship CI
    Network [cmdb_ci_network] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - NIC (LP) pattern
    CI Relationship CI
    Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Owns::Owned by Cloud LB IPAddress [cmdb_ci_cloud_lb_ipaddress]
    Virtual Machine Instance [cmdb_ci_vm_instance] Use End Point To::Use End Point From VNIC Endpoint [cmdb_ci_endpoint_vnic]
    Cloud Subnet [cmdb_ci_cloud_subnet] Contains::Contained by NIC [cmdb_ci_nic]
    VNIC Endpoint [cmdb_ci_endpoint_vnic] Implement End Point To::Implement End Point From NIC [cmdb_ci_nic]
    NIC [cmdb_ci_nic] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - Organizational Units (LP) pattern
    CI Relationship CI
    Cloud Organization [cmdb_ci_cloud_org] Contains::Contained by AWS Organizational Unit [cmdb_ci_aws_org_unit]
    AWS Organizational Unit [cmdb_ci_aws_org_unit] Contains::Contained by Cloud Service Account [cmdb_ci_cloud_service_account]
    Key Value [cmdb_key_value] Reference only AWS Organizational Unit [cmdb_ci_aws_org_unit]
    Relationships discovered using the Amazon AWS - Public IP Address (LP) pattern
    CI Relationship CI
    Cloud Public IP Address [cmdb_ci_cloud_public_ipaddress] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - Route Table (LP) pattern
    CI Relationship CI
    Network [cmdb_ci_network] Contains::Contained by Route Table [cmdb_ci_route_table]
    Cloud Subnet [cmdb_ci_cloud_subnet] Use End Point To::Use End Point From Route Table Endpoint [cmdb_ci_endpoint_route_table]
    Route Table [cmdb_ci_route_table] Implement End Point To::Implement End Point From Route Table Endpoint [cmdb_ci_endpoint_route_table]
    Relationships discovered using the Amazon AWS - Security Group (LP) pattern
    CI Relationship CI
    Network [cmdb_ci_network] Contains::Contained by Compute Security Group [cmdb_ci_compute_security_group]
    Compute Security Group [cmdb_ci_compute_security_group] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - SSM Cloud Agents (LP) pattern
    CI Relationship CI
    Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] Extends from Virtual Machine Object [cmdb_ci_vm_object]
    Cloud System Management Agent [cmdb_ci_cloud_system_management_agent] Runs on::Runs Virtual Machine Instance [cmdb_ci_vm_instance]
    Relationships discovered using the Amazon AWS - Storage (LP) pattern
    CI Relationship CI
    Virtual Machine Instance [cmdb_ci_instance] Use End Point To::Use End Point From Block Endpoint [cmdb_ci_endpoint_block]
    Block Endpoint [cmdb_ci_endpoint_block] Implement End Point To::Implement End Point From Storage Volume [cmdb_ci_storage_volume]
    Availability Zone [cmdb_ci_availability_zone] Contains::Contained by Storage Volume [cmdb_ci_storage_volume]
    Storage Volume [cmdb_ci_storage_volume] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - Subnet (LP) pattern
    CI Relationship CI
    Network [cmdb_ci_network] Contains::Contained by Cloud Subnet [cmdb_ci_cloud_subnet]
    Availability Zone [cmdb_ci_availability_zone] Contains::Contained by Cloud Subnet [cmdb_ci_cloud_subnet]
    Relationships discovered using the Amazon AWS - VPN Connections (LP) pattern
    CI Relationship CI
    Customer Gateway [cmdb_ci_customer_gateway] Contains::Contained by VPN Connection [cmdb_ci_vpn_connection]
    Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Contains::Contained by VPN Connection [cmdb_ci_vpn_connection]
    VPN Connection [cmdb_ci_vpn_connection] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Relationships discovered using the Amazon AWS - VPN Gateway (LP) pattern
    CI Relationship CI
    Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
    Virtual Private Gateway [cmdb_ci_virtual_pvt_gateway] Implement End Point To::Implement End Point From Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
    Network [cmdb_ci_network] Use End Point To::Use End Point From Virtual Private Gateway Endpoint [cmdb_ci_endpoint_vpg]
    Relationships discovered using the Amazon AWS - Web ACL (LP) pattern
    CI Relationship CI
    Web ACL [cmdb_ci_web_acl] Extends from Virtual Machine Object [cmdb_ci_vm_object]
    Web ACL [cmdb_ci_web_acl] Hosted on::Hosts AWS Datacenter [cmdb_ci_aws_datacenter]
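The relationship tables above are the raw material for the Dependency Views in Figures 2 to 4. The following added example, which is not ServiceNow code, walks records of that shape to rebuild the neighbourhood of one cloud load balancer and to flag load balancers that have no Compute Security Group relationship, a gap worth checking before using the map for exposure analysis. The record layout (parent, relationship type, child, with each CI as a (class, name) pair) is an assumption standing in for a cmdb_rel_ci export, and the sample records are constructed.

```python
"""Rebuild a Dependency Views style neighbourhood from CI relationship records.

Added example, not ServiceNow code.  Assumption: each record is
(parent, "Forward::Reverse", child) with a CI given as (class, name);
the sample data below is constructed from relationship types in the tables."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

CI = Tuple[str, str]        # (CI class, display name)
Rel = Tuple[CI, str, CI]    # (parent CI, relationship type, child CI)

LB = "cmdb_ci_cloud_load_balancer"

# Constructed sample: one Application LB with a security group, one Classic LB without.
SAMPLE_RELS: List[Rel] = [
    (("cmdb_ci_cloud_subnet", "subnet-a"), "Contains::Contained by", (LB, "web-alb")),
    (("cmdb_ci_availability_zone", "us-east-1a"), "Contains::Contained by", (LB, "web-alb")),
    ((LB, "web-alb"), "Hosted on::Hosts", ("cmdb_ci_aws_datacenter", "us-east-1")),
    ((LB, "web-alb"), "Contains::Contained by", ("cmdb_ci_dns_name", "web-alb-123.elb.amazonaws.com")),
    ((LB, "web-alb"), "Contains::Contained by", ("cmdb_ci_compute_security_group", "sg-web")),
    (("cmdb_ci_lb_service", "https-443"), "Hosted on::Hosts", (LB, "legacy-clb")),
    ((LB, "legacy-clb"), "Hosted on::Hosts", ("cmdb_ci_aws_datacenter", "us-east-1")),
    ((LB, "legacy-clb"), "Contains::Contained by", ("cmdb_ci_dns_name", "legacy-456.elb.amazonaws.com")),
    (("cmdb_ci_lb_pool", "pool-1"), "Hosted on::Hosts", (LB, "legacy-clb")),
    (("cmdb_ci_lb_pool", "pool-1"), "Owns::Owned by", ("cmdb_ci_lb_pool_member", "i-0abc")),
]


def neighbourhood(ci: CI, rels: List[Rel]) -> Dict[str, List[CI]]:
    """Return {relationship label: [related CI, ...]} for every record touching ci.

    The label keeps direction: the part before '::' when ci is the parent,
    the part after it when ci is the child.  Types without '::' (for example
    'Extends from' or 'References') use the same label in both directions."""
    out: Dict[str, List[CI]] = defaultdict(list)
    for parent, rtype, child in rels:
        forward, _, reverse = rtype.partition("::")
        reverse = reverse or forward
        if parent == ci:
            out[forward].append(child)
        elif child == ci:
            out[reverse].append(parent)
    return dict(out)


def load_balancers(rels: List[Rel]) -> Set[CI]:
    """Every cloud load balancer CI that appears on either side of a record."""
    return {ci for rel in rels for ci in (rel[0], rel[2]) if ci[0] == LB}


def load_balancers_missing(rels: List[Rel], required_class: str) -> List[CI]:
    """Load balancers with no relationship at all to a CI of required_class.

    Called with cmdb_ci_compute_security_group this lists load balancers whose
    network exposure the map cannot explain, either because discovery did not
    run the pattern that creates the relationship or because none is attached."""
    missing = []
    for lb in sorted(load_balancers(rels)):
        related = [ci for cis in neighbourhood(lb, rels).values() for ci in cis]
        if not any(ci[0] == required_class for ci in related):
            missing.append(lb)
    return missing


if __name__ == "__main__":
    for label, cis in neighbourhood((LB, "web-alb"), SAMPLE_RELS).items():
        print(label, "->", [name for _, name in cis])
    print("no security group:", load_balancers_missing(SAMPLE_RELS, "cmdb_ci_compute_security_group"))
```

The direction handling matters: the tables write every type as `Forward::Reverse`, so a load balancer is "Contained by" its subnet and availability zone but "Contains" its DNS name and security group, and a report built without that split would merge the two sides.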

    Services discovered by patterns

Horizontal discovery finds the following EC2, VPC, and Elastic Load Balancing services on AWS resources. Each service type maps to the CI class that is created and to the pattern that discovers it.
    Table 45. Services discovered by Discovery using patterns
    Service name CI class Pattern
    AWS::EC2::SecurityGroup Compute Security Group [cmdb_ci_compute_security_group] Amazon AWS Security Group Events
    AWS::EC2::Subnet Cloud Subnet [cmdb_ci_cloud_subnet] Amazon AWS Subnet Events
    AWS::EC2::VPC Cloud Network [cmdb_ci_network] Amazon AWS Network Events
    AWS::EC2::Instance Virtual Machine Instance [cmdb_ci_vm_instance] Amazon AWS Virtual Server Events
AWS::EC2::Volume Storage Volume [cmdb_ci_storage_volume] Amazon AWS Elastic Block Storage
AWS::ElasticLoadBalancingV2::LoadBalancer Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Amazon AWS Application and Network LBs Events
AWS::ElasticLoadBalancing::LoadBalancer Cloud Load Balancer [cmdb_ci_cloud_load_balancer] Amazon AWS Classic LB Events
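Tables 44 and 45 together say which pattern and CI class a state-change event for a given AWS resource type leads to. The added example below, which is neither ServiceNow nor AWS code, shows the routing step a practitioner would want in front of that trigger: it batches events per pattern, account and region, drops duplicates from a burst of changes on one resource, and refuses events for resource types with no pattern or for accounts that were never onboarded as service accounts. The event layout (resource_type, resource_id, account, region) and the allowed_accounts check are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Route AWS change events to the Discovery pattern and CI class for their resource type.

Added example, not ServiceNow or AWS code.  Assumptions: events are dicts
with resource_type, resource_id, account and region, and the caller supplies
the set of onboarded service accounts."""
from collections import OrderedDict
from typing import Dict, Iterable, List, Set, Tuple

# Resource type -> (CI class, pattern), as paired in Table 45.
# AWS::EC2::Volume is the CloudFormation resource type for an EBS volume.
RESOURCE_MAP: Dict[str, Tuple[str, str]] = {
    "AWS::EC2::SecurityGroup": ("cmdb_ci_compute_security_group", "Amazon AWS Security Group Events"),
    "AWS::EC2::Subnet": ("cmdb_ci_cloud_subnet", "Amazon AWS Subnet Events"),
    "AWS::EC2::VPC": ("cmdb_ci_network", "Amazon AWS Network Events"),
    "AWS::EC2::Instance": ("cmdb_ci_vm_instance", "Amazon AWS Virtual Server Events"),
    "AWS::EC2::Volume": ("cmdb_ci_storage_volume", "Amazon AWS Elastic Block Storage"),
    "AWS::ElasticLoadBalancingV2::LoadBalancer": ("cmdb_ci_cloud_load_balancer", "Amazon AWS Application and Network LBs Events"),
    "AWS::ElasticLoadBalancing::LoadBalancer": ("cmdb_ci_cloud_load_balancer", "Amazon AWS Classic LB Events"),
}

# Constructed sample: a duplicate, an unmapped type, and an account that was not onboarded.
SAMPLE_EVENTS: List[dict] = [
    {"resource_type": "AWS::EC2::Instance", "resource_id": "i-0a1b2c", "account": "111111111111", "region": "us-east-1"},
    {"resource_type": "AWS::EC2::Instance", "resource_id": "i-0a1b2c", "account": "111111111111", "region": "us-east-1"},
    {"resource_type": "AWS::EC2::SecurityGroup", "resource_id": "sg-0f00", "account": "111111111111", "region": "us-east-1"},
    {"resource_type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "resource_id": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/abc123",
     "account": "111111111111", "region": "us-east-1"},
    {"resource_type": "AWS::S3::Bucket", "resource_id": "example-bucket", "account": "111111111111", "region": "us-east-1"},
    {"resource_type": "AWS::EC2::Instance", "resource_id": "i-0d4e5f", "account": "222222222222", "region": "us-east-1"},
]


def route_events(events: Iterable[dict], allowed_accounts: Set[str]):
    """Group events into one discovery request per (pattern, account, region).

    Returns (batches, skipped).  batches maps that key to the CI class and the
    de-duplicated resource IDs to discover; skipped lists (reason, event) for
    input that must not trigger a pattern run: unknown resource types, events
    without a resource ID, and accounts that are not onboarded service accounts."""
    batches: "OrderedDict[Tuple[str, str, str], dict]" = OrderedDict()
    skipped: List[Tuple[str, dict]] = []
    for ev in events:
        account = ev.get("account")
        if account not in allowed_accounts:
            skipped.append(("account not onboarded", ev))
            continue
        mapping = RESOURCE_MAP.get(ev.get("resource_type", ""))
        if mapping is None:
            skipped.append(("no pattern for resource type", ev))
            continue
        resource_id = ev.get("resource_id")
        if not resource_id:
            skipped.append(("missing resource id", ev))
            continue
        ci_class, pattern = mapping
        key = (pattern, account, ev.get("region", ""))
        batch = batches.setdefault(key, {"ci_class": ci_class, "resource_ids": []})
        if resource_id not in batch["resource_ids"]:  # collapse bursts on one resource
            batch["resource_ids"].append(resource_id)
    return batches, skipped


if __name__ == "__main__":
    batches, skipped = route_events(SAMPLE_EVENTS, {"111111111111"})
    for (pattern, account, region), batch in batches.items():
        print(f"{pattern} [{account}/{region}] -> {batch['ci_class']}: {batch['resource_ids']}")
    for reason, ev in skipped:
        print("skipped:", reason, ev["resource_type"], ev["resource_id"])
```

Batching by pattern, account and region matches how the patterns are parameterised in the tables above, and checking the account first keeps an event from an account outside the configured management or sub-account list from causing any work at all.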

    Data collected by Service Mapping during tag-based discovery

Service Mapping uses tag-based discovery to create service instance maps that include cloud components. The Service Mapping application comes with the following preconfigured CI relationships for tag-based discovery. These CI relationships are available from the 1.0.68 release on the ServiceNow Store.
    CI Relationship CI
    Configuration Item [cmdb_ci] Hosted on::Hosts Logical Datacenter [cmdb_ci_logical_datacenter]
    Logical Datacenter [cmdb_ci_logical_datacenter] Hosted on::Hosts Cloud Service Account [cmdb_ci_cloud_service_account]