AWS Integration for Security Exposure Management

  • Release version: Australia
  • Updated April 2, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of AWS Integration for Security Exposure Management

    The AWS Integration for Security Exposure Management connects your AWS environment with the ServiceNow AI Platform®, enabling the import of security findings from AWS Inspector and AWS Security Hub. This integration helps you prioritize and remediate vulnerabilities by ingesting detailed security data directly into ServiceNow’s Vulnerability Response and Configuration Compliance modules.

    Show full answer Show less

    Key Features

    • Multi-regional data ingestion: Supports importing findings from multiple AWS regions within a single integration configuration.
    • Delta imports: Retrieves only updated security findings since the last integration run to optimize synchronization.
    • Mapping and correlation: Maps AWS Security Hub and Inspector findings to Vulnerable Items (VITs), Container Vulnerable Items (CVITs), detections, tests, and configuration items (CIs), enabling asset correlation and comprehensive vulnerability tracking.
    • Uniqueness enforcement: Prevents duplicate records, ensuring clean and accurate vulnerability data.
    • Domain separation and split detection support: Supports organizational separation of data and splitting host findings for detailed analysis.

    Supported Integrations and Schedules

    All integrations run daily by default and cover the following:

    • AWS Inspector:
      • Host Vulnerability Integration: Imports vulnerabilities for EC2 instances and Lambda functions.
      • Container Vulnerability Integration: Imports vulnerabilities for ECR container images.
    • AWS Security Hub:
      • Host Vulnerability Integration: Imports host vulnerabilities for EC2 instances and Lambda functions.
      • Container Vulnerability Integration: Imports container vulnerabilities for ECR container images.
      • Test Results Integration: Imports misconfiguration findings as tests and test results in Configuration Compliance.

    Authentication and Configuration

    The integration authenticates with AWS using IAM credentials and AWS Signature Version 4 (SigV4) signing. For cross-account access, you can configure a Role ARN that uses AWS STS AssumeRole to obtain temporary security credentials valid for 3,600 seconds.

    The key credential fields required are:

    • Access Key: AWS IAM user access key ID.
    • Secret Key: AWS IAM user secret access key (encrypted).
    • Role ARN: ARN of the IAM role used for AssumeRole (mandatory for cross-account setups).
    • Region: One or more AWS regions to retrieve security findings from.

    This integration enables ServiceNow customers to seamlessly incorporate AWS security findings into their vulnerability and compliance workflows, enhancing visibility and accelerating remediation efforts across cloud assets.

    AWS Integration for Security Exposure Management connects your AWS environment to your ServiceNow AI Platform®, enabling you to import security findings from AWS Inspector and AWS Security Hub.

    Supported integrations

    The AWS Integration for Security Exposure Management supports integrations with the following AWS services:

    AWS Inspector
    AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The Vulnerability Response integration with AWS Inspector uses data imported from AWS Inspector to help you prioritize and remediate vulnerabilities for your assets.
    AWS Security Hub
    AWS Security Hub is a security service that is used to centralize and update security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports Host, Container vulnerabilities, and misconfigurations from AWS Security Hub.

    Key features

    AWS Integration for Security Exposure Management includes the following key features:

    • Multi-regional data ingestion from multiple configured AWS regions.
    • Delta imports for all integrations, retrieving only updated findings since the last integration run.
    • Mapping of AWS Security Hub and Inspector host findings to vulnerable Items (VIT)s and detections, container findings to Container Vulnerable Items (CVIT)s, and test results in Configuration Compliance.
    • Configuration item (CI) mapping and asset correlation.
    • Uniqueness enforcement to help avoid duplicate records.
    • Domain separation.
    • Split detection support for host findings.

    Integration schedules

    All integrations run on a daily schedule by default. The following integrations are available:

    Table 1. Available AWS Inspector integrations
    Integration Description
    AWS Inspector Host Vulnerability Integration Retrieves host vulnerability findings for EC2 instances and Lambda functions. Creates Vulnerable Items (VIT)s, discovered items, and detections.
    AWS Inspector Container Vulnerability Integration Retrieves container vulnerability findings for ECR container images. Creates Container Vulnerable Items (CVIT)s, discovered container images, and Findings.
    Table 2. Available AWS Security Hub integrations
    Integration Description
    AWS Security Hub Host Vulnerability Integration Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub. Creates vulnerable items (VIT)s, discovered items, and detections.
    AWS Container Vulnerability Integration Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub. Creates Container Vulnerable Items (CVIT)s, discovered container images, and Findings.
    AWS Test Results Integration Retrieves misconfigurations of various assets from AWS Security Hub. Creates tests and test results in Configuration Compliance.

    Authentication

    The integration authenticates with AWS using IAM credentials and AWS Signature Version 4 (SigV4) request signing. When you configure a Role ARN, the integration calls AWS STS AssumeRole to obtain temporary security credentials, which are valid for 3,600 seconds.

    Table 3. AWS credential fields
    Field Description
    Access Key AWS access key ID for the IAM user.
    Secret Key AWS secret access key (stored encrypted).
    Role ARN ARN of the IAM role for STS AssumeRole (required for cross-account access).
    Region One or more AWS regions from which to retrieve findings.