Amazon Simple Storage Service (Amazon S3) discovery with Patterns

  • Release version: Yokohama
  • Updated February 12, 2026

    The ServiceNow Discovery application uses the Amazon AWS S3 pattern to find public and non-public storage buckets of Amazon Simple Storage Service. The pattern uses a set of REST API calls to find these resources. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    In addition to the discovery schedule, the ServiceNow instance triggers the Amazon AWS S3 pattern when AWS Config sends an event to the ServiceNow instance. Config is a service that continuously monitors AWS resources and sends an event to the ServiceNow instance every time it detects that a resource configuration has changed.

    The Amazon AWS S3 pattern can also discover AWS S3 buckets located in the AWS GovCloud (US) region. For AWS S3 buckets located in AWS GovCloud (US), the pattern cannot discover AWS S3 outgoing connections to other cloud resources such as Lambda functions. Discovery of outgoing connections for AWS S3 will be supported in future releases.

    You can use this pattern on the ServiceNow platform using Jakarta Patch 10, Kingston Patch 8, or London Patch 1.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Prerequisites

    • If you use Identity and Access Management (IAM) to manage users on the Amazon Web Services (AWS) platform, ensure that you have created a user policy for the AWS user. For more information, refer to Create an IAM user policy for Cloud Provisioning and Governance in the ServiceNow Cloud Provisioning and Governance documentation.
    • Configure the AWS service account.
    • Configure AWS credentials, using a secret key and an access key.
    • Grant the AWS user the permissions in the AmazonS3ReadOnlyAccess policy.
    • Discover Logical Datacenters hosting S3 buckets as described in Run Discovery on an AWS cloud service account in the ServiceNow Cloud Provisioning and Governance documentation.
    • Create a schedule for the relevant AWS service account as described in Schedule Discovery on a service account in the ServiceNow Cloud Provisioning and Governance documentation.
    • To enable alert-based discovery, configure the AWS event service as described in Set up AWS event processing for Discovery and Service Mapping in the ServiceNow Cloud Provisioning and Governance documentation.
    • For Cloud Discovery, download the Discovery and Service Mapping Patterns from the ServiceNow Store.
    • When installing the MID Server, ensure that the host machine meets or exceeds the MID Server system requirements published on the ServiceNow documentation site.

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

    Note:
    You can test the AWS REST APIs using the Postman API platform. For more information, see the How to test AWS REST API using POSTMAN [KB0782183] article in the Now Support Knowledge Base.

    Data collected by Discovery during horizontal discovery

    Table: Cloud Object Storage [cmdb_ci_cloud_object_storage]

    Field: Description
    Bucket name [bucket_name]: The name of the AWS S3 bucket. You can discover all buckets hosted on a Logical Datacenter during one discovery process.
    Creation date [creation date]: Creation date of the AWS S3 bucket.
    Cloud provider [cloud_provider]: Amazon AWS
    Object ID [object_id]: The Amazon Resource Name (ARN), expressed in this format: arn:aws:s3:::<bucket name>
    Service name [service_name]: Set to S3 by default.
    Owner [owner]: Account ID in which the bucket exists.
    Encryption type [encryption_type]: Type of encryption for this bucket. The choices are:
      • None
      • AES-256
      • AWS-KMS
    ACL access type [acl_access_type]: The choices for access control types are:
      • Public
      • Not Public
    Policy access type [policy_access_type]: The choices for policy access types are:
      • Public
      • Not Public
    Replication destination [replication_destination]: Bucket ARN of the Replication Destination bucket.

    Note:
    In Discovery and Service Mapping Patterns versions before 1.30.2, the Owner field displays the bucket owner's name.

    On the Dependency Views map, you can see all discovered S3 buckets in your organization, including S3 buckets that you configured as replicas. In this example, Cloud Object Storage 1, Cloud Object Storage 2, and Cloud Object Storage 3 replicate Cloud Object Storage 2. In turn, Cloud Object Storage 2 replicates Cloud Object Storage 1.

    Figure 1. Dependency Views showing AWS S3 components
    Result of horizontal discovery of AWS S3 as appears in Dependency Views
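
The access, encryption, and replication fields listed above are the ones a security review of the discovered buckets would start from. The following Python sketch is an added example, not ServiceNow code: it audits records exported from the Cloud Object Storage table, assuming each record is a dictionary keyed by the field names above and holding the choice labels shown on this page (the sample records and the finding texts are constructed for illustration).

```python
import re

# Field names and choice labels come from the Cloud Object Storage table above;
# matching on labels is an assumption. "aws-us-gov" is the GovCloud (US) partition.
ARN_RE = re.compile(r"^arn:(?:aws|aws-us-gov):s3:::(?P<bucket>[^\s/:]+)$")

# Constructed sample records, not real discovery output.
SAMPLE_RECORDS = [
    {"bucket_name": "logs-prod", "object_id": "arn:aws:s3:::logs-prod",
     "encryption_type": "AES-256", "acl_access_type": "Not Public",
     "policy_access_type": "Not Public",
     "replication_destination": "arn:aws:s3:::logs-dr"},
    {"bucket_name": "logs-dr", "object_id": "arn:aws:s3:::logs-dr",
     "encryption_type": "AWS-KMS", "acl_access_type": "Not Public",
     "policy_access_type": "Not Public", "replication_destination": ""},
    {"bucket_name": "web-assets", "object_id": "arn:aws:s3:::web-assets",
     "encryption_type": "None", "acl_access_type": "Public",
     "policy_access_type": "Not Public", "replication_destination": ""},
    {"bucket_name": "exports", "object_id": "arn:aws:s3:::exports",
     "encryption_type": "AES-256", "acl_access_type": "Not Public",
     "policy_access_type": "Public",
     "replication_destination": "arn:aws:s3:::partner-drop"},
]

def audit_buckets(records):
    """Return {bucket_name: [finding, ...]} for buckets that need review."""
    known_arns = {r.get("object_id") for r in records}
    findings = {}
    for r in records:
        issues = []
        name = r.get("bucket_name") or ""
        m = ARN_RE.match(r.get("object_id") or "")
        if not m or m.group("bucket") != name:
            issues.append("object_id does not match bucket_name")
        if r.get("acl_access_type") == "Public":
            issues.append("public via ACL")
        if r.get("policy_access_type") == "Public":
            issues.append("public via bucket policy")
        if (r.get("encryption_type") or "None") == "None":
            issues.append("no encryption configured")
        dest = r.get("replication_destination")
        if dest and dest not in known_arns:
            issues.append("replicates to undiscovered bucket " + dest)
        if issues:
            findings[name] = issues
    return findings
if __name__ == "__main__":
    for bucket, issues in audit_buckets(SAMPLE_RECORDS).items():
        print(bucket, "->", "; ".join(issues))
```

A replication destination that is not among the discovered buckets may belong to an account outside the discovery schedule, so it is reported for follow-up rather than treated as an error.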

    CI relationships

    These relationships are created to support AWS S3 discovery:

    CI                              Relationship                    CI
    cmdb_ci_cloud_object_storage    Replicates to::Replicated By    cmdb_ci_cloud_object_storage
    cmdb_ci_cloud_object_storage    Hosted on::Hosts                cmdb_ci_logical_datacenter

    Data discovered by Service Mapping during top-down discovery

    Service Mapping can discover AWS S3 outgoing connections to cloud resources, for example, a Lambda function.

    Figure 2. Application service map showing an S3 bucket CI

    Service Mapping map showing a service with discovered S3 buckets.

    Troubleshooting

    If the mapping process does not proceed as you expected, try the following suggestions.

    Symptom: Discovery fails. The discovery message contains information about an error caused by the REST timeout.
    Cause: There are many CIs sending the REST call response in the deployment. The MID Server cannot process the REST call response without exceeding the time limit controlled by the mid.sa.cloud.request_timeout parameter.
    Solution: By default, the mid.sa.cloud.request_timeout parameter is set to 30000 milliseconds. Increase the value of this parameter on the relevant MID Server and run discovery again.
    Note:
    If the Configuration Parameters related list for the relevant MID Server does not show this parameter, you may need to add it.

    Symptom: Pattern Designer fails during a debug session. The Pattern Designer message contains information about an error caused by a timeout.
    Cause: The Pattern Designer fails because of a timeout during pattern debugging (and not during discovery).
    Solution: By default, the sa.debugger.max_timeout parameter is set to 240 seconds. Increase the value of this parameter on the relevant MID Server.