AWS Integration for Security Exposure Management

  • Release version: Yokohama
  • Updated April 2, 2026

    AWS Integration for Security Exposure Management connects your AWS environment to your ServiceNow AI Platform®, enabling you to import security findings from AWS Inspector and AWS Security Hub.

    Supported integrations

    The AWS Integration for Security Exposure Management supports integrations with the following AWS services:

    AWS Inspector
    AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The Vulnerability Response integration with AWS Inspector uses data imported from AWS Inspector to help you prioritize and remediate vulnerabilities for your assets.
    AWS Security Hub
AWS Security Hub is a service that centralizes security checks and findings across AWS accounts, giving a single view of security alerts and compliance status by aggregating results from other AWS services. The Vulnerability Response integration with AWS Security Hub imports host vulnerabilities, container vulnerabilities, and misconfigurations from AWS Security Hub.

    Key features

    AWS Integration for Security Exposure Management includes the following key features:

    • Multi-regional data ingestion from multiple configured AWS regions.
    • Delta imports for all integrations, retrieving only updated findings since the last integration run.
    • Mapping of AWS Security Hub and Inspector host findings to Vulnerable Items (VITs) and detections, container findings to Container Vulnerable Items (CVITs), and misconfigurations to test results in Configuration Compliance.
    • Configuration item (CI) mapping and asset correlation.
    • Uniqueness enforcement to help avoid duplicate records.
    • Domain separation.
    • Split detection support for host findings.

    Integration schedules

    All integrations run on a daily schedule by default. The following integrations are available:

    Table 1. Available AWS Inspector integrations

    AWS Inspector Host Vulnerability Integration
    Retrieves host vulnerability findings for EC2 instances and Lambda functions. Creates Vulnerable Items (VITs), discovered items, and detections.
    AWS Inspector Container Vulnerability Integration
    Retrieves container vulnerability findings for ECR container images. Creates Container Vulnerable Items (CVITs), discovered container images, and Findings.

    Table 2. Available AWS Security Hub integrations

    AWS Security Hub Host Vulnerability Integration
    Retrieves host vulnerability findings (EC2 instances, Lambda functions) from AWS Security Hub. Creates Vulnerable Items (VITs), discovered items, and detections.
    AWS Container Vulnerability Integration
    Retrieves container vulnerability findings (ECR container images) from AWS Security Hub. Creates Container Vulnerable Items (CVITs), discovered container images, and Findings.
    AWS Test Results Integration
    Retrieves misconfigurations of various assets from AWS Security Hub. Creates tests and test results in Configuration Compliance.

    Authentication

    The integration authenticates with AWS using IAM credentials and AWS Signature Version 4 (SigV4) request signing, so the secret key is never transmitted; each request carries a signature derived from it and scoped to the request's date, region, and service. When you configure a Role ARN, the integration calls AWS STS AssumeRole with the configured access key and secret key to obtain temporary security credentials, which are valid for 3,600 seconds (the AssumeRole default) and are re-obtained when they expire. For AssumeRole to succeed, the IAM principal that owns the access key must be permitted by the target role's trust policy to assume that role; the role, not the IAM user, then needs the read permissions for AWS Inspector and AWS Security Hub.

    Table 3. AWS credential fields

    Access Key
    AWS access key ID for the IAM user.
    Secret Key
    AWS secret access key (stored encrypted).
    Role ARN
    ARN of the IAM role for STS AssumeRole (required for cross-account access).
    Region
    One or more AWS regions from which to retrieve findings.
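    The following is an added, stand-alone example (not the ServiceNow integration's own code and not an AWS SDK) showing what the authentication described above does on the wire: it derives the SigV4 signing key from a secret key, builds the canonical request and string to sign, and emits the Authorization header, then uses the same signer for an STS AssumeRole call with a 3,600-second session and for a Security Hub GetFindings request whose UpdatedAt filter requests only findings changed since the previous run (the shape of a delta import). It never contacts AWS. The credentials, role ARN, and timestamps are constructed placeholders; the verification vector in the accompanying check is the public example from the AWS SigV4 documentation, which uses the well-known placeholder keys AKIDEXAMPLE / wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.

```python
"""Added example: AWS SigV4 request signing, STS AssumeRole and a delta-import
filter. Illustrative stdlib-only code written for this page; it is not the
ServiceNow integration's implementation and makes no network calls."""
import hashlib
import hmac
import json
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The secret never leaves the client; the derived key is bound to one day,
    region and service, so a leaked signing key has a narrow blast radius."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, body: bytes):
    """Build the SigV4 canonical request; returns (text, signed_headers)."""
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")          # RFC 3986 encoding
    cq = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    # Header names lowercased, values trimmed with space runs collapsed, sorted by name.
    norm = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(norm))
    ch = "".join(f"{k}:{norm[k]}\n" for k in sorted(norm))
    cp = urllib.parse.quote(path, safe="/~") or "/"
    return "\n".join([method, cp, cq, ch, signed, _sha256_hex(body)]), signed


def sign_request(method, host, path, query, headers, body, access_key, secret_key,
                 region, service, amz_date, session_token=None):
    """Return a copy of headers with host, x-amz-date and Authorization added.
    amz_date ("20150830T123600Z") is both signed and part of the credential
    scope, which is what lets AWS reject stale or replayed requests."""
    hdrs = dict(headers)
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:  # temporary credentials from AssumeRole must send their token
        hdrs["x-amz-security-token"] = session_token
    creq, signed = canonical_request(method, path, query, hdrs, body)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}")
    return hdrs


def assume_role_body(role_arn: str, session_name: str, duration_seconds: int = 3600) -> bytes:
    """STS Query API body for AssumeRole; 3600 s is the default session lifetime."""
    params = {"Action": "AssumeRole", "Version": "2011-06-15", "RoleArn": role_arn,
              "RoleSessionName": session_name, "DurationSeconds": str(duration_seconds)}
    return urllib.parse.urlencode(params).encode("utf-8")


def securityhub_delta_filter(since_iso: str, until_iso: str) -> bytes:
    """GetFindings body restricted to findings updated inside [since, until]."""
    return json.dumps({"Filters": {"UpdatedAt": [{"Start": since_iso, "End": until_iso}]}}).encode("utf-8")


if __name__ == "__main__":
    # Constructed placeholder credentials and role; nothing here is real.
    ak, sk = "AKIAEXAMPLEPLACEHOLDER", "placeholder-secret-key-not-real"
    role = "arn:aws:iam::123456789012:role/ExampleReadOnlyRole"
    body = assume_role_body(role, "sem-import")
    sts_headers = sign_request("POST", "sts.us-east-1.amazonaws.com", "/", {},
                               {"Content-Type": "application/x-www-form-urlencoded"}, body,
                               ak, sk, "us-east-1", "sts", "20260402T000000Z")
    print("AssumeRole:", sts_headers["Authorization"])
    # After AssumeRole returns temporary keys + token, the delta query is signed with them.
    delta = securityhub_delta_filter("2026-04-01T00:00:00Z", "2026-04-02T00:00:00Z")
    sh_headers = sign_request("POST", "securityhub.us-east-1.amazonaws.com", "/findings", {},
                              {"Content-Type": "application/json"}, delta,
                              "ASIAEXAMPLETEMP", "temp-secret", "us-east-1", "securityhub",
                              "20260402T000100Z", session_token="constructed-session-token")
    print("GetFindings:", sh_headers["Authorization"])
```

    Two points the page's description implies but does not spell out are visible in the code: the AssumeRole request itself is signed with the long-term IAM user keys, whereas every later Inspector or Security Hub request is signed with the temporary keys and must also carry the session token in x-amz-security-token; and the delta import is just a narrower filter on the same signed request, so its correctness depends on persisting the previous run's upper bound as the next run's lower bound.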