AWS Integration for Security Exposure Management

  • Release version: Yokohama
  • Updated April 2, 2026
  • 2 minutes to read

    • AWS Integration for Security Exposure Management connects your AWS environment to your ServiceNow AI Platform®, enabling you to import security findings from AWS Inspector and AWS Security Hub.

    Supported integrations

    The AWS Integration for Security Exposure Management supports integrations with the following AWS services:

    AWS Inspector
    AWS Inspector is an automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The Vulnerability Response integration with AWS Inspector uses data imported from AWS Inspector to help you prioritize and remediate vulnerabilities for your assets.
    AWS Security Hub
    AWS Security Hub is a security service that is used to centralize and update security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports Host, Container vulnerabilities, and misconfigurations from AWS Security Hub.

    Key features

    AWS Integration for Security Exposure Management includes the following key features:

    • Multi-regional data ingestion from multiple configured AWS regions.
    • Delta imports for all integrations, retrieving only updated findings since the last integration run.
    • Mapping of AWS Security Hub and Inspector host findings to vulnerable Items (VIT)s and detections, container findings to Container Vulnerable Items (CVIT)s, and test results in Configuration Compliance.
    • Configuration item (CI) mapping and asset correlation.
    • Uniqueness enforcement to help avoid duplicate records.
    • Domain separation.
    • Split detection support for host findings.

    Integration schedules

    All integrations run on a daily schedule by default. The following integrations are available:

    Table 1. Available AWS Inspector integrations
    Integration Description
    AWS Inspector Host Vulnerability Integration Retrieves host vulnerability findings for EC2 instances and Lambda functions. Creates Vulnerable Items (VIT)s, discovered items, and detections.
    AWS Inspector Container Vulnerability Integration Retrieves container vulnerability findings for ECR container images. Creates Container Vulnerable Items (CVIT)s, discovered container images, and Findings.
    Table 2. Available AWS Security Hub integrations
    Integration Description
    AWS Security Hub Host Vulnerability Integration Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub. Creates vulnerable items (VIT)s, discovered items, and detections.
    AWS Container Vulnerability Integration Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub. Creates Container Vulnerable Items (CVIT)s, discovered container images, and Findings.
    AWS Test Results Integration Retrieves misconfigurations of various assets from AWS Security Hub. Creates tests and test results in Configuration Compliance.

    Authentication

    The integration authenticates with AWS using IAM credentials and AWS Signature Version 4 (SigV4) request signing. When you configure a Role ARN, the integration calls AWS STS AssumeRole to obtain temporary security credentials, which are valid for 3,600 seconds.

    Table 3. AWS credential fields
    Field Description
    Access Key AWS access key ID for the IAM user.
    Secret Key AWS secret access key (stored encrypted).
    Role ARN ARN of the IAM role for STS AssumeRole (required for cross-account access).
    Region One or more AWS regions from which to retrieve findings.