AWS Integration for Security Exposure Management integrations

Release version: Yokohama

Updated April 2, 2026

2 minutes to read

Integrations, roles, dependencies, and REST messages used for the AWS Integration for Security Exposure Management.

Required roles

Users who configure and use the integration must be assigned the appropriate ServiceNow roles.

sn_vul_aws.configure_integration: Allows you to configure authentication credentials for the AWS plugin.
sn_vul_aws.read_integration: Provides read access to AWS integrations and AWS tables.

Dependencies

AWS Integration for Security Exposure Management requires the following ServiceNow® applications:

Vulnerability Response (required) — Core application for vulnerability management.
Container Vulnerability Response (optional) — Required for the AWS Inspector Container and AWS Security Hub Container integrations.
Configuration Compliance (optional) — Required for the AWS Security Hub Test Results integration.

AWS Inspector Integrations

Table 1. AWS Inspector integration details
Integration	Description	Run sequence and frequency
AWS Inspector Host Vulnerability Integration	Retrieves all host vulnerability findings from AWS Inspector for EC2 Instances and Lambda Functions. Uses API: POST /findings/list. Supports delta synchronization using 'updatedAt' filter Uses 'nextToken' and 'maxResults' for pagination. Creates vulnerable items (VIT)s, discovered items, and Detections.	First, Daily.
AWS Inspector Container Vulnerability Integration	Retrieves all container vulnerability findings from AWS Inspector for ECR Container Images. Uses API: POST /findings/list. Supports delta synchronization using 'updatedAt' filter Uses 'nextToken' and 'maxResults' for pagination. Creates container vulnerable items (CVIT)s, discovered container images, and Findings.	Second, Daily.

AWS Security Hub Integrations

Table 2. Supported integration details
Integration	Description	Run sequence and frequency
AWS Security Hub Host Vulnerability Integration	Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub. Uses API: POST /findingsv2. Supports delta synchronization using 'finding_info.modified_time_dt'. Uses 'maxResults' and 'nextToken' for pagination. Creates vulnerable items (VIT)s, discovered items, and detections.	First, Daily.
AWS Security Hub Container Vulnerability Integration	Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub. Uses API: POST /findingsv2. Supports delta synchronization using 'finding_info.modified_time_dt' Creates container vulnerable items (CVIT)s, discovered container images, and Findings.	Second, Daily.
AWS Security Hub Test Results Integration	Retrieves misconfigurations of various assets types from AWS Security Hub. Uses API: POST /findingsv2. Supports delta synchronization using 'finding_info.modified_time_dt' Creates tests and test results in Configuration Compliance.	Third, Daily

AWS Inspector REST messages


Name	Endpoint	HTTP method	Description
List Findings	`https://inspector2.${region}.amazonaws.com/findings/list`	POST	Retrieves findings from AWS Inspector. Uses `nextToken` and `maxResults` for pagination.
STS AssumeRole	`https://sts.${region}.amazonaws.com/`	POST	Retrieves temporary security credentials via AWS STS AssumeRole.

AWS Security Hub REST messages


Name	Endpoint	HTTP method	Description
Get Findings	`https://securityhub.${region}.amazonaws.com/findingsv2`	POST	Retrieves findings from AWS Security Hub. Uses `NextToken` (PascalCase) for pagination.
STS AssumeRole	`https://sts.${region}.amazonaws.com/`	POST	Shared with Inspector. Retrieves temporary security credentials.

Note:

The nextToken field uses PascalCase (NextToken) in Security Hub responses, unlike Inspector which uses camelCase (nextToken). The integration handles this difference automatically.