AWS resources used by the Service Graph Connector for AWS

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of AWS resources used by the Service Graph Connector for AWS

    The Service Graph Connector for AWS integrates with various AWS services to collect and update configuration and inventory data for your AWS resources in the ServiceNow CMDB. Understanding the key AWS resources involved helps ensure proper setup and optimal connector performance.

    Show full answer Show less

    Key AWS Resources

    • AWS Config Service and Configuration Recorder:

      These are essential for the connector setup. AWS Config monitors and records resource configuration changes, while the configuration recorder captures these changes as configuration items (CIs). The connector includes a script (EnableAWSConfig.yml) to enable this service. Ensure AWS Config is enabled across all relevant accounts and regions.

    • AWS Config Aggregator (Optional):

      The aggregator consolidates AWS Config data from multiple accounts and regions or entire AWS organizations. It simplifies data retrieval by providing a single data source, improving efficiency and reducing the need to query individual accounts and regions. Despite its advantages, the connector still uses the config:ListDiscoveredResources API to detect deleted resources by looping through each account and region, which may affect performance.

    • AWS Systems Manager and AWS Systems Manager Inventory:

      Required for the deep discovery feature, these services collect detailed server data (e.g., host name, serial number, CPU, TCP, process info) and software inventory from EC2 instances. Proper configuration includes installing the SSM Agent on instances, attaching the AmazonSSMForInstancesRole IAM role, and enabling Systems Manager Inventory in each region. These components enable accurate server classification and detailed software data collection.

    Practical Considerations

    • Enable AWS Config service and configuration recorder for all relevant accounts and regions before deploying the connector.
    • Consider using the AWS Config aggregator to streamline data collection when managing multiple accounts or regions.
    • Ensure AWS Systems Manager prerequisites are met on all EC2 instances to leverage deep discovery capabilities.
    • Be aware that certain API calls required for resource discovery may impact connector performance due to multiple calls across accounts and regions.

    Get familiar with the AWS concepts to learn how the Service Graph Connector for AWS is integrated with Amazon Web Services (AWS).

    AWS Config service and configuration recorder

    Important:
    The AWS Config service and AWS configuration recorder are required for setting up the connector.

    The AWS Config service monitors and records changes to your AWS resource configurations.

    The AWS configuration recorder detects changes in resource configurations and captures these changes as configuration items (CIs). The is required for setting up the connector. The configuration recorder enables recording all hardware data in AWS Config. See What Is AWS Config? on the AWS Documentation site.

    The Service Graph Connector for AWS includes the EnableAWSConfig.yml script to enable the AWS Config service that instead enables the configuration recorder. See Executing scripts required for setting up AWS.

    Note:
    Ensure that the AWS Config service is enabled for all applicable AWS accounts and regions.

    AWS Config aggregator

    Important:
    The AWS Config aggregator is optional for setting up the connector.
    The AWS Config aggregator collects the AWS Config configuration and compliance data from the following sources:
    • Multiple accounts and multiple regions
    • Single account and multiple regions
    • An organization in AWS organizations and all the accounts within the organization that have AWS Config enabled.

    The advantages of using an AWS Config aggregator with the Service Graph Connector for AWS are:

    • Gets all the data from a single location.
    • Gets the bootstrap updates (baseline configurations) and the incremental updates (new configurations added after the last update).
    • Doesn't require looping into each account and region.
    • Accelerates pulling data.

    Due to these advantages, consider leveraging the AWS Config aggregator for pulling data from multiple accounts or multiple regions.

    Note:
    For detecting any deleted resources, the connector uses the config:ListDiscoveredResources API to loop through each AWS account and region and update the CMDB CI accordingly. As a date range for selecting resources can't be specified in the ListDiscoveredResources API, the connector might make multiple API calls to gather all the data that might impact the performance of the connector.

    For more information on setting up an AWS Config aggregator, see Multi-Account Multi-Region Data Aggregation and Setting Up an Aggregator Using the Console on the AWS Documentation site.

    AWS Systems Manager and AWS Systems Manager Inventory

    Important:
    AWS Systems Managerand AWS Systems Manager Inventory are required for setting up the deep discovery feature.

    The AWS Systems Manager enables fetching server data, also called as deep discovery data, from EC2 instances across AWS accounts and regions through SSM documents. The deep discovery data includes host name, serial number, CPU data, TCP data, and process information.

    The AWS Systems Manager Inventory imports the software data installed on the EC2 instances. The Inventory resource group in AWS Systems Manager collects information about the EC2 instances and the software applications installed on them.

    Ensure that the following items are configured in all AWS accounts:
    • The AWS Systems Manager Agent (SSM Agent) is installed on all managed EC2 instances.
    • The AmazonSSMForInstancesRole IAM instance profile role is attached as the instance profile on EC2 instances.
    • The AWS Systems Manager Inventory is configured in each AWS region.
    • The AWS Systems Manager has access to the managed EC2 instances.
      Note:
      By default, AWS Systems Manager doesn’t have permission to perform actions on EC2 instances. You can grant access by attaching the AmazonSSMForInstancesRole IAM instance profile role to the EC2 instance. See Setting up AWS Systems Manager on the AWS Documentation site.

    The advantages of using AWS Systems Manager and AWS Systems Manager Inventory are:

    • The AWS Systems Manager enables getting the detailed server data such as host name, serial number, CPU data, TCP data, and process information.
    • The AWS Systems Manager Inventory enables the server classification and getting the software data.