Policy list for scanning cloud accounts

  • Release version: Zurich
  • Updated July 31, 2025
    A list of default policies provided for scanning the cloud accounts.

    Default policies for scan accounts

    Check AWS Discovery Schedule
        Verifies whether an AWS account has a discovery schedule attached. Running discovery regularly helps facilitate the identification and management of potential security risks.

    Check AWS Account Alias
        Verifies that an AWS account has a unique alias to improve account management, reduce errors, and promote clarity and traceability within your AWS infrastructure.
        Note: Make sure you have API permission for iam:ListAccountAliases.

    Check AWS Account Owner Tag
        Verifies whether an AWS account has a designated owner to enhance accountability, streamline incident response, and facilitate communication within your AWS environment.

    Check AWS Custom Password Policy
        Verifies whether a custom password policy is set for every AWS account. A robust password requirement for all IAM users significantly increases the difficulty for attackers to crack passwords through brute-force attacks or credential theft attempts, ultimately enhancing the overall security of your AWS infrastructure.
        Note: Make sure you have API permission for iam:GetAccountPasswordPolicy.

    Check AWS Failed Certification
        Verifies the AWS account certification status. Failed certifications indicate potential security vulnerabilities because compromised credentials might not be deactivated promptly, which provides a window of opportunity for attackers to exploit these weaknesses.

    Check AWS Pending Certification
        Verifies whether an AWS account certification is in a pending state, to enable the prompt resolution of pending certifications and avoid potential security vulnerabilities.

    Check AWS Strong Password Policy
        Verifies whether an AWS account adheres to a strong password policy to promote security. This policy mandates robust password complexity requirements, significantly bolstering your AWS environment's defense against unauthorized access.
        Note: Make sure you have API permission for iam:GetAccountPasswordPolicy.

    Check Azure Discovery Schedule
        Verifies whether an Azure account has a discovery schedule attached. This policy helps maintain a secure and up-to-date resource landscape to facilitate the identification and management of potential security risks.

    Check Azure Account Owner Tag
        Verifies whether an Azure account has a designated owner tag to enhance accountability and facilitate communication within your Azure environment. This policy readily identifies the responsible party for each account, promoting a culture of ownership and streamlined incident response.

    Check Azure Failed Certification
        Verifies the Azure account certification status for failure, promoting strong access control by proactively monitoring for any service account with a failed certification status. Failed certifications indicate potential security vulnerabilities, as compromised credentials might not be deactivated promptly. This policy minimizes the window of opportunity for attackers to exploit these weaknesses.

    Check Azure Pending Certification
        Verifies whether an Azure service account certification is in a pending state. This monitoring enables prompt resolution of pending certifications and avoids potential security vulnerabilities.

    Check GCP Discovery Schedule
        Verifies whether a GCP account has a discovery schedule attached. This policy helps maintain a secure and up-to-date resource landscape to facilitate the identification and management of potential security risks.

    Check GCP Account Owner Tag
        Verifies whether a GCP account has a designated owner tag to enhance accountability and facilitate communication within your GCP environment. This policy readily identifies the responsible party for each account, promoting a culture of ownership and streamlined incident response.

    Check GCP Failed Certification
        Verifies the GCP account certification status for failure, promoting strong access control by proactively monitoring for any service account with a failed certification status. Failed certifications indicate potential security vulnerabilities, as compromised credentials might not be deactivated promptly. This policy minimizes the window of opportunity for attackers to exploit these weaknesses.

    Check GCP Pending Certification
        Verifies whether a GCP account certification is in a pending state. This monitoring enables prompt resolution of pending certifications and avoids potential security vulnerabilities.
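
    The AWS alias and password-policy checks above, as an added example that is not ServiceNow's own policy code: it evaluates the response shapes of iam:ListAccountAliases and iam:GetAccountPasswordPolicy (the two permissions the notes call out), with the strength thresholds being assumptions rather than ServiceNow's published criteria.

```python
# Added example (not ServiceNow code): evaluates the AWS alias and password-policy
# checks from the table over the response shapes of iam:ListAccountAliases
# (resp["AccountAliases"]) and iam:GetAccountPasswordPolicy (resp["PasswordPolicy"]).
from typing import Optional

# Assumed strength thresholds; ServiceNow does not publish its own criteria.
STRONG = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,           # days; policy value must be <= this
    "PasswordReusePrevention": 24,  # policy value must be >= this
}

def check_custom_password_policy(policy: Optional[dict]) -> bool:
    """Check AWS Custom Password Policy: any custom policy exists. boto3 raises
    NoSuchEntityException when the AWS default applies; callers map that to None."""
    return policy is not None

def strong_password_policy_findings(policy: Optional[dict]) -> list:
    """Check AWS Strong Password Policy: list the criteria that fail (empty = strong)."""
    if policy is None:
        return ["no custom password policy (AWS default in effect)"]
    findings = []
    if policy.get("MinimumPasswordLength", 0) < STRONG["MinimumPasswordLength"]:
        findings.append("MinimumPasswordLength")
    for flag in ("RequireSymbols", "RequireNumbers",
                 "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(flag, False):
            findings.append(flag)
    # MaxPasswordAge is omitted from the response when expiry is disabled: that fails.
    if policy.get("MaxPasswordAge", 10**9) > STRONG["MaxPasswordAge"]:
        findings.append("MaxPasswordAge")
    if policy.get("PasswordReusePrevention", 0) < STRONG["PasswordReusePrevention"]:
        findings.append("PasswordReusePrevention")
    return findings

def check_account_alias(aliases: list) -> bool:
    """Check AWS Account Alias: at least one alias is set on the account."""
    return len(aliases) > 0

# Constructed sample inputs (not real account data): a weak policy with no expiry.
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
                 "RequireNumbers": True, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "PasswordReusePrevention": 5}
SAMPLE_ALIASES = ["example-prod"]
if __name__ == "__main__":
    print(strong_password_policy_findings(SAMPLE_POLICY), check_account_alias(SAMPLE_ALIASES))
```

    A "custom" policy that still fails several strength criteria is the case the two separate AWS password checks are designed to tell apart.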

    To return to the procedure, see Set up scan configuration for data visualization.