AWS Integration for Security Exposure Management
AWS Integration for Security Exposure Management connects your AWS environment to your ServiceNow AI Platform®, enabling you to import security findings from AWS Inspector and AWS Security Hub.
Supported integrations
The AWS Integration for Security Exposure Management supports integrations with the following AWS services:
- AWS Inspector: An automated vulnerability management service that continuously scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The Vulnerability Response integration with AWS Inspector uses the data imported from AWS Inspector to help you prioritize and remediate vulnerabilities on your assets.
- AWS Security Hub: A security service that centralizes and updates security checks across AWS accounts. It provides a unified view of security alerts and compliance status by integrating with various AWS services. The Vulnerability Response integration with AWS Security Hub imports host vulnerabilities, container vulnerabilities, and misconfigurations from AWS Security Hub.
Key features
AWS Integration for Security Exposure Management includes the following key features:
- Multi-regional data ingestion from multiple configured AWS regions.
- Delta imports for all integrations, retrieving only updated findings since the last integration run.
- Mapping of AWS Security Hub and Inspector host findings to Vulnerable Items (VITs) and detections, container findings to Container Vulnerable Items (CVITs), and misconfigurations to test results in Configuration Compliance.
- Configuration item (CI) mapping and asset correlation.
- Uniqueness enforcement to help avoid duplicate records.
- Domain separation.
- Split detection support for host findings.
Integration schedules
All integrations run on a daily schedule by default. The following integrations are available:
| Integration | Description |
|---|---|
| AWS Inspector Host Vulnerability Integration | Retrieves host vulnerability findings for EC2 instances and Lambda functions. Creates Vulnerable Items (VITs), discovered items, and detections. |
| AWS Inspector Container Vulnerability Integration | Retrieves container vulnerability findings for ECR container images. Creates Container Vulnerable Items (CVITs), discovered container images, and findings. |
| AWS Security Hub Host Vulnerability Integration | Retrieves host vulnerability findings (EC2 instances, Lambda functions) from AWS Security Hub. Creates Vulnerable Items (VITs), discovered items, and detections. |
| AWS Container Vulnerability Integration | Retrieves container vulnerability findings (ECR container images) from AWS Security Hub. Creates Container Vulnerable Items (CVITs), discovered container images, and findings. |
| AWS Test Results Integration | Retrieves misconfigurations of various assets from AWS Security Hub. Creates tests and test results in Configuration Compliance. |
Authentication
The integration authenticates with AWS using IAM credentials and AWS Signature Version 4 (SigV4) request signing. When you configure a Role ARN, the integration calls AWS STS AssumeRole to obtain temporary security credentials, which are valid for 3,600 seconds.
| Field | Description |
|---|---|
| Access Key | AWS access key ID for the IAM user. |
| Secret Key | AWS secret access key (stored encrypted). |
| Role ARN | ARN of the IAM role for STS AssumeRole (required for cross-account access). |
| Region | One or more AWS regions from which to retrieve findings. |
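The SigV4 request signing and the 3,600-second AssumeRole credential lifetime described above, shown as an added stdlib-only example (not ServiceNow's integration code). It assumes the Security Hub GetFindings endpoint is `POST /findings` on the regional `securityhub` host; the credentials, timestamp and session token are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac

# Constructed demo values: not real credentials, not a real account.
DEMO_TIME = dt.datetime(2025, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
DEMO_HOST = "securityhub.us-east-1.amazonaws.com"  # assumed regional endpoint


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(access_key, secret_key, region, service, host, path, body,
                  when, session_token=None):
    """Signed headers for a POST with no query string (e.g. GetFindings).
    session_token is the STS token returned with AssumeRole credentials; it is
    sent as x-amz-security-token and covered by the signature."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")  # `when` must be UTC
    date = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))  # lowercase names, sorted, ';'-joined
    canonical = "\n".join(["POST", path, "",  # empty canonical query string
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode("utf-8")).hexdigest()])
    sig = hmac.new(signing_key(secret_key, date, region, service),
                   to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def credentials_expired(expiration, now, margin_seconds=300):
    """AssumeRole credentials last 3,600 s; treat them as stale a margin before
    expiry so a long multi-region delta import does not fail mid-run."""
    return (expiration - now).total_seconds() <= margin_seconds
```

When the Role ARN is set, the temporary access key, secret key and session token from AssumeRole replace the long-lived IAM user keys in these functions; the signing steps are otherwise identical.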