AWS Integration for Security Exposure Management integrations

  • Release version: Zurich
  • Updated April 2, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of AWS Integration for Security Exposure Management integrations

    This AWS Integration for Security Exposure Management enables ServiceNow customers to connect with AWS services such as AWS Inspector and AWS Security Hub to retrieve and manage vulnerability and security exposure data. The integration automates the synchronization of host and container vulnerability findings, test results, and misconfiguration data into ServiceNow applications, supporting vulnerability response and configuration compliance workflows.

    Show full answer Show less

    Required Roles and Dependencies

    • Roles:
      • snvulaws.configureintegration: Allows configuration of AWS authentication credentials.
      • snvulaws.readintegration: Provides read access to AWS integration data and tables.
    • Dependencies:
      • Vulnerability Response: Core application required for vulnerability management.
      • Container Vulnerability Response (optional): Needed for AWS Inspector Container and AWS Security Hub Container integrations.
      • Configuration Compliance (optional): Required for AWS Security Hub Test Results integration.

    AWS Inspector Integrations

    The integration supports retrieval of vulnerability findings from AWS Inspector:

    • Host Vulnerability Integration: Retrieves EC2 and Lambda host vulnerabilities daily, creating vulnerable items, discovered items, and detections.
    • Container Vulnerability Integration: Retrieves container image vulnerabilities from ECR daily, creating container vulnerable items, discovered container images, and findings.

    These integrations use the POST /findings/list API with support for pagination and delta synchronization based on update timestamps.

    AWS Security Hub Integrations

    The integration retrieves vulnerability and misconfiguration findings from AWS Security Hub with daily synchronization:

    • Host Vulnerability Integration: Retrieves EC2 and Lambda host vulnerabilities, creating vulnerable items, discovered items, and detections.
    • Container Vulnerability Integration: Retrieves container vulnerabilities from ECR, creating container vulnerable items, discovered container images, and findings.
    • Test Results Integration: Retrieves misconfiguration test results and creates tests and results within Configuration Compliance.

    These use the POST /findingsv2 API with pagination support and delta synchronization using the modified time field.

    REST Messages and API Details

    • AWS Inspector APIs:
      • POST /findings/list: Retrieves vulnerability findings with pagination.
      • POST /sts/AssumeRole: Obtains temporary credentials via AWS STS AssumeRole.
    • AWS Security Hub APIs:
      • POST /findingsv2: Retrieves findings with pagination; uses PascalCase NextToken for pagination tokens.
      • POST /sts/AssumeRole: Shared with Inspector for temporary credential retrieval.

    Note: The integration automatically handles the difference in pagination token casing (nextToken vs NextToken) between AWS Inspector and Security Hub APIs.

    Integrations, roles, dependencies, and REST messages used for the AWS Integration for Security Exposure Management.

    Required roles

    Users who configure and use the integration must be assigned the appropriate ServiceNow roles.

    sn_vul_aws.configure_integration
    Allows you to configure authentication credentials for the AWS plugin.
    sn_vul_aws.read_integration
    Provides read access to AWS integrations and AWS tables.

    Dependencies

    AWS Integration for Security Exposure Management requires the following ServiceNow® applications:

    • Vulnerability Response (required) — Core application for vulnerability management.
    • Container Vulnerability Response (optional) — Required for the AWS Inspector Container and AWS Security Hub Container integrations.
    • Configuration Compliance (optional) — Required for the AWS Security Hub Test Results integration.

    AWS Inspector Integrations

    Table 1. AWS Inspector integration details
    Integration Description Run sequence and frequency
    AWS Inspector Host Vulnerability Integration
    • Retrieves all host vulnerability findings from AWS Inspector for EC2 Instances and Lambda Functions.
    • Uses API: POST /findings/list.
    • Supports delta synchronization using 'updatedAt' filter
    • Uses 'nextToken' and 'maxResults' for pagination.
    • Creates vulnerable items (VIT)s, discovered items, and Detections.
    		 First, Daily.
    AWS Inspector Container Vulnerability Integration
    • Retrieves all container vulnerability findings from AWS Inspector for ECR Container Images.
    • Uses API: POST /findings/list.
    • Supports delta synchronization using 'updatedAt' filter
    • Uses 'nextToken' and 'maxResults' for pagination.
    • Creates container vulnerable items (CVIT)s, discovered container images, and Findings.
    		 Second, Daily.

    AWS Security Hub Integrations

    Table 2. Supported integration details
    Integration Description Run sequence and frequency
    AWS Security Hub Host Vulnerability Integration
    • Retrieves host vulnerability findings (EC2 Instances, Lambda Functions) from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'.
    • Uses 'maxResults' and 'nextToken' for pagination.
    • Creates vulnerable items (VIT)s, discovered items, and detections.
    		 First, Daily.
    AWS Security Hub Container Vulnerability Integration
    • Retrieves container vulnerability findings (ECR Container Images) from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'
    • Creates container vulnerable items (CVIT)s, discovered container images, and Findings.
    		 Second, Daily.
    AWS Security Hub Test Results Integration
    • Retrieves misconfigurations of various assets types from AWS Security Hub.
    • Uses API: POST /findingsv2.
    • Supports delta synchronization using 'finding_info.modified_time_dt'
    • Creates tests and test results in Configuration Compliance.
    		 Third, Daily

    AWS Inspector REST messages

    Name Endpoint HTTP method Description
    List Findings https://inspector2.${region}.amazonaws.com/findings/list POST Retrieves findings from AWS Inspector. Uses nextToken and maxResults for pagination.
    STS AssumeRole https://sts.${region}.amazonaws.com/ POST Retrieves temporary security credentials via AWS STS AssumeRole.

    AWS Security Hub REST messages

    Name Endpoint HTTP method Description
    Get Findings https://securityhub.${region}.amazonaws.com/findingsv2 POST Retrieves findings from AWS Security Hub. Uses NextToken (PascalCase) for pagination.
    STS AssumeRole https://sts.${region}.amazonaws.com/ POST Shared with Inspector. Retrieves temporary security credentials.
    Note:

    The nextToken field uses PascalCase (NextToken) in Security Hub responses, unlike Inspector which uses camelCase (nextToken). The integration handles this difference automatically.