Baseline Permissions - AWS Service Catalog

Baseline Permissions

This section provides instructions on how to set up baseline AWS users and permissions for the AWS Service Management Connector for ServiceNow.

Available template for baseline permissions

To use an AWS CloudFormation template to set up the AWS configurations of the Connector for ServiceNow, see the AWS configurations for Connector for ServiceNow v3.0.5 - AWS Commercial Regions and AWS GovCloud Regions.

Note

If you use the Connector for ServiceNow v3.0.5_AWS Configuration template, skip to Configuring AWS Service Catalog.

For each AWS account, the Connector for ServiceNow requires two IAM users and one IAM role:

  • AWS Sync User: An IAM user used to sync AWS resources to ServiceNow.

  • AWS End User: An IAM user that performs the end user actions exposed through ServiceNow, such as provisioning products and executing requests, including assuming any roles that those actions require.

  • SCConnectLaunch role: An IAM role referenced from AWS Service Catalog launch constraints. AWS Service Catalog assumes this role to provision product resources on behalf of the ServiceNow end user, so the end user does not need direct permissions on the underlying services (segregation of duty). The baseline SCConnectLaunch role contains permissions for Amazon EC2 and Amazon S3. If your products use other AWS services, either add those services to the SCConnectLaunch role or create additional launch roles.

Creating AWS Sync User

The following section describes how to create the AWS Sync user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

To create AWS Service Catalog sync user

  1. Go to Creating an IAM user in your AWS account. Following the instructions there, create a sync user (for example, SMSyncUser). The user needs both programmatic access (an access key) and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

  2. Set permissions for your sync user (SMSyncUser). Choose Attach existing policies directly and select:

    • AWSServiceCatalogAdminReadOnlyAccess (AWS managed policy)

    • AmazonSSMReadOnlyAccess (AWS managed policy)

    • AWSConfigUserAccess (AWS managed policy)

  3. Add a policy allowing budgets:ViewBudget on all resources (*).

  4. Review and choose Create User.

  5. Note the access key ID and secret access key, and download the .csv file that contains them. Treat the file as a secret: the secret access key is shown only at creation time, and the Connector for ServiceNow is configured with these credentials.

Creating AWS Service Catalog End User

The following section describes how to create the AWS Service Catalog end user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

To create AWS Service Catalog end user

  1. Go to Creating an IAM user in your AWS account. Following the instructions there, create an end user (for example, SMEndUser). The user needs both programmatic access (an access key) and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

    For products that use AWS CloudFormation StackSets, you also need a StackSet inline policy on this user. With StackSets, you can create products that are deployed across multiple accounts and regions.

    Using an administrator account, you define and manage an AWS Service Catalog product and use it as the basis for provisioning stacks into selected target accounts across specified regions. The administrator and target accounts need the StackSet roles described below.

    To set up those roles, go to Granting Permissions for Stack Set Operations. Following the instructions there, create an AWSCloudFormationStackSetAdministrationRole and an AWSCloudFormationStackSetExecutionRole.

    Then create the following StackSet inline policy on the end user to enable provisioning a product across multiple regions within one account. It lets the user assume the execution role and pass the administration role, and it names both roles explicitly rather than granting sts:AssumeRole or iam:PassRole on all resources.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetExecutionRole"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole"
          ],
          "Resource": "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetAdministrationRole"
        }
      ]
    }
    Note

    Replace 123456789123 with your 12-digit AWS account ID. The Connector for ServiceNow AWS Configuration - Commercial Regions and Connector for ServiceNow AWS Configuration - GovCloud Regions templates include these stack set permissions.

  2. Add the following permissions (policies) to the user:

    • AWSServiceCatalogEndUserFullAccess (AWS managed policy)

    • StackSet (inline policy from step 1) - needed only for AWS Service Catalog products that use stack sets.

    • Read-only access to the services your products provision. For example, to provision an Amazon S3 bucket, attach AmazonS3ReadOnlyAccess to SMEndUser. The baseline read-only policies are:

    • AmazonEC2ReadOnlyAccess (AWS managed policy)

    • AmazonS3ReadOnlyAccess (AWS managed policy)

Creating SCConnectLaunch Role

The following section describes how to create the SCConnectLaunch role. This role places baseline AWS service permissions into the AWS Service Catalog launch constraints. For more information, see AWS Service Catalog Launch Constraints.

To create SCConnectLaunch role

  1. Create the AWSCloudFormationFullAccess policy. Choose Create policy and paste the following into the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:List*",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStacks",
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:GetTemplateSummary",
            "cloudformation:SetStackPolicy",
            "cloudformation:ValidateTemplate",
            "cloudformation:UpdateStack",
            "cloudformation:CreateChangeSet",
            "cloudformation:DescribeChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:DeleteChangeSet",
            "s3:GetObject"
          ],
          "Resource": "*"
        }
      ]
    }
    Note

    In addition to the stack permissions, this AWSCloudFormationFullAccess policy includes the change set permissions (CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, and DeleteChangeSet).

  2. Create a policy called ServiceCatalogSSMActionsBaseline. Follow the instructions in Creating IAM Policies and paste the following into the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1536341175150",
          "Action": [
            "servicecatalog:ListServiceActionsForProvisioningArtifact",
            "servicecatalog:ExecuteProvisionedProductServiceAction",
            "ssm:DescribeDocument",
            "ssm:GetAutomationExecution",
            "ssm:StartAutomationExecution",
            "ssm:StopAutomationExecution",
            "cloudformation:ListStackResources",
            "ec2:DescribeInstanceStatus",
            "ec2:StartInstances",
            "ec2:StopInstances"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  3. Create the SCConnectLaunch role. Assign the trust relationship to AWS Service Catalog:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "servicecatalog.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  4. Attach the following baseline IAM policies to the SCConnectLaunch role. Because AWS Service Catalog assumes this role to create product resources on behalf of end users, the role's permissions define what any product using the launch constraint can do; extend them only for the services your products actually use.

    • AmazonEC2FullAccess (AWS managed policy)

    • AmazonS3FullAccess (AWS managed policy)

    • AWSCloudFormationFullAccess (custom managed policy)

    • ServiceCatalogSSMActionsBaseline (custom managed policy)
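The three procedures above (sync user, end user, and SCConnectLaunch role) come down to a handful of policy documents plus the account ID that the StackSet inline policy has to be rewritten with. The following Python script is an added example, not code from AWS or from the Connector for ServiceNow: it builds those custom documents offline from the text on this page, parameterises the account ID, and runs a short review pass that rejects a malformed account ID, flags a full action wildcard, and flags iam:PassRole or sts:AssumeRole granted on every resource (which the page's StackSet policy deliberately avoids by naming both roles). The function names and the document keys are this example's own assumptions; the AWS managed policies (AmazonEC2FullAccess and the others) are attached by name in the console or CLI and are not reproduced here, and nothing in the script calls AWS.

```python
"""Offline builder and sanity checker for the baseline IAM documents on this page.

Added example (not AWS code). Function names, the document keys and the
audit rules are this example's own assumptions; nothing here calls AWS.
"""
from __future__ import annotations

import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Actions from the page's custom AWSCloudFormationFullAccess policy (the page
# lists DescribeStackEvents and DescribeStacks twice; here each appears once).
CFN_ACTIONS = [
    "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
    "cloudformation:GetTemplate", "cloudformation:List*",
    "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy",
    "cloudformation:ValidateTemplate", "cloudformation:UpdateStack",
    "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet",
    "s3:GetObject",
]

# Actions from the page's ServiceCatalogSSMActionsBaseline policy.
SSM_BASELINE_ACTIONS = [
    "servicecatalog:ListServiceActionsForProvisioningArtifact",
    "servicecatalog:ExecuteProvisionedProductServiceAction",
    "ssm:DescribeDocument", "ssm:GetAutomationExecution",
    "ssm:StartAutomationExecution", "ssm:StopAutomationExecution",
    "cloudformation:ListStackResources", "ec2:DescribeInstanceStatus",
    "ec2:StartInstances", "ec2:StopInstances",
]


def stackset_inline_policy(account_id: str) -> dict:
    """SMEndUser inline policy: assume the StackSet execution role and pass the
    StackSet administration role, both named explicitly for one account."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"AWS account ID must be 12 digits, got {account_id!r}")
    role = f"arn:aws:iam::{account_id}:role/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"],
             "Resource": [role + "AWSCloudFormationStackSetExecutionRole"]},
            {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
             "Resource": role + "AWSCloudFormationStackSetAdministrationRole"},
        ],
    }


def allow_all_resources(actions: list[str], sid: str | None = None) -> dict:
    """Single-statement policy allowing ACTIONS on Resource "*" (as the page does
    for the two custom launch-role policies)."""
    statement = {"Effect": "Allow", "Action": list(actions), "Resource": "*"}
    if sid:
        statement["Sid"] = sid
    return {"Version": "2012-10-17", "Statement": [statement]}


def launch_role_trust_policy() -> dict:
    """Trust policy letting AWS Service Catalog assume SCConnectLaunch."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "servicecatalog.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def _as_list(value) -> list:
    # IAM accepts a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit(doc: dict) -> list[str]:
    """Findings for patterns a reviewer would reject in these documents: a full
    action wildcard, or role-delegation actions allowed on every resource."""
    findings = []
    delegating = {"iam:passrole", "sts:assumerole", "iam:*"}
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if "*" in actions:
            findings.append("Action '*' allows every API call")
        if delegating & set(actions) and "*" in resources:
            findings.append("iam:PassRole/sts:AssumeRole on Resource '*' lets the "
                            "principal use any role in the account")
    return findings


def baseline_documents(account_id: str) -> dict[str, dict]:
    """All custom documents from the page, keyed by the name the page uses."""
    return {
        "StackSet": stackset_inline_policy(account_id),
        "AWSCloudFormationFullAccess": allow_all_resources(CFN_ACTIONS),
        "ServiceCatalogSSMActionsBaseline":
            allow_all_resources(SSM_BASELINE_ACTIONS, sid="Stmt1536341175150"),
        "SCConnectLaunch-trust": launch_role_trust_policy(),
    }


if __name__ == "__main__":
    # "123456789123" is the placeholder account ID used on this page.
    for name, doc in baseline_documents("123456789123").items():
        print(name, audit(doc) or "ok")
        print(json.dumps(doc, indent=2))
```

Write each document out with json.dumps(doc, indent=2) and pass the file to aws iam create-policy --policy-document file://... (the two custom managed policies), aws iam put-user-policy (the StackSet inline policy on SMEndUser) or aws iam create-role --assume-role-policy-document file://... (the trust policy). The audit is a sanity check on these specific documents only; run IAM Access Analyzer policy validation as well before attaching them.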