Configuring core ServiceNow components - AWS Service Management Connector

Configuring core ServiceNow components

This section describes how to configure core components in ServiceNow.

Clearing the ServiceNow platform cache

Before installing the AWS Service Management scoped app, we recommend you clear the ServiceNow platform cache. To do so, enter this URL: https://[InsertServiceNowInstanceNameHere]/cache.do.

Note

Ensure that you install the update set in a non-production or sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

Clearing the web browser cache

Clear the web browser cache to remove previously rendered product forms.

Activating ServiceNow plugins

AWS Service Management Connector uses three ServiceNow plugins to provide useful components to the integration features:

  • User Criteria Scoped API

  • Discovery and Service Mapping Patterns (for AWS Config integration)

  • Change Management – Change Model Foundation Data (for AWS Systems Manager Change Manager integration)

To activate the User Criteria Scoped API plugin

  1. In your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for User Criteria.

  3. Choose User Criteria Scoped API and then choose Activate.

To activate the Discovery and Service Mapping Patterns plugin

  1. In your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for Discovery.

  3. Choose Discovery and Service Mapping Patterns and then choose Activate.

Note

This plugin is free and aligns to the CMDB tables outside of ServiceNow’s family release CMDB updates.

To activate the Change Management – Change Model Foundation Data plugin

  1. In your ServiceNow dashboard, enter plugins in the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for Change Management.

  3. Choose Change Management - Change Model Foundation Data and then choose Activate.

Installing ServiceNow Connector scoped application

The AWS Service Management Connector for ServiceNow is a conventional ServiceNow scoped application developed and released through a ServiceNow Update Set. Update sets are code changes to the out-of-the-box platform and enables developers to move code across ServiceNow instances.

The certified version of the AWS Service Management Connector is available to install for no additional cost from the ServiceNow store.

Alternatively, we provide the update set for users who want to install the Connector application on a ServiceNow Personal Developer Instance (PDI) or sandbox environments. You can apply this update set to a San Diego, Rome, or Quebec (patch 5 and forward) platform release of ServiceNow.

Note

For the ServiceNow Quebec release, we only support Quebec Patch 5 going forward due to a deprecated ServiceNow REST API call, getDeprecatedValue(), that inhibited end users’ ability to request AWS Service Catalog products and AWS Systems Manager automation documents in the Connector.

ServiceNow resolved the issue in Quebec Patch 5. As a result we support only Patch 5 and going forward.

If you do not already have a ServiceNow instance, start with the first step below. If you already have a ServiceNow instance, you can either install the Connector from the ServiceNow store or from the update set Connector for ServiceNow version 4.5.0 .

Follow these instructions to install the Connector through the update set.

To obtain a ServiceNow instance

  1. Open Obtaining a Personal Developer Instance.

  2. Create ServiceNow developer program credentials.

  3. Follow the instructions for requesting a ServiceNow instance.

  4. Capture your instance details, including URL, administrative ID, and temporary password credentials.

To install the update set

  1. In your ServiceNow dashboard, enter update sets into the navigation panel in the upper left.

  2. Choose Retrieved Update Sets from the results.

  3. Choose Import Update Set from XML and upload the release XML file.

  4. Choose the AWS Service Management Connector for ServiceNow update set.

  5. Choose Preview Update Set, which makes ServiceNow validate the Connector update set.

  6. Choose Update.

  7. Choose Commit Update Set to apply the update set and create the application. This procedure should complete 100%.

Configuring Connector using Guided Setup

The Connector for ServiceNow 4.5.0 includes a Guided Setup mechanism to enable customers to configure and mark complete ServiceNow installation components for the AWS Service Management Connector.

Guided Setup enables the customers to plan the roll-out of the Connector and perform the basic configurations of the Connector to launch it across ServiceNow staged environments.

The Connector Guided Setup:

  • Provides a direct set of links to the pages in the ServiceNow instance where you can perform the configuration.

  • Tracks completed tasks so you can stop and start again where you left off.

  • Enables less maneuvering between AWS documentation and the ServiceNow instance.

  • Coordinates the deployment and configurationof the Connector for individuals and teams.

Note

Only ServiceNow admin users can access the Guided Setup to configure the Connectors.

To configure Connector using Guided Setup

  1. Log in to your ServiceNow instance as an admin user.

  2. Enter AWS Service Management Connector in the left filter navigator.

  3. Choose Guided Setup.

  4. Review details on the Guided Setup homepage and choose Get Started.

  5. Review details on each section.

  6. To perform a task, select the task and choose Configure.

  7. After completion of the task, choose Mark as Complete.

    To skip sections or tasks that do not apply to you, choose Skip.

Platform system administrator components

To enable the AWS Service Management Connector scoped application named AWS Service Management, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

Create a discovery source AWS Service Management Connector entry

You must create a new discovery data source, AWS Service Management Connector.

To enable AWS to report discovered CIs into your CMDB

  1. Choose System Definition. Then select Choice Lists.

  2. Choose New.

  3. Create a new entry with these details:

    • Table: Configuration Item [cmdb_ci]

    • Element: discovery_source

    • Label: AWS Service Management Connector

    • Value: AWS Service Management Connector

Note

Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

Enabling permissions on ServiceNow Platform

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table.

To view AWS Service Catalog products (Catalog Item Category)

  1. Enter Tables in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with label Catalog Item Category (or with the name sc_cat_item_category). The list of tables displays.

    Choose Category to view the form defining the table.

  3. Choose the Application Access tab on the form and choose the Can Create, Can Update, and Can Delete checkboxes on the form. Then choose Update.

ServiceNow permissions for administrators of the Connector scoped app

The AWS Service Management scoped app has two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more user's privileges to administer the application, without having to open full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

To set up Connector application administrator privileges

  1. Enter Users in the navigator and select System Security – Users.

  2. Choose a user to grant one or both previous roles (such as admin). You can also create a user. To specify your release version (Rome, Quebec, Paris, Orlando), choose it from the Release version dropdown in the left navigation bar.

  3. Choose Edit on the Roles tab of the form.

  4. Filter the collection of roles by the prefix x_126749_aws_sc.

  5. Choose one or more of the following and add them to the user: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager, x_126749_ aws_sc.appregistry_manager, x_126749_ aws_sc.automation_manager, x_126749_aws_sc.finding_manager, x_126749_aws_sc.opscenter_manager, x_126749_aws_sc.support_case_manager , x_126749_aws_sc.change_manager_manager, x_126749_aws_sc.productsearchaccess, x_126749_aws_sc.cloudtrail_event_user, and x_126749_aws_sc.health_dashboard_viewer.

  6. Choose Save.

To add AWS Service Catalog to ServiceNow Service Catalog categories

  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Choose the AWS Service Catalog Product entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

To add AWS Systems Manager automation documents (runbook) to ServiceNow Service Catalog categories

  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Systems Manager entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

Note

This Connector release displays all AWS Systems Manager documents in the AWS account that has AWS Systems Manager selected.

System administrators can deactivate AWS Systems Manager document requests. To deactivate requests, choose AWS Systems Manager, Automation Documents, and deselect Active. After deactivation of the document, you no longer see the document in the ServiceNow Service Catalog.

The Connector creates closed change requests on post provision actions (such as update, terminate and self-service) for AWS Service Catalog products visible in ServiceNow.

To achieve a closed change request from post provisioned actions, add a change request type and configure the sys_id for the group assigned to the closed change records in the Connector AWS Service Catalog system properties.

To add a change request type for closed change request from post provisioned actions

  1. If you upgrade from a previous version of the AWS Service Management scoped app, you must remove the AWS Product Termination change request type before you create a new change request type.

  2. You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For more information, see Add a new change request type.

  3. Open an existing change request.

  4. Open (right-click) the context menu for Type and then choose Show Choice List.

  5. Choose New and complete these fields:

    • Table: Change Request

    • Label: AWS Provisioned Product Event

    • Value: AWSProvisionedProductEvent

    • Sequence: pick the next unused value

  6. Submit the form.

To add a change request type for executing AWS Systems Manager Change Manager change templates

You must add a new change request type called AWSChangeRequest for the scoped application to view and execute AWS Change Manager change templates in ServiceNow Change Management. For more information, see Add a new change request type.

  1. Open an existing change request.

  2. Open (right-click) the context menu for Type and then choose Show Choice List.

  3. Choose New and complete these fields:

    • Table: Change Request

    • Label: AWS Change Request

    • Value: AWSChangeRequest

    • Sequence: pick the next unused value

  4. Submit the form.

To enable AWS Systems Manager Change Manager integration Change models

AWS Systems Manager Change Manager integration in ServiceNow requires Change Model feature in ServiceNow.

  1. In the navigator, enter sys_properties.list.

  2. Enter *change_model in the Search panel to view and edit the properties.

  3. Review the available settings and recommendations in the table below.

Note

For more information on Change model system properties, see Change models properties.

Available settings Desired value
com.snc.change_management.change_model.hide

false

com.snc.change_management.change_model.type_compatibility

true

ServiceNow Permissions Recap
ServiceNow Persona Scoped App Permissions ServiceNow Permission Type Description
Admin x_126749_aws_sc_portfolio_manager Role (scoped app) Manage AWS Service Catalog portfolios and product access
x_126749_aws_sc_account_admin Role (scoped app) Onboard and manage AWS accounts
x_126749_ aws_sc.appregistry_manager Role (scoped app) View AppRegistry applications and attribute groups
x_126749_aws_sc.automation_manager Role (scoped app) Manage Automation Documents and view Automation executions
x_126749_aws_sc.finding_manager Role (scoped app) View AWS Security Hub findings
x_126749_aws_sc.opscenter_manager Role (scoped app) Default access control for OpsItem integration.
x_126749_aws_sc.change_manager_manager Role (scoped app) Manage AWS Systems Manager Change Manager change templates
x_126749_aws_sc.support_case_manager Role (scoped app) Manage AWS Support services and categories
x_126749_aws_sc.productsearchaccess Role (scoped app) End user role for searching AWS Service Catalog products using the search widget
x_126749_aws_sc.cloudtrail_event_user Role (scoped app) Default ACL for CloudTrail events on AWS Systems Manager Change Manager
x_126749_aws_sc.health_dashboard_viewer Role (scoped app) View AWS Health dashboard
End User (i.e., Abel Tuter) Order_AWS_Products Group

Configuring AWS Service Management Connector scoped application

After installing and configuring the AWS Service Management Connector , you must configure the scoped application and applicable roles.

To configure the AWS Service Management Connector scoped application permissions

  1. In your ServiceNow instance, create a user group called Order_AWS_Products.

    Members of this group can order AWS Service Catalog products. For instructions, see Create a user group.

  2. Grant ServiceNow permissions to these users:

    • System Administrator (admin): For simplicity in this example, user admin is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager, x_126749_ aws_sc.appregistry_manager, x_126749_ aws_sc.automation_manager, x_126749_aws_sc.finding_manager, x_126749_aws_sc.opscenter_manager, x_126749_aws_sc.support_case_manager and x_126749_aws_sc.change_manager_manager, x_126749_aws_sc.productsearchaccess, x_126749_aws_sc.cloudtrail_event_user, and x_126749_aws_sc.health_dashboard_viewer.

      Add System Administrator to the new ServiceNow group Order_AWS_Products. In a real scenario, these roles would likely be granted to different users or groups.

    • Abel Tuter: The user abel.tuter is an illustrative end user. Grant Abel the new role Order_AWS_Products. This permission allows Abel to order products from AWS.

Configuring AWS accounts to synchronize in the Connector

  1. Log in as the system administrator.

  2. Enter AWS in the navigator. Choose the AWS Service Management scoped app.

  3. In the AWS Service Management scoped app Accounts menu, create one entry for every AWS account. You need to use the keys and secret keys from the users you created in AWS.

To create an account entry

  1. Enter the name as an account entry identifier, such as Connector_Demo (for Commercial Region), or Connector_Demo_GovCloud (for GovCloud Region).

  2. Enter the AWS access key and secret access key from the AWS account sync user IAM configurations.

  3. Enter the AWS access key and secret access key from the AWS account end user IAM configurations.

  4. Choose the AWS service integrations that you want visible for this AWS account. The choices include:

    • Integrate with AWS Service Catalog (including AppRegistry)

    • Integrate with AWS Config

      Choose AWS Config if you plan to integrate AWS Config cloud resources per each AWS account or through the latest AWS Config Aggregator integration feature. The Connector for ServiceNow includes an AWS Config aggregator feature that enables ServiceNow administrators to align aggregated AWS Config details into one AWS account.

      If you plan to view AppRegistry related resources details, choose AWS Config with AWS Service Catalog.

    • Integrate with AWS Systems Manager Automation.

      Choose AWS Systems Manager Automation if you want to execute automation documents (runbook) to remediate incidents from OpsItems.

    • Integrate with AWS Systems Manager OpsCenter.

    • Integrate with AWS Security Hub.

    • Integrate with AWS Support.

    • Integrate with AWS Systems Manager Change Manager.

    • Integrate with AWS Health.

    • Integrate with AWS Systems Manager Incident Manager.

  5. Choose Account Regions. Select the Commercial or GovCloud Region. To see the AWS account Regions, double-click Insert a new row….

    Note

    AWS Support API uses a specific GovCloud endpoint for GovCloud accounts to enable AWS Support integration for GovCloud accounts. As a result, choose a GovCloud Region in Account Regions as you onboard the account in ServiceNow.

  6. Repeat the step above to insert additional Regions.

  7. Save or update the account entries.

  8. Validate AWS account connectivity by following the steps in Validating connectivity to AWS Regions. Note that in this Connector for ServiceNow 4.5.0, Validate Accounts only appears once after you submit or update the account entry.

    Note

    AWS Service Management Connector allows synchronization of updated keys by any automation or integration, through a REST endpoint. For more information, see Syncing updated keys programatically in ServiceNow.

Validating connectivity to AWS Regions

You can now validate connectivity to AWS accounts between the ServiceNow Connector_Demo account and the AWS IAM SMSyncUser and SMEndUser.

To validate connectivity to AWS account

  1. In the AWS Service Management scoped app, choose Setup, then AWS Accounts.

  2. Choose Connector_Demo and select Validate Account.

    A successful connection results in the message, Successfully validating AWS account in each referenced Region.

If the AWS IAM access key or secret access key are incorrect, you receive an error message.

Manually syncing scheduled jobs

The Connector for ServiceNow includes nine sync jobs related to AWS services integrations. During the initial setup, manually execute the sync job for your AWS service integration instead of waiting for Scheduled Jobs to run.

To sync AWS service integrations or accounts manually

  1. Log in as system administrator.

  2. Find Scheduled Jobs in the navigator panel.

  3. Search the following AWS Service Management Connector scheduled jobs (including default sync intervals) in the table below:

    AWS Service Management Scheduled Job Name Brief description Default Sync Interval
    Sync all Automation Execution Syncs execution of AWS Systems Manager Automation runbooks (documents) 5 minutes
    Sync all provisioned AWS Service Catalog products Syncs latest status of provisioned AWS Service Catalog products 5 minutes
    Sync all ServiceNow resources to AWS Config Syncs ServiceNow resources mapped to AWS Config custom resources 6 Hours
    Synchronize changes to all AWS Accounts Syncs changes to AWS services opted into each AWS account associated to the Connector 1 Day
    Synchronize AWS Config Syncs resource details or relationships from AWS Config into the ServiceNow CMDB 31 minutes
    Synchronize AWS Security Hub Syncs bi-directionally security findings from AWS Security Hub to ServiceNow incidents or problems 31 minutes
    Synchronize AWS Service Catalog Syncs AWS Service Catalog products into ServiceNow Service Catalog request items 31 minutes
    Synchronize AWS Systems Manager Automation Syncs AWS Systems Manager Automation runbooks (documents) into ServiceNow Service Catalog request items 31 minutes
    Synchronize AWS Systems Manager OpsCenter Syncs bi-directionally OpsItems from AWS Systems Manager OpsCenter to ServiceNow incidents 31 minutes
    Synchronize AWS Support Cases through SQS Syncs AWS Support Cases created or updated from AWS into ServiceNow 1 min
    Synchronize status of synced Support Cases Syncs status of Closed Incidents from AWS to ServiceNow 6 hours
    Synchronize AWS Systems Manager Change Manager Syncs pre-approved Change templates and Change Requests from AWS to ServiceNow 31 min
    Synchronize AWS Systems Manager Incident Manager Syncs Incident Manager incidents from AWS to ServiceNow 1 min
    Synchronize AWS Health Syncs Health events and resource information from AWS to ServiceNow 5 min
  4. Choose the desired sync job, and choose Execute Now.

    Note

    If you do not see Execute Now in the upper left corner, choose Configure Job Definition. Execute Now is visible. ServiceNow Administrator can adjust the Scheduled Job repeat interval as required.

Data is visible in the AWS Service Management scoped app menus after the Connector’s scheduled synchronization job has run.