Configuring core ServiceNow components - AWS Service Management Connector

Configuring core ServiceNow components

This section describes how to configure core components in ServiceNow.

Clearing the ServiceNow platform cache

Before installing the AWS Service Management scoped app, we recommend you clear the ServiceNow platform cache. To do so, enter this URL: https://[InsertServiceNowInstanceNameHere]/cache.do.

Note

Ensure that you install the update set in a non-production or sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

Clearing the web browser cache

Clear the web browser cache to remove previously rendered product forms.

Activating ServiceNow plugins

AWS Service Management Connector uses three ServiceNow plugins to provide useful components to the integration features:

  • User Criteria Scoped API (for AWS Service Catalog integration)

  • Discovery and Service Mapping Patterns (for AWS Config integration)

  • Change Management – Change Model Foundation Data (for AWS Systems Manager Change Manager integration)

To activate the User Criteria Scoped API plugin
  1. In your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for User Criteria.

  3. Choose User Criteria Scoped API and then choose Activate.

To activate the Discovery and Service Mapping Patterns plugin
  1. In your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for Discovery.

  3. Choose Discovery and Service Mapping Patterns and then choose Activate.

Note

This plugin is free and aligns to the CMDB tables outside of ServiceNow’s family release CMDB updates.

To activate the Change Management – Change Model Foundation Data plugin
  1. In your ServiceNow dashboard, enter plugins in the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for Change Management.

  3. Choose Change Management - Change Model Foundation Data and then choose Activate.

Installing ServiceNow Connector scoped application

The AWS Service Management Connector for ServiceNow is a conventional, scoped application that was developed and released through a ServiceNow Update Set. Update sets are code changes to the out-of-the-box platform, and they enable developers to move code across ServiceNow instances.

You can download and install the certified version of the connector for no additional cost from these locations:

  • ServiceNow store

  • ServiceNow Update Set: AWS Service Management Connector offers an Update Set for users who want to install the connector application in a ServiceNow Personal Developer Instance (PDI) or sandbox environment.

If you don't already have a ServiceNow instance, start with the following first step. If you already have a ServiceNow instance, use the previous links to download and install the connector.

Follow these instructions to install the Connector through the update set.

Obtain a ServiceNow instance
  1. Open Obtaining a Personal Developer Instance.

  2. Create ServiceNow developer program credentials.

  3. Follow the instructions for requesting a ServiceNow instance.

  4. Capture your instance details, including URL, administrative ID, and temporary password credentials.

To install the update set
  1. In your ServiceNow dashboard, enter update sets into the navigation panel in the upper left.

  2. Choose Retrieved Update Sets from the results.

  3. Choose Import Update Set from XML and upload the release XML file.

  4. Choose the AWS Service Management Connector for ServiceNow update set.

  5. Choose Preview Update Set, which makes ServiceNow validate the Connector update set.

  6. Choose Update.

  7. Choose Commit Update Set to apply the update set and create the application. The commit should run to 100% completion.

Configuring Connector using Guided Setup

The Connector for ServiceNow includes a Guided Setup mechanism to enable customers to configure and mark complete ServiceNow installation components for the AWS Service Management Connector.

Guided Setup enables customers to plan the roll-out of the Connector and perform its basic configuration to launch it across ServiceNow staged environments.

The Connector Guided Setup:

  • Provides a direct set of links to the pages in the ServiceNow instance where you can perform the configuration.

  • Tracks completed tasks so you can stop and start again where you left off.

  • Enables less maneuvering between AWS documentation and the ServiceNow instance.

  • Coordinates the deployment and configuration of the Connector for individuals and teams.

Note

Only ServiceNow admin users can access the Guided Setup to configure the Connectors.

To configure Connector using Guided Setup
  1. Log in to your ServiceNow instance as an admin user.

  2. Enter AWS Service Management Connector in the left filter navigator.

  3. Choose Guided Setup.

  4. Review details on the Guided Setup homepage and choose Get Started.

  5. Review details on each section.

  6. To perform a task, select the task and choose Configure.

  7. After completion of the task, choose Mark as Complete.

    To skip sections or tasks that do not apply to you, choose Skip.

Platform system administrator components

To enable the AWS Service Management Connector scoped application named AWS Service Management, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

Create a discovery source AWS Service Management Connector entry

You must create a new discovery data source, AWS Service Management Connector.

To enable AWS to report discovered CIs into your CMDB

  1. Choose System Definition. Then select Choice Lists.

  2. Choose New.

  3. Create a new entry with these details:

    • Table: Configuration Item [cmdb_ci]

    • Element: discovery_source

    • Label: AWS Service Management Connector

    • Value: AWS Service Management Connector

Note

Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

Administering AWS Service Management Connector Dashboard

As the system administrator, you can restrict access to the dashboard and its reports for specific users, roles or groups.

To restrict access to the connector dashboard
  1. In the ServiceNow instance, navigate to the AWS Service Management Connector dashboard.

  2. Choose the Share icon and then select Add users, groups, or roles.

  3. Add the users, groups, or roles that require access to the dashboard.

  4. (optional) You can also restrict access to the reports available in the dashboard. For detailed instructions, review Administering reports in the ServiceNow product documentation.

Enabling permissions on ServiceNow Platform

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table.

To view AWS Service Catalog products (Catalog Item Category)
  1. Enter Tables in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with label Catalog Item Category (or with the name sc_cat_item_category). The list of tables displays.

  3. Choose Category to view the form defining the table.

  4. Choose the Application Access tab on the form and select Can Create, Can Update, and Can Delete on the form.

  5. Choose Update.

To enable the connector to control visibility of Service Catalog products on Service Portal through Allowed Groups
Note

This step is only required if the Application Access is not already enabled in your ServiceNow instance. Additionally, Service Management Connector recommends that you enable the User Criteria Scoped API plugin.

  1. Enter Tables in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with label Catalog Item Available for (or with the name sc_cat_item_user_criteria_mtom). The list of tables displays.

  3. Choose Category to view the form defining the table.

  4. Choose the Application Access tab on the form and select Can Create and Can Update on the form.

  5. Choose Update.

ServiceNow permissions for administrators of the Connector scoped app

The AWS Service Management scoped app has two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more users privileges to administer the application, without having to open full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

To set up Connector application administrator privileges
  1. Enter Users in the navigator and select System Security – Users.

  2. Choose a user to grant one or both previous roles (such as admin). You can also create a user.

  3. Choose Edit on the Roles tab of the form.

  4. Filter the collection of roles by the prefix x_126749_aws_sc.

  5. Choose one or more of the following and add them to the user: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager, x_126749_aws_sc.appregistry_manager, x_126749_aws_sc.automation_manager, x_126749_aws_sc.finding_manager, x_126749_aws_sc.opscenter_manager, x_126749_aws_sc.support_case_manager, x_126749_aws_sc.change_manager_manager, x_126749_aws_sc.productsearchaccess, x_126749_aws_sc.cloudtrail_event_user, and x_126749_aws_sc.health_dashboard_viewer.

  6. Choose Save.

To add Service Catalog to ServiceNow Service Catalog categories
  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Choose the AWS Service Catalog Product entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

To add AWS Systems Manager automation documents (runbook) to ServiceNow Service Catalog categories
  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Systems Manager entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

Note

This Connector release displays all AWS Systems Manager documents in the AWS account that has AWS Systems Manager selected.

System administrators can deactivate AWS Systems Manager document requests. To deactivate requests, choose AWS Systems Manager, Automation Documents, and deselect Active. After deactivation of the document, you no longer see the document in the ServiceNow Service Catalog.

The Connector creates closed change requests on post provision actions (such as update, terminate and self-service) for AWS Service Catalog products visible in ServiceNow.

To achieve a closed change request from post provisioned actions, add a change request type and configure the sys_id for the group assigned to the closed change records in the Connector AWS Service Catalog system properties.

To add a change request type for closed change request from post provisioned actions
  1. If you upgrade from a previous version of the AWS Service Management scoped app, you must remove the AWS Product Termination change request type before you create a new change request type.

  2. You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For more information, see Add a new change request type.

  3. Open an existing change request.

  4. Open (right-click) the context menu for Type and then choose Show Choice List.

  5. Choose New and complete these fields:

    • Table: Change Request

    • Label: AWS Provisioned Product Event

    • Value: AWSProvisionedProductEvent

    • Sequence: pick the next unused value

  6. Submit the form.

To add a change request type for executing AWS Systems Manager Change Manager change templates

You must add a new change request type called AWSChangeRequest for the scoped application to view and execute AWS Change Manager change templates in ServiceNow Change Management. For more information, see Add a new change request type.

  1. Open an existing change request.

  2. Open (right-click) the context menu for Type and then choose Show Choice List.

  3. Choose New and complete these fields:

    • Table: Change Request

    • Label: AWS Change Request

    • Value: AWSChangeRequest

    • Sequence: pick the next unused value

  4. Submit the form.

To enable AWS Systems Manager Change Manager integration Change models

AWS Systems Manager Change Manager integration in ServiceNow requires the Change Model feature in ServiceNow.

  1. In the navigator, enter sys_properties.list.

  2. Enter *change_model in the Search panel to view and edit the properties.

  3. Review the available settings and recommendations in the table below.

Note

For more information on Change model system properties, see Change models properties.

Available settings | Desired value
com.snc.change_management.change_model.hide | false
com.snc.change_management.change_model.type_compatibility | true

ServiceNow Permissions Recap
ServiceNow Persona | Scoped App Permissions | ServiceNow Permission Type | Description
Admin | x_126749_aws_sc_portfolio_manager | Role (scoped app) | Manage AWS Service Catalog portfolios and product access
Admin | x_126749_aws_sc_account_admin | Role (scoped app) | Onboard and manage AWS accounts
Admin | x_126749_aws_sc.appregistry_manager | Role (scoped app) | View AppRegistry applications and attribute groups
Admin | x_126749_aws_sc.automation_manager | Role (scoped app) | Manage Automation Documents and view Automation executions
Admin | x_126749_aws_sc.finding_manager | Role (scoped app) | View AWS Security Hub findings
Admin | x_126749_aws_sc.opscenter_manager | Role (scoped app) | Default access control for OpsItem integration.
Admin | x_126749_aws_sc.change_manager_manager | Role (scoped app) | Manage AWS Systems Manager Change Manager change templates
Admin | x_126749_aws_sc.support_case_manager | Role (scoped app) | Manage AWS Support services and categories
Admin | x_126749_aws_sc.productsearchaccess | Role (scoped app) | End user role for searching AWS Service Catalog products using the search widget
Admin | x_126749_aws_sc.cloudtrail_event_user | Role (scoped app) | Default ACL for CloudTrail events on AWS Systems Manager Change Manager
Admin | x_126749_aws_sc.health_dashboard_viewer | Role (scoped app) | View AWS Health dashboard
End User (i.e., Abel Tuter) | Order_AWS_Products | Group |

Configuring AWS Service Management Connector scoped application

After installing and configuring the AWS Service Management Connector, you must configure the scoped application and applicable roles.

To configure the AWS Service Management Connector scoped application permissions
  1. In your ServiceNow instance, create a user group called Order_AWS_Products.

    Members of this group can order Service Catalog products. For instructions, see Create a user group.

  2. Grant ServiceNow permissions to these users:

    • System Administrator (admin): For simplicity in this example, user admin is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager, x_126749_aws_sc.appregistry_manager, x_126749_aws_sc.automation_manager, x_126749_aws_sc.finding_manager, x_126749_aws_sc.opscenter_manager, x_126749_aws_sc.support_case_manager, x_126749_aws_sc.change_manager_manager, x_126749_aws_sc.productsearchaccess, x_126749_aws_sc.cloudtrail_event_user, and x_126749_aws_sc.health_dashboard_viewer.

      Add System Administrator to the new ServiceNow group Order_AWS_Products. In a real scenario, these roles would likely be granted to different users or groups.

    • Abel Tuter: The user abel.tuter is an illustrative end user. Grant Abel the new role Order_AWS_Products. This permission allows Abel to order products from AWS.
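The demo setup above grants every connector role to the admin user, while noting that a real deployment would spread the roles across different users or groups. The following added example (not AWS or Connector code) audits an export of role assignments for that kind of over-granting; the row shape (a sys_user_has_role export with dot-walked user.user_name, user.active and role.name fields), the max_roles threshold and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

CONNECTOR_PREFIX = "x_126749_aws_sc"             # role prefix given on this page
ACCOUNT_ADMIN = "x_126749_aws_sc_account_admin"  # manages account entries (AWS keys)
PLATFORM_ADMIN = "admin"                         # ServiceNow system administrator

# Constructed sample rows; "true"/"false" strings mimic a JSON export.
SAMPLE_ROWS = [
    {"user.user_name": "admin", "user.active": "true", "role.name": "admin"},
    {"user.user_name": "admin", "user.active": "true",
     "role.name": "x_126749_aws_sc_account_admin"},
    {"user.user_name": "admin", "user.active": "true",
     "role.name": "x_126749_aws_sc_portfolio_manager"},
    {"user.user_name": "admin", "user.active": "true",
     "role.name": "x_126749_aws_sc.finding_manager"},
    {"user.user_name": "admin", "user.active": "true",
     "role.name": "x_126749_aws_sc.opscenter_manager"},
    {"user.user_name": "ops.analyst", "user.active": "true",
     "role.name": "x_126749_aws_sc.opscenter_manager"},
    {"user.user_name": "former.contractor", "user.active": "false",
     "role.name": "x_126749_aws_sc_account_admin"},
    {"user.user_name": "abel.tuter", "user.active": "true", "role.name": "itil"},
]


def audit_connector_roles(rows, max_roles=3):
    """Return {user_name: [findings]} for every user holding a connector role.

    max_roles is an assumed review threshold, not a value from the page.
    """
    roles = defaultdict(set)
    active = {}
    for row in rows:
        user = row["user.user_name"]
        roles[user].add(row["role.name"])
        active[user] = str(row.get("user.active", "true")).lower() == "true"

    report = {}
    for user, held in roles.items():
        connector = {r for r in held if r.startswith(CONNECTOR_PREFIX)}
        if not connector:
            continue  # user has no connector role; out of scope
        findings = []
        if PLATFORM_ADMIN in held:
            # The scoped roles exist so that full sysadmin access is not needed.
            findings.append("platform-admin-overlap")
        if len(connector) > max_roles:
            findings.append(f"broad-grant:{len(connector)}")
        if ACCOUNT_ADMIN in connector:
            # This role manages the account entries that store AWS access keys.
            findings.append("manages-aws-credentials")
        if not active[user]:
            findings.append("inactive-user")
        report[user] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_connector_roles(SAMPLE_ROWS).items():
        print(name, findings or ["ok"])
```
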

Configuring AWS accounts to synchronize in the Connector

  1. Log in as the system administrator.

  2. Enter AWS in the navigator. Choose the AWS Service Management scoped app.

  3. In the Accounts menu, create one entry for every AWS account. Use the keys and secret keys from the users you created in AWS.

To create an account entry
  1. Enter the name as an account entry identifier, such as Connector_Demo (for Commercial Region), or Connector_Demo_GovCloud (for GovCloud Region).

  2. Enter the access key and secret access key from the AWS account sync user IAM configurations.

  3. Enter the access key and secret access key from the AWS account end user IAM configurations.

  4. Choose the visible AWS service integrations for this AWS account. The choices include:

    • Integrate with Service Catalog (including AppRegistry)

    • Integrate with AWS Config

      Choose AWS Config if you plan to integrate AWS Config cloud resources per each AWS account or through the latest AWS Config Aggregator integration feature. The Connector for ServiceNow includes an AWS Config aggregator feature that enables ServiceNow administrators to align aggregated AWS Config details into one AWS account.

      If you plan to view AppRegistry related resources details, choose AWS Config with AWS Service Catalog.

    • Integrate with AWS Systems Manager Automation

      Choose AWS Systems Manager Automation if you want to execute automation documents (runbook) to remediate incidents from OpsItems.

    • Integrate with AWS Systems Manager OpsCenter

    • Integrate with AWS Security Hub

    • Integrate with AWS Support

    • Integrate with AWS Systems Manager Change Manager

    • Integrate with AWS Health

    • Integrate with AWS Systems Manager Incident Manager

  5. Choose Account Regions. Select the Commercial or GovCloud Region. To see the AWS account Regions, double-click Insert a new row….

    Note

    AWS Support API uses a specific GovCloud endpoint for GovCloud accounts to enable AWS Support integration for GovCloud accounts. Choose a GovCloud Region in Account Regions when you onboard the account in ServiceNow.

  6. Repeat the step above to insert additional Regions.

  7. Save or update the account entries.

  8. Validate AWS account connectivity by following the steps in Validating connectivity to AWS Regions. Note that in this Connector for ServiceNow, Validate Accounts only appears once after you submit or update the account entry.

    Note

    AWS Service Management Connector allows synchronization of updated keys using any automation or integration through a REST endpoint. For more information, see Syncing updated keys programmatically in ServiceNow.
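Each account entry stores long-lived IAM access keys for the sync user and the end user, so it helps to know when those keys are due for rotation or when a rotation was left half-finished. This added example (not part of the AWS documentation or the Connector) reviews parsed `aws iam list-access-keys` output for the SMSyncUser and SMEndUser users named on this page; the 90-day threshold and the sample key IDs and dates are constructed assumptions.

```python
from datetime import datetime, timezone

CONNECTOR_USERS = ("SMSyncUser", "SMEndUser")  # IAM user names used on this page

# Constructed sample: one parsed `aws iam list-access-keys` result per user.
SAMPLE_KEYS = {
    "SMSyncUser": {"AccessKeyMetadata": [
        {"UserName": "SMSyncUser", "AccessKeyId": "AKIAEXAMPLE0000SYNC1",
         "Status": "Active", "CreateDate": "2024-01-10T00:00:00+00:00"},
    ]},
    "SMEndUser": {"AccessKeyMetadata": [
        {"UserName": "SMEndUser", "AccessKeyId": "AKIAEXAMPLE00000END1",
         "Status": "Active", "CreateDate": "2024-05-01T00:00:00+00:00"},
        {"UserName": "SMEndUser", "AccessKeyId": "AKIAEXAMPLE00000END2",
         "Status": "Active", "CreateDate": "2024-05-20T00:00:00+00:00"},
    ]},
}


def review_connector_keys(list_keys_output, now, max_age_days=90):
    """Return (user, access_key_id or None, finding) tuples.

    list_keys_output maps each IAM user name to its parsed list-access-keys JSON.
    max_age_days is an assumed rotation policy, not a value from the page.
    """
    findings = []
    for user in CONNECTOR_USERS:
        keys = list_keys_output.get(user, {}).get("AccessKeyMetadata", [])
        active = [k for k in keys if k["Status"] == "Active"]
        if not active:
            # Validate Account in ServiceNow would fail for this user.
            findings.append((user, None, "no-active-key"))
        if len(active) > 1:
            # After the new key is stored in ServiceNow, the old one
            # should be deactivated; two active keys means it was not.
            findings.append((user, None, "two-active-keys"))
        for key in active:
            created = datetime.fromisoformat(key["CreateDate"])
            age = (now - created).days
            if age > max_age_days:
                findings.append((user, key["AccessKeyId"], f"age-{age}d"))
    return findings


if __name__ == "__main__":
    review_time = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for the sample
    for finding in review_connector_keys(SAMPLE_KEYS, review_time):
        print(finding)
```
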

Validating connectivity to AWS Regions

You can now validate connectivity to AWS accounts between the ServiceNow Connector_Demo account and the AWS IAM SMSyncUser and SMEndUser.

To validate connectivity to AWS account
  1. In the AWS Service Management scoped app, choose Setup, then AWS Accounts.

  2. Choose Connector_Demo and select Validate Account.

    A successful connection results in the message, Successfully validating AWS account in each referenced Region.

If the AWS IAM access key or secret access key is incorrect, you receive an error message.

Manually syncing scheduled jobs

The Connector for ServiceNow includes nine sync jobs related to AWS services integrations. During the initial setup, manually execute the sync job for your AWS service integration instead of waiting for Scheduled Jobs to run.

To sync AWS service integrations or accounts manually
  1. Log in as system administrator.

  2. Find Scheduled Jobs in the navigator panel.

  3. Search the following AWS Service Management Connector scheduled jobs (including default sync intervals) in the table below:

    AWS Service Management Scheduled Job Name | Brief description | Default Sync Interval
    Sync all Automation Execution | Syncs execution of AWS Systems Manager Automation runbooks (documents) | 5 minutes
    Sync all provisioned AWS Service Catalog products | Syncs latest status of provisioned AWS Service Catalog products | 5 minutes
    Sync all ServiceNow resources to AWS Config | Syncs ServiceNow resources mapped to AWS Config custom resources | 6 Hours
    Synchronize changes to all AWS Accounts | Syncs changes to AWS services opted into each AWS account associated to the Connector | 1 Day
    Synchronize AWS Config | Syncs resource details or relationships from AWS Config into the ServiceNow CMDB | 31 minutes
    Synchronize AWS Security Hub | Syncs bi-directionally security findings from AWS Security Hub to ServiceNow incidents or problems | 31 minutes
    Synchronize AWS Service Catalog | Syncs AWS Service Catalog products into ServiceNow Service Catalog request items | 31 minutes
    Synchronize AWS Systems Manager Automation | Syncs AWS Systems Manager Automation runbooks (documents) into ServiceNow Service Catalog request items | 31 minutes
    Synchronize AWS Systems Manager OpsCenter | Syncs bi-directionally OpsItems from AWS Systems Manager OpsCenter to ServiceNow incidents | 31 minutes
    Synchronize AWS Support Cases through SQS | Syncs AWS Support Cases created or updated from AWS into ServiceNow | 1 min
    Synchronize status of synced Support Cases | Syncs status of Closed Incidents from AWS to ServiceNow | 6 hours
    Synchronize AWS Systems Manager Change Manager | Syncs pre-approved Change templates and Change Requests from AWS to ServiceNow | 31 min
    Synchronize AWS Systems Manager Incident Manager | Syncs Incident Manager incidents from AWS to ServiceNow | 1 min
    Synchronize AWS Health | Syncs Health events and resource information from AWS to ServiceNow | 5 min
    Synchronize Amazon WorkSpaces | Syncs Amazon WorkSpaces resource type from AWS Config | 31 min

  4. Choose the desired sync job, and choose Execute Now.

    Note

    If you do not see Execute Now in the upper left corner, choose Configure Job Definition. Execute Now is then visible. A ServiceNow administrator can adjust the Scheduled Job repeat interval as required.

Data is visible in the AWS Service Management scoped app menus after the Connector’s scheduled synchronization job has run.