Configuring ServiceNow
This version of the AWS Service Management Connector enables ServiceNow administrators to configure system properties, Config Aggregators, and AWS Config custom resources from select ServiceNow tables.
To configure the new AWS Config integration System properties
- In the navigator, enter AWS Service Management.
- Choose System Properties, and then choose AWS Config.
- Review the available settings and recommendations in the table below.
Available settings | Description |
---|---|
The name of the S3 bucket from where to get the resource provider ZIP files | The S3 bucket for custom resources from ServiceNow that populates AWS Config. Default and hard coded value: cmdb-resource-providers. Note: Service Management Connector recommends that you do not change this setting. |
Name of the Discovery source for synchronization with AWS Config | The setting that correlates the Discovery source in ServiceNow. Default and hard coded value: AWS Service Management Connector. Note: Service Management Connector recommends you do not change this setting. |
What field to use for correlation ID | Administrators use this setting to specify which column contains the correlation ID for each AWS Config item. The correlation ID disambiguates AWS Config items that might have the same resource ID (such as SQS queues). It consists of the comma-separated string of: source account number, source Region, resource type (such as AWS::EC2::Instance), and resource ID. Default: correlation_id |
What field to use for AWS capture time | Administrators use this setting to specify which column contains the capture time (such as capture time from AWS Config) for each AWS Config item. Default: last_discovered |
What field to use for last sync time | Administrators use this setting to specify which column contains the last sync time (such as the last time AWS Config integration performed a synchronization for a given item) for each AWS Config item. Default: checked_in |
Enable the creation of a relationship for state sync | Administrators use this setting to enable the creation of a relationship to a special state sync configuration item. When enabled, each synchronized item links to a particular state sync, or execution. Enabling this feature allows the SMC to identify stale items. Warning: This action creates an additional relationship per synchronized item. Depending on the number of items, it might have a performance impact. Default: No |
Enable the deletion of the previous relationship for state sync | Administrators use this setting to enable the deletion of previous relationships to a special state sync configuration item. When enabled, a successful synchronization to a given AWS Config time deletes the previous relationships to state sync configuration item. Warning: This action performs GlideAggregate queries for each group of synchronized accounts, Regions, or Aggregators. Depending on the number of items, it might have a performance impact. Default: No |
What Install status to put stale config item into | Administrators use this setting to automatically change the install_status of configuration items identified as stale. This action ensures that the status of stale resources correctly updates when using an Aggregator. Be aware this feature works only if you set What field to use for last sync time and enable Enable the creation of a relationship for state sync. Allowed values: Installed, Retired, Absent, Do nothing. Default: Do nothing |
Interval in minutes between the execution of full Config synchronization | Administrators use this setting to control the time between full syncs of Config data. The default is 720 minutes or 12 hours. |
Use MTM for managing stale status | This setting ensures the use of separate tables for handling relationships for sync status instead of using the cmdb_rel_ci table. AWS Service Management Connector recommends using the default setting. Default: Yes |
Validating the synchronization of Amazon WorkSpaces from AWS Config
To validate the synchronization of Amazon WorkSpaces in AWS Config
- Execute the scheduled job synchronize Amazon WorkSpaces manually.
- Navigate to AWS Config, and then choose WorkSpaces.
- Validate the data.
Note
Amazon WorkSpaces synchronization is only supported for stand-alone accounts, not for AWS Config Aggregator accounts.
The SyncUser role must include the DescribeWorkSpacesPolicy.
Addressing stale AWS Config items in the ServiceNow CMDB
In addition to the AWS Config settings, AWS SMC for ServiceNow now exposes a global API to identify stale config items from the AWS Config integration.
Note
This feature requires you to enable the Enable the creation of a relationship for state sync setting in the AWS Config System Properties in the ServiceNow scoped app.
Stale Config items
Stale Config items are the existing AWS Config items that did not update during the most recent sync for the same source (such as account, Region, and Aggregator name).
Identifying stale Config items
Note
ServiceNow administrators are the target audience for this section.
The script include x_126749_aws_sc.AwsSmc exposes a public API that you can use from any application scope, including global scope. As an example, run this script:

```javascript
// Log one line per stale config item: source account/Region,
// optional Aggregator name, CI name and its install status.
x_126749_aws_sc.AwsSmc.asSyncUser().getStaleConfigItems().forAll(function(object) {
    gs.info(
        object.accountNumber + '/' + object.region + ' ' +
        (object.aggregatorName ? 'aggregator: ' + object.aggregatorName + ' ' : '') +
        'ci: ' + object.ci.name + ' - ' + object.ci.getDisplayValue('install_status')
    );
});
```

As a background script, it would log the following:

```
Info: 11111111/us-east-1 ci: i-1234567fg6j8 - Installed
Info: 11111111/us-west-1 ci: i-9876541fdgfd - Installed
Info: 22222222/eu-west-1 aggregator: all-dev ci: i-1df5235ftt55 - Installed
```
Each object contains the properties below:
Property | Type | Description |
---|---|---|
accountNumber | String | The account number from which the stale config item originates. |
region | String | The Region from which the stale config item originates. |
aggregatorName | String | The Aggregator name (if applicable) from which the stale config item originates. |
lastSynced | GlideDateTime | The GlideDateTime of when the last synchronization occurred. |
ci | GlideRecord | The GlideRecord of the stale config item. |
Optionally, you can also pass an options object as the second argument to the forAll method that allows you to customize the search for stale items.
Property | Type | Description |
---|---|---|
lowerTimeLimit | GlideDateTime | The threshold GlideDateTime from when you should search items. Any stale item last updated prior to that date does not return. |
upperTimeLimit | GlideDateTime | The threshold GlideDateTime until you should search for items. Any item last updated after that date does not return. |
excludeStatus | Number | The install_status to filter on. |
Timestamps of sync resources:
- LastSyncTimeField (default checked_in): The start of the current sync process.
- first_discovered (for new records): The current time. We set the LastDiscoveredField (default last_discovered) to the configurationItemCaptureTime of the resource, if it exists or is undefined.
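An added example, not code from AWS or the Connector: it folds objects shaped like those passed to the forAll callback into a summary per sync source and lists CIs that have been stale longer than a threshold but still show Installed. The helper names, the '@' key separator, the 30-day threshold, the English display value 'Installed' and the sample items are assumptions; GlideDateTime and GlideRecord are replaced by constructed stand-ins so the logic runs outside ServiceNow.

```javascript
var DAY_MS = 24 * 60 * 60 * 1000;

// One sync source = account + Region + optional Aggregator name.
function sourceKey(item) {
    return item.accountNumber + '/' + item.region +
        (item.aggregatorName ? '@' + item.aggregatorName : '');
}

// Fold one stale item into the per-source summary. Values are read
// immediately, so this can be called from inside an iteration callback.
function recordStale(bySource, item, nowMs, maxAgeDays) {
    var key = sourceKey(item);
    var ageDays = Math.floor((nowMs - item.lastSynced.getNumericValue()) / DAY_MS);
    var status = String(item.ci.getDisplayValue('install_status'));
    var entry = bySource[key] || (bySource[key] = { count: 0, oldestDays: 0, review: [] });
    entry.count += 1;
    entry.oldestDays = Math.max(entry.oldestDays, ageDays);
    // Not synced for longer than the threshold yet still shown as Installed:
    // the CMDB may be reporting an asset that no longer exists.
    if (ageDays > maxAgeDays && status === 'Installed') {
        entry.review.push(String(item.ci.name));
    }
    return bySource;
}

function summarizeStale(items, nowMs, maxAgeDays) {
    return items.reduce(function (acc, item) {
        return recordStale(acc, item, nowMs, maxAgeDays);
    }, {});
}

// Constructed stand-ins for GlideDateTime / GlideRecord so the logic runs
// outside ServiceNow. Account numbers and CI names are sample values.
function fakeItem(account, region, aggregator, name, status, lastSyncedMs) {
    return {
        accountNumber: account, region: region, aggregatorName: aggregator,
        lastSynced: { getNumericValue: function () { return lastSyncedMs; } },
        ci: { name: name, getDisplayValue: function () { return status; } }
    };
}

var NOW = Date.UTC(2024, 0, 31);
var SAMPLE = [
    fakeItem('11111111', 'us-east-1', '', 'i-1234567fg6j8', 'Installed', NOW - 40 * DAY_MS),
    fakeItem('11111111', 'us-east-1', '', 'i-0000000aaaa1', 'Retired', NOW - 40 * DAY_MS),
    fakeItem('22222222', 'eu-west-1', 'all-dev', 'i-1df5235ftt55', 'Installed', NOW - 2 * DAY_MS)
];
var REPORT = summarizeStale(SAMPLE, NOW, 30);
```

In a background script, call recordStale from the forAll callback with new GlideDateTime().getNumericValue() as nowMs, so each record's values are read while the callback holds it.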
Additional notes on stale records
When AWS Service Management Connector reads AWS Config records that refer to other resources, it often creates a relationship to those resources.
In some cases, the related resource does not have an entry in the ServiceNow CMDB. In these cases, the Connector creates a record for that relationship, with an install status of absent. When the Connector reads the AWS Config record for the related resource, that record populates.
To see active resources, you should filter ServiceNow records synced from AWS Config by an install status of not Absent.
Disclaimer
Because the script compares items linked to stale sync records, it is unable to identify stale resources synced before the installation of this SMC version. When switching to sync with an Aggregator or switching from Aggregator sync to non-Aggregator sync, the script also fails to detect items that became stale between the last non-Aggregator sync and the first Aggregator sync.
Configuring synchronization of AWS Config data using an Aggregator in ServiceNow CMDB
Prerequisite: You need to opt-in and configure the AWS account that contains the aggregated AWS Config resources details prior to performing the steps below. For more information, see Configuring AWS Accounts to Synchronize in the Connector.
To configure the Connector to use an Aggregator to synchronize AWS Config data
- In the AWS Service Management scoped app, choose the Setup module.
- Choose Aggregators for AWS Config.
- Choose New.
- Enter the name of the new Config Aggregator.
- Choose the Region where you created the new Config Aggregator.
- Choose the AWS account that should use the new Aggregator. Only AWS accounts opted into the Connector for ServiceNow that have Integrate with AWS Config are viewable.
- Choose Submit.
If you define an Aggregator for an AWS account and Region, the Aggregator integration becomes the only AWS Config to ServiceNow CMDB synchronization mechanism for that AWS account.
Configuring available ServiceNow tables to sync as AWS Config custom resources
In this Connector for ServiceNow release, you can now sync a set of ServiceNow tables in the CMDB to AWS Config as custom resources.
The ServiceNow tables and AWS Config custom resource mapping are as follows:
ServiceNow CMDB table | AWS custom resource |
---|---|
cmdb_ci_apache_web_server | Apache Web Server |
cmdb_ci_app_server | Application Server |
cmdb_ci_app_server_java | Java Server |
cmdb_ci_app_server_tomcat | Tomcat Server |
cmdb_ci_app_server_tomcat_war | Tomcat Web Application |
cmdb_ci_app_server_websphere | IBM Websphere Application |
cmdb_ci_app_server_ws_ear | Websphere Enterprise Archive |
cmdb_ci_appl | Application |
cmdb_ci_appl_dot_net | A .Net Application |
cmdb_ci_appl_now_app_comp | ServiceNow Application Component |
cmdb_ci_appl_sap | SAP Application |
cmdb_ci_appl_sap_hana_db | SAP Hana Database |
cmdb_ci_appl_sap_system | SAP System |
cmdb_ci_appl_sharepoint | Microsoft Sharepoint Application |
cmdb_ci_application_cluster | Application Cluster |
cmdb_ci_application_server_resource | Application Server Resource |
cmdb_ci_application_software | Application Software |
cmdb_ci_db_mssql_database | MySql Database |
cmdb_ci_db_mysql_instance | MySql Instance |
cmdb_ci_kubernetes_cluster | Kubernetes Cluster |
To configure ServiceNow tables as AWS Config custom resources
Note
When you configure ServiceNow tables as AWS Config custom resources you might encounter an increase in your billing statement for the creation of additional resources.
- In the navigator, enter AWS Service Management.
- Choose Setup, then Tables Sync to AWS Config.
- Choose New.
- Choose an in-scope ServiceNow table.
- Choose an account and Region for the new resource type. You can select any supported Region, in addition to preconfigured Regions for the account.
- Click Submit.
- Repeat the steps above to include additional ServiceNow tables available to sync as AWS Config custom resources.
The amount of time to create new AWS Config resources depends on the number of ServiceNow tables you selected. You can see resources in the Schema version field upon successful completion. The periodic synchronization of resources automatically includes the new AWS Config custom resource type. As details in the ServiceNow table update, this information syncs to the AWS Config custom resource.