

End of support notice: On March 31, 2027, AWS will end support for AWS Service Management Connector. After March 31, 2027, you will no longer be able to access the AWS Service Management Connector console or AWS Service Management Connector resources. For more information, see [AWS Service Management Connector end of support](https://docs.aws.amazon.com/smc/latest/ag/smc-end-of-support.html). 

# Creating Connector for ServiceNow users
<a name="create-sc-users"></a>

For each AWS account, the Connector for ServiceNow requires two IAM users:
+ **AWS Sync User**: A user that syncs AWS resources (such as portfolios, products, Automation documents (runbooks), OpsItems, Incident Manager incidents, change templates and requests, configuration items, and Security Hub findings), AWS Support cases, and AWS Health events to ServiceNow.
+ **AWS End User**: A user who can provision products as an end user, execute requests, and view the resources that ServiceNow exposes. This user carries any roles required to provision and execute.

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage IAM user access keys properly](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).

# Creating the AWS Service Management Connector Sync user
<a name="scsyncuser"></a>

This section describes how to create the AWS Sync user and attach the appropriate IAM permissions. To perform this task, you need IAM permissions to create users and policies. The following steps to create a Sync user and End user are not required if you use the CloudFormation template to deploy the permissions. Review [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md) for more information.

**Note**  
The CloudFormation template to set up the AWS configurations of the Connector for ServiceNow creates the Sync user and End user with the required permissions for all the supported integrations. 

**To create AWS Service Management Connector sync user**

1. Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a sync user (SMSyncUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions. 

1. Set permissions for your sync user (SMSyncUser). Choose **Attach existing policies directly** and select:
   + **`AWSServiceCatalogAdminReadOnlyAccess`** (AWS managed policy)
   + **`AmazonSSMReadOnlyAccess`** (AWS managed policy)
   + **`AWSConfigUserAccess`** (AWS managed policy)
   + **`AWSSupportAccess`** (AWS managed policy)

1. Create this policy: `ConfigBiDirectionalPolicy`. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
               "cloudformation:RegisterType",
               "cloudformation:DescribeTypeRegistration",
               "cloudformation:DeregisterType",
               "config:PutResourceConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
      ]
   }
   ```

------

   The provided AWS configuration CloudFormation template includes both of these policies: `ConfigBiDirectionalPolicy` and `SecurityHubPolicy`.

1. Create this policy: `SecurityHubPolicy`. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor. Replace the example SQS ARN (account `111122223333`, queue `QueueName`) with the ARN of the queue that the Security Hub integration uses; the SQS statement is deliberately scoped to one queue rather than `*`:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
               "sqs:ReceiveMessage",
               "sqs:DeleteMessage"
            ],
            "Resource": "arn:aws:sqs:us-east-1:111122223333:QueueName",
            "Effect": "Allow"
         },
         {
            "Action": [
               "securityhub:BatchUpdateFindings"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
      ]
   }
   ```

------

1. Create this policy: `OpsCenterExecutionPolicy`. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Effect": "Allow",
            "Action": [
               "ssm:CreateOpsItem",
               "ssm:GetOpsItem",
               "ssm:UpdateOpsItem",
               "ssm:DescribeOpsItems"
            ],
            "Resource": "*"
         }
      ]
   }
   ```

------

1. Create this policy: `AWSIncidentBaselinePolicy`. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
               "ssm-incidents:ListIncidentRecords",
               "ssm-incidents:GetIncidentRecord",
               "ssm-incidents:UpdateRelatedItems",
               "ssm-incidents:ListTimelineEvents",
               "ssm-incidents:GetTimelineEvent",
               "ssm-incidents:UpdateIncidentRecord",
               "ssm-incidents:ListRelatedItems",
               "ssm:ListOpsItemRelatedItems"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
      ]
   }
   ```

------

1. [Optional] Create this policy: `AWSChangeManagerCloudtrailPolicy`. It is only needed if you use the Change Manager integration's CloudTrail Lake queries. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": [
               "cloudtrail:DescribeQuery",
               "cloudtrail:ListEventDataStores",
               "cloudtrail:StartQuery",
               "cloudtrail:GetQueryResults"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
      ]
   }
   ```

------

1. Create this policy: `DescribeWorkSpacesPolicy`. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": ["workspaces:DescribeWorkspaces"],
            "Effect": "Allow",
            "Resource": "*"
         }
      ]
   }
   ```

------

1. Add a policy that allows `budgets:ViewBudget` on all resources (`*`).

1. Review and choose **Create user**.

1. Note the access key ID and secret access key. Download the .csv file that contains the user credentials, and store it where only the people who configure the ServiceNow connection can read it; the secret is shown only once.

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).
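The procedure above, carried out through the IAM API instead of the console, as an added example that is not part of the Connector documentation or of any AWS tool. `iam` is any object that exposes the boto3 IAM client methods used here (`create_user`, `create_policy`, `attach_user_policy`, `create_access_key`, `list_access_keys`); pass `boto3.client("iam")` in practice. `FakeIAM` is a constructed in-memory stand-in so the script runs offline, the policy documents are abridged copies of the ones on this page, and `BudgetsViewPolicy` is an assumed name for the budgets policy. The second function implements the rotation note: it lists active keys older than a cut-off so you can see which ones the ServiceNow account record needs to be re-keyed with.

```python
"""Create the Connector sync user with the policies listed above and report
access keys that are due for rotation.  Added example; see the lead-in."""
import json
from datetime import datetime, timedelta, timezone

# AWS managed policies from step 2 of the sync-user procedure.
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSConfigUserAccess",
    "arn:aws:iam::aws:policy/AWSSupportAccess",
]

def _allow(actions, resource="*"):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}

# Customer managed policies from the same procedure (abridged; add the others the same way).
CUSTOM_POLICIES = {
    "OpsCenterExecutionPolicy": _allow(["ssm:CreateOpsItem", "ssm:GetOpsItem",
                                        "ssm:UpdateOpsItem", "ssm:DescribeOpsItems"]),
    "DescribeWorkSpacesPolicy": _allow(["workspaces:DescribeWorkspaces"]),
    "BudgetsViewPolicy": _allow(["budgets:ViewBudget"]),  # assumed name for the budgets step
}

def create_sync_user(iam, user_name, managed_arns, custom_policies):
    """Create the user, create and attach every policy, and return its new access key pair."""
    iam.create_user(UserName=user_name,
                    Tags=[{"Key": "Purpose", "Value": "ServiceNow-connector-sync"}])
    arns = list(managed_arns)
    for name, document in custom_policies.items():
        created = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(document))
        arns.append(created["Policy"]["Arn"])
    for arn in arns:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The secret is returned once; hand it to the ServiceNow account record, never to a log.
    return key["AccessKeyId"], key["SecretAccessKey"]

def stale_access_keys(iam, user_name, max_age_days=90, now=None):
    """Active access key IDs older than max_age_days: the keys the rotation note asks you to replace."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return [k["AccessKeyId"] for k in keys if k["Status"] == "Active" and k["CreateDate"] < cutoff]

class FakeIAM:
    """Constructed stand-in that records the same calls boto3's IAM client accepts."""
    def __init__(self, account_id="111122223333"):
        self.account_id = account_id
        self.clock = datetime.now(timezone.utc)      # CreateDate assigned to new keys
        self.users, self.policies, self.attached, self.keys = {}, {}, {}, {}

    def create_user(self, UserName, Tags=()):
        self.users[UserName] = list(Tags)
        self.attached[UserName], self.keys[UserName] = [], []
        return {"User": {"UserName": UserName}}

    def create_policy(self, PolicyName, PolicyDocument):
        arn = f"arn:aws:iam::{self.account_id}:policy/{PolicyName}"
        self.policies[arn] = json.loads(PolicyDocument)
        return {"Policy": {"PolicyName": PolicyName, "Arn": arn}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.attached[UserName].append(PolicyArn)

    def create_access_key(self, UserName):
        n = len(self.keys[UserName]) + 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLE{n:012d}", "Status": "Active",
               "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",  # placeholder
               "CreateDate": self.clock}
        self.keys[UserName].append(key)
        return {"AccessKey": key}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{k: v for k, v in key.items() if k != "SecretAccessKey"}
                                      for key in self.keys[UserName]]}

def run_demo():
    """Create SMSyncUser offline, then age a second key past 90 days to show the rotation check."""
    iam = FakeIAM()
    key_id, _secret = create_sync_user(iam, "SMSyncUser", MANAGED_POLICY_ARNS, CUSTOM_POLICIES)
    fresh = stale_access_keys(iam, "SMSyncUser")
    iam.clock -= timedelta(days=120)                  # pretend the next key was issued 120 days ago
    old_key = iam.create_access_key(UserName="SMSyncUser")["AccessKey"]["AccessKeyId"]
    return {"key_id": key_id, "attached": iam.attached["SMSyncUser"],
            "stale_before": fresh, "stale_after": stale_access_keys(iam, "SMSyncUser"),
            "old_key": old_key}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With a real client, `create_policy` raises `EntityAlreadyExists` on a second run; create the policies once and reuse their ARNs, and run `stale_access_keys` from a scheduled job so the rotation note becomes something you measure rather than remember.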

# Creating the AWS Service Management Connector end user
<a name="scenduser"></a>

This section describes how to create the AWS Service Management Connector end user and attach the appropriate IAM permissions. To perform this task, you need IAM permissions to create users and policies.

**To create AWS Service Management Connector end user**

1. Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a user (SMEndUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

   For products using CloudFormation StackSets, you need to create a StackSet inline policy. With CloudFormation StackSets, you are able to create products across multiple accounts and Regions.

   Using an administrator account, you define and manage a Service Catalog product. You also use it to provision stacks into selected target accounts across specified Regions. You need to have the necessary permissions defined in your AWS accounts.

   To set up the necessary permissions, see [Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). Follow the instructions to create an `AWSCloudFormationStackSetAdministrationRole` and an `AWSCloudFormationStackSetExecutionRole`.

1. Attach the following policies to the user:
   + `AWSServiceCatalogEndUserFullAccess` (AWS managed policy)
   + `StackSet` (inline policy). For Service Catalog products that use StackSets, also give `SMEndUser` read-only permissions for the services you want to provision. For example, to provision an Amazon S3 bucket, attach the `AmazonS3ReadOnlyAccess` policy to `SMEndUser`.
   + `OpsCenterExecutionPolicy` (the customer managed policy created for the Sync user)
   + `AmazonEC2ReadOnlyAccess` (AWS managed policy)
   + `AmazonS3ReadOnlyAccess` (AWS managed policy)

# Creating the SCConnectLaunch role
<a name="scconnectlaunchrole"></a>

The `SCConnectLaunch` role is an IAM role that places baseline AWS service permissions into the Service Catalog launch constraints. Configuring this role enables segregation of duties: Service Catalog assumes the launch role to provision the product's resources, so the ServiceNow end user only needs permission to launch the product, not to create the underlying resources.

The `SCConnectLaunch` role baseline contains permissions to Amazon EC2 and Amazon S3 services. If your products contain more AWS services, you must either include those services in the `SCConnectLaunch` role or create new launch roles.

This section describes how to create the `SCConnectLaunch` role. This role places baseline AWS service permissions in the Service Catalog launch constraints. For more information, see [Service Catalog Launch Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html).

**To create SCConnectLaunch role**

1. Create this policy: `AWSCloudFormationFullAccess` (a customer managed policy; it shares its name with, but is narrower than, the AWS managed policy of the same name). Choose **Create policy** and add this code in the JSON editor:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Effect": "Allow",
            "Action": [
               "cloudformation:DescribeStackResource",
               "cloudformation:DescribeStackResources",
               "cloudformation:GetTemplate",
               "cloudformation:List*",
               "cloudformation:DescribeStackEvents",
               "cloudformation:DescribeStacks",
               "cloudformation:CreateStack",
               "cloudformation:DeleteStack",
               "cloudformation:GetTemplateSummary",
               "cloudformation:SetStackPolicy",
               "cloudformation:ValidateTemplate",
               "cloudformation:UpdateStack",
               "cloudformation:CreateChangeSet",
               "cloudformation:DescribeChangeSet",
               "cloudformation:ExecuteChangeSet",
               "cloudformation:DeleteChangeSet",
               "s3:GetObject"
            ],
            "Resource": "*"
         }
      ]
   }
   ```

------
**Note**  
This `AWSCloudFormationFullAccess` policy includes the ChangeSet permissions (`CreateChangeSet`, `DescribeChangeSet`, `ExecuteChangeSet`, `DeleteChangeSet`) that product updates require in addition to the stack operations.

1. Create this policy: `ServiceCatalogSSMActionsBaseline`. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor. Note that the `iam:PassRole` statement is conditioned on `iam:PassedToService` so the role can only be passed to Systems Manager Automation, not to arbitrary services:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Sid": "Stmt1536341175150",
            "Action": [
               "servicecatalog:AssociateResource",
               "servicecatalog:DisassociateResource",
               "servicecatalog:ListServiceActionsForProvisioningArtifact",
               "servicecatalog:ExecuteProvisionedProductServiceAction",
               "ssm:DescribeDocument",
               "ssm:GetAutomationExecution",
               "ssm:StartAutomationExecution",
               "ssm:StopAutomationExecution",
               "ssm:StartChangeRequestExecution",
               "cloudformation:ListStackResources",
               "ec2:DescribeInstanceStatus",
               "ec2:StartInstances",
               "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
         },
         {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
               "StringEquals": {
                  "iam:PassedToService": "ssm.amazonaws.com"
               }
            }
         }
      ]
   }
   ```

------

1. Create the `SCConnectLaunch` role with the following trust policy, so that only the Service Catalog service principal can assume it:

------
#### [ JSON ]

   ```
   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
               "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
         }
      ]
   }
   ```

------

1. Attach the relevant policies to the `SCConnectLaunch` role.

   We recommend that you customize and scope your launch policies to the specific AWS services used in the CloudFormation template of the given Service Catalog product; a launch role with more services than the template needs is the permission boundary every product launched through it inherits.

   For example, to provision EC2 and S3 products, your role policies are as follows:
   + `AmazonEC2FullAccess` (AWS managed policy)
   + `AmazonS3FullAccess` (AWS managed policy)
   + `AWSCloudFormationFullAccess` (customer managed policy)
   + `ServiceCatalogSSMActionsBaseline` (customer managed policy)
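The scoping advice above is easy to state and easy to drift away from, so here is an offline check you can run over a launch role before attaching it, as an added example that is not part of the Connector documentation or of any AWS tool. Policy, trust policy and template documents are plain dicts (`json.load` of the files you attach); the abridged `ServiceCatalogSSMActionsBaseline`, the trust policy and the S3-only product template below are constructed copies for the demo. The mapping from CloudFormation type namespaces (`AWS::EC2::Instance`) to IAM service prefixes (`ec2`) is approximate, with one override shown; extend it for the services your products use.

```python
"""Offline checks for a Service Catalog launch role such as SCConnectLaunch.
Added example; see the lead-in."""
import re

# Actions that only read state; a wildcard resource on these is low risk.
READ_ONLY = re.compile(r"^(Describe|Get|List|View|BatchGet)")

# CloudFormation type namespaces whose IAM service prefix is spelled differently.
SERVICE_PREFIX_OVERRIDES = {"elasticloadbalancingv2": "elasticloadbalancing"}

# Services every launch role needs regardless of what the product template creates.
BASELINE_SERVICES = {"cloudformation", "servicecatalog", "ssm", "iam", "s3"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Findings for Allow statements granting mutating actions, or PassRole, on Resource "*"."""
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            if action == "*":
                findings.append("Action * allowed")
                continue
            _service, _, name = action.partition(":")
            if action == "iam:PassRole":
                if "Condition" not in stmt:
                    findings.append("iam:PassRole without a Condition")
                elif wildcard_resource:
                    findings.append("iam:PassRole on Resource * (scope to the Automation role ARN)")
            elif wildcard_resource and not READ_ONLY.match(name):
                findings.append(f"{action} on Resource *")
    return findings

def trusts_only(trust_doc, service):
    """True if every Allow statement in the trust policy names exactly this service principal."""
    for stmt in _as_list(trust_doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False          # "*", AWS account or federated principals are not acceptable here
        if _as_list(principal["Service"]) != [service]:
            return False
    return True

def policy_services(doc):
    """IAM service prefixes (ec2, s3, ...) that appear in a policy's actions."""
    return {action.split(":", 1)[0].lower()
            for stmt in _as_list(doc["Statement"]) for action in _as_list(stmt["Action"])}

def template_services(template):
    """Service prefixes of the resource types a CloudFormation template declares."""
    services = set()
    for resource in template.get("Resources", {}).values():
        parts = resource["Type"].split("::")          # e.g. AWS::EC2::Instance
        if len(parts) == 3 and parts[0] == "AWS":
            namespace = parts[1].lower()
            services.add(SERVICE_PREFIX_OVERRIDES.get(namespace, namespace))
    return services

def services_not_in_template(policy_docs, template):
    """Services the launch role can touch that the product's template never creates."""
    granted = set().union(*(policy_services(d) for d in policy_docs))
    return sorted(granted - template_services(template) - BASELINE_SERVICES)

# Constructed sample input: an abridged copy of ServiceCatalogSSMActionsBaseline ...
LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["servicecatalog:ListServiceActionsForProvisioningArtifact",
                    "ssm:StartAutomationExecution", "cloudformation:ListStackResources",
                    "ec2:DescribeInstanceStatus", "ec2:StartInstances", "ec2:StopInstances"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
    ],
}
# ... the SCConnectLaunch trust policy ...
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Principal": {"Service": "servicecatalog.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
# ... and a product template that only creates an S3 bucket.
S3_ONLY_TEMPLATE = {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}

if __name__ == "__main__":
    for finding in lint_policy(LAUNCH_POLICY):
        print("finding:", finding)
    print("trusts only servicecatalog:", trusts_only(TRUST_POLICY, "servicecatalog.amazonaws.com"))
    print("granted but not in template:", services_not_in_template([LAUNCH_POLICY], S3_ONLY_TEMPLATE))
```

For the S3-only product the third check reports `ec2`, which is the cue to drop `AmazonEC2FullAccess` from that product's launch role or to create a separate launch role for it, exactly as the section suggests. The `iam:PassRole` finding is advisory: the `iam:PassedToService` condition already limits which service receives the role, but naming the Automation role's ARN as the `Resource` closes the remaining gap.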