

End of support notice: On March 31, 2027, AWS will end support for AWS Service Management Connector. After March 31, 2027, you will no longer be able to access the AWS Service Management Connector console or AWS Service Management Connector resources. For more information, see [AWS Service Management Connector end of support](https://docs.aws.amazon.com/smc/latest/ag/smc-end-of-support.html). 

# Using AWS Service Management Connector for Jira Service Management Data Center
<a name="integrations-jiraservicedesk"></a>

The AWS Service Management Connector for Jira Service Management (Connector) (formerly the AWS Service Catalog Connector) enables Jira Service Management end users to provision, manage, and operate AWS resources natively through Atlassian's Jira Service Management.

It enables Jira Service Management administrators to:
+ Provide preapproved, secured, and governed AWS resources to end users through AWS Service Catalog.
+ Create and manage operational items through AWS Systems Manager OpsCenter.
+ Execute automation playbooks through AWS Systems Manager Automation.
+ Track resources in a configuration item view powered by AWS Config.
+ View, create, investigate, add correspondence, and resolve Support cases through Jira Service Management (including AMS Accelerate support cases).
+ Manage and resolve incidents affecting AWS-hosted applications through integrations with AWS Systems Manager Incident Manager.

These integrations streamline AWS native services by making it easier for you to consume and provide Jira Service Management governance and oversight over AWS products.

The AWS-supplied connector is available at no charge in the Atlassian Marketplace. This new feature is generally available in all AWS Regions where AWS Service Catalog, AWS Config, and AWS Systems Manager services are available.

# Service management alignment
<a name="service-mgmt-alignment"></a>

This Connector aligns to industry best practices, such as ITIL®’s service management areas by enabling tools (services) with the intersection of people, processes and partners. The Connector also addresses a baseline set of service management practices you can use in existing operational tooling:


| Service management area | AWS service(s) integration | 
| --- | --- | 
| Service Catalog management deployment management (Provisioning) | [AWS Service Catalog](https://aws.amazon.com/servicecatalog/), AWS CloudFormation, and AWS Systems Manager Automation requests and provisions vetted and predictable products and performs post-provision actions. | 
| Incident management (Ticketing) |  [Support](https://aws.amazon.com/premiumsupport/) (AWS services and platform incidents). [AWS Systems Manager](https://aws.amazon.com/systems-manager/) OpsCenter (Jira operational Issues derived and detected for solutions built on AWS platform). [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/) (Jira Issues from security Findings). AWS Systems Manager Incident Manager (AWS services and platform incidents).  | 
| Service configuration management (CMDB) | [AWS Config](https://aws.amazon.com/config/) (Track AWS resources related to the Jira Issue). | 

In addition, [Atlassian Jira Service Management](https://www.atlassian.com/software/jira/service-management/features/service-desk) (JSM) is service desk software for modern IT teams. Jira Service Management request types enable self-service for developers and end users to order IT services based on request fulfillment approvals and workflows.

# Jira Service Management supported versions
<a name="jsd-supported-versions"></a>

The AWS Service Management Connector (connector) for Jira Service Management Data Center supports Jira software (Jira Service Management) release for both the current and single prior version in each of the major, minor, and point release streams for:

Jira Data Center 7.13.18 to 9.16.1

A Jira Service Management Connector (connector) for Jira Service Management Cloud is also available in the Atlassian Marketplace. For more information, see [AWS Service Management Connector for Jira Service Management Cloud](https://docs.aws.amazon.com/smc/latest/ag/integrations-jsmcloud.html).

# Release notes
<a name="jsd-integration-release-notes"></a>

Version 2.0.8 includes updates to core features. Version 2.0.5 of the AWS Service Management Connector for Jira Service Management introduces an integration with AWS Systems Manager Incident Manager cases and Jira incidents.

**Version 2.0.8 core features**
+ Updated package dependencies. 

**Version 2.0.7 core features**
+ Updated version of **aws-sdk** library. 
+ Fix for XML parser issue. 

**AWS Systems Manager Incident Manager**
+ Allows Jira Service Management end users to view and resolve a Jira issue when AWS Systems Manager Incident Manager creates or updates an incident.
+ Automatically relate an AWS incident to the associated AWS OpsItem when AWS Systems Manager OpsCenter integration is enabled.
+ Allows bidirectional or unidirectional synchronization of the ‘resolved’ status between a Jira issue and a corresponding AWS incident.

The latest version also includes prior integrations to AWS services, such as Support, AWS Security Hub CSPM, AWS Service Catalog, AWS Config, AWS Systems Manager automation, and AWS Systems Manager OpsCenter.

**Support**
+ Configure dual synchronization of Support cases with Jira Service Management incidents.
+ View, create, resolve and add correspondences to Support tickets directly from Jira Incident.

**AWS Security Hub CSPM integration**
+ Configure synchronization of AWS Security Hub CSPM Findings within Jira Service Management.
+ Create, view, investigate and resolve AWS Security Hub CSPM Findings as Jira issues.
+ View updates from synced security Findings Jira Issues in AWS Security Hub CSPM.

**AWS Service Catalog**
+ Render AWS Service Catalog portfolios and products in the Jira Service Management Customer Portal and Jira Agent views.
+ Associate Jira Service Management approval groups to AWS Service Catalog portfolios to require approvals for Jira Service Management user product requests.
+ Assign the default Jira user that the Jira workflow engine uses.
+ Configure AWS product request form components available for end users to view.
+ Create AWS Tags across provisioned products.
+ View AWS specific parameters on EC2 resources, such as Availability Zones, Image ID, Instance Id, KeyPair, Security Group, and VPC.

**AWS Config**
+ Render AWS Config configuration item details on provisioned AWS products through Jira Service Management request.
+ View the configuration item relationships in a tree structure.
+ Associate AWS Config items details to Jira issues.

**AWS Systems Manager Automation**
+ Render AWS Systems Manager automation documents in the Jira Service Management Customer Portal and Jira Agent views.
+ Request and execute AWS Systems Manager automation documents through Jira Service Management.
+ Create Jira issues (incidents) that provide actionable remediation suggestions through a Connector-specific AWS Systems Manager automation document.

**AWS Systems Manager OpsCenter**
+ Create and update a Jira Issue when you create and update an operational item (OpsItem) in AWS Systems Manager OpsCenter.
+ Update OpsItems in AWS Systems Manager OpsCenter when you update the Jira issue in Jira Service Management.
+ View and execute automation runbooks to resolve OpsItems and view execution results from the Jira Issue.
+ Support multiple AWS accounts.
+ Support FIPS endpoints and usage in the AWS GovCloud East and GovCloud West Regions.
+ Support the latest releases of Jira Service Management Server and data center versions.

# Prerequisites for Jira Service Management Data Center
<a name="jsd-integration-getting-started"></a>

Before installing the AWS Service Management Connector for Jira Service Management, you need an AWS account and an Atlassian instance with [Jira Service Management pre-installed](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSD_2.0.8.zip). Verify that you have the necessary permissions in your AWS account and Jira Service Management software.

For a zip file containing Connector add-on code as well as AWS Configuration files, download and extract the [AWS Service Management Connector for JSM configuration files](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSD_2.0.7.zip).

## AWS prerequisites
<a name="aws-prereqs"></a>
+ To use Service Catalog with the Connector, you need an AWS account to configure your AWS portfolios and products. For more information, see [Setting Up AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/setup.html).
+ To see AWS Config details, configure the service settings to record data for the resource types of interest. We recommend including provisioned products and CloudFormation stacks, in addition to the major resource types your team uses. For more information, see [Setting Up AWS Config with the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html).
+ To use AWS Systems Manager Automation with the Connector, you don't need AWS-side setup. A number of automation documents are available from AWS as standard. If you want to use additional automation documents, they are available in the Connector. For more information, see [Working with Automation Documents (Playbooks)](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html).
+ To use AWS Systems Manager OpsCenter with the Connector, enable OpsCenter in the AWS Systems Manager console. For more information, see [AWS Systems Manager OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html). The Connector also enables viewing the resources and automation documents (runbooks) associated with an OpsItem. For more information about associating resources with OpsItems in AWS OpsCenter, see [Working with Related Resources](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-working-with-OpsItems.html#OpsCenter-working-with-OpsItems-related-resources). For more information about associating automation documents with OpsItems in AWS OpsCenter, see [Remediating OpsItem issues using Systems Manager automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-remediating.html).
+ To use AWS Security Hub CSPM with the Connector, you must enable the service in all Regions and accounts where you want to sync Findings. For more information, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). We recommend you connect Jira Service Management with the primary AWS account for AWS Security Hub CSPM. For more information, see [Managing administrator and member accounts.](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) 
+ To use Support with the Connector, your account must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan to use support integration.
+ To use AWS Systems Manager Incident Manager with the Connector and allow the Connector to synchronize Incidents for a specific Region, you must enable Incident Manager in that account and Region. For details on the service endpoint, see [AWS Systems Manager Incident Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/incident-manager.html).

**Note**  
AWS Service Management Connector allows AWS Managed Services (AMS) Accelerate users to create Incidents and Service Requests through Jira Service Management. To ensure that your account has the required permissions to create AMS Accelerate support cases, make sure you onboard your account to Accelerate. For more information, see [Getting Started with AMS Accelerate](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).

For each AWS account, the Connector for Jira Service Management also requires API access with [Baseline permissions.](jsd-baseline-permissions.md)

## Jira Service Management prerequisites
<a name="jsd-prereqs"></a>

In addition to your AWS account, you need the Jira Service Management software installed on your Atlassian instance before you can install the AWS Service Management Connector add-on. The Jira Service Management administrator needs the *admin* role to install the AWS Service Management Connector add-on.

Before configuring your AWS connector, ensure you follow Atlassian recommendations for securing your Jira Service Management instances. For more information, see [Preventing Security Attacks](https://confluence.atlassian.com/adminjiraserver/preventing-security-attacks-938847893.html).

The Connector for Jira Service Management add-on is available to download in the [Atlassian Marketplace](https://marketplace.atlassian.com/apps/1221283/aws-service-catalog-connector-for-jsd).

# Setting up baseline AWS users and permissions
<a name="jsd-baseline-permissions"></a>

This section provides instructions on how to set up the baseline AWS users and permissions for the AWS Service Management Connector for Jira Service Management.

**Topics**
+ [Available template for baseline permissions](#template-baseline)
+ [Creating AWS Service Management Connector Sync User](jsd-creating-sc-sync-user.md)
+ [Creating AWS Service Management Connector End User](jsd-creating-sc-end-user.md)
+ [Creating SCConnectLaunch Role](jsd-creating-scconnectlaunch-role.md)

## Available template for baseline permissions
<a name="template-baseline"></a>

To use an AWS CloudFormation template to set up the AWS configurations of the Connector for Jira Service Management, see the AWS configurations for [Connector for Jira Service Management - AWS Commercial Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSMv2.0.0-AWS_Configurations_Commercial.json) and [Connector for Jira Service Management - AWS GovCloud West Region](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSMv2.0.0-AWS_Configurations_GovCloud.json).

**Note**  
If you use the Connector for Jira Service Management AWS Configuration template, go to the [Service Catalog Administrator Guide](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html).

For each AWS account, the Connector for Jira Service Management requires two sets of an access key identifier and a secret key for API access. These correspond to users in AWS Identity and Access Management (IAM). Specifically, you should set up:
+ An IAM user to sync AWS resources and to sync and manage Support cases through Jira Service Management.
+ An IAM user able to perform end user functionality to provision and execute requests exposed through Jira Service Management, including any roles required to perform the provisioning and execution. We recommend launch roles for Service Catalog to comply with IAM best practices.

These can be the same user and can be an existing user. We recommend you assign two new users for Connector.

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).

# Creating AWS Service Management Connector Sync User
<a name="jsd-creating-sc-sync-user"></a>

The following section describes how to create the AWS Connector sync user and associate the appropriate IAM permissions. To perform this task, you need IAM permissions to create new users.

**To create AWS Service Management Connector sync user**

1. Follow the instructions in **[Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html)** to create the policy, **SSMOpsItemActionPolicy**. This policy enables Jira administrators to create and manage AWS Systems Manager OpsItems.

   Copy this policy and paste it into **Policy Document**:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:CreateOpsItem",
                   "ssm:GetOpsItem",
                   "ssm:UpdateOpsItem",
                   "ssm:DescribeOpsItems"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and create the policy, **ConfigBidirectionalSecurityHubSQSBaseline**.

   Copy this policy and paste it in the JSON editor.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "cloudformation:RegisterType",
                   "cloudformation:DescribeTypeRegistration",
                   "cloudformation:DeregisterType",
                   "sqs:ReceiveMessage",
                   "sqs:DeleteMessage",
                   "securityhub:BatchUpdateFindings"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Follow the instructions in **[Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html)** to create the policy, **AWSIncidentBaselinePolicy**.

   Copy this policy and paste it in the JSON editor.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm-incidents:ListIncidentRecords",
                   "ssm-incidents:GetIncidentRecord",
                   "ssm-incidents:UpdateRelatedItems",
                   "ssm-incidents:ListTimelineEvents",
                   "ssm-incidents:GetTimelineEvent",
                   "ssm-incidents:UpdateIncidentRecord",
                   "ssm-incidents:ListRelatedItems",
                   "ssm:ListOpsItemRelatedItems"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Follow the instructions in **[Creating an IAM User in your AWS Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)** to create a sync user (SCSyncUser). The user needs programmatic access and AWS Management Console access to follow the Connector for Jira Service Management installation instructions.

   Set permissions for your sync user (SCSyncUser). Choose **Attach the following policies directly** and select **AWSServiceCatalogAdminReadOnlyAccess**, **AmazonSSMReadOnlyAccess**, **SSMOpsItemActionPolicy**, **AWSSupportAccess**, **AWSIncidentBaselinePolicy**, and **ConfigBidirectionalSecurityHubSQSBaseline**.

1. Add a policy that allows **budgets:ViewBudget** on all resources (\*).

1. Review and choose **Create User**.

1. Note the access key ID and secret access key. Download the .csv file that contains the user credential information.

# Creating AWS Service Management Connector End User
<a name="jsd-creating-sc-end-user"></a>

The following section describes how to create the AWS Service Management Connector end user and associate the appropriate IAM permissions. To perform this task, you need IAM permissions to create new users.

**To create AWS Service Management Connector end user**

1. Follow the instructions in [Creating an IAM user in your AWS Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a user (such as SCEndUser). The user needs programmatic and AWS Management Console access to follow the Connector for Jira Service Management installation instructions.

1. For products with CloudFormation StackSets, you need to create a stack set inline policy. With CloudFormation StackSets, you can create products to deploy across multiple accounts and Regions.

   Using an administrator account, you define and manage a Service Catalog product and use it as the basis for provisioning stacks into selected target accounts across specified Regions. You need to have the necessary permissions defined in your AWS accounts.

   To set up the necessary permissions, follow the instructions in [Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) to create an **AWSCloudFormationStackSetAdministrationRole** and an **AWSCloudFormationStackSetExecutionRole**.

1. Create the stack set inline policy to enable the provisioning of a product across multiple Regions in one account, replacing the `arn` number string with your account number.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "sts:AssumeRole"
               ],
               "Resource": [
                   "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetExecutionRole"
               ],
               "Effect": "Allow"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "iam:GetRole",
                   "iam:PassRole"
               ],
               "Resource": "arn:aws:iam::123456789123:role/AWSCloudFormationStackSetAdministrationRole"
           }
       ]
   }
   ```

1. Add the following permissions (policies) to the user **SCEndUser**:
   + **AWSServiceCatalogEndUserFullAccess** - (AWS managed policy)
   + **StackSet** - (inline policy)
   + **AmazonS3ReadOnlyAccess** - (AWS managed policy)
   + **AmazonEC2ReadOnlyAccess** - (AWS managed policy)
   + **AWSConfigUserAccess** - (AWS managed policy)
   + **SSMOpsItemActionPolicy** - (inline policy)
   + **ConfigBidirectionalSecurityHubSQSBaseline** - (inline policy)
**Note**  
For Service Catalog products with CloudFormation StackSets, you need to include the read only permissions for the services you want to provision. For example, to provision an Amazon S3 bucket, include the **AmazonS3ReadOnlyAccess** policy to the **SCEndUser** role.

1. Also add a policy that allows the following on all resources (\*): **ssm:DescribeAutomationExecutions**, **ssm:DescribeDocument**, and **ssm:StartAutomationExecution**.

1. Review and choose **Create User**.

1. Note the access key ID and secret access key. Download the .csv file that contains the user credential information.

# Creating SCConnectLaunch Role
<a name="jsd-creating-scconnectlaunch-role"></a>

The following section describes how to create the **SCConnectLaunch** role. This role places baseline AWS service permissions into the Service Catalog launch constraints.

**To create SCConnectLaunch role**

1. Create the **AWSCloudFormationFullAccess** policy. Choose **create policy** and then paste the following in the JSON editor.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "cloudformation:DescribeStackResource",
                   "cloudformation:DescribeStackResources",
                   "cloudformation:GetTemplate",
                   "cloudformation:List*",
                   "cloudformation:DescribeStackEvents",
                   "cloudformation:DescribeStacks",
                   "cloudformation:CreateStack",
                   "cloudformation:DeleteStack",
                   "cloudformation:GetTemplateSummary",
                   "cloudformation:SetStackPolicy",
                   "cloudformation:ValidateTemplate",
                   "cloudformation:UpdateStack",
                   "cloudformation:CreateChangeSet",
                   "cloudformation:DescribeChangeSet",
                   "cloudformation:ExecuteChangeSet",
                   "cloudformation:DeleteChangeSet",
                   "s3:GetObject"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Create a policy called **ServiceCatalogSSMActionsBaseline**. Follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and paste the following into the JSON editor.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Stmt1536341175150",
               "Action": [
                   "servicecatalog:ListServiceActionsForProvisioningArtifact",
                   "servicecatalog:ExecuteProvisionedProductServiceAction",
                   "ssm:DescribeDocument",
                   "ssm:GetAutomationExecution",
                   "ssm:StartAutomationExecution",
                   "ssm:StopAutomationExecution",
                   "cloudformation:ListStackResources",
                   "ec2:DescribeInstanceStatus",
                   "ec2:StartInstances",
                   "ec2:StopInstances"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }
   ```

1. Create the **SCConnectLaunch** role. Assign the trust relationship to Service Catalog.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": "servicecatalog.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

1. Attach the relevant policies to the **SCConnectLaunch** role. Attach the following baseline IAM policies:
   + **AmazonEC2FullAccess** (AWS managed policy)
   + **AmazonS3FullAccess** (AWS managed policy)
   + **AWSCloudFormationFullAccess** (custom managed policy)
   + **ServiceCatalogSSMActionsBaseline** (custom managed policy)

**Note**  
You can use the available AWS CloudFormation templates for the JSM connector to configure your AWS account to enable AWS Service Catalog integration. This stack includes the *Sync user* and *End user* roles, which attach the required permissions for all available integrations. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/jsd-baseline-permissions.html).

# Configuring Service Catalog Integration
<a name="jsd-integration-configure-sc"></a>

After you create two IAM users with baseline permissions in each account, you can now configure Service Catalog. This section describes how to configure Service Catalog to have a portfolio that includes an Amazon S3 bucket product. Use the Amazon S3 template in [Creating an Amazon S3 Bucket for Website Hosting](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-s3.html#scenario-s3-bucket-website) for your preliminary product. Copy and save the Amazon S3 template to your device.

**To configure Service Catalog**

1. Follow the steps in [Step 3: Create an AWS Service Catalog Portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-portfolio.html) to create a portfolio.

1. To add the Amazon S3 bucket product to the portfolio you just created, enter the product details in the Service Catalog console on the **Upload new product** page.

1. For **Select template**, choose the Amazon S3 bucket CloudFormation template you saved to your device.

1. Set **Constraint type** to **Launch** for the product that you just created with the **SCConnectLaunch** role in the baseline permissions. For additional launch constraint instructions, see [AWS Service Catalog Launch Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html).

**Note**  
The AWS configuration design requires each Service Catalog product to have either a launch or StackSet constraint. Failure to follow this step can result in an *Unable to Retrieve Parameter* message within Jira Service Management Service Catalog.

# Creating Stack Set Constraint
<a name="creating-stackset-constraint"></a>

CloudFormation StackSets enable users to create products that deploy across multiple accounts and Regions. In Service Catalog, a stack set constraint allows you to configure product deployment options.

**To apply a stack set constraint to a Service Catalog product**

1. As an AWS Service Catalog administrator, choose the portfolio that contains the product to which you want to apply a constraint.

1. Expand **Constraints** and choose **Add constraints**.

1. Choose the product from **Product** and set **Constraint type** to **Stack Set**. Then choose **Continue**.

1. On the **Stack set constraint** page, enter a description.

1. Choose the accounts in which you want to create products.

1. Choose the Regions in which you want to deploy products. Products deploy in these Regions in the order that you specify.

1. Choose the **AWSCloudFormationStackSetAdministrationRole** role to manage your target accounts.

1. Choose the **AWSCloudFormationStackSetExecutionRole** role that the administrator role will assume.

1. Choose **Submit**.
**Note**  
You can use the available AWS CloudFormation templates for the JSM connector to configure your AWS account to enable AWS Service Catalog integration. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/jsd-baseline-permissions.html).

   Example stack set outputs:

   ```
   SCStackSetAdministratorRoleARN   arn:aws:iam::123456789123:role/AWSCloudFormationStackSetAdministrationRole
   SCIAMStackSetExecutionRoleName   AWSCloudFormationStackSetExecutionRole
   SCIAMAdminRoleARN                arn:aws:iam::123456789123:role/AWSCloudFormationStackSetAdministrationRole
   ```

   Note that Service Catalog products can have either a stack set or a launch constraint, but not both.

## Video: Integrate AWS products in your Jira Service Management portal
<a name="video-intro-jira"></a>

This video (11:22) describes how to integrate AWS products into your Jira Service Management portal. Jira Service Management enables end users to provision, manage, and operate AWS resources natively with Jira Service Management from Atlassian.

[![AWS Videos](http://img.youtube.com/vi/1AODGjhqufo/0.jpg)](http://www.youtube.com/watch?v=1AODGjhqufo)


# Configuring AWS Security Hub CSPM Integration
<a name="config-security-hub"></a>

AWS Security Hub CSPM enables users to view security findings from AWS services, such as Amazon GuardDuty and Amazon Inspector, as well as from AWS Partner solutions.

If you use both [AWS Security Hub](https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc) and [Jira Service Management](https://www.atlassian.com/software/jira/service-management) (JSM), the AWS Service Management Connector for JSM allows you to create an automated, bidirectional integration between Security Hub CSPM and JSM. This two-way integration synchronizes your Security Hub findings and Jira issues.

Specifically, as a Jira administrator, you can use this integration to automatically create Jira issues from Security Hub CSPM findings. When you update those tickets in Jira, the changes are automatically replicated back to the original Security Hub CSPM findings. For example, when you resolve the issue in Jira, the workflow status of the Security Hub CSPM finding also changes to `RESOLVED`. This action ensures Security Hub CSPM always has up-to-date information about your security posture.

**To configure AWS Security Hub CSPM integration features**

1. Enable AWS Security Hub CSPM. For more information, see [Accessing Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html#securityhub-get-started).

1. Set up an SQS queue to receive updated Findings. Name the queue **AwsSmcJsmSecurityHubQueue** to align with the default name in the JSM Connector Settings for the AWS Security Hub CSPM integration. For more information, see [Getting started with Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-getting-started.html).

1. Set up an Amazon EventBridge rule to detect changes to Findings and push these to the queue. For more information, see [Getting started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html).

   The EventBridge (formerly CloudWatch Events) rule should have the following event pattern and should point to the SQS queue created in Step 2.

   ```
   "EventPattern": {
       "source": [
           "aws.securityhub"
       ]
   }
   ```

1. You can also customize this CloudWatch Events rule to only pull in Security Hub CSPM findings that have specific finding types, severity labels, workflow statuses, or compliance statuses. For details about how to filter the event pattern, see [Configuring an EventBridge rule for automatically sent findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html) in the *AWS Security Hub User Guide*.

**Note**  
You can use the available AWS CloudFormation templates for the JSM connector to configure your AWS account to enable AWS Service Catalog integration. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/jsd-baseline-permissions.html).

## Video: Bidirectional integration with Atlassian Jira Service Management
<a name="video-intro-sh-jira"></a>

This video (8:40) describes how to set up a bidirectional integration with Atlassian Jira Service Management. This feature makes it easier for AWS Security Hub CSPM users to automatically create and update issues in Jira Service Management from AWS Security Hub CSPM findings and ensure that updates to those tickets are synced with the findings.

[![AWS Videos](http://img.youtube.com/vi/uEKwu0M8S3M/0.jpg)](http://www.youtube.com/watch?v=uEKwu0M8S3M)


# Configuring Support Integration
<a name="config-support"></a>

To enable the Connector to synchronize Support tickets, the account should have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan. For more information, see [Getting started with Support.](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html)

**Note**  
AWS Service Management Connector allows AWS Managed Services (AMS) Accelerate users to create Incidents and Service Requests through Jira Service Management. To ensure that your account has the required permissions to create AMS Accelerate (Accelerate) support cases, make sure you onboard your account to Accelerate. For more information, see [Getting Started with AMS Accelerate](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).

**To configure Support integration features**

1. Set up an SQS queue (in N. Virginia (us-east-1) for Commercial regions and US West (us-gov-west-1) for GovCloud regions) to receive updates on Support cases. Name the queue **AWSServiceManagementConnectorSupportQueue** to align with the default name within the JSM Connector Settings for the Support integration. For more information, see [Getting started with Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-getting-started.html).

1. Set up an Amazon EventBridge rule to detect changes to Support cases and push these to the queue. For more information, see [Getting Started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html).

   The Amazon EventBridge rule should have the following event pattern and should point to the SQS queue created in Step 2.

   ```
   "EventPattern": {
      "source": [
         "aws.support"
      ]
   }
   ```

**Note**  
You can use the available AWS CloudFormation templates for the JSM connector to configure your AWS account to enable AWS Service Catalog integration. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/jsd-baseline-permissions.html).

To create the SQS queue and EventBridge rule, use [Connector for Jira Service Management - AWS Support Commercial Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSMv1.9.0-AWS_Support_Configurations_Commercial.json) and [Connector for Jira Service Management AWS Support GovCloud West Region](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForJSMv1.9.0-AWS_Support_Configurations_GovCloud.json).
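The queue-and-rule setup used by both the Security Hub CSPM and Support procedures, as an added example (not the Connector's own CloudFormation template): it builds a severity-filtered Security Hub event pattern, builds an SQS queue policy that accepts messages only from the one EventBridge rule, and checks the pattern against constructed sample events with a simplified matcher. The account ID, Regions, rule names and sample events are assumptions; the queue names are the defaults named on this page.

```python
import json

# Default queue names from this page; everything else below is a placeholder.
SECURITY_HUB_QUEUE = "AwsSmcJsmSecurityHubQueue"
SUPPORT_QUEUE = "AWSServiceManagementConnectorSupportQueue"
ACCOUNT_ID = "111122223333"  # constructed placeholder account


def finding_pattern(severities=None, workflow_statuses=None):
    """Event pattern for Security Hub findings, optionally narrowed.

    With no arguments this is the page's base pattern (source only).
    """
    pattern = {"source": ["aws.securityhub"]}
    finding = {}
    if severities:
        finding["Severity"] = {"Label": sorted(severities)}
    if workflow_statuses:
        finding["Workflow"] = {"Status": sorted(workflow_statuses)}
    if finding:
        pattern["detail-type"] = ["Security Hub Findings - Imported"]
        pattern["detail"] = {"findings": finding}
    return pattern


def queue_policy(queue_arn, rule_arn):
    """SQS resource policy: only the named EventBridge rule may send."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgeRuleOnly",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            # Without this condition any rule in any account could target the queue.
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


def matches(pattern, event):
    """Simplified EventBridge matching (exact values only).

    A list in the pattern is a set of allowed values; a list in the
    event matches when any of its elements matches.
    """
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        candidates = have if isinstance(have, list) else [have]
        if isinstance(want, dict):
            if not any(isinstance(c, dict) and matches(want, c) for c in candidates):
                return False
        elif not any(c in want for c in candidates):
            return False
    return True


def sample_finding_event(label, status="NEW"):
    """Constructed sample of a Security Hub finding event (trimmed)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Severity": {"Label": label},
            "Workflow": {"Status": status},
        }]},
    }


def arn(service, region, resource):
    return f"arn:aws:{service}:{region}:{ACCOUNT_ID}:{resource}"


if __name__ == "__main__":
    pattern = finding_pattern(severities={"HIGH", "CRITICAL"})
    print(json.dumps(pattern, indent=2))
    for label in ("CRITICAL", "LOW"):
        print(label, "->", matches(pattern, sample_finding_event(label)))
    # Hypothetical rule names; Regions are placeholders except us-east-1,
    # which the page requires for the Support queue in Commercial Regions.
    for queue, region, rule in (
        (SECURITY_HUB_QUEUE, "eu-central-1", "rule/jsm-securityhub"),
        (SUPPORT_QUEUE, "us-east-1", "rule/jsm-support"),
    ):
        policy = queue_policy(arn("sqs", region, queue), arn("events", region, rule))
        print(json.dumps(policy, indent=2))
```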

# Configuring AWS Systems Manager Incident Manager Integration
<a name="jsd-integration-configure-incident-manager"></a>

To allow the Connector to synchronize Incidents from AWS Systems Manager Incident Manager for a specific Region, you must enable Incident Manager in that account and Region. For more information, see [What is AWS Systems Manager Incident Manager](https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html).

# Configuring Jira Service Management
<a name="jsd-integration-configure-jsd"></a>

The AWS Service Management Connector for Jira Service Management is a conventional Jira Service Management add-on. Add-ons are code changes to the Jira software that extend its functionality or extend the functionality of Jira Service Management software. The Connector for Jira Service Management add-on is available to download in the [Atlassian Marketplace](https://marketplace.atlassian.com/apps/1221283/aws-service-catalog-connector-for-jsd).

After completing the IAM and Service Catalog configurations, clear your web browser cache to remove previously rendered Jira Service Management forms, and then configure Jira Service Management. Installation tasks within Jira Service Management include:

**Topics**
+ [Installing Jira Service Management Connector add-on](install-jsd-connector.md)
+ [Configuring AWS Accounts and Regions](jsd-configure-accounts-regions.md)
+ [Configuring Service Catalog portfolios in Jira](config-SC-portfolios-jsd.md)

# Installing Jira Service Management Connector add-on
<a name="install-jsd-connector"></a>

 Follow these steps to install the Jira Service Management Connector add-on. 

1. Log in to your Jira instance as an admin.

1. From the admin menu, choose **Add-ons**.

1. On the **Manage add-ons** screen, choose **Find new apps** or **Find new add-ons** from the left side of the page.

1. Find **AWS Service Management Connector for JSM**. The search results should include app versions compatible with your Jira instance.

1. Choose **Install** to download and install your app. 

1. Proceed to **Configuring AWS Accounts and Regions**. 

Alternatively, download the [AWS Service Management Connector for Jira Service Management](https://servicecatalogconnector.s3.amazonaws.com/jira-servicedesk-connector-2.0.8-20240610-0810.obr) file.

1. Go to **Manage apps**.

1. Select **Upload app** and upload the OBR file.

1. Proceed to **Configuring AWS Accounts and Regions**. 

You can apply the Connector for Jira Service Management add-on to the supported Jira software (Jira Service Management) releases noted above.

# Configuring AWS Accounts and Regions
<a name="jsd-configure-accounts-regions"></a>

After you install the AWS Service Management Connector, you need to configure it. To do so, choose the Jira administration icon in the top right, then choose **Add-ons**.

1. From the Service Catalog section on the left navigation menu, choose **AWS Accounts**.

1. Choose **Connect new account**.

1. Enter the account alias (used to identify the AWS account in the Connector).

1. Enter the credentials for SC-sync-user. It is the access key identity and credentials for a sync user saved from the AWS configuration. SC-sync-user credentials can retrieve portfolios and products to make them available through Jira Service Management. You can set the allowed groups that can access them.

1. Enter the credentials for SC-end-user. It is the access key identity and credentials for the end user saved from the AWS configuration. The SC-end-user credentials provision products on behalf of a Jira user.

1. Add **AWS Regions**. Choose the Regions that contain the Service Catalog products and portfolios you want available in Jira Service Management.

1. Choose **Test Connectivity**.

1. Upon successful connection status, choose **Connect**.

**Note**  
We recommend the Sync user and End user be new users in AWS, used only with AWS Service Management Connector. These users should have minimum required privileges. You can use the available AWS CloudFormation templates for your sandbox and development AWS accounts to configure and enable available integrations. For more information, see [Baseline Permissions](https://docs.aws.amazon.com/smc/latest/ag/jsd-baseline-permissions.html).

# Configuring Service Catalog portfolios in Jira
<a name="config-SC-portfolios-jsd"></a>

This section describes how to configure AWS Service Catalog portfolios within Jira.

Once your account or accounts are set up and connectivity is successful, use the **AWS Account** page to manage, for each account, which groups can access each portfolio in each Region. You can expand and collapse each Region and edit and add groups for each portfolio. Only users in the designated groups have access to those products. By default, no groups have access.

**Note**  
At least one group must be associated to a Service Catalog portfolio for Jira Service Management end users to request AWS products.

**To provision products and portfolios**

1. Choose **AWS Accounts**.

1. Choose **Manage** for the AWS account in which you want to configure portfolios.

1. Under **Portfolios**, expand the Region associated with the account. Portfolios display under each Region.

1. In the **Permission to request** column, choose **Add groups** for the portfolios that you want to make visible in Jira Service Management. Select the group that you want to be able to see and request Service Catalog products.

   **Note**  
   Because the AWS Service Management Connector for Jira Service Management allows Jira users to provision AWS products in the portfolios their groups have access to, and to control those provisioned products, users should maintain security in their Jira accounts.

1. If products in this portfolio do not require approvals, choose **Save**.

# Jira Service Management Approvals for Products in Service Catalog Portfolios
<a name="jsd-product-approvals"></a>

The AWS Service Management Connector for Jira Service Management enables administrators to configure approvals for products at the portfolio level. All products in a portfolio that contain approval permissions require approval, so AWS and Jira administrators might need to collaborate on the Service Catalog portfolio structure.

**To configure the approval process**

1. Choose **AWS Accounts**.

1. Choose **Manage** on the AWS account for which you want to configure portfolio approvals.

1. In the **Permission to approve** column, choose **Add groups** for the portfolios that require product approvals.

1. Select **Require approval for provisioning**.

1. Under **Permission to approve**, choose **Add group**.

1. Choose **Save**.

**Note**  
If a portfolio only has a group associated with **Permissions to request**, products in the portfolio immediately provision when you submit the product request.

# Products and budgets
<a name="jsd-view-budgets"></a>

For reference, two other tabs in the **Admin - AWS Accounts - Manage** section let you view information on portfolios.

The **Available Products** tab lists the products in the portfolio and budgetary information on each. The **Budgets** tab gives overall budgetary information on the portfolio.

**Note**  
Find details about additional configurations for the AWS Service Catalog request form and Automated Tags in the next section Configuring Connector Settings.

# Configuring Connector Settings (Jira Project Enablement and Request Type)
<a name="jsd-configure-connector"></a>

In addition to configuring AWS accounts, the AWS Service Management Connector contains AWS services and UI settings (AWS Service Catalog) that enable projects and configure AWS Systems Manager OpsCenter.

**Note**  
There are no per-account settings for AWS Config and AWS Systems Manager Automation through the JSM Connector.

# Connector features enabled by default
<a name="connector-features-default"></a>

**To configure the default Connector features for specific AWS services**

For a new installation of Connector, we enable the default project configuration for all Connector features (AWS Service Catalog, AWS Config, AWS Systems Manager Automation, AWS Systems Manager OpsCenter, and AWS Security Hub CSPM). If you are upgrading an existing installation, for security reasons, we do not initially enable new features.
**Note**  
If you are using the AWS Security Hub CSPM integration, we recommend you also turn on AWS Config.  
If you use the AWS Config integration with JSM, this might add more resource details in JSM issues created for AWS Security Hub CSPM Findings. For example, if the original Finding has limited resource details, the Config resource enrichment provides fuller information.  
Also, if the resource no longer exists, the Config enrichment provides information about the resource status. If the resource details changed since the creation of the Finding, the Config enrichment provides the latest details, but it does not overwrite the original details.

1. In the left navigation menu, under **AWS Service Management**, select **Connector settings.**

1. At the top, under **Connector features enabled by default**, select or deselect each feature depending on whether you want projects that use the default configuration to be able to use it.

1. Choose **Save**.

# Configuring UI Settings (AWS Service Catalog)
<a name="settings-service-catalog"></a>

Configure the AWS Service Catalog product widget components to make them viewable to end users.

To address the varying personas of end users requesting AWS products, the Connector for Jira Service Management includes an add-on app setting to enable or disable components of the AWS product widget. By default, we enable AWS product components.

**To modify the AWS product view**

1. In the left navigation menu, under **AWS Service Management**, choose **AWS Connector settings**.

1. In the **UI settings** (Service Catalog) section, deselect any AWS product component such as:

   1. Allow the product name to be edited. (If unchecked, we provide an autogenerated name the user cannot edit.)

   1. Allow the user to select a launch option. (If unchecked, we select the default launch option and hide it.)

   1. Allow the user to select a product version. (If unchecked, we select the default product version and hide it.)

   1. Allow the user to add or edit tags. (If unchecked, we select the default values for tag options and hide it.)

   1. Allow user to create a plan for creation or update of a provisioned product. (If unchecked, we hide the plans section.)

1. Choose **Save**.

# Configuring projects enabled for the Connector
<a name="projects-connector"></a>

The AWS Service Management Connector for Jira Service Management requires the add-on to be associated to one or more Jira projects and for JSM request types. You can configure which Connector features are enabled for each Jira project.

**To configure the Jira projects for AWS Service Catalog, AWS Config, AWS Systems Manager Automation, AWS Systems Manager OpsCenter, AWS Security Hub CSPM, Support, and AWS Systems Manager Incident Manager.**

1. In the left navigation menu, under **AWS Service Management Connector**, choose **Connector settings**.

1. Under **Projects enabled for Connector**, you must enable at least one Jira project. You can [create a new Jira Service Management project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html) or add an existing one. Only users with access to the associated project can access the Connector. When you apply this update, the Connector adds the necessary issue types and other Jira items for AWS Service Catalog products to be available in those projects. You can return to this screen and add or remove projects at any time.

1. Projects initially take the default configuration for which Connector features are enabled. Choose **Edit** in a project row to change the configuration for individual projects. We permit projects to use more features than the default.

1. Choose **Save**.

   **Note**  
   For end users to be able to request AWS Service Catalog products, one or more projects must be enabled and users must have Jira permissions to create issues in the Jira project and Permission to Request in the Jira settings for the AWS Account for at least one portfolio with products.

   **AWS Systems Manager Automation enablement considerations**

   We currently do not support fine-grained permissions in Jira for which users and groups should be allowed to access which AWS Systems Manager automation documents. If you enable a project for Systems Manager Automation, then any user with permission to create issues in that project can run any of the automations. You can restrict access by limiting which users have access to projects with AWS Systems Manager Automation enabled.

# Associate Jira projects to the AWS Systems Manager OpsCenter integration
<a name="ops-center-config"></a>

Once you've enabled projects for the Connector, AWS Systems Manager OpsCenter requires Jira admins to associate Jira project(s) to this integration, as well as determine the full sync and delta sync intervals.

**To associate the Jira projects enabled for the Connector to the AWS Systems Manager OpsCenter integration features**

1. In the left navigation menu, under **AWS Service Management Connector**, choose **Connector settings**.

1. Create a [new Jira Service Management Project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html). Under **OpsCenter Configuration**, you must enable at least one Jira project. You can create a [new Jira Service Management project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html) or add an existing one. Only users with access to the associated project can access the Connector. When you apply this update, the Connector adds the necessary issue type to associated project(s). You can return to this screen and add or remove projects at any time.

1. Under **AWS Systems Manager OpsCenter Configuration**, in the **Full Sync Interval** and **Delta Sync Interval** fields, you can change the sync interval if you want. The **Full Sync** and **Delta Sync** intervals determine how often Jira Service Management syncs all OpsItems details, or only changes to them, respectively, with AWS Systems Manager OpsCenter. Increasing this number reduces the number of API calls to AWS, but increases the time for OpsItems updates to reflect in the Connector.

1. Choose **Save**.

# Associating Jira projects to the AWS Security Hub CSPM integration
<a name="secure-hub-config"></a>

After you've enabled projects for the Connector, AWS Security Hub CSPM requires Jira admins to associate Jira project(s) to this integration and to set the configurations that manage the Security Hub integration.

**To associate the Jira projects enabled for the Connector to the AWS Security Hub CSPM integration features**

1. In the left navigation menu under **AWS Service Management Connector**, choose **Connector settings**.

1. Create a [new Jira Service Management Project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html).

   Under **Security Hub Configuration**, you must enable at least one Jira project. You can create a [new Jira Service Management project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html) or add an existing project. Only users with access to the associated project can access the Connector.

   When you apply this update, the Connector adds the necessary issue type to associated project(s). You can return to this screen and add or remove projects at any time.

1. Under **AWS Security Hub CSPM Configuration**, in the **Sync Interval** field, you can change the sync interval if you want. **SQS Queue Name** and **Number of messages to pull from SQS** set the Amazon SQS queue and the polling size, respectively. **Synchronize AWS Security Hub CSPM Findings according to their Severity value** determines the Findings with specific severities that sync to the JSM project.

1. Choose **Save**.

# Associate Jira projects to the Support integration
<a name="support-config"></a>

After you enable projects for the Connector, Support integration requires Jira admins to associate Jira project(s) to this integration, as well as determine the SQS Queue Name and sync intervals.

**To associate the Jira projects enabled for the Connector to the Support integration features**

1. In the left navigation menu, under **AWS Service Management Connector**, choose **Connector settings**.

1. Create a [new Jira Service Management Project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html).

   Under **Support Configuration**, you must enable at least one Jira project. You can create a [new Jira Service Management project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html) or add an existing one. Only users with access to the associated project can access the Connector.

   When you apply this update, the Connector adds the necessary issue type to associated project(s). You can return to this screen and add or remove projects at any time.

1. Under **Support Configuration**, in the **Sync Interval** field, you can change the sync interval if you want. The **Sync Interval** determines how often Jira Service Management conducts syncs for all **AWS Services** and **AWS Categories**. **SQS Queue Name** identifies the Amazon SQS queue from which the Support case events sync to JSM.

1. Choose **Save**.

# Associating Jira projects to the AWS Systems Manager Incident Manager integration
<a name="sys-man-incident-man"></a>

Once you've enabled projects for the Connector, AWS Systems Manager Incident Manager integration requires Jira admins to associate Jira project(s) to this integration, as well as determine the full sync and delta sync intervals.

**To associate the Jira projects enabled for the Connector to the AWS Systems Manager Incident Manager integration features**

1. In the left navigation menu, under **AWS Service Management Connector**, choose **Connector settings**.

1. Create a new [Jira Service Management Project](https://confluence.atlassian.com/servicedeskserver043/setting-up-your-service-desk-974367545.html). Under **Incident Manager Configuration**, you must enable at least one Jira project. You can create a new Jira Service Management project or add an existing one. Only users with access to the associated project can access the Connector. When you apply this update, the Connector adds the necessary issue type to associated project(s). You can return to this screen and add or remove projects at any time.

1. Under **AWS Systems Manager Incident Manager Configuration**, in **Synchronization of the resolved status**, determine whether a resolution of an Incident from AWS should transition the corresponding Jira issue to the **Resolved** status or the inverse. The default sync interval for this integration is one minute.

1. Choose **Save**.

# Configuring core operational settings
<a name="core-ops-settings"></a>

**To configure operational settings for the AWS Service Management Connector for Jira Service Management**

1. In the left navigation menu, under **AWS Service Management Connector**, choose **Connector settings**.

1. Under **Core operational settings**, in the **Synchronization interval** field, you can change the sync interval if you want.

   This interval determines how often Jira Service Management syncs with AWS. Increasing this number reduces the number of API calls to AWS, but increases the time for updates in AWS portfolios and automation documents to reflect in the Connector. Information on actively provisioning products and ongoing automation executions updates more frequently.

1. Under **Core operational settings**, in the **JIRA Administrator to run as** field, you can change the admin user assigned to perform automated operations within JIRA.

   **Important**  
   The Connector performs many actions within Jira, and needs to do those actions as a Jira user. By default, Connector chooses the Jira Admin user with the lowest ID, which works for many environments.

   However, that approach might be the wrong strategy if the initial admin user has been disabled, or if there is a different admin user. For clarity within the Connector, it can be a good idea to create a new user called, for example, "AWS Connector Admin", and select that as the default user.

   We record actions performed automatically by the Connector as being performed by this user, such as synchronizing OpsItems from AWS or adding a comment for changes to an AWS provisioned product. These actions do not affect actions that end users perform, such as requesting a provisioned product or manually creating an OpsItem in Jira, which we record as the end user performing the action.

   This user should have global admin permissions, JSM permissions, and admin access to each of the AWS-enabled projects.

1. Choose **Save**.

**Note**  
We recommend no changes to entities that the plugin created, such as the addition of fields, workflows, issue types, screens, and so on.

# Configuring automated tags for AWS Service Catalog
<a name="auto-tags"></a>

The AWS Service Management Connector v1.9.0 enables Jira administrators to add tags (metadata) to AWS Service Catalog provisioned products globally across the add-on or granularly at the portfolio level. These tags are not visible to end users.

Two tag types are available in this release:
+ Generic tags in which the admin can enter the key and value.
+ AWS Service Catalog Request Type tags in which the admin can enter the following syntax for key and value:


**AWS Service Catalog Request Type tags**  

| Key | Value | 
| --- |--- |
| Project Code | \$1\$1PROJECT\$1CODE\$1 | 
| Project Name | \$1\$1PROJECT\$1NAME\$1 | 
| Project Name | \$1\$1ISSUE\$1ID\$1 | 
| Username | \$1\$1USERNAME\$1 | 
| Opened By | \$1\$1OPENED\$1BY\$1 | 

**To add generic AWS tags to AWS Service Catalog provisioned products in Jira Service Management**

1. In the left navigation menu, under **AWS Service Management**, select **Automated Tags**.

1. For Global level tags, enter the Key and Value entries. Under **Portfolio**, select **Global** (set by default). Choose the **\$1** icon to insert.

1. For Portfolio level tags, enter the Key and Value entries. Under **Portfolio**, select the Portfolio dropdown to choose the portfolio to associate with the tag. Choose the **\$1** icon to insert.

**To add in-scope request type AWS tags to AWS Service Catalog provisioned products derived from Jira Service Management**

1. In the left navigation menu, under **AWS Service Management**, choose **Automated Tags**.

1. For Global level tags, enter the Key and Value entries. Under **Portfolio**, select **Global** (set by default). Select the **\$1** icon to insert.

1. For Portfolio level tags, enter the Key and Value entries. Under **Portfolio**, select the Portfolio dropdown to choose the portfolio to associate with the tag. Choose the **\$1** icon to insert.

   After the product provisions, you can see in the AWS console that these tags are associated to the resource.

# Configuring project request type groups
<a name="jsd-configure-request-type"></a>

The AWS request type must be in a group for users to be able to access it in Jira Service Management. Enabling Jira projects, as described in [Configuring Connector Settings (Jira Project Enablement and Request Type)](jsd-configure-connector.md), makes AWS product request types available, but Jira Service Management users won't see the request type until you add it to a **Request Type Group**.

**To configure request types**

1. In the AWS Service Management Connector for Jira Service Management, go to the **Connector settings** page.

1. In the **Projects** section, choose **add the AWS request type**.

1. Choose **Add existing request type** in the upper right-hand corner.

1. Choose **Request AWS product** from the available request type.

1. Choose **Edit Groups** for the **Request AWS product** request type.

1. On the **Edit groups** form, choose **General**, then choose **Save**.

**Note**  
When you create a custom **Request AWS Product** request type for the Connector for Jira Service Management, you do not need to edit the **Request AWS Product** request type. You can add a request type to an existing group. If you don't have a group, create a new group and add the request type to it.

# Setting up AWS resources through Jira Service Management to natively manage resources
<a name="jsd-it-lifecycle"></a>

The AWS Service Management Connector for Jira Service Management allows Jira Service Management end users to provision, manage, and operate AWS resources natively through Atlassian's Jira Service Management.
+ AWS Config linked resources
+ Suggested AWS Systems Manager remediations for an issue

The Connector provides two fields to use for any issue.
+ *AWS Config Linked Resources*: enables any resource with an entry in AWS Config to have its AWS Config information displayed on the issue in Jira. You can expand and see the information. You can link multiple AWS resources to an issue.
+ *AWS Systems Manager Automation Suggested Remediation*: enables SSM automation documents to be recorded against an issue. They then display, as suggested, ways to correct the issue. When a Jira user views the issue, they can see these suggested remediations and choose to apply them. You can attach multiple suggested remediations to an issue.

You can use the two fields individually, but they work very well together. Upon detecting an incident on an AWS resource or set of resources, setting both allows a Jira user to see the configuration information to confirm or better understand the problem, apply remediations to fix common problems, and then confirm in the AWS Config information that the problem has been fixed.

**To add AWS fields to an existing issue**

1. You must enable the project or projects for the Connector in **Connector Settings** under **Admin -> Manage Add-Ons**, as described in the Connector setup guide.

1. In **Admin**, **Projects**, open the project in which you want to use these fields.

1. Choose the issue type you want to use in the menu at left.

1. Choose to view **Fields** in the top right (if not already selected). It should then show a list of fields enabled for the screen.

1. Scroll to the bottom where there should be a textbox where you can enter additional fields. Enter **AWS**, then choose the AWS field you want to use.

1.  Choose **Add** to apply. 

1. Repeat the previous step for the other field if you want to use it.

1. Repeat these steps for each issue type in which you want to use these fields. Some issue types might share screens, so the field might already be added for some.

It is also important to make a note of the field ID for the field or fields you are using. Choose **Admin -> Issues -> Custom fields** and select **Configure** on each field.

Inspect the opened URL to see the numeric field ID. It should be a 5-digit number.

Alternatively, for any issue in a project where you've added the field (following the instructions above), the REST API at `/rest/api/2/issue/PRJ-1/editmeta` (for example, `http://localhost:2990/jira/rest/api/2/issue/PRJ-1/editmeta`) will include information on the fields.

The REST API should contain an entry `customfield_#####: { ..., name: "AWS Config Linked Resources", ... }`, where `#####` is the numeric field ID.

Once these fields are enabled for projects and issue types, use the Jira REST API to create or update issues with values for these fields. You can use tools such as CloudWatch, AppDynamics, Jenkins, or a Systems Manager Automation Document (provided in the next section).

The REST API endpoint to update an issue is `/rest/api/2/issue/issue-key` and the general schema to pass to set a value is as follows:

```
{ "update": {
    "customfield_field-ID": [ {
      "set": "value"
    } ]
} }
```

See the examples below, or for more information on the REST API, see [JIRA Developer Documentation : Updating an Issue through the JIRA REST APIs](https://developer.atlassian.com/server/jira/platform/updating-an-issue-via-the-jira-rest-apis-6848604/).

# AWS Config Linked Resources
<a name="jsd-config-linked-resources"></a>

The **AWS Config Linked Resources** field should be set to the JSON string representation of a list of objects (maps) corresponding to the linked resources, each with the following keys:
+  *resourceId*: the ID of the resource in AWS Config 
+  *resourceType*: the type of the resource in AWS Config 
+  *accountName*: the name or alias of the AWS account configured in Jira that should be used to access this resource
+  *region*: the Region where AWS Config should be accessed to get information on this resource

For example, the following value would show information on the S3 bucket `my-bucket` in `eu-central-1`, using the account and end user credentials specified in Jira for the AWS account identified in Jira as `MyAccount1`:

```
[ { "resourceId": "my-bucket",
    "resourceType": "AWS::S3::Bucket",
    "accountName": "MyAccount1",
    "region": "eu-central-1" } ]
```

# AWS Systems Manager Automation Suggested Remediation
<a name="jsd-sys-remediation"></a>

The **AWS Systems Manager Automation Suggested Remediation** field should be set to the JSON string that represents a list of objects (maps) that correspond to the automation documents as remediations, each with the following keys:
+  *documentName*: the name of the Systems Manager automation document 
+  *description*: a description of the remediation to display in Jira; this may be different to the document description in AWS and might explain why it is a good remediation for the issue where this is being set 
+  *accountName*: the name or alias of the AWS account configured in Jira that should be used to access this resource
+  *region*: the Region where AWS Config should be accessed to get information on this resource

For example, the following value would suggest the `AWS-DisableS3BucketPublicReadWrite` automation document, with a description to show in Jira, to apply in `eu-central-1`, using the account and end-user credentials that are specified in Jira for the AWS account identified in Jira as `MyAccount1`:

```
[ { "documentName": "AWS-DisableS3BucketPublicReadWrite",
    "description": "This will make the bucket private, resolving the issue.",
    "accountName": "MyAccount1",
    "region": "eu-central-1" } ]
```

**Scripting Field Creation**  
As an example, the following bash script using curl links the above-noted resource to an issue and attaches a suggested remediation. The values used below assume Jira is at *localhost:2990/jira* with login *admin:admin*, the issue is *PRJ-1*, and the field IDs are 10011 (AWS Config linked resources) and 10010 (suggested remediation). These should be changed to reflect your environment.

1. Set the following to correspond to your environment and issue:

   ```
   JIRA_BASE_URL=http://localhost:2990/jira
   JIRA_USER_PASS=admin:admin
   ISSUE_KEY=PRJ-1
   ```

1. Set the field ID and edit the JSON record for an AWS Config resource to link.

   ```
   CUSTOM_FIELD_ID=customfield_10011
   # Write the list of linked resources to value.json
   cat > value.json << EOF
       [ { "resourceId": "my-bucket",
           "resourceType": "AWS::S3::Bucket",
           "accountName": "MyAccount1",
           "region": "eu-central-1" } ]
   EOF
   ```

1. Define a helper function to escape the JSON.

   ```
   # Encode the argument as a JSON string literal (quotes and newlines escaped)
   json_escape () {
       printf '%s' "$1" | python -c \
         'import json,sys; print(json.dumps(sys.stdin.read()))'
   }
   ```

1. Make the REST call to set the AWS Config Linked Resource field.

   ```
   curl -v -D- -X PUT -H "Content-Type: application/json" \
     --data '{ "update": { "'${CUSTOM_FIELD_ID}'": [ {"set": '"$(
        json_escape "$(cat value.json)")"' } ] } }' \
     -u ${JIRA_USER_PASS} ${JIRA_BASE_URL}/rest/api/2/issue/${ISSUE_KEY}
   ```

1. Set the field ID and edit the JSON record for a suggested remediation to attach.

   ```
   CUSTOM_FIELD_ID=customfield_10010
   # Write the list of suggested remediations to value.json
   cat > value.json << EOF
       [ { "documentName": "AWS-DisableS3BucketPublicReadWrite",
           "description": "This will make the bucket private, resolving the issue.",
           "accountName": "MyAccount1",
           "region": "eu-central-1" } ]
   EOF
   ```

1. Make the REST call to set the **AWS Systems Manager Automation Suggested Remediations** field.

   ```
   curl -v -D- -X PUT -H "Content-Type: application/json" \
     --data '{ "update": { "'${CUSTOM_FIELD_ID}'": [ {"set": '"$(
        json_escape "$(cat value.json)")"' } ] } }' \
     -u ${JIRA_USER_PASS} ${JIRA_BASE_URL}/rest/api/2/issue/${ISSUE_KEY}
   ```

The issue should then show AWS Config for the bucket and a suggested remediation to make it private.
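The field-ID lookup from `editmeta` and the string-encoded field values described above, as an added Python example that is not part of the original guide. The `editmeta` document and the record values are constructed samples, and the function names are hypothetical; the remediation description deliberately contains quotes and an apostrophe, which hand-built shell quoting does not handle.

```python
import json

# Keys each AWS field expects, as listed in the field descriptions above.
REQUIRED_KEYS = {
    "AWS Config Linked Resources":
        {"resourceId", "resourceType", "accountName", "region"},
    "AWS Systems Manager Automation Suggested Remediation":
        {"documentName", "description", "accountName", "region"},
}

# Constructed sample of a GET /rest/api/2/issue/PRJ-1/editmeta response,
# trimmed to the parts used here.
SAMPLE_EDITMETA = {
    "fields": {
        "summary": {"name": "Summary", "operations": ["set"]},
        "customfield_10011": {"name": "AWS Config Linked Resources",
                              "operations": ["set"]},
        "customfield_10010": {
            "name": "AWS Systems Manager Automation Suggested Remediation",
            "operations": ["set"]},
    }
}

# Constructed sample records.
SAMPLE_RESOURCES = [{"resourceId": "my-bucket",
                     "resourceType": "AWS::S3::Bucket",
                     "accountName": "MyAccount1",
                     "region": "eu-central-1"}]
SAMPLE_REMEDIATIONS = [{"documentName": "AWS-DisableS3BucketPublicReadWrite",
                        "description": 'Makes "my-bucket" private; it\'s safe to re-run.',
                        "accountName": "MyAccount1",
                        "region": "eu-central-1"}]


def find_field_id(editmeta, field_name):
    """Return the customfield_##### key whose 'name' equals field_name."""
    matches = [key for key, meta in editmeta.get("fields", {}).items()
               if meta.get("name") == field_name]
    if len(matches) != 1:
        raise LookupError(
            f"expected one field named {field_name!r}, found {len(matches)}")
    return matches[0]


def validate_records(field_name, records):
    """Reject records that lack a required key or hold a non-string value."""
    required = REQUIRED_KEYS[field_name]
    for index, record in enumerate(records):
        missing = required - set(record)
        if missing:
            raise ValueError(f"record {index} is missing {sorted(missing)}")
        for key in required:
            if not isinstance(record[key], str) or not record[key]:
                raise ValueError(f"record {index}: {key} must be a non-empty string")


def build_update(editmeta, field_name, records):
    """Build the body for PUT /rest/api/2/issue/<issue-key>."""
    validate_records(field_name, records)
    field_id = find_field_id(editmeta, field_name)
    # The field value is a JSON *string*: the record list is serialized here,
    # then escaped a second time when the whole body is serialized.
    return {"update": {field_id: [{"set": json.dumps(records)}]}}


def encode_body(payload):
    """Serialize the request body; json.dumps does all of the escaping."""
    return json.dumps(payload)


if __name__ == "__main__":
    for name, records in (
            ("AWS Config Linked Resources", SAMPLE_RESOURCES),
            ("AWS Systems Manager Automation Suggested Remediation",
             SAMPLE_REMEDIATIONS)):
        print(encode_body(build_update(SAMPLE_EDITMETA, name, records)))
```

Send the printed body with the `PUT` call from the steps above, for example through `curl --data @file`, so that no JSON passes through shell quoting.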

# Creating issues with suggestions and a linked AWS resource from AWS Systems Manager
<a name="jsd-create-issues-linked-resource"></a>

A Systems Manager Automation Document can automatically create a Jira issue with the fields set to have a linked AWS resource and up to three suggested remediation documents.

To install this automation document, download and extract the [JSM Connector Create Remediation Issue Automation and IT Lifecycle Demo.zip](https://servicecatalogconnector.s3.amazonaws.com/JSDConnector-create-remediation-issue-automation-and-it-lifecycle-demo.zip) that contains two files:
+ *JSMConnector-CreateRemediationIssue.ssmdoc.yaml*
+ *JSMConnector-function.zip*

**Follow these steps**

1. Upload the file *JSMConnector-function.zip* to a bucket. In the following command, replace `${BUCKET}` with the appropriate bucket:

   ```
   aws s3 cp JSMConnector-function.zip s3://${BUCKET}/function.zip
   ```

1. Create the Systems Manager Automation Document, called **JSMConnector-CreateRemediationIssue**, with the contents from the file *JSMConnector-CreateRemediationIssue.ssmdoc.yaml* and an attachment `Key=SourceUrl,Values=s3://${BUCKET}/`, using the bucket name from the previous step as `${BUCKET}`. In the following command, replace `${BUCKET}` with that bucket name:

   ```
   aws ssm create-document --name "JSMConnector-CreateRemediationIssue" --content "file://JSMConnector-CreateRemediationIssue.ssmdoc.yaml" --document-type "Automation" --document-format "YAML" --attachments "Key=SourceUrl,Values=s3://${BUCKET}/" 
   ```

Once installed, enter the parameters and run it. Note that it requires many of the same parameters described previously to connect to Jira.

 You should then see an issue in Jira with AWS Config information and the suggested remediation shown. 

## Sample Use Case: Automatically Creating Issues for IT Lifecycle Management - Remediating non-compliant public S3 buckets
<a name="jsd-sample"></a>

Once you enable the fields for an issue and create the Systems Manager Automation Document, you can set up rules to automatically create Jira issues for common problem categories in AWS. You can also include suggested remediations to make it easy for Jira agents and end users to see problems and fix them.

This demo creates a Config Rule in AWS, which detects public S3 buckets and makes it possible for Jira agents or end users to disable public access directly from Jira.

You should set up prerequisites, roles for the automation and Lambda to execute, and the Jira password as a secure string in Systems Manager Parameter Store.

**To store the Jira password securely in Parameter Store**

1. Open the AWS Console and go to **Systems Manager -> Parameter Store**.

1. Choose **Create parameter**.

1. Set the name as **jira_password**.

1. Set the type as **SecureString**.

1. Set the value as the password for the Jira user to create issues.

1. To save, choose **Create parameter**.

A CloudFormation template assists in setting up the role and configuration rule: **JSMConnector-CreateRemediationIssue-MakePublicBucketsPrivateConfigRule.cfn.yaml**

Install the template, setting the following parameters:
+ **JiraURL**: the base URL to your Jira, such that appending */rest/...* after it accesses the REST API
+ **JiraUsername**: the username to log in to Jira (with the password specified in *jira_password*)
+ **SSMParameterName**: *jira_password* (the parameter containing the Jira password)
+ **ProjectKey**: the key of the project (the token before the *-n* in an issue), such as *PRJ*.
+ **IssueTypeName**: must exactly match the name of the issue type on the project in Jira
+ **JiraAwsAccountName**: the name of the AWS Account as configured in the Connector in Jira
+ **JiraAwsAccountRegion**: the Region of this violating resource, e.g. *us-east-1*
+ **JiraAwsResourceFieldId**: the field ID of the AWS Config Linked Resources field in Jira, such as *customfield_10011*.
+ **JiraRemediationsFieldId**: the field ID of the **AWS Systems Manager Automation Suggested Remediation** field in Jira, such as *customfield_10010*.

The Config Rule runs automatically within the period specified. To see it in action immediately:

1. Create a public Amazon S3 bucket.

1. Open the Config Rule in AWS Config and choose **Re-evaluate**. The rule and the automation can take a short while to run, but within a few minutes you should see a new issue in Jira with AWS Config information for the bucket, which is in violation and suggests the **DisableS3BucketPublicReadWrite** automation document as a remediation.

# Validating AWS Service Management Connector configurations for Jira Service Management
<a name="jsd-validate-configurations"></a>

You can validate the AWS Service Management Connector for Jira Service Management installation procedures.

**Topics**
+ [Validating Service Catalog integration](validate-sc.md)
+ [Validating AWS Systems Manager Automation integration](jsd-sys-automation.md)
+ [Validating AWS Systems Manager OpsCenter integration](opscenter.md)
+ [Validating Support integration](jsd-support-validation.md)
+ [Validating AWS Systems Manager Incident Manager integration](validate-sys-man-incident.md)
+ [Validating AWS Security Hub CSPM integration](jsd-security-hub.md)

# Validating Service Catalog integration
<a name="validate-sc"></a>

 To validate Service Catalog integration, order a Service Catalog product or view provisioned products. 

**To order a Service Catalog product**

1. Log in to your Jira Service Management customer portal as the end user. 

1. In the Jira Service Management customer portal, choose **Request AWS product**.

1. Enter **Summary** details.

1. Open the **AWS product request detail** menu and select a product to provision.

1. Fill in the product request details, including product reference name, parameters, and tags.

1. Choose **Create** to submit the Jira Service Management request and provision the Service Catalog product.

1. After the request processes, a message appears indicating that your request was created. When the product is ready to provision, the end user receives a notification that the product is launching.

**To view provisioned products**

1. In the Jira Service Management customer portal, choose **Requests** in the upper right corner.

1. Choose **My Requests** in the Jira Service Management customer portal view.

1. Choose the AWS product you requested.

1. The AWS product details display, including the status of the product request, product events, and activities.

1. If that Connector feature is available, AWS Config information appears. You can expand **Configuration Items** or **Relationships** to see more information. Related resources can be loaded by continuing to expand them underneath the **Relationships** section.

1. Once the product is in the **Available** status, end users can request post-provision operations actions such as **Request update**, **Request termination**, and **Request self-service actions**. These actions render additional product events and activities within the request. Once the product terminates, the request closes in a resolved state.

# Validating AWS Systems Manager Automation integration
<a name="jsd-sys-automation"></a>

 To validate AWS Systems Manager Automation integration, execute an automation document and view automation executions. 

**To execute an automation document**

1. Log in to your Jira Service Management customer portal as the end user. 

1. In the Jira Service Management customer portal, choose **Request AWS automation**.

1. Enter **Summary** details.

1. Open the **AWS automation request detail** menu and choose an automation document to execute.

1. Enter the automation request details, parameters, and tags.

1. Choose **Create** to submit the Jira Service Management request and execute the AWS Systems Manager Automation Document.

1. After the request processes, a message indicates the completion of the request. As the automation executes, the end user receives a notification of progress.

**To view automation executions**

1. In the Jira Service Management customer portal, choose **Requests** in the upper right corner.

1. Choose **My Requests** in the Jira Service Management customer portal view.

1. Choose the AWS automation execution you requested. The AWS automation execution details display and include the status of the execution, request details, and steps.

# Validating AWS Systems Manager OpsCenter integration
<a name="opscenter"></a>

To validate AWS Systems Manager OpsCenter integration, view or create OpsItems.

**To view OpsItems in Jira Service Management from AWS Systems Manager**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to OpsCenter.

1. Choose **Open Issues** and select the **OpsItem** from AWS that you want to view.

**To create AWS Systems Manager OpsItems in Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose **Create**. 

1. In the **Create Issue** field input the following details:
   + **Project**: Auto-populated.
   + **Issue Type**: Choose **AWS OpsItem** if you have multiple issue types.
   + **Summary**: Input Summary Details.
   + **Description**: Input Description.
   + **Priority**: Choose the appropriate Priority (default value is Low).
   + **Severity**: Choose the appropriate Severity (required for AWS OpsItem).
   + **Category**: Choose the appropriate Category (required for AWS OpsItem).
   + **Region**: Choose the appropriate AWS Region (required for AWS OpsItem).

1. Choose **Create**.
**Note**  
The newly created OpsItem from Jira Service Management displays in the AWS account view of OpsItem on the next sync between AWS and Jira Service Management.

**To update AWS Systems Manager OpsItems in Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to OpsCenter.

1. Choose **Open Issues** and select the **OpsItem** from AWS that you want to update.

1. Choose **Edit Issue**.

1. Update fields available such as Summary, Description, Priority, Severity, Category. The **Resolved** button in the OpsItem issue is also available to select upon resolution.
**Note**  
Updates to OpsItem fields from Jira Service Management display in the AWS account view of OpsItem on the next sync between AWS and Jira Service Management.

**To view AWS related resources in AWS Systems Manager OpsItems through Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to OpsCenter.

1. Choose **Open Issues** and select the **OpsItem** from AWS.

1. Choose the AWS related resource section of the OpsItem selected. This section displays the related resource details.

**To execute runbooks on AWS Systems Manager OpsItems through Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to OpsCenter.

1. Choose **Open Issues** and select the **OpsItem**.

1. Choose the OpsItem section of AWS Runbooks. An OpsItem that contains associated runbooks displays a list of the automation documents available. (See them next to the star-shaped symbol.)
   + Choose **Execute** on the desired runbook. An **Execute Runbook from OpsItem** screen displays.
   + Enter the workflow parameter details associated to the runbook. The runbook will not execute successfully without the correct parameter inputs.
   + Enter metadata tags details if applicable.
   + Select **Create**. An **Execute AWS Systems Manager Automation Request** issue generates and provides the execution status.

   OpsItems without associated runbooks are still able to run automated documents.

**To run automated documents not associated with runbooks**

1. In the OpsItem, choose **Show All Runbooks**. A list of AWS Runbooks displays.

1. To narrow the list of runbooks available, enter details into the search bar above the first listed runbook.

1. Choose **Execute** on the desired runbook. An **Execute Runbook from OpsItem** screen displays.

1. Enter the workflow parameter details associated to the runbook. The runbook will not execute successfully without the correct parameter inputs. 

1. Enter metadata tags details if applicable.

1. Choose **Create**. An **Execute AWS Systems Manager Automation Request** issue displays and provides the execution status.

# Validating Support integration
<a name="jsd-support-validation"></a>

This section describes how to create, view, and manage integration features for Support.

**To view Support cases from Support as Jira incidents**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to Support.

1. Choose **Incidents** and select the Incident related to the Support case in AWS.

**To create a general Support case as a Jira incident**

1. Log in to your Jira Agent view as an end user.

1. In the Jira Service Management Jira Agent view, choose the Jira project associated to Support.

1. Choose **Create** from list header and select Issue Type as **Incident**.

1. Complete the mandatory fields on the form.

   Under the Jira Issue Fields section
   + **Summary** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **Priority** – Severity of the AWS Support case

   Under Support fields section
   + **Create Support case** – Check this box to create support case
   + **Support Service and Category** – AWS Service and Category of the support case
   + **AWS Cc Email Addresses** – Add cc email addresses to the Support case (not mandatory)

1. Choose **Create**.

1. Choose the Incident you created from the list. The **AWS Case Id** and **AWS Case Status** display.

**For AWS managed services Accelerate customers to create AMS Accelerate Report Incident in Jira**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to Support.

1. Choose **Create** from list header and select Issue Type as **Incident**.

1. Complete the mandatory fields on the form.

   Under **Jira Issue Fields** section
   + **Summary** – Brief summary of the question or issue
   + **Description** – Detailed account of the question or issue
   + **Priority** – Severity of the Support case

   Under **Support fields** section
   + **Create Support case** – Check this box to create support case
   + **AWS Support Service and Category** – Select AMS Operations – Service Request and choose category
   + **AWS Cc Email Addresses** – Add cc email addresses to the Support case (not mandatory)

1. Choose **Create**.

1. Choose the Incident you created from the list. The **AWS case Id** and **AWS case status** display.

**To add a correspondence and attachment to an existing Support case in Jira incident**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to Support.

1. Choose **Incidents** and select the Incident related to the Support case in AWS.

1. Use the **Add Comment** action, or scroll to the bottom of the form and choose **Click to add comment**, to add a correspondence with or without attachments.

1. Choose **Share with customer**.

**To resolve a Support case in Jira**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to Support.

1. Choose **Incidents** and select the Incident related to the Support case in AWS.

1. In the Jira Incident form, choose an action from **Workflow**, **Resolve**.

1. Complete the required mandatory fields.

1. Choose **Resolve**.



**Fields mapped from Support case records to Jira Service Management Incident records**

**Status**: We map Support case status values to JSM state.


| JSM incident status | Support case status | 
| --- | --- | 
| OPEN | Unassigned | 
| OPEN | Opened | 
| WORK IN PROGRESS | Work in progress | 
| WORK IN PROGRESS | Reopened | 
| PENDING | Pending customer action | 
| COMPLETED | Resolved | 

**Priority**: We map Support case severity to JSM Incident Priority.


| AWS severity | JSM incident priority | 
| --- | --- | 
| General Guidance | Minor | 
| System Impaired | Low | 
| Production System Impaired | Medium | 
| Production system down | High | 
| Business Critical system down | Blocker | 

# Validating AWS Systems Manager Incident Manager integration
<a name="validate-sys-man-incident"></a>

This section describes how to validate AWS Systems Manager Incident Manager integration in Jira.

**To view Incident Manager incidents**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to AWS Systems Manager Incident Manager.

1. Use [Jira filters](https://confluence.atlassian.com/servicemanagementserver/saving-your-search-as-a-filter-939937027.html) to show only issues with the Issue Type **AWS Incident**.

The resulting list displays all synced Incidents.

**To view Incident Manager incident details**

1. Log in to your **Jira Agent view** as an end user.

1. In the **Jira Service Management Jira Agent view**, choose the Jira project associated to AWS Systems Manager Incident Manager.

1. Use [Jira filters](https://confluence.atlassian.com/servicemanagementserver/saving-your-search-as-a-filter-939937027.html) to show only issues with the Issue Type **AWS Incident**.

1. Choose **Issue Id (Key)** to open the AWS Incident.

1. Review the details of the AWS Incident from the issue.

1. (Optional) Choose the AWS Incident URL to open the incident in the AWS Incident Manager console.

If AWS Systems Manager integration is enabled, an OpsItem is linked to the AWS Incident.

**To resolve an Incident Manager incident**

1. Log in to your **Jira Agent view** as an end user.

1. In the **Jira Service Management Jira Agent view**, choose the Jira project associated to AWS Systems Manager Incident Manager.

1. Use [Jira filters](https://confluence.atlassian.com/servicemanagementserver/saving-your-search-as-a-filter-939937027.html) to show only issues with the Issue Type **AWS Incident**.

1. Choose **Issue Id (Key)** to open the AWS Incident you want to resolve.

1. Choose **Resolve**.



**Fields mapped from Incident Manager incidents to Jira issue records**

This table shows how AWS Incident Manager Incidents map to a Jira issue.


| AWS Incident Management Incident | Jira AWS Incident | 
| --- | --- | 
| TITLE | Summary | 
| SUMMARY | Description | 
| INCIDENT ARN | AWS Incident ARN | 
| AWS ACCOUNT | AWS Account ID | 
| AWS REGION | AWS Region | 
| STATUS | AWS Incident Status | 
| START TIME | AWS Creation Time | 
| RESOLVED TIME | AWS Resolved Time | 
| UPDATED TIME | AWS Last Updated Time | 
| AWS INCIDENT URL | AWS Incident URL | 
| IMPACT | Priority | 

Incident Status is an integer in Jira Service Management. Jira Service Management Connector maps Incident Manager incident status values to Jira status values.


| AWS Incident Management Incident Status | Jira AWS Incident Status | 
| --- | --- | 
| Open | OPEN | 
| Resolved | RESOLVED | 

Jira Service Management Connector maps **Priority - Impact** of an AWS Incident to the priority of the corresponding JIRA issue.


| AWS Incident Management Incident Impact | Jira AWS Incident Priority | 
| --- | --- | 
| Critical | Blocker | 
| High | High | 
| Medium | Medium | 
| Low | Low | 
| No Impact | Minor | 

# Validating AWS Security Hub CSPM integration
<a name="jsd-security-hub"></a>

This section describes how to view AWS Security Hub CSPM Findings, update AWS Systems Manager OpsItems, and view AWS related resources in AWS Systems Manager OpsItems in Jira Service Management.

**To view AWS Security Hub CSPM Findings in Jira Service Management from AWS Systems Manager**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to the AWS Security Hub CSPM Finding.

1. Choose **Open Issues** and select the **AWS Security Hub CSPM Finding** from AWS that you want to view.

**To update AWS Security Hub CSPM Finding in Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to AWS Security Hub CSPM Finding.

1. Choose **Open Issues** and select the AWS Security Hub CSPM Finding from AWS that you want to update.

1. Choose **Edit Issue**.

1. Update the fields available, such as **Severity**, **Priority**, and **Criticality**.

1. Choose **Update** to save the details.

**Note**  
Updates to Security Hub Finding fields from Jira Service Management display in the AWS account view of Findings on the next sync between AWS and Jira Service Management. Only the fields Severity, Priority, and Criticality update in the AWS account from Jira Service Management.

**To view AWS related resources in AWS Security Hub CSPM Findings through Jira Service Management**

1. Log in to your **Jira Agent** view as an end user.

1. In the **Jira Service Management Jira Agent** view, choose the Jira project associated to AWS Security Hub CSPM Finding.

1. Choose **Open Issues** and select the AWS Security Hub CSPM Finding.

1. In the selected AWS resources section of the AWS Security Hub CSPM Finding, you see the related resource details. If the resources relate and the AWS Config integration is active in the Connector, you can drill down on the Config resource details and relationships. The section remains empty if AWS resources do not relate in AWS Security Hub CSPM.

   AWS Security Hub CSPM findings follow the [AWS Security Finding Format](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) (ASFF). Here’s a mapping of fields from AWS Security Hub CSPM findings to JSM Incident records.


| JIRA issue field | Security Hub ASFF field | 
| --- | --- | 
| Created | CreatedAt | 
| Updated | UpdatedAt | 
| Summary | Title | 
| Priority | Severity.Label | 
| Status | Workflow.Status | 

**Note**  
Jira does not duplicate findings. If a Security Hub CSPM finding is sent to Jira with the same finding ID as one previously sent to Jira, Jira updates the ticket with the most recent information in the finding.

# Jira approvals and access controls
<a name="jsd-admin-features"></a>

The following sections describe approvals and access controls that are available in Jira.

**Approvals**

The approval agent has access to a screen with the options to approve or reject the product request. For a rejection, the agent can add a comment explaining the rejection of the request. The requester is able to see the status of the request, such as *Waiting for Approval*, *Scheduled*, *Launching*, or *Available*.

Changes to approver group members do not impact approvers identified for pre-existing issues, but do affect whether we permit approval. Only approver users assigned to the issue at the time of issue creation can approve the request. The approver user must still be a member of the group to issue an approval. Otherwise, we reject the request.

As with Service Catalog, all post-provision actions, including termination, receive pre-approval for the user or group approved to provision it.

**Access controls**

You can set access controls on portfolios, as described earlier in this guide. Those access controls are in addition to the per-project enablement: users must have access to an AWS Connector-enabled project and belong to the groups enabled for a portfolio to provision products in that portfolio.