

End of support notice: On March 31, 2027, AWS will end support for AWS Service Management Connector. After March 31, 2027, you will no longer be able to access the AWS Service Management Connector console or AWS Service Management Connector resources. For more information, see [AWS Service Management Connector end of support](https://docs.aws.amazon.com/smc/latest/ag/smc-end-of-support.html). 

# Setting up AWS Service Management Connector for ServiceNow
<a name="sn-start"></a>

Before installing the AWS Service Management Connector for ServiceNow, verify that you have the necessary permissions in your AWS account and ServiceNow instance.

**Topics**
+ [AWS Service Management Connector for ServiceNow prerequisites](aws-prereqs.md)
+ [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md)
+ [Creating Connector for ServiceNow users](create-sc-users.md)
+ [Configuring core ServiceNow components](sn-config-core-components.md)

# AWS Service Management Connector for ServiceNow prerequisites
<a name="aws-prereqs"></a>

Make sure you have AWS and ServiceNow prerequisites configured before you get started.
+ **AWS Service Catalog with the Connector** — You must have an AWS account to configure your AWS portfolios and products. For details, refer to [Setting up for Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/setup.html) and [Using AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html).
+ **AWS Config details** — Configure the service settings to record data for the resource types of interest. We recommend you include provisioned products and CloudFormation stacks, in addition to the major resource types that your team uses. For more information, see [Setting up AWS Config with the console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html). This version of the Connector enables the import of aggregated Config data in a single AWS account from more than one AWS Region or account. To use this feature, you must configure an aggregator in AWS. For more information, see [Setting up an aggregator using the console](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html). 
+ **AWS Systems Manager Automation with the Connector** — This feature requires no AWS-side setup. As standard, AWS provides a number of automation documents (runbooks). If you want additional automation documents (runbooks), retrieve them in the Connector. For more information, see [Working with Automation Runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html).
+ **AWS Systems Manager OpsCenter with the Connector** — You must enable the service in all Regions and accounts where you want to sync OpsItems. For more information, see [Getting started with OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html).
+ **AWS Security Hub CSPM with the Connector** — You must enable the service in all Regions and accounts where you want to sync Findings. For details, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). We recommend you connect ServiceNow with the primary (main) AWS account for AWS Security Hub CSPM. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html).
+ **Support with the Connector** — Your account must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan to use support integration with the Connector.
+ **AWS Systems Manager Change Manager with the Connector** — You must enable the service in all Regions and accounts where you want to sync change templates. The AWS Systems Manager Change Manager integration of AWS Service Management Connector introduces a curated version of the integration. It allows customers to execute pre-approved change templates that contain at least one Automation Runbook and does not require approvals during execution from ServiceNow. For more information, see [Setting up Change Manager.](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager-setting-up.html)
+ **AWS Systems Manager Incident Manager with the Connector** — You must enable Incident Manager in all AWS Regions and accounts from where you want to sync the incidents. For details, see [Setting up for AWS Systems Manager Incident Manager.](https://docs.aws.amazon.com/incident-manager/latest/userguide/setting-up.html)
+ **AWS Health with the Connector** — Your account must have a [Business](https://aws.amazon.com/premiumsupport/plans/business/) or [Enterprise](https://aws.amazon.com/premiumsupport/plans/enterprise/) Support plan to use AWS Health integration with the Connector.
+ **ServiceNow instance** — You need a ServiceNow instance to install the ServiceNow Connector scoped application. The initial installation should occur in either an enterprise sandbox or a [ServiceNow Personal Developer Instance](https://developer.servicenow.com/app.do#!/document/content/app_store_doc_getting_started_newyork_topic_lyf_bf2_3r?v=newyork) (PDI), depending on your organization’s technology governance requirements. The ServiceNow administrator needs the admin role to install the Connector for ServiceNow scoped application.

# Setting baseline permissions for AWS Service Management Connector for ServiceNow
<a name="sn-base-perms"></a>

This section describes how to configure Identity and Access Management (IAM) permissions, AWS Service Catalog, and other AWS services to use AWS Service Management Connector for ServiceNow.

To use a CloudFormation template to set up the AWS configurations of the Connector for ServiceNow, refer to the AWS configurations for Connector for ServiceNow for [AWS commercial Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-AWS_Configurations_Commercialv5.0.0.json), [AWS GovCloud Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-AWS_Configurations_GovCloudv5.0.0.json), and [AWS China Regions](https://servicecatalogconnector.s3.amazonaws.com/SM_ConnectorForServiceNow-Amazon_Configurations_Chinav5.0.0.json).

**Note**  
The CloudFormation template creates IAM users with permissions to all existing integrations, and *is intended to enable all supported integrations in a sandbox or developer ServiceNow instance*. For quality-assurance and production, you must apply least-privilege permissions based on the integrations enabled through the connector. Review the [Creating Connector for ServiceNow users](create-sc-users.md) section for additional information.

**Note**  
If you choose to use the Connector for ServiceNow AWS Configuration template, go to the [AWS Service Catalog Administrator Guide ](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html). 

# Creating Connector for ServiceNow users
<a name="create-sc-users"></a>

 For each AWS account, the Connector for ServiceNow requires two users:
+ **AWS Sync User**: A user that syncs AWS resources (such as portfolios, products, automation documents (runbooks), OpsItems, Incident Manager incidents, change templates and requests, configuration items, and security Findings), AWS support cases, and AWS Health events and resources to ServiceNow.
+ **AWS End User**: A user who can provision products as an end user, execute requests, and view resources that ServiceNow exposes. This role includes any required roles to provision and execute. 

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage IAM user access keys properly](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).

# Creating the AWS Service Management Connector Sync user
<a name="scsyncuser"></a>

This section describes how to create the AWS Sync user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users. The following steps to create a Sync user and End user are not required if you use the CloudFormation template to deploy the permissions. Review [Setting baseline permissions for AWS Service Management Connector for ServiceNow](sn-base-perms.md) for more information. 

**Note**  
The CloudFormation template to set up the AWS configurations of the Connector for ServiceNow creates the Sync user and End user with the required permissions for all the supported integrations. 

**To create AWS Service Management Connector sync user**

1. Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a sync user (SMSyncUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions. 

1. Set permissions for your sync user (SMSyncUser). Choose **Attach existing policies directly** and select:
   + **`AWSServiceCatalogAdminReadOnlyAccess`** (AWS managed policy)
   + **`AmazonSSMReadOnlyAccess`** (AWS managed policy)
   + **`AWSConfigUserAccess`** (AWS managed policy)
   + **`AWSSupportAccess`** (AWS managed policy)

1. Create this policy: `ConfigBidirectionalPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor: 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "cloudformation:RegisterType",
                   "cloudformation:DescribeTypeRegistration",
                   "cloudformation:DeregisterType",
                   "config:PutResourceConfig"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```

   The provided AWS Configuration template consists of two policies: `ConfigBiDirectionalPolicy` and `SecurityHubPolicy`.

1. Create this policy: `SecurityHubPolicy`. Then follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": [
                   "sqs:ReceiveMessage",
                   "sqs:DeleteMessage"
               ],
               "Resource": "arn:aws:sqs:us-east-1:111122223333:QueueName",
               "Effect": "Allow"
           },
           {
               "Action": [
                   "securityhub:BatchUpdateFindings"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```


1. Create this policy: `OpsCenterExecutionPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:CreateOpsItem",
                   "ssm:GetOpsItem",
                   "ssm:UpdateOpsItem",
                   "ssm:DescribeOpsItems"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Create this policy: `AWSIncidentBaselinePolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": [
                   "ssm-incidents:ListIncidentRecords",
                   "ssm-incidents:GetIncidentRecord",
                   "ssm-incidents:UpdateRelatedItems",
                   "ssm-incidents:ListTimelineEvents",
                   "ssm-incidents:GetTimelineEvent",
                   "ssm-incidents:UpdateIncidentRecord",
                   "ssm-incidents:ListRelatedItems",
                   "ssm:ListOpsItemRelatedItems"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```


1. [Optional] Create this policy: `AWSChangeManagerCloudtrailPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": [
                   "cloudtrail:DescribeQuery",
                   "cloudtrail:ListEventDataStores",
                   "cloudtrail:StartQuery",
                   "cloudtrail:GetQueryResults"
               ],
               "Resource": "*",
               "Effect": "Allow"
           }
       ]
   }
   ```


1. Create this policy: `DescribeWorkSpacesPolicy`. Then follow the instructions in [Creating IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) and add this code in the JSON editor:

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Action": ["workspaces:DescribeWorkspaces"],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }
   ```


1. Add a policy that allows `budgets:ViewBudget` on all resources (`*`).

1. Review and choose **Create User**. 

1. Note the access and secret access information. Download the .csv file that contains the user credential information.

**Note**  
To align with best practices, AWS recommends periodically rotating IAM user access keys. For more information, refer to [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys).
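
The rotation recommendation in the two notes above can be checked from the IAM credential report. The following is an added example, not part of the AWS documentation or the Connector: it parses a constructed excerpt of the report (trimmed to the columns used) and lists active keys of the two Connector users that are older than a threshold. The 90-day limit and the function name are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Assumption of this example: rotate keys at least every 90 days.
MAX_KEY_AGE_DAYS = 90

# The two IAM users this guide creates for the Connector.
CONNECTOR_USERS = {"SMSyncUser", "SMEndUser"}

# Constructed sample in the layout of the IAM credential report,
# trimmed to the columns this check reads. Values are made up.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
SMSyncUser,arn:aws:iam::111122223333:user/SMSyncUser,true,2024-01-10T09:00:00+00:00,false,N/A
SMEndUser,arn:aws:iam::111122223333:user/SMEndUser,true,2024-05-20T09:00:00+00:00,true,2023-11-02T09:00:00+00:00
OtherUser,arn:aws:iam::111122223333:user/OtherUser,true,2020-01-01T09:00:00+00:00,false,N/A
"""


def stale_connector_keys(report_csv, now, users=CONNECTOR_USERS,
                         max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_in_days) for active keys past the limit."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] not in users:
            continue  # only the Connector's users are in scope here
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key ("N/A" timestamps)
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days
            if age_days > max_age_days:
                stale.append((row["user"], f"access_key_{slot}", age_days))
    return stale


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    for user, slot, age in stale_connector_keys(SAMPLE_REPORT, as_of):
        print(f"{user}: {slot} is {age} days old, rotate it and update ServiceNow")
```

A second active key on the same user, as on the constructed `SMEndUser` row, usually means a rotation was started and the old key was never deactivated.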

# Creating the AWS Service Management Connector end user
<a name="scenduser"></a>

This section describes how to create the AWS Service Management Connector end user and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

**To create AWS Service Management Connector end user**

1.  Follow the instructions in [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) to create a user (SMEndUser). The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

    For products using CloudFormation StackSets, you need to create a StackSet inline policy. With CloudFormation StackSets, you are able to create products across multiple accounts and Regions. 

   Using an administrator account, you define and manage a Service Catalog product. You also use it to provision stacks into selected target accounts across specified Regions. You need to have the necessary permissions defined in your AWS accounts. 

   To set up the necessary permissions, see [Granting Permissions for Stack Set Operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). Follow the instructions to create an `AWSCloudFormationStackSetAdministrationRole` and an `AWSCloudFormationStackSetExecutionRole`. 

1. Add the following permissions (policies) to the user:
   + `AWSServiceCatalogEndUserFullAccess` (AWS managed policy)
   + `StackSet` (inline policy) - For Service Catalog products with stack sets, you need to modify the SMEndUser to include the Read Only permissions for the services you want to provision. For example, to provision an Amazon S3 bucket, include the `AmazonS3ReadOnlyAccess` policy to the `SMEndUser`.
   + `OpsCenterExecutionPolicy`
   + `AmazonEC2ReadOnlyAccess` (AWS managed policy)
   + `AmazonS3ReadOnlyAccess` (AWS managed policy)

# Creating the SCConnectLaunch role
<a name="scconnectlaunchrole"></a>

The `SCConnectLaunch` role is an IAM role that places baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duty through provisioning product resources for ServiceNow end users. 

The `SCConnectLaunch` role baseline contains permissions to Amazon EC2 and Amazon S3 services. If your products contain more AWS services, you must either include those services in the `SCConnectLaunch` role or create new launch roles.

This section describes how to create the `SCConnectLaunch` role. This role places baseline AWS service permissions in the Service Catalog launch constraints. For more information, see [Service Catalog Launch Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html).

**To create SCConnectLaunch role**

1. Create this policy: `AWSCloudFormationFullAccess` policy. Choose **create policy** and add this code in the JSON editor:

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect":"Allow",
            "Action":[
               "cloudformation:DescribeStackResource",
               "cloudformation:DescribeStackResources",
               "cloudformation:GetTemplate",
               "cloudformation:List*",
               "cloudformation:DescribeStackEvents",
               "cloudformation:DescribeStacks",
               "cloudformation:CreateStack",
               "cloudformation:DeleteStack",
               "cloudformation:GetTemplateSummary",
               "cloudformation:SetStackPolicy",
               "cloudformation:ValidateTemplate",
               "cloudformation:UpdateStack",
               "cloudformation:CreateChangeSet",
               "cloudformation:DescribeChangeSet",
               "cloudformation:ExecuteChangeSet",
               "cloudformation:DeleteChangeSet",
               "s3:GetObject"
            ],
            "Resource":"*"
         }
      ]
   }
   ```

**Note**  
`AWSCloudFormationFullAccess` includes additional permissions for ChangeSets.

1. Create this policy: `ServiceCatalogSSMActionsBaseline`. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html), and add this code in the JSON editor:

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Sid":"Stmt1536341175150",
            "Action":[
               "servicecatalog:AssociateResource",
               "servicecatalog:DisassociateResource",
               "servicecatalog:ListServiceActionsForProvisioningArtifact",
               "servicecatalog:ExecuteProvisionedProductServiceAction",
               "ssm:DescribeDocument",
               "ssm:GetAutomationExecution",
               "ssm:StartAutomationExecution",
               "ssm:StopAutomationExecution",
               "ssm:StartChangeRequestExecution",
               "cloudformation:ListStackResources",
               "ec2:DescribeInstanceStatus",
               "ec2:StartInstances",
               "ec2:StopInstances"
            ],
            "Effect":"Allow",
            "Resource":"*"
         },
         {
            "Effect":"Allow",
            "Action":"iam:PassRole",
            "Resource":"*",
            "Condition":{
               "StringEquals":{
                  "iam:PassedToService":"ssm.amazonaws.com"
               }
            }
         }
      ]
   }
   ```

1. Create the `SCConnectLaunch` role. Then assign the trust relationship to Service Catalog.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": "servicecatalog.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

1. Attach the relevant policies to the `SCConnectLaunch` role. 

   We recommend you customize and scope your launch policies to the specific AWS Services, which are in the associated CloudFormation template for the given Service Catalog product. 

   For example, to provision EC2 and S3 products, your role policies are as follows:
   + `AmazonEC2FullAccess` (AWS managed policy)
   + `AmazonS3FullAccess` (AWS managed policy)
   + `AWSCloudFormationFullAccess` (custom managed policy)
   + `ServiceCatalogSSMActionsBaseline` (custom managed policy)
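
The scoping recommendation above, and the earlier note requiring least-privilege permissions outside sandbox instances, can be supported by a mechanical first pass over each policy document. The following is an added example, not AWS's or the Connector's code: a heuristic reviewer run over two policies from this page (the second abbreviated) and one constructed loose policy. The finding names and the list of read-only verb prefixes are assumptions of this example.

```python
import json

# Policies from this page; SSM_ACTIONS_BASELINE is abbreviated to a few actions.
SECURITY_HUB_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
   "Resource": "arn:aws:sqs:us-east-1:111122223333:QueueName"},
  {"Effect": "Allow", "Action": ["securityhub:BatchUpdateFindings"],
   "Resource": "*"}]}""")

SSM_ACTIONS_BASELINE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "servicecatalog:AssociateResource", "ssm:DescribeDocument",
     "ssm:StartAutomationExecution", "ec2:StartInstances", "ec2:StopInstances"]},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}}]}""")

# Constructed for contrast: PassRole with no service condition, plus a wildcard verb.
LOOSE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:PassRole", "cloudformation:List*"],
   "Resource": "*"}]}""")

# Assumption: verbs with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "View")


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def review_policy(name, policy):
    """Return (location, finding, detail) tuples that deserve a human look.

    Findings are review prompts, not verdicts: some actions do not support
    resource-level permissions and legitimately need "Resource": "*".
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"{name}[{index}]"
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        # 1. Wildcards inside the action name widen the grant silently
        #    whenever the service adds new API calls.
        for action in actions:
            verb = action.partition(":")[2]
            if action == "*" or verb == "*":
                findings.append((where, "wildcard-action", action))
            elif "*" in verb:
                findings.append((where, "partial-wildcard-action", action))

        # 2. State-changing actions granted on every resource.
        if "*" in resources:
            mutating = sorted(
                a for a in actions
                if not a.partition(":")[2].startswith(READ_ONLY_PREFIXES))
            if mutating:
                findings.append(
                    (where, "mutating-on-all-resources", ",".join(mutating)))

        # 3. iam:PassRole should be pinned to a service, as this page's policy does.
        if any(a.lower() == "iam:passrole" for a in actions):
            condition = stmt.get("Condition", {})
            pinned = any(key.lower() == "iam:passedtoservice"
                         for operator in condition.values() for key in operator)
            if not pinned:
                findings.append(
                    (where, "unrestricted-passrole", "no iam:PassedToService"))
    return findings


if __name__ == "__main__":
    for label, doc in [("SecurityHubPolicy", SECURITY_HUB_POLICY),
                       ("ServiceCatalogSSMActionsBaseline", SSM_ACTIONS_BASELINE),
                       ("LoosePolicy", LOOSE_POLICY)]:
        for finding in review_policy(label, doc):
            print(*finding, sep=" | ")
```

Each `mutating-on-all-resources` line is a candidate for replacing `"Resource": "*"` with the ARNs of the resources that the enabled integration actually touches.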

# Configuring core ServiceNow components
<a name="sn-config-core-components"></a>

This section describes how to configure core components in ServiceNow.

**Note**  
 Before installing the AWS Service Management scoped app, we recommend you clear the ServiceNow platform and your browser cache.   
Ensure that you install the update set in a non-production or sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

**Topics**
+ [Activating ServiceNow plugins](sn-activate-plugins.md)
+ [Installing ServiceNow Connector scoped application](sn-install-connector.md)
+ [Configuring Connector using Guided Setup](sn-guided-setup.md)
+ [Platform system administrator components](sn-configure-connector.md)
+ [ServiceNow permissions for administrators of the Connector scoped app](sn-permissions-admin.md)
+ [Configuring AWS Service Management Connector scoped application](sn-configure-sc-connector-scoped-app.md)
+ [Configuring AWS accounts to synchronize in the Connector](sn-configure-accounts.md)
+ [Validating ServiceNow connectivity to AWS Regions](validate-regions.md)
+ [Manually syncing scheduled jobs](manual-sync-scheduled-jobs.md)

# Activating ServiceNow plugins
<a name="sn-activate-plugins"></a>

AWS Service Management Connector uses three ServiceNow plugins to provide useful components to the integration features:
+ User Criteria Scoped API (for AWS Service Catalog integration)
+ Discovery and Service Mapping Patterns (for AWS Config integration)
+ Change Management – Change Model Foundation Data (for AWS Systems Manager Change Manager integration)

**To activate the User Criteria Scoped API plugin**

1.  In your ServiceNow dashboard, enter **plugins** into the navigation panel in the upper left. 

1.  When the **System Plugins** page populates, next to the **Name** dropdown, search for **User Criteria**. 

1.  Choose **User Criteria Scoped API** and then choose **Activate**. 

**To activate the Discovery and Service Mapping Patterns plugin**

1. In your ServiceNow dashboard, enter **plugins** into the navigation panel in the upper left.

1.  When the **System Plugins** page populates, next to the **Name** dropdown, search for **Discovery**. 

1.  Choose **Discovery and Service Mapping Patterns** and then choose **Activate**. 

**Note**  
This plugin is free and aligns to the CMDB tables outside of ServiceNow’s family release CMDB updates. 

**To activate the Change Management – Change Model Foundation Data plugin**

1. In your ServiceNow dashboard, enter **plugins** in the navigation panel in the upper left.

1. When the System Plugins page populates, next to the **Name** dropdown, search for **Change Management**.

1. Choose **Change Management - Change Model Foundation Data** and then choose **Activate**.

# Installing ServiceNow Connector scoped application
<a name="sn-install-connector"></a>

The AWS Service Management Connector for ServiceNow is a conventional, scoped application that was developed and released through a ServiceNow update set. Update sets are code changes to the base platform that let developers move code across ServiceNow instances.

Download and install a certified version of the connector for no additional cost from the following locations:
+ [ ServiceNow store](https://store.servicenow.com/sn_appstore_store.do#!/store/application/f0b117a3db32320093a7d7a0cf961912/)
+ [ ServiceNow update set](https://servicecatalogconnector.s3.amazonaws.com/AWS_SC_update_set_5.1.12.zip): AWS Service Management Connector offers an update set for users who want to install the connector application in a ServiceNow Personal Developer Instance (PDI) or sandbox environment. 

If you don't already have a ServiceNow instance, start with the following first step. If you already have a ServiceNow instance, use the previous links to download and install the connector.

To install the connector, complete the following steps.

**Obtain a ServiceNow instance**

1. Open [ Obtaining a Personal Developer Instance](https://developer.servicenow.com/dev.do#!/guides/rome/developer-program/pdi-guide/obtaining-a-pdi).

1. Create ServiceNow developer program credentials.

1. Follow the instructions for requesting a ServiceNow instance.

1. Capture your instance details, including URL, administrative ID, and temporary password credentials.

**To install the update set**

1.  In your ServiceNow dashboard, enter **update sets** into the navigation panel in the upper left. 

1.  Choose **Retrieved Update Sets** from the results. 

1.  Choose **Import Update Set from XML** and upload the release XML file. 

1.  Choose the **AWS Service Management Connector for ServiceNow** update set. 

1.  Choose **Preview Update Set**, which makes ServiceNow validate the Connector update set. 

1.  Choose **Update**. 

1.  Choose **Commit Update Set** to apply the update set and create the application. This procedure should complete 100%. 

# Configuring Connector using Guided Setup
<a name="sn-guided-setup"></a>

The Connector for ServiceNow includes a Guided Setup mechanism to enable customers to configure and mark complete ServiceNow installation components for the AWS Service Management Connector.

Guided Setup enables the customers to plan the roll-out of the Connector and perform the basic configurations of the Connector to launch it across ServiceNow staged environments.

The Connector Guided Setup:
+ Provides a direct set of links to the pages in the ServiceNow instance where you can perform the configuration.
+ Tracks completed tasks so you can stop and start again where you left off.
+ Enables less maneuvering between AWS documentation and the ServiceNow instance.
+ Coordinates the deployment and configuration of the Connector for individuals and teams.

**Note**  
Only ServiceNow admin users can access the Guided Setup to configure the Connectors. 

**To configure Connector using Guided Setup**

1. Log in to your ServiceNow instance as an admin user.

1. Enter **AWS Service Management Connector** in the left filter navigator.

1. Choose **Guided Setup**.

1. Review details on the Guided Setup homepage and choose **Get Started**.

1. Review details on each section.

1. To perform a task, select the task and choose **Configure**.

1. After completion of the task, choose **Mark as Complete**.

   To skip sections or tasks that do not apply to you, choose **Skip**.

# Platform system administrator components
<a name="sn-configure-connector"></a>

To enable the AWS Service Management Connector scoped application named **AWS Service Management**, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

**Create a discovery source AWS Service Management Connector entry**

You must create a new discovery data source, AWS Service Management Connector. 

**To enable AWS to report discovered CIs into your CMDB**

1.  Choose **System Definition**. Then select **Choice Lists**.

1.  Choose **New**. 

1.  Create a new entry with these details: 
   + **Table:** **Configuration Item [cmdb_ci]**
   + **Element:** **discovery_source**
   + **Label:** **AWS Service Management Connector**
   + **Value:** **AWS Service Management Connector**

**Note**  
Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

# Administering AWS Service Management Connector Dashboard
<a name="admin-dashboard"></a>

As the system administrator, you can restrict access to the dashboard and its reports for specific users, roles or groups. 

**To restrict access to the connector dashboard**

1. In the ServiceNow instance, navigate to the AWS Service Management Connector dashboard. 

1. Choose the **Share** icon and then select **Add users, groups, or roles**. 

1. Add the users, groups, or roles that require access to the dashboard. 

1. (optional) You can also restrict access to the reports available in the dashboard. For detailed instructions, review [ Administering reports](https://docs.servicenow.com/bundle/utah-now-intelligence/page/use/reporting/concept/c_AdminsteringReports.html) in the *ServiceNow product documentation*. 

# Enabling permissions on ServiceNow Platform
<a name="sn-enable-permissions"></a>

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table. 

**To view AWS Service Catalog products (Catalog Item Category)**

1. Enter **Tables** in the Navigator and choose **System Definition**, then choose **Tables**.

1. In the list of tables, search for a table with label **Catalog Item Category** (or with the name `sc_cat_item_category`). The list of tables displays. 

1. Choose **Category** to view the form defining the table.

1. Choose the **Application Access** tab on the form and select **Can Create**, **Can Update**, and **Can Delete** on the form. 

1. Choose **Update**.

**To enable the connector to control visibility of Service Catalog products on Service Portal through Allowed Groups**
**Note**  
This step is only required if the Application Access is not already enabled in your ServiceNow instance. Additionally, Service Management Connector recommends that you enable the `User Criteria Scope API` plugin. 

1. Enter **Tables** in the Navigator and choose **System Definition**, then choose **Tables**.

1. In the list of tables, search for a table with label **Catalog Item Available for** (or with the name `sc_cat_item_user_criteria_mtom`). The list of tables displays. 

1. Choose **Category** to view the form defining the table.

1. Choose the **Application Access** tab on the form and select **Can Create** and **Can Update** on the form. 

1. Choose **Update**.

# ServiceNow permissions for administrators of the Connector scoped app
<a name="sn-permissions-admin"></a>

The AWS Service Management scoped app has two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more users privileges to administer the application, without having to open full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

**To set up Connector application administrator privileges**

1. Enter **Users** in the navigator and select **System Security – Users**. 

1. Choose a user to grant one or both previous roles (such as admin). You can also [Administer the Now Platform](https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/general/concept/intro-now-platform-landing.html). 

1.  Choose **Edit** on the **Roles** tab of the form. 

1. Filter the collection of roles by the prefix **x_126749_aws_sc**.

1. Choose one or more of the following and add them to the user: **x_126749_aws_sc_account_admin**, **x_126749_aws_sc_portfolio_manager**, **x_126749_aws_sc.appregistry_manager**, **x_126749_aws_sc.automation_manager**, **x_126749_aws_sc.finding_manager**, **x_126749_aws_sc.opscenter_manager**, **x_126749_aws_sc.support_case_manager**, **x_126749_aws_sc.change_manager_manager**, **x_126749_aws_sc.productsearchaccess**, **x_126749_aws_sc.cloudtrail_event_user**, and **x_126749_aws_sc.health_dashboard_viewer**.

1.  Choose **Save**. 

**To add Service Catalog to ServiceNow Service Catalog categories**

1.  Choose **Self Service**, then **Service Catalog**, and select the **Add content** icon in the upper right. 

1. Choose the **AWS Service Catalog Product** entry. To add it to your catalog home page, choose the first **Add Here** link on the second row of the selection panel at the bottom of the page. 

**To add AWS Systems Manager automation documents (runbook) to ServiceNow Service Catalog categories**

1. Choose **Self Service**, then **Service Catalog**, and select the **Add content** icon in the upper right.

1. Select the **AWS Systems Manager** entry. To add it to your catalog home page, choose the first **Add Here** link on the second row of the selection panel at the bottom of the page.

**Note**  
 This Connector release displays all AWS Systems Manager documents in the AWS account that has AWS Systems Manager selected. 

System administrators can deactivate AWS Systems Manager document requests. To deactivate requests, choose **AWS Systems Manager**, **Automation Documents**, and deselect **Active**. After deactivation of the document, you no longer see the document in the ServiceNow Service Catalog. 

The Connector creates closed change requests on post provision actions (such as update, terminate and self-service) for AWS Service Catalog products visible in ServiceNow. 

To achieve a closed change request from post provisioned actions, add a change request type and configure the `sys_id` for the group assigned to the closed change records in the Connector AWS Service Catalog system properties.

**To add a change request type for closed change request from post provisioned actions**

1. If you upgrade from a previous version of the AWS Service Management scoped app, you must remove the **AWS Product Termination** change request type before you create a new change request type. 

1.  You must add a new change request type called **AWS Provisioned Product Event** for the scoped application to trigger an automated change request in Change Management. For more information, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html). 

1. Open an existing change request. 

1. Open (right-click) the context menu for **Type** and then choose **Show Choice List**. 

1.  Choose **New** and complete these fields: 
   + **Table**: **Change Request**
   + **Label**: **AWS Provisioned Product Event**
   + **Value**: **AWSProvisionedProductEvent**
   + **Sequence**: pick the next unused value

1. Submit the form.

**To add a change request type for executing AWS Systems Manager Change Manager change templates**

You must add a new change request type called `AWSChangeRequest` for the scoped application to view and execute AWS Change Manager change templates in ServiceNow Change Management. For more information, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html).

1. Open an existing change request.

1. Open (right-click) the context menu for **Type** and then choose **Show Choice List**.

1. Choose **New** and complete these fields:
   + Table: **Change Request**
   + Label: **AWS Change Request**
   + Value: **AWSChangeRequest**
   + Sequence: pick the next unused value

1. Submit the form.

**To enable AWS Systems Manager Change Manager integration Change models**

AWS Systems Manager Change Manager integration in ServiceNow requires the Change Model feature in ServiceNow.

1. In the navigator, enter **sys_properties.list**.

1. Enter **\*change_model** in the **Search** panel to view and edit the properties. 

1. Review the available settings and recommendations in the table below.

**Note**  
For more information on Change model system properties, see [IT Service Management](https://docs.servicenow.com/bundle/washingtondc-it-service-management/page/product/it-service-management/reference/r_ITServiceManagement.html).


| Available settings | Desired value | 
| --- | --- | 
|  com.snc.change_management.change_model.hide |  false  | 
| com.snc.change_management.change_model.type_compatibility |  true  | 


**ServiceNow Permissions Recap**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/sn-permissions-admin.html)

# Configuring AWS Service Management Connector scoped application
<a name="sn-configure-sc-connector-scoped-app"></a>

After installing and configuring the AWS Service Management Connector, you must configure the scoped application and applicable roles.

**To configure the AWS Service Management Connector scoped application permissions**

1. In your ServiceNow instance, create a user group called **Order_AWS_Products**. 

   Members of this group can order Service Catalog products. For instructions, see [Administer the Now Platform.](https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/general/concept/intro-now-platform-landing.html)

1. Grant ServiceNow permissions to these users: 
   + **System Administrator (admin)**: For simplicity in this example, user **admin** is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter: **x_126749_aws_sc_account_admin**, **x_126749_aws_sc_portfolio_manager**, **x_126749_aws_sc.appregistry_manager**, **x_126749_aws_sc.automation_manager**, **x_126749_aws_sc.finding_manager**, **x_126749_aws_sc.opscenter_manager**, **x_126749_aws_sc.support_case_manager**, **x_126749_aws_sc.change_manager_manager**, **x_126749_aws_sc.productsearchaccess**, **x_126749_aws_sc.cloudtrail_event_user**, and **x_126749_aws_sc.health_dashboard_viewer**.

     Add **System Administrator** to the new ServiceNow group **Order_AWS_Products**. In a real scenario, these roles would likely be granted to different users or groups. 
   + **Abel Tuter**: The user **abel.tuter** is an illustrative end user. Grant Abel the new role **Order_AWS_Products**. This permission allows Abel to order products from AWS.
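
Because the example above grants every Connector role to **admin** for simplicity, a periodic review of role assignments helps confirm that a production instance splits them across users. The following script is an added example, not part of the Connector or of the original guide: the `{ user, role }` row shape, the sample users, and the finding labels are assumptions, and the role names are copied from the list above.

```javascript
// Added example: audit who holds the Connector's scoped-app roles.
// Role names are copied from the role list in this guide.
const CONNECTOR_ROLES = [
  "x_126749_aws_sc_account_admin",
  "x_126749_aws_sc_portfolio_manager",
  "x_126749_aws_sc.appregistry_manager",
  "x_126749_aws_sc.automation_manager",
  "x_126749_aws_sc.finding_manager",
  "x_126749_aws_sc.opscenter_manager",
  "x_126749_aws_sc.support_case_manager",
  "x_126749_aws_sc.change_manager_manager",
  "x_126749_aws_sc.productsearchaccess",
  "x_126749_aws_sc.cloudtrail_event_user",
  "x_126749_aws_sc.health_dashboard_viewer",
];
const PREFIX = "x_126749_aws_sc";

// rows: [{ user, role }] is an assumed shape for a role-assignment export.
function auditConnectorRoles(rows) {
  const byUser = new Map();
  for (const { user, role } of rows) {
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(role.trim());
  }
  const findings = [];
  for (const [user, roles] of byUser) {
    const scoped = [...roles].filter((r) => r.startsWith(PREFIX));
    if (scoped.length === 0) continue; // holds no Connector role
    // Scoped roles exist so that full platform admin is not needed.
    if (roles.has("admin"))
      findings.push({ user, issue: "platform-admin-and-connector-role" });
    if (CONNECTOR_ROLES.every((r) => roles.has(r)))
      findings.push({ user, issue: "holds-every-connector-role" });
    // A prefixed role that is not in the list may be a typo or stale grant.
    for (const r of scoped)
      if (!CONNECTOR_ROLES.includes(r))
        findings.push({ user, issue: "unlisted-role", role: r });
  }
  return findings;
}

// Constructed sample data, not taken from a real instance.
const SAMPLE_ROWS = [
  ...CONNECTOR_ROLES.map((role) => ({ user: "admin", role })),
  { user: "admin", role: "admin" },
  { user: "sec.analyst", role: "x_126749_aws_sc.finding_manager" },
  { user: "ops.lead", role: "x_126749_aws_sc.opscentre_manager" }, // misspelled
  { user: "abel.tuter", role: "itil" },
];
console.log(auditConnectorRoles(SAMPLE_ROWS));
```
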

# Configuring AWS accounts to synchronize in the Connector
<a name="sn-configure-accounts"></a>

 Learn how to configure AWS accounts to synchronize in the Connector. 

1. Log in as the system administrator. 

1. Enter **AWS** in the navigator. Choose the **AWS Service Management** scoped app.

1. In the **Accounts** menu, create one entry for every AWS account. Use the keys and secret keys from the users you created in AWS. 

**To create an account entry**

1. Enter the name as an account entry identifier, such as **Connector_Demo** (for Commercial Region), or **Connector_Demo_GovCloud** (for GovCloud Region).

1. Enter the access key and secret access key from the AWS account *sync user* IAM configurations.

1. Enter the access key and secret access key from the AWS account *end user* IAM configurations.

1. Choose the visible AWS service integrations for this AWS account. The choices include:
   + Integrate with Service Catalog (including AppRegistry)
   + Integrate with AWS Config

     Choose AWS Config if you plan to integrate AWS Config cloud resources per each AWS account or through the latest AWS Config aggregator integration feature. The Connector for ServiceNow includes an AWS Config aggregator feature that enables ServiceNow administrators to align aggregated AWS Config details into one AWS account.

     If you plan to view AppRegistry related resources details, choose **AWS Config** with **AWS Service Catalog**.
   + Integrate with AWS Systems Manager Automation

     Choose AWS Systems Manager Automation if you want to execute automation documents (runbook) to remediate incidents from OpsItems. 
   + Integrate with AWS Systems Manager OpsCenter
   + Integrate with AWS Security Hub CSPM
   + Integrate with Support
   + Integrate with AWS Systems Manager Change Manager
   + Integrate with AWS Health
   + Integrate with AWS Systems Manager Incident Manager

1. Choose **Account Regions**. Select the **Commercial** or **GovCloud Region**. To see the AWS account Regions, double-click **Insert a new row…**. 
**Note**  
AWS Support API uses a specific GovCloud endpoint for GovCloud accounts to enable Support integration for GovCloud accounts. Choose a GovCloud Region in Account Regions when you onboard the account in ServiceNow. 

1. Repeat the step above to insert additional Regions.

1. Save or update the account entries.

1. Validate AWS account connectivity by following the steps in [Validating connectivity to AWS Regions](validate-regions.md). Note that in this Connector for ServiceNow, **Validate Accounts** only appears once after you submit or update the account entry. 
**Note**  
AWS Service Management Connector allows synchronization of updated keys using any automation or integration through a REST endpoint. For more information, see [Syncing updated keys programatically in ServiceNow](sn-sync-keys.md). 

# Validating ServiceNow connectivity to AWS Regions
<a name="validate-regions"></a>

You can now validate connectivity to AWS accounts between the ServiceNow **Connector_Demo** account and the AWS IAM `SMSyncUser` and `SMEndUser`. 

**To validate connectivity to AWS account**

1.  In the AWS Service Management scoped app, choose **Setup**, then **AWS Accounts**. 

1. Choose **Connector_Demo** and select **Validate Account**. 

   A successful connection results in the message, *Successfully validating AWS account in each referenced Region*. 

 If the AWS IAM access key or secret access key is incorrect, you receive an error message. 

# Manually syncing scheduled jobs
<a name="manual-sync-scheduled-jobs"></a>

The Connector for ServiceNow includes nine sync jobs related to AWS services integrations. During the initial setup, manually execute the sync job for your AWS service integration instead of waiting for Scheduled Jobs to run.

**To sync AWS service integrations or accounts manually**

1.  Log in as system administrator. 

1.  Find **Scheduled Jobs** in the navigator panel. 

1.  Search for the following AWS Service Management Connector scheduled jobs (including default sync intervals) in the table below:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/smc/latest/ag/manual-sync-scheduled-jobs.html)

1. Choose the desired sync job, and choose **Execute Now**.
**Note**  
If you do not see **Execute Now** in the upper left corner, choose **Configure Job Definition**. **Execute Now** is then visible. A ServiceNow administrator can adjust the Scheduled Job repeat interval as required.

Data is visible in the AWS Service Management scoped app menus after the Connector’s scheduled synchronization job has run.