Visibility is everything when it comes to keeping on top of your AWS infrastructure. We walk you through how to achieve it using pattern-based cloud discovery in ServiceNow – so you can stop guessing and start acting.
If your organisation uses AWS, you know how easy it is for cloud infrastructure to grow faster than you can keep track. New servers, databases, and services appear constantly, often across multiple AWS accounts.
ServiceNow’s pattern-based Cloud Discovery helps you bring some order to the chaos. It automatically identifies the AWS resources it has patterns for and maps them, along with their relationships, into the Configuration Management Database (CMDB), giving you one clear, trusted view of what exists in your cloud environment.
But if you’ve looked at ServiceNow’s official documentation, you’ll know it’s detailed. Very detailed.
So, let’s break it down in plain English. This article is here to help you understand why pattern-based discovery is the way to go, what’s required on the AWS side, and how to approach this setup with confidence.
What is AWS Cloud Discovery in ServiceNow?
In simple terms, Cloud Discovery lets ServiceNow “see” your AWS infrastructure. It connects through a MID Server and retrieves details about resources such as EC2 instances, S3 buckets, VPCs, load balancers, and databases.
That information flows into the CMDB, where you can view it as a living model of your cloud environment, ready for reporting, automation, or service impact analysis.
Pattern-based vs. API-based: Why pattern wins
Pattern-based discovery works through a MID Server and executes discovery “patterns” (essentially pre-built scripts) that query AWS using its own APIs.
This approach has a few big advantages over the simpler Cloud API (CAPI) discovery method:
- Richer data: Get detailed data about your AWS resources, including relationships between components like EC2 instances, load balancers, and VPCs.
- Automation: Enable scheduled, automated discovery through your existing ITOM Discovery framework, so you can manage AWS just like your on-prem infrastructure.
- Stronger security: Credentials stay in ServiceNow’s credential store or, better, come from the MID Server’s own IAM role, and every AWS API call originates from a MID Server you control. That means a single, known source for your AWS CloudTrail entries and for any IP-based conditions you put on the discovery role, aligning with enterprise security practices.
If your goal is to build a dependable, continuously updated CMDB that supports IT operations, service mapping, or governance, pattern-based discovery is the right choice.
How the connection works
ServiceNow needs permission to “see” your AWS environment. That permission comes from an AWS IAM identity, and there are two ways to give the MID Server one:
1. Credential-based discovery
This means giving ServiceNow an access key ID and secret access key that belong to a specific IAM user. Those keys are stored in ServiceNow’s credential store and pushed to the MID Server when discovery runs. It’s straightforward, especially if your MID Server is on-premises or outside AWS itself, but the keys are long-lived secrets: scope the user to a read-only (Describe/List/Get) policy, rotate the keys on a schedule, and treat their exposure as an incident.
2. Credential-less discovery
This avoids storing any keys at all. Instead, your MID Server runs on an AWS EC2 instance whose instance profile attaches the right IAM role. The instance fetches short-lived credentials for that role from the EC2 instance metadata service (IMDS), and reaches other accounts by calling AWS Security Token Service (STS) AssumeRole, so nothing long-lived is ever written into ServiceNow. This method is cleaner, more secure, and follows AWS best practice: no long-term secrets to manage or rotate, and every cross-account hop is a logged STS call. Harden the MID Server instance by requiring IMDSv2 (session tokens) so a request-forgery bug on the host cannot read the role’s credentials with a plain GET.
Credential-less discovery is more secure, more scalable, and generally preferred for production environments.
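To make the credential-less flow concrete, here is an added example (not ServiceNow’s or AWS’s code) of what the AWS SDK on a MID Server does under the hood: the IMDSv2 token exchange, followed by reading the instance role’s temporary credentials. Because the real metadata service at 169.254.169.254 is only reachable from inside an instance, the block runs against a small in-process stand-in that mimics an instance configured with `HttpTokens=required`. The role name, credential values and token are constructed sample data.

```python
"""Added example: IMDSv2 credential fetch as performed on an EC2-hosted MID Server.

FakeImds is a constructed stand-in for the instance metadata service; the real one
lives at http://169.254.169.254 and is reachable only from inside the instance.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data (not real credentials) in the shape IMDS returns.
FAKE_ROLE = "MidServerDiscoveryRole"
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE000000000",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token-not-real",
    "Expiration": "2030-01-01T00:00:00Z",
}
IMDS_TOKEN = "example-imdsv2-session-token"


class FakeImds(BaseHTTPRequestHandler):
    """Stand-in for IMDS on an instance with HttpTokens=required (IMDSv2 only)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # Step 1 of IMDSv2: PUT /latest/api/token with a TTL header yields a session token.
        if self.path == "/latest/api/token" and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            self._send(200, IMDS_TOKEN)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        # With HttpTokens=required every metadata read must carry the session token.
        if self.headers.get("X-aws-ec2-metadata-token") != IMDS_TOKEN:
            self._send(401, "unauthorized")
            return
        if self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, FAKE_ROLE)
        elif self.path == f"/latest/meta-data/iam/security-credentials/{FAKE_ROLE}":
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def _request(method, url, headers):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_instance_credentials(base_url, ttl_seconds=21600):
    """IMDSv2 flow: obtain a session token, then read the role name and its temporary credentials."""
    token = _request("PUT", f"{base_url}/latest/api/token",
                     {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    auth = {"X-aws-ec2-metadata-token": token}
    role = _request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/", auth)
    creds = json.loads(_request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/{role}", auth))
    return role, creds


def imdsv1_is_rejected(base_url):
    """True if a token-less (IMDSv1-style) read is refused, i.e. the instance enforces IMDSv2."""
    try:
        _request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/", {})
    except urllib.error.HTTPError as e:
        return e.code == 401
    return False


def run_demo():
    """Start the stand-in on a free loopback port, run both checks, return the findings."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        role, creds = fetch_instance_credentials(base)
        return {"role": role, "expires": creds["Expiration"],
                "has_session_token": bool(creds.get("Token")),
                "v1_rejected": imdsv1_is_rejected(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

On a real MID Server you never call these endpoints yourself (the AWS SDK does), but `imdsv1_is_rejected` is the check worth running: if a plain GET succeeds, the instance still allows IMDSv1, and `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` closes that gap.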
AWS account models explained
AWS estates can be structured in different ways. You might have just one AWS account, or you might manage many under AWS Organizations.
ServiceNow’s discovery supports several models for this, depending on how your accounts are linked.
| Model | Explanation | Best for... |
|---|---|---|
| Model 1: Single Account | You’ve only got one AWS account. The MID Server authenticates to it directly and discovers what’s inside. | Smaller or simpler setups, or proofs of concept. |
| Model 2: Management → Member | You’ve got a central ‘Management’ account that owns a number of ‘Member’ accounts. ServiceNow authenticates as the Management account, which then assumes a discovery role in each Member account; each Member’s role trusts the Management account’s role. | The most common setup for AWS Organizations. |
| Model 3: Accessor → Management → Member (Role-Chaining) | You’ve got an extra account (the ‘Accessor’) used solely for discovery. It assumes a role in the Management account, which in turn assumes a role in every Member. Two STS hops, two trust relationships to maintain. | Large or complex setups where you want to separate discovery duties from the account that owns the organisation. |
| Model 4: Accessor → Member/Management Direct | The Accessor account assumes a role in every account directly, with no Management hop in between. Each target account’s role trusts the Accessor. | Environments with simpler trust relationships, or where the Management account must not hold a discovery role. |
If you’re not sure which one you’re using, don’t worry – that’s something we can help you identify during planning.
Most of the AWS-side setup (the IAM roles, their read-only permission policies and the trust relationships between them) can be automated using AWS CloudFormation Templates (CFTs), so you don’t have to create each role by hand in every account.
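Whichever model you pick, what you are really building is a chain of IAM trust policies, and a mistake in any one of them surfaces only when ‘Test Account’ fails. The following added example (not ServiceNow’s or AWS’s code) models the Model 3 chain with made-up account IDs and role names, then audits it the way a practitioner would before testing: can the accessor identity reach every account by role chaining, and does any role trust more than the single upstream role it should? The trust-policy shape is standard IAM; the roles your CloudFormation templates create may be named differently, so point `audit` at whatever they produced.

```python
"""Added example (not ServiceNow's or AWS's code): model and audit the cross-account
trust that role-chaining discovery relies on.

Account IDs and role names below are constructed for the example.
"""
import json

# Constructed sample topology for Model 3: Accessor -> Management -> Member
ACCESSOR = "111111111111"
MANAGEMENT = "222222222222"
MEMBERS = ["333333333333", "444444444444"]


def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"


def account_of(arn):
    return arn.split(":")[4]


def trust_policy(trusted_principal):
    """IAM trust policy allowing one principal (ideally a single role ARN) to assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": trusted_principal},
                           "Action": "sts:AssumeRole"}]}


def build_model3():
    """Return (starting role ARN, {role_arn: trust_policy}) for the Model 3 chain."""
    accessor_role = role_arn(ACCESSOR, "ServiceNowAccessor")
    mgmt_role = role_arn(MANAGEMENT, "ServiceNowManagement")
    # The accessor role is held by the MID Server itself (instance profile or keys),
    # so only the downstream roles need a trust policy in this map.
    roles = {mgmt_role: trust_policy(accessor_role)}
    for member in MEMBERS:
        roles[role_arn(member, "ServiceNowMember")] = trust_policy(mgmt_role)
    return accessor_role, roles


def allowed_principals(policy):
    """Principals that an Allow statement grants sts:AssumeRole to ('*' means anyone)."""
    out = set()
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        p = s["Principal"]
        if p == "*":
            out.add("*")
            continue
        aws = p.get("AWS", [])
        out.update(aws if isinstance(aws, list) else [aws])
    return out


def can_assume(caller_arn, policy):
    """Does caller_arn satisfy the trust policy? Trusting an account root admits the whole account."""
    principals = allowed_principals(policy)
    return ("*" in principals or caller_arn in principals
            or f"arn:aws:iam::{account_of(caller_arn)}:root" in principals)


def reachable_roles(start_arn, roles):
    """Follow role chaining from start_arn and return every role ARN it can end up holding."""
    seen, frontier = set(), [start_arn]
    while frontier:
        cur = frontier.pop()
        for arn, pol in roles.items():
            if arn not in seen and can_assume(cur, pol):
                seen.add(arn)
                frontier.append(arn)
    return seen


def audit(start_arn, roles, expected_accounts):
    """List accounts the chain cannot reach, and trust statements broader than one upstream role."""
    reached = {account_of(a) for a in reachable_roles(start_arn, roles)}
    problems = [f"account {a}: no role reachable from {start_arn}"
                for a in expected_accounts if a not in reached]
    for arn, pol in roles.items():
        for p in allowed_principals(pol):
            if p == "*" or p.endswith(":root"):
                problems.append(f"{arn}: trusts {p}; restrict to the upstream discovery role")
    return problems


if __name__ == "__main__":
    start, roles = build_model3()
    print(json.dumps(roles[role_arn(MANAGEMENT, "ServiceNowManagement")], indent=2))
    print(audit(start, roles, [MANAGEMENT] + MEMBERS) or "chain OK")
```

The two failure modes it catches are the ones that waste the most time: a Member role whose trust names a mistyped or wrong upstream role (the account silently never appears in the CMDB) and a Member role that trusts the whole Management account root rather than the one discovery role (it works, but any principal in that account can now read every Member).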
You can access the official ServiceNow Cloud Discovery Patterns spreadsheet here.
Setting AWS Cloud Discovery up in ServiceNow
Once the AWS side is ready, the ServiceNow steps are relatively straightforward:
- Confirm your MID Server is running and connected to your instance.
- Add AWS credentials (for credential-based discovery only).
- Create cloud service accounts for each AWS account you plan to discover: Accessor, Management, and Members.
- Map cross-account relationships in ServiceNow.
- Test each account connection using the ‘Test Account’ button. The logs show exactly where a failure occurs, and an AccessDenied on an AssumeRole call almost always means a trust policy in one of the accounts does not name the role that is actually calling it.
- Schedule discovery from the Cloud Discovery Workspace to begin populating your CMDB.
The outcome
Once discovery runs successfully, you’ll have a living map of your AWS environment inside ServiceNow, including:
- Detailed records of EC2, VPCs, subnets, load balancers, and databases.
- Relationships between components.
- Data for service mapping, impact analysis, and operational monitoring.
This visibility is exactly what pattern-based discovery was built for, giving you a dependable source of truth for both IT and cloud operations.
Pattern-based discovery may take a little more effort to set up than API-based discovery, but the payoff is far greater in accuracy, security, and long-term maintainability.
How we can help
If you want to know more about mapping your AWS environment using ServiceNow or are ready to get started, book a demo with us today, and we’ll help you turn that AWS chaos into clarity.