Integrating AWS Systems Manager Change Manager in ServiceNow - AWS Service Management Connector

Integrating AWS Systems Manager Change Manager in ServiceNow

AWS Service Management Connector includes a curated version of the Change Manager integration. For the Connector to synchronize a change template, the template must:

  • Be in an Approved status in AWS

  • Have at least one Automation runbook associated with it

  • Be enabled for auto-approval

For more information, see AWS Systems Manager Change Manager.

You can also view resources affected by the changes that were executed on their AWS accounts from the AWS CloudTrail events available on the AWS change request.

Note

Currently, only the first-level events that occur during the execution of an automation document are tracked and synced. Events from steps that run nested automations are not synced. They can, however, be traced separately in the AWS CloudTrail console, using the CloudTrail Lake feature, by the unique automation execution ID of the nested automation.

Configuring AWS

AWS Systems Manager uses the service-linked role named AWSServiceRoleForAmazonSSM. AWS Systems Manager uses this IAM service role to manage AWS resources on your behalf. For more information, see Using service-linked roles for AWS Systems Manager.

To create a service-linked role for AWS Systems Manager
  1. Follow the instructions in Creating a service-linked role (console) to create the role.

  2. For the AWS service, choose Systems Manager, and for the use case choose Systems Manager – Inventory and Maintenance Window.

  3. Review the details and be sure to attach AmazonSSMServiceRolePolicy. Then choose Create Role.

To create AutomationAssumeRole
  1. Follow the instructions in Creating an IAM role in your AWS account to create a role, ServiceNowChangeManagerRole.

  2. Add permissions for ServiceNowChangeManagerRole. Choose the use case as Systems Manager and choose AmazonSSMAutomationRole (AWS managed policy).

Note

You can use the baseline AWS CloudFormation templates to create the ServiceNowChangeManagerRole role. For more information, see Setting baseline permissions for AWS Service Management Connector for ServiceNow.

Note

ServiceNowChangeManagerRole contains the minimum baseline permissions to execute change templates that contain automation runbooks on EC2 instances. To invoke automation runbooks on other services, you need to attach additional policies. For more information, see Create a service role for Automation.
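The two roles from the procedures above (the AWSServiceRoleForAmazonSSM service-linked role and the ServiceNowChangeManagerRole AutomationAssumeRole), created with the AWS CLI as an added example. This is not the Connector's baseline CloudFormation template; it assumes the AWS CLI is configured with IAM permissions, and ACCOUNT_ID is a placeholder you must replace. The trust policy adds the aws:SourceAccount and aws:SourceArn conditions that the Systems Manager Automation documentation recommends so that only automation executions from your own account can assume the role.

```bash
#!/usr/bin/env sh
# Added example, not the Connector's own template. Defines the trust policy and
# the CLI calls; set RUN_CREATE=1 to actually create the roles.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111111111111}"   # placeholder: replace with your AWS account ID
ROLE_NAME="ServiceNowChangeManagerRole"
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"

# Trust policy for the AutomationAssumeRole. Only Systems Manager Automation may
# assume it, and only for automation executions that belong to this account
# (guards against the confused-deputy problem when the principal is a service).
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ssm.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "aws:SourceAccount": "${ACCOUNT_ID}" },
      "ArnLike": { "aws:SourceArn": "arn:aws:ssm:*:${ACCOUNT_ID}:automation-execution/*" }
    }
  }]
}
EOF
}

create_roles() {
  # Service-linked role used by Systems Manager; create it only if it is missing.
  aws iam get-role --role-name AWSServiceRoleForAmazonSSM >/dev/null 2>&1 \
    || aws iam create-service-linked-role --aws-service-name ssm.amazonaws.com

  # AutomationAssumeRole with the AWS managed AmazonSSMAutomationRole policy
  # (baseline for runbooks on EC2; other services need additional policies).
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
}

if [ "${RUN_CREATE:-0}" = "1" ]; then
  create_roles
fi
```

Enter the role name ServiceNowChangeManagerRole in the Default role name system property described below so that change requests that leave AutomationAssumeRole empty fall back to it.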

To create an event data store (optional)

To create AWS CloudTrail Lake, follow the instructions outlined in Create an event data store in your AWS account to create the event data store.

Configuring AWS Systems Manager Change Manager integration system properties with ServiceNow

The AWS Systems Manager Change Manager integration for AWS Service Management Connector aligns with the Change Management process in ServiceNow. It lets you execute pre-approved change templates directly from a ServiceNow instance while following your internal Change Management process.

To configure the AWS Systems Manager Change Manager integration system properties
  1. In the navigator, enter AWS Service Management.

  2. Choose System Properties, then AWS Systems Manager Change Manager.

  3. Review the available settings and recommendations in the table below.

Available settings and descriptions

Name of the Change Manager category to assign to AWS Change Template from AWS Systems Manager Change Manager
    The setting correlates to the Catalog item category in ServiceNow to which the synchronized AWS Change templates are associated.

Assignment Group (SYS_ID) to use when creating Change Requests from Change Template
    The setting automatically assigns the change requests created from the change templates to the Assignment Group that corresponds to the sys_id.

Default role name that allows the Automation to perform the actions on your behalf
    The setting contains the default role used to create change requests from AWS change templates. It is applied if the user does not fill in the AutomationAssumeRole field when requesting a change from AWS Systems Manager Change Manager. The value is case-sensitive and must exist in every account using AWS Systems Manager Change Manager.

AWS CloudTrail Lake: Event Data Store Name
    Defines the name of the AWS CloudTrail Lake Event Data Store to target. To use the CloudTrail Lake event integration of AWS Systems Manager Change Manager, an Event Data Store with this name must exist in all regions defined in the AWS Accounts that have AWS Systems Manager Change Manager enabled.

AWS CloudTrail Lake: Maximum number of events to retrieve per synchronization
    Default: 1000

Validating AWS Systems Manager Change Manager integration in ServiceNow

This section describes how to validate AWS Systems Manager Change Manager integration in ServiceNow.

To view AWS Systems Manager Change templates
  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter AWS Service Management Connector.

  3. To show a list of all synced Change templates, choose Change Templates under Systems Manager.

To view Systems Manager Change Request
  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter AWS Service Management Connector.

  3. To show a list of all synced Change Requests created from ServiceNow, choose Change Requests under Systems Manager.

  4. Choose a Change Request to open the record.

To view AWS Systems Manager Change Request Ops Items
  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter AWS Service Management Connector.

  3. To show a list of all synced Change Requests created from ServiceNow, choose Change Request Ops Items under Systems Manager.

  4. Choose an Ops Item to open the record.

To create AWS Systems Manager Change Manager change
  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter Change. Then choose Create New to view the various Change options.

  3. Choose Create AWS Systems Manager Change Manager Change: Make changes to AWS resources using Change Manager Templates.

  4. Choose the runbook you want to execute and complete all the required fields.

  5. Choose Submit to create a ServiceNow Change Request.

  6. Choose Request Approval to send approval requests to members of the Assignment group.

    After change approval, it moves to a Scheduled state.

  7. Choose Implement.

  8. Scroll to the bottom and view Change Tasks under related lists to view the Change task associated with Automation Execution.

    After the Change Execution is complete, the change moves to a Closed state.

To view AWS CloudTrail events for the Change execution

This procedure requires you to create and configure AWS CloudTrail Lake on AWS and to configure the Lake name in the AWS Systems Manager Change Manager system properties in ServiceNow.

  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter AWS Service Management Connector.

  3. To show a list of all synced Change Requests created from ServiceNow, choose Change Requests under AWS Systems Manager.

  4. Choose a Change Request to open the record.

  5. Use UI Action, Sync CloudTrail Events, to start the synchronization of events.

  6. Choose the same Change Request to reopen the record.

  7. Scroll to the bottom of the Change Request form and use CloudTrail Events related list to review the events of the Change execution.

Fields mapped from AWS Change Request Ops Item records to ServiceNow Change Request records

This table shows how AWS Change Request Ops Item fields map to ServiceNow Change Request fields.

AWS Change Request Ops Item    ServiceNow Change Request
AWS Account                    x_126749_aws_sc_awsaccount
AWS Request ID                 x_126749_aws_sc_awsrequestid
AWS Region                     x_126749_aws_sc_awsregion
AWS Status                     x_126749_aws_sc_awsstatus