AWS Cloud Operations & Migrations Blog

How Kyndryl used AWS Service Management Connector, AWS Config and AWS Systems Manager to achieve lifecycle management of AWS resources through ServiceNow

Customers need a way to do lifecycle management of AWS resources in the AWS Cloud. Many customers leverage managed solutions providers to manage their AWS accounts, and they’re looking for AWS native solutions and integrations to solve their business problems.

Lifecycle management includes discovering new resources from customer’s AWS environment, populating them via federation into ServiceNow’s Configuration Management Database (CMDB), “on-boarding” those resources via tasks and running managed services operations on them.

Kyndryl designs, builds, manages and modernizes the mission-critical technology systems that the world depends on every day. As a certified AWS Managed Services Provider (MSP) and AWS Premier Consulting Partner with four partner programs, and 50+ AWS customer launches, Kyndryl has the ability to create solutions for challenges that fit the unique and evolving needs of customers.

The current process of AWS resource onboarding at Kyndryl involves multiple teams (e.g. tools, build, compliance and delivery teams) and tools (e.g. Ansible, Netcool, Datadog and ServiceNow). Prior to this automation, the process involved a sequence of manual tasks shown in the following, and it could take anywhere from days to weeks:

  • Resource Discovery and CI creation using inhouse solution
  • Installing agents and configuring
  • Register devices to Ansible/Netcool
  • Running Healthcheck, Security and Compliance tasks

How Kyndryl made it work – Solution overview

Kyndryl designed an Automation approach that involved AWS Service Management Connector, AWS Config, AWS Systems Manager, and ServiceNow for easier onboarding of Amazon Elastic Compute Cloud (Amazon EC2) endpoint instances. The solution included the following steps:

  1. Near real-time discovery of Amazon EC2 instances from AWS Config using AWS Service Management Connector for resources that are tagged as “Kyndryl Managed”.
  2. Use ServiceNow as an orchestration engine for automation.
  3. Triggering the onboarding of discovered Amazon EC2 instances using ServiceNow CMDB and Service Portal.
  4. Systems Manager automation execution through Change Request / Tasks.
  5. Track progress, create a central repository of onboarding evidences, and send notifications for the success/failures of onboarding tasks to stakeholders.

Detailed architecture diagram

Architecture diagram for AWS resource lifecycle management from ServiceNow

Figure 1. Architecture diagram for AWS resource lifecycle management from ServiceNow.

Discovery of Amazon EC2 instances using AWS Service Management Connector into ServiceNow’s CMDB

Kyndryl leverages AWS Service Management Connector integration with AWS Config to have near real-time visibility of AWS Resources. The scheduled job runs every 31 mins to synchronize data into ServiceNow CMDB. Kyndryl is a domain separated environment in ServiceNow and further customizes AWS Service Management Connector to do the following steps that are critical for a multi-tenant environment of managed service provider:

  • Tag based filtering which discovers only resources that are tagged as Kyndryl managed.
  • On Before business rule was created in CMDB base class to route the AWS Config resource to the domain, the company and the AWS account it belongs to.
  • On After business rule was created to build relationship between OS Image class and virtual machine (VM) instance (Windows, Linux) class in ServiceNow.

ServiceNow as orchestration engine:

Kyndryl has a domain-separated environment in ServiceNow in which they can host multiple enterprise customers. Kyndryl has built its own QuickStart framework that provides a customized catalog items to request the onboarding of Windows and Linux virtual servers. These catalog items are available through the ServiceNow service portal, where users can request the process. The catalog item functions in a way where, based on the requester, the company field populates, and from the company it lists all of the associated AWS accounts. Once the AWS account is selected, the portal queries the ServiceNow CMDB and lists all of the available virtual Windows and Linux machines.

Onboarding process of Amazon EC2 Instances:

The resources with tag value “kyndryl_managed = Yes” and “kyndryl_onboarding = not_initiated” are available for the request management workflow. The sample portal page is shown in the following, where a requester can submit an order by selecting one of the available VM’s for onboarding.

Service Portal Onboarding page for Amazon EC2 Instances

Figure 2. Service Portal Onboarding page for Amazon EC2 Instances.

It is possible to select and submit up to 10 VMs for onboarding through a single request. Once the request is submitted, ServiceNow will trigger individual request for each VM, and subsequently automate execution of tasks.

Requested Item Summary

Figure 3. Requested Item Summary.

The request process, requested item (RITM), will create a change request for onboarding of AWS Linux VM, as shown in the following.

Change Request

Figure 4. Change Request.

Automation execution through change tasks

A series of change tasks are now executed through the change request. The associated change tasks will run automation execution tasks that include:

  1. Ansible automation tasks that invoke API calls to Ansible tower to execute playbooks on the AWS environment.
  2. AWS Automation that leverages direct API calls from ServiceNow to execute Systems Manager documents on AWS resources. The documents include installing prerequisites, creating local service-id, Datadog agent configuration, etc
  3. CI Wizard automation within the ServiceNow platform to make updates to ServiceNow CMDB
Change Request Tasks for Automation Execution

Figure 5. Change Request Tasks for Automation Execution.

Upon the successful completion of change tasks, the change request is set to complete, and the request is complete, which successfully onboards the VM instance and allows Kyndryl to manage AWS resources. At any point in the workflow, if any automation execution failure happens, then the change request flow is set to pending, and an incident is created for a failed task. Once the incident is resolved, the execution and further pending tasks will be set to completion.


Kyndryl now offers a solution for the lifecycle management of your AWS resources, such as Amazon EC2 instances with end-to-end automation leveraging AWS Service Management Connector, AWS Config, and Systems Manager documents. To learn more about how Kyndryl can assist with your multi-cloud business challenges, visit Kyndryl. To learn more about AWS Service Management Connector and its capabilities, visit AWS Service Management Connector.

About the authors:

Chandra Chappa

Chandra Chappa is a Denver based Sr. Service Management Specialist with AWS Service Management Connector. Chandra enjoys helping customers enable end-to-end IT lifecycle management to AWS Field, Customers, and Solutions Architect Partners. In his free time, he likes playing local club cricket and enjoys spending time with family and friends.

Pankaj Khandelwal

Pankaj Khandelwal is an Enterprise Cloud Architect with Kyndryl Public Cloud team. He designs and builds automation and solutions that enable customers to accelerate their cloud adoption journey. In his free time, Pankaj likes to trek, climb, cycle or do yoga/meditation.