AWS Security Blog
How to set up a two-way integration between AWS Security Hub and ServiceNow
If you use both AWS Security Hub and ServiceNow, the new AWS Service Management Connector for ServiceNow integration enables you to provision, manage, and operate your AWS resources natively through ServiceNow. In this blog post, I’ll show you how to set up the new two-way integration of Security Hub and ServiceNow by using the AWS Service Management Connector for ServiceNow. As a ServiceNow administrator, with this integration you can automatically create ServiceNow incident or problem tickets from AWS Security Hub findings, and when you update those tickets in ServiceNow, the changes are automatically replicated back into the original Security Hub findings. For example, if you resolve the ticket in ServiceNow, the workflow status of the finding in Security Hub will also be resolved.
To complete this walkthrough, you will need a ServiceNow instance available, with the connector configured. For more information on how to set this up, see AWS Service Management Connector for ServiceNow in the AWS Service Catalog Administrator Guide.
On the AWS side, you need AWS Security Hub enabled in your AWS account. For more information, see Enabling Security Hub manually in the AWS Security Hub User Guide.
This walkthrough uses an AWS CloudFormation template to create the necessary AWS resources for this integration. In this example, I use the AWS Region us-east-1, but you can use any of the supported Regions for Security Hub.
To download and run the CloudFormation template
- Download the sample template provided for this walkthrough.
- Open the AWS CloudFormation console, choose Create stack, choose With new resources (standard), and select Template is ready. In Specify template, choose Upload a template file and use the template downloaded in step 1.
To create the CloudFormation stack
- In the CloudFormation console, choose Specify stack details, and enter a Stack name (in the example, I named mine SecurityHub-ServiceNow-Integration). Leave the other default values as shown in Figure 1, then choose Next.
- On the Configure stack options page, choose Next.
- On the Review page, select the check box I acknowledge that AWS CloudFormation might create IAM resources with custom names, as shown in Figure 2. (Optional) If you would like more information about this acknowledgement, choose Learn more.
- Choose Create stack.
- After you see the CloudFormation stack as CREATE_COMPLETE, you can see the list of resources that are created, as shown in Figure 3.
Next, you will integrate ServiceNow with Security Hub.
To integrate ServiceNow with Security Hub
- In the ServiceNow instance, go to AWS Service Management Connector, choose Setup, choose AWS Accounts, then choose New.
- In the ServiceNow add an AWS account page as shown in Figure 4, make sure the check box Integrate with AWS Security Hub is selected, then choose Submit.
- In the SecurityHub-ServiceNow-Integration CloudFormation stack that you created previously, see the Outputs section to get the values for SCSyncUserAccesKey, SCSyncUserSecretAccesKey, SCEndUserAccessKey, and SCEndUserSecretAccessKey, as shown in Figure 5.
Note: Because this is an example walkthrough, I show the access key and secret key generated as CloudFormation outputs. However, if you are using the AWS Service Management Connector for ServiceNow in a production workload, see How do I create an AWS access key? to understand the connectivity and create the access key and secret key for the users.
- In ServiceNow, enter all the values from the CloudFormation Outputs, and choose the Region you used to launch your CloudFormation resources. I chose the Region US East (N. Virginia), because I launched my CloudFormation resources for this walkthrough in us-east-1.
- Choose Submit. You should see the created account page, as shown in Figure 6.
The connector is preconfigured to automatically create ServiceNow incidents for Security Hub findings. The findings will have the same information in both the AWS Security Hub console as well as ServiceNow console.
To test the integration
- In the AWS Security Hub console, choose Findings on the AWS console. The findings will be populated and you can use one of the findings to test the two-way integration. For this example, I use a finding that reports one of my AWS account IAM users with credentials unused for 90 days or more, as shown in Figure 7.
- In the view from ServiceNow, you can search for Security Hub and see the same finding, as shown in Figure 8.
- To see the incident view in ServiceNow, next to the Incident field, choose the Information icon () as shown in Figure 8, then choose Open record.
- The urgency in ServiceNow is mapped to the severity in Security Hub findings. As shown in Figure 9, the Urgency is set to 2 – Medium. This setting corresponds to the AWS console Security Hub finding Severity label set to MEDIUM, as shown previously in Figure 7.
- You can set the Urgency as applicable to the finding and its impact. In this walkthrough, you are going to set it as 1-High.
- In ServiceNow, change the Urgency to 1 – High. In this example, I also add optional work notes, as shown in Figure 10. The work notes will only be visible in ServiceNow. Then choose Update.
- In the Security Hub console, you can see the finding’s Severity label is updated to HIGH, as shown in Figure 11. However, the work notes are not visible.
- To resolve the issue in ServiceNow, choose the incident, and for Resolution code select Solved (Permanently), as shown in Figure 12.
- In the Security Hub console for the related finding, you can see that the Workflow status has updated to RESOLVED, as shown in Figure 13.
As a ServiceNow administrator, you can edit the system properties in ServiceNow to select the severity of AWS Security Hub findings that are used to create ServiceNow incidents.
To select the severity of findings used to create incidents
- In ServiceNow, in the AWS Security Hub system properties, select the check boxes for the severities you want to create incidents for, as shown in Figure 14.
- In the ServiceNow page for AWS Security Hub system properties, you also have the option to select the recommended course of action to be taken when new Security Hub findings are synced. As shown in the previous steps, the default is to create an incident, but you can also choose to create a problem, or create both problem and incident, or do nothing.
In this blog post, I showed you how to setup the new two-way integration of AWS Security Hub and ServiceNow using the AWS Service Management Connector for ServiceNow.
To learn more about ServiceNow’s integration with Security Hub, watch the video AWS Security Hub – Bidirectional integration with ServiceNow ITSM, and see AWS Service Management Connector for ServiceNow in the AWS Service Catalog Administrator Guide.
To download the free AWS Service Management Connector for ServiceNow, see the ServiceNow App Store. If you have additional questions, please post them to AWS Forums.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.