AWS Gov Cloud and AWS Organization support for Cloud Management and Cloud Discovery
AWS Gov Cloud consists of two geographic regions that are separate from the AWS public (commercial) cloud regions. It offers a smaller subset of the public cloud's functionality, but the APIs are syntactically and semantically identical; the primary difference between Gov Cloud and the public cloud is the access endpoints.
ServiceNow Cloud Management and Cloud Discovery introduced support for AWS Gov Cloud in the London release (focusing on IaaS resources); refer to the documentation for details.
AWS Organization support for AWS Gov Cloud
In April 2019, AWS announced AWS Organizations support for Gov Cloud. This article covers the details of setting up AWS Organizations for AWS Gov Cloud, as the AWS documentation in this area is a bit unclear. I hope this blog post helps ServiceNow community readers.
An AWS Gov Cloud account is always paired 1:1 with an AWS commercial account, and a Gov Cloud account is requested from a commercial account. Refer to the AWS documentation for details.
To create an AWS Organization for Gov Cloud and add new accounts under it, follow the steps below:
1. Establish an initial Gov Cloud account (let's call it GovDemo1) from an AWS commercial account (CommAcct1). Make sure you have an administrative IAM role with the rights to request a Gov Cloud account. This is done in the AWS Console under My Account.
2. Additional Gov Cloud accounts can be created using the AWS CLI, e.g.:
$ aws organizations create-gov-cloud-account --email govclouddemo2@gmail.com --account-name "GovDemo2"
Make sure to use credentials for the initial commercial account (CommAcct1). The operation above creates one Gov Cloud account (GovDemo2) and a corresponding commercial account (CommAcct2).
To check the status of the account creation, use the following CLI command. The request ID is the Id returned by the create-gov-cloud-account call. For example:
$ aws organizations describe-create-account-status --create-account-request-id car-ad170010cebc11e883fd21a0c8417226
Response:
{
    "CreateAccountStatus": {
        "GovCloudAccountId": "345438173776",
        "AccountName": "GovDemo2",
        "State": "SUCCEEDED",
        "RequestedTimestamp": 1567564537.206,
        "CompletedTimestamp": 1567564665.876,
        "Id": "car-ad170010cebc11e883fd21a0c8417226",
        "AccountId": "087479796752"
    }
}
If the GovCloudAccountId is missing from the response, log in to the commercial account (CommAcct2) in the AWS Console, go to My Account and request a new Gov Cloud account. Since the paired Gov Cloud account already exists for that commercial account, the console shows you the existing account number instead.
The Gov Cloud account (GovDemo2) ends up in the organization root alongside CommAcct1 and CommAcct2.
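The create / poll / fall-back procedure above is easy to get wrong by hand, because the request is asynchronous and the GovCloudAccountId is not always present even on success. The script below is an added example written for this post (not ServiceNow or AWS code) that turns the procedure into a small state machine: it polls describe-create-account-status until the request reaches a terminal state, pairs the commercial AccountId with the GovCloudAccountId, and reports the console-lookup fallback when the GovCloud ID is absent. The live path uses boto3 (the Python SDK that the AWS CLI is built on) and is an assumption about how you would wire it in; the offline demo replays constructed status documents shaped like the response shown in the post, using the post's own account and request IDs. The FailureReason field is a real field of the describe-create-account-status response.

```python
"""Poll an AWS Organizations GovCloud account-creation request and report the
commercial/GovCloud account pair.

Added example for this post; not ServiceNow or AWS code.  The live path
(boto3_describe) calls the same API as `aws organizations
describe-create-account-status`; the offline demo replays constructed
status documents so the logic runs without credentials.
"""
import time
from typing import Callable, Dict, List

# CreateAccountStatus.State values that mean polling can stop.
TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def interpret_status(status_doc: Dict) -> Dict:
    """Reduce one describe-create-account-status response to a decision.

    Returned keys:
      done          - True once the request is SUCCEEDED or FAILED
      commercial_id - the paired commercial account (AccountId), if present
      govcloud_id   - the GovCloud account (GovCloudAccountId), if AWS returned it
      action        - "wait", "ok", "lookup_in_console" or "failed: <reason>"
    """
    cas = status_doc["CreateAccountStatus"]
    state = cas["State"]
    decision = {
        "done": state in TERMINAL_STATES,
        "state": state,
        "commercial_id": cas.get("AccountId"),
        "govcloud_id": cas.get("GovCloudAccountId"),
        "action": "wait",
    }
    if state == "FAILED":
        # FailureReason is an enum such as EMAIL_ALREADY_EXISTS or ACCOUNT_LIMIT_EXCEEDED.
        decision["action"] = "failed: " + cas.get("FailureReason", "UNKNOWN")
    elif state == "SUCCEEDED":
        if decision["govcloud_id"]:
            decision["action"] = "ok"
        else:
            # The post's fallback: log in to the paired commercial account (AccountId),
            # open My Account and request a GovCloud account; because the pair already
            # exists, the console displays the existing GovCloud account number.
            decision["action"] = "lookup_in_console"
    return decision


def wait_for_account(request_id: str, describe: Callable[[str], Dict],
                     poll_seconds: float = 0, max_polls: int = 60) -> Dict:
    """Poll describe(request_id) until the request is terminal.

    `describe` is injected so the same loop runs against boto3 or replayed data.
    """
    for _ in range(max_polls):
        decision = interpret_status(describe(request_id))
        if decision["done"]:
            return decision
        time.sleep(poll_seconds)
    raise TimeoutError("request %s still in progress after %d polls" % (request_id, max_polls))


def boto3_describe(request_id: str) -> Dict:
    """Live path (assumed wiring): run with credentials for the initial commercial
    account (CommAcct1), which is the organization's management account."""
    import boto3  # imported lazily so the offline demo runs without boto3 installed
    client = boto3.client("organizations")
    return client.describe_create_account_status(CreateAccountRequestId=request_id)


# Constructed replay: two IN_PROGRESS polls, then the SUCCEEDED document from the post.
SAMPLE_REQUEST_ID = "car-ad170010cebc11e883fd21a0c8417226"
SAMPLE_SEQUENCE: List[Dict] = [
    {"CreateAccountStatus": {"Id": SAMPLE_REQUEST_ID, "AccountName": "GovDemo2",
                             "State": "IN_PROGRESS", "RequestedTimestamp": 1567564537.206}},
    {"CreateAccountStatus": {"Id": SAMPLE_REQUEST_ID, "AccountName": "GovDemo2",
                             "State": "IN_PROGRESS", "RequestedTimestamp": 1567564537.206}},
    {"CreateAccountStatus": {"GovCloudAccountId": "345438173776", "AccountName": "GovDemo2",
                             "State": "SUCCEEDED", "RequestedTimestamp": 1567564537.206,
                             "CompletedTimestamp": 1567564665.876, "Id": SAMPLE_REQUEST_ID,
                             "AccountId": "087479796752"}},
]


def replay_describe(sequence: List[Dict]) -> Callable[[str], Dict]:
    """Build a describe() that returns the constructed documents in order,
    then keeps returning the last one (as a real terminal request would)."""
    it = iter(sequence)
    last = sequence[-1]

    def describe(request_id: str) -> Dict:
        assert request_id == sequence[-1]["CreateAccountStatus"]["Id"]
        return next(it, last)
    return describe


def demo() -> Dict:
    """Offline run of the polling loop over the constructed sequence."""
    return wait_for_account(SAMPLE_REQUEST_ID, replay_describe(SAMPLE_SEQUENCE))


if __name__ == "__main__":
    result = demo()
    print("commercial %s <-> govcloud %s (%s)"
          % (result["commercial_id"], result["govcloud_id"], result["action"]))
```

To run it against a real request, pass `boto3_describe` instead of the replay function and a non-zero `poll_seconds`; the decision dict is the same either way, so the "lookup_in_console" case can be surfaced to the operator rather than silently treated as a missing account.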
ServiceNow integration with AWS Organization on AWS Gov Cloud
First things first: make sure the Discovery plugin is active.
To fully support AWS Organizations, first import the Discovery pattern by following these steps:
1. In the left navigation, search for Discovery Patterns.
2. Click the Name field title in the table and import the XML file.
3. This imports a new version of the Amazon AWS Organizations pattern.
4. Be sure to publish this new Discovery pattern.
https://www.servicenow.com/community/in-other-news/aws-gov-cloud-and-aws-organization-support-for-cloud-management/ba-p/2293895