ServiceNow CMDB CI relationship sync: faster, more complete
Automatically create asset relationships in ServiceNow CMDB for AWS, Azure, GCP and Kubernetes resources.
In previous posts, we’ve highlighted how Turbot Guardrails simplifies cloud resource discovery for AWS, Azure, GCP, and Kubernetes, syncing these resources directly to ServiceNow's CMDB CI tables or through Import Sets. Now, we’ve extended our resource discovery capabilities to manage relationships automatically, offering a more dynamic and flexible approach to handling CMDB CI relationships for both existing and new CMDB CI tables.
This integration requires no additional ServiceNow modules or cloud services from AWS, Azure, GCP, or Kubernetes. Turbot Guardrails provides a direct, cost-effective solution for automating real-time cloud discovery and relationship management within your CMDB.
Guardrails' ServiceNow features are ideal for organizations new to cloud discovery or those looking to enhance existing ServiceNow cloud integrations.
Cloud resource relationship examples
Turbot Guardrails syncs hundreds of different cloud resource relationships using standard ServiceNow relationship types, providing a clear view of how resources interact. These relationships are critical for understanding dependencies, ensuring proper resource configuration, and maintaining real-time insights into cloud infrastructure. Below are four examples spanning AWS, Azure, GCP, and Kubernetes:
Parent | Child | Example |
---|---|---|
Uses | Used by | AWS EC2 Instances use Key pairs for access |
Contains | Contained by | Azure Storage Accounts contain Queues for messaging |
Provides | Provided by | GCP Forwarding Rules are provided by Target Pools for assignments |
Instantiates | Instantiated by | Kubernetes ReplicaSets instantiate Pods in the cluster |
Why are relationships critical for your CMDB?
Managing relationships between cloud resources in ServiceNow provides essential insights into how cloud services are interconnected, along with critical business context. These relationships benefit multiple teams across the organization:
- Operations Teams: Understanding resource dependencies enables teams to quickly assess the impact of outages or changes. For example, knowing that an AWS EC2 instance is tied to specific VPCs, security groups, and storage volumes allows for faster incident resolution and reduced downtime.
- Security Teams: Visibility into resource relationships helps identify potential vulnerabilities and ensures consistent security policies across cloud environments. By tracking dependencies among virtual machines, databases, and network components, security teams can respond more effectively to risks.
- SACM Teams (Service Asset & Configuration Management): For SACM professionals managing assets, relationships between cloud resources provide a detailed view of how assets align with business services and cost centers. Automatic management of these relationships reduces overhead and provides more accurate tracking of business service ownership, cost allocation, and operational oversight.
Turbot Guardrails approach to cloud discovery
The Turbot Guardrails ServiceNow integration not only extends but also enhances native discovery capabilities by offering broader coverage, real-time updates, and flexible management of relationships—all without the need for additional licensing or services. By combining Turbot Guardrails' automated discovery with ServiceNow, you can accurately sync cloud resources and relationships into your CMDB in real-time, without the added costs or complexity of native tools.
Feature | Native ServiceNow Discovery | Turbot Guardrails |
---|---|---|
Licensing & Services | Requires additional licensing | No extra licensing required |
Resource Coverage | Limited to core IaaS services | 750+ cloud services across AWS, Azure, GCP, & K8s |
Relationship Data | Minimal relationship coverage | Relationship associations for all resource types |
Updates | Scheduled batch jobs | Real-time discovery and updates |
Customization | Requires professional services | Flexible, point-and-click setup & management |
Business Context | Manual mappings to non-infra context | Automatic mappings to apps, cost centers, etc |
Management | Managed separately for each platform | Centralized multi-cloud discovery management |
Configuring ServiceNow cloud resource relationships
Enable Relationship Sync Policies
Relationships between cloud resources are defined and managed through Guardrails policies, configured per resource type such as Azure CosmosDB Account, GCP Firebase Project, Kubernetes ReplicaSet, or AWS S3 Bucket. For instance, to set a policy on an AWS S3 Bucket, you would navigate to the AWS > S3 > Bucket > ServiceNow > Relationships policy and set it to Enforce: Enabled.
The AWS > S3 > Bucket > ServiceNow > Relationships > Template already includes built-in logic to relate the AWS Region with a relationship type of Contains::Contained by. Additionally, it includes a Feeds::Fed By relationship from VPC Flow Logs as a log destination for the logs.
Once enabled, Guardrails will automatically add all AWS S3 buckets to the ServiceNow CI Relationships table (cmdb_rel_ci_list), with the appropriate parent, child, and relationship type details between the buckets and regions.
Now that the CI Relationships table has those CI records synced, all native relationship graphs, visualizations, and views are updated with the latest relationships.
Guardrails will continuously discover and manage relationships if there are changes to the existing resources or when new resources are created. All changes are discovered and synced to ServiceNow in real-time.
Managing custom relationships
Turbot Guardrails provides hundreds of out-of-the-box relationships in templates that are automatically populated when resources are created, updated, or deleted. These templates can be customized and extended to suit your organization’s specific needs.
For example, an AWS S3 Bucket contained by an AWS Region is defined by the following template:
- type: "Contains::Contained by"
  parent:
    name: {{ $.region.turbot.title }}
    sysId: {{ $.region.metadata.serviceNow.sysId }}
    tableName: {{ $.region.metadata.serviceNow.tableName }}
The variables can be adjusted to reference any datapoint discovered by the cloud provider, Turbot, or ServiceNow. In this template, for the acme-demo-turbot-9 S3 Bucket and its related region, Guardrails automatically identifies the metadata that will update the cmdb_rel_ci_list table with the appropriate region name, ServiceNow sysId, and the ServiceNow tableName for the regions table.
- type: "Contains::Contained by"
  parent:
    name: "us-east-2"
    sysId: "5c9eff1f83095210b30766d0deaad331"
    tableName: "cmdb_ci_cloud_region"
You can modify existing policies by adjusting the details above, or extend the relationship by adding another type. For instance, AWS VPC Flow logs are used by VPCs:
- type: "Uses::Used by"
  parent:
    name: {{ $.vpc.turbot.title }}
    sysId: {{ $.vpc.metadata.serviceNow.sysId }}
    tableName: {{ $.vpc.metadata.serviceNow.tableName }}
You can further extend this by adding relationships for log destination details (e.g., S3 Bucket, AWS CloudWatch log group):
- type: "Uses::Used by"
  parent:
    name: {{ $.vpc.turbot.title }}
    sysId: {{ $.vpc.metadata.serviceNow.sysId }}
    tableName: {{ $.vpc.metadata.serviceNow.tableName }}
- type: "Feeds::Fed By"
  child:
    name: {{ $.logDestination.turbot.title }}
    sysId: {{ $.logDestination.metadata.serviceNow.sysId }}
    tableName: {{ $.logDestination.metadata.serviceNow.tableName }}
With this level of flexibility, Guardrails allows you to customize and extend relationships to reflect your cloud architecture and business requirements.
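A customized template can render entries that are structurally incomplete, for example when a lookup such as the VPC's sysId resolves to nothing. The following is an added example, not Turbot's or ServiceNow's code: a small lint over rendered relationship entries, with the function name, the rule set, and the sample entries other than the us-east-2 one all being assumptions made here.

```python
import re

# ServiceNow sys_id values are 32-character hexadecimal strings.
SYS_ID = re.compile(r"^[0-9a-f]{32}$")
# Relationship types on this page take the form "Parent::Child".
REL_TYPE = re.compile(r"^[^:]+::[^:]+$")
FIELDS = ("name", "sysId", "tableName")


def lint_relationship(entry):
    """Return a list of problems found in one rendered relationship entry."""
    problems = []
    if not REL_TYPE.match(str(entry.get("type", ""))):
        problems.append("type is not of the form 'Parent::Child'")
    # Assumption: each entry names exactly one related CI, as parent or child.
    sides = [s for s in ("parent", "child") if s in entry]
    if len(sides) != 1:
        return problems + ["expected exactly one of parent/child"]
    side = sides[0]
    target = entry[side] or {}
    for field in FIELDS:
        value = str(target.get(field) or "")
        if not value:
            problems.append(f"{side}.{field} is empty")
        elif "{{" in value:
            problems.append(f"{side}.{field} still contains a template expression")
    sys_id = str(target.get("sysId") or "")
    if sys_id and "{{" not in sys_id and not SYS_ID.match(sys_id):
        problems.append(f"{side}.sysId is not a 32-character hex sys_id")
    return problems


# Constructed samples: the first mirrors the rendered us-east-2 entry above,
# the others are made-up failure cases with placeholder names.
SAMPLES = [
    {"type": "Contains::Contained by",
     "parent": {"name": "us-east-2",
                "sysId": "5c9eff1f83095210b30766d0deaad331",
                "tableName": "cmdb_ci_cloud_region"}},
    {"type": "Uses::Used by",
     "parent": {"name": "vpc-placeholder", "sysId": "",
                "tableName": "cmdb_ci_placeholder"}},
    {"type": "Feeds::Fed By",
     "child": {"name": "{{ $.logDestination.turbot.title }}",
               "sysId": "not-a-sys-id", "tableName": "cmdb_ci_placeholder"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["type"], lint_relationship(sample) or "ok")
```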
Add business context to your ServiceNow relationships
In addition to syncing cloud infrastructure relationships, Guardrails allows you to relate cloud resources to any other CMDB CI table. Many organizations find it useful to associate their cloud resources with cost centers, applications, and business services. For example, a cloud account is often related to a Business Service.
Using the AWS > Account > ServiceNow > Relationships > Template Guardrails policy, you can relate the business service name and sysId to the cloud account, either directly inputting the information or dynamically deriving it through lookups:
- type: "Owns::Owned by"
  parent:
    name: "Supply Chain Orchestrator"
    sysId: "7d62102b83895210b30766d0deaad398"
    tableName: "cmdb_ci_business_app"
Once applied, Guardrails automatically updates ServiceNow and continuously manages these relationship mappings, ensuring that business context—such as ownership of cloud resources—is always accurate. This automatic management is critical for tracking ownership, financial governance, cost allocation, and operational oversight.
See it in action
Watch this demo to see how Turbot Guardrails manages cloud resource relationships in ServiceNow CMDB, automating discovery, syncing, and maintaining relationships in real time:
Ready your ServiceNow CMDB with automated resource relationships
Turbot Guardrails provides ultimate flexibility in managing cloud CMDB CI relationships within ServiceNow. With real-time updates, customizable relationship policies, and continuous syncing, your CMDB will always have the most accurate and comprehensive view of your cloud resources—without manual intervention.
Get started with a 14-day free trial of Turbot Guardrails to experience automated discovery and sync your cloud resource relationships into your ServiceNow instance. Enjoy real-time, comprehensive visibility starting at just $0.05 per resource per month.