Cloud Account Management (CAM) - AWS
ServiceNow Community article, May 02, 2025
Cloud Account Management (CAM) for AWS:
Cloud Account Management (CAM) is a one-stop landing zone for multi-cloud environments, used to create, manage and decommission accounts under a strict governance structure. While ServiceNow provides a structured approach to managing cloud accounts, AWS offers powerful native tools and integrations that enhance visibility, automation, and compliance. In this article, we explore how AWS services and best practices can be leveraged for efficient cloud account management.
Different Ways to Create a Cloud Account in AWS
AWS offers multiple methods for creating a new account within an AWS Organization, each designed for varying levels of automation, governance, and scalability. Below are the primary approaches:
- AWS Management Console – Administrators can manually create AWS accounts via the AWS Organizations console, ensuring direct control over configurations.
- AWS APIs & SDKs – Developers can automate account creation using AWS Organizations APIs, seamlessly integrating with external applications and workflows.
- Terraform – Infrastructure-as-Code (IaC) tools like Terraform (Open Source & Enterprise) enable programmatic account provisioning with predefined configurations, enhancing scalability and compliance.
- AWS Service Catalog / AWS Control Tower – These services provide automated, governed account creation while enforcing security, compliance, and best practices for landing zones.
Currently, CAM supports account creation using AWS APIs (also referred to as the Cloud Native API) and Terraform. Future releases will introduce AWS Control Tower integration for streamlined landing zone deployment. Additionally, there are plans to extend support to AWS GovCloud.
CAM Solution for AWS: Overview
The following figure outlines the key components or building blocks of CAM:
Required API Permissions:
To perform API operations in AWS, CAM requires specific IAM permissions for various functionalities.
Create Account API Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | organizations:CreateAccount | Required to create a new AWS member account. |
| 2 | organizations:DescribeCreateAccountStatus | Required to retrieve the account creation status after the CreateAccount API is invoked. |
| 3 | organizations:MoveAccount | Required to move the account from the root to the desired OU. |
| 4 | organizations:TagResource | Required to create tags for the newly created account. |
| 5 | budgets:CreateBudgetAction | Required to create a budget alert for the newly created account. |
Account Management API Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | sts:AssumeRole | Required to assume a role in the member account to get account-level details such as the account alias, password policy, budget and tags. |
| 2 | organizations:DescribePolicy | Required to get the Service Control Policy (SCP) used to lock/unlock an account. |
| 3 | organizations:DetachPolicy | Required to detach the SCP from the account to unlock it. |
| 4 | budgets:DescribeBudgetAction | Required to verify the budget alert for the newly created account. |
| 5 | budgets:ListTagsForResource | Required for governance analysis. |
| 6 | budgets:UpdateBudget | Required to update the budget. |
| 7 | budgets:ViewBudget | Required for governance analysis. |
| 8 | iam:GetAccountPasswordPolicy | Required to evaluate the password policy. |
| 9 | iam:GetAccountSummary | Required to get account policy and policy quota details for vulnerability and governance analysis. |
| 10 | iam:GetRole | Retrieves information about the specified role. Required for governance analysis. |
| 11 | iam:ListAccountAliases | Required to ensure the account is set up with an alias for proper governance. |
| 12 | organizations:AttachPolicy | Required to attach the SCP to the account to lock it. |
| 13 | organizations:ListAWSServiceAccessForOrganization | Required for governance analysis. |
Discovery Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | organizations:DescribeAccount | Retrieves AWS Organizations-related information about the specified account. Required to import account level information into CMDB. |
| 2 | organizations:DescribeOrganization | Retrieves information about the organization that the user's account belongs to. Required to import AWS organization information into CMDB. |
| 3 | organizations:DescribeOrganizationalUnit | Retrieves information about an organizational unit (OU). Required to import AWS Organizational unit information into CMDB. |
| 4 | organizations:ListAccounts | Lists all the accounts in the organization. Required to import member account details into CMDB. |
| 5 | organizations:ListOrganizationalUnitsForParent | Lists the accounts in an organization that are contained by the specified target root or organizational unit (OU). Required to populate the OU and account relationship in CMDB. |
| 6 | organizations:ListParents | Lists the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account. Required to populate the OU and account relationship in CMDB. |
| 7 | organizations:ListRoots | Lists the roots that are defined in the current organization. Required to populate the OU and account relationship in CMDB. |
| 8 | organizations:ListTagsForResource | Lists tags that are attached to the specified resource. Required to import AWS Account tag information of an account into CMDB. |
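As an added example (not ServiceNow's or AWS's own code), the following Python check reads an IAM policy document and reports which actions from the Create Account and Discovery tables above it fails to grant, together with any wildcard grants that exceed them. SAMPLE_POLICY is a constructed document and the role ARN in it is a placeholder; the Account Management table can be added as a third action set in the same way.

```python
import fnmatch

# Actions taken from the Create Account and Discovery permission tables above.
CREATE_ACCOUNT_ACTIONS = {
    "organizations:CreateAccount", "organizations:DescribeCreateAccountStatus",
    "organizations:MoveAccount", "organizations:TagResource", "budgets:CreateBudgetAction",
}
DISCOVERY_ACTIONS = {
    "organizations:DescribeAccount", "organizations:DescribeOrganization",
    "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts",
    "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
    "organizations:ListRoots", "organizations:ListTagsForResource",
}

# Constructed sample of what a hurried admin might attach to the CAM role: an
# organizations:* wildcard and no budgets permission at all. The role ARN is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::*:role/EXAMPLE-member-role"},
    ],
}

def allowed_actions(policy):
    """Every action named in an Allow statement (Deny statements are not evaluated here)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def check_policy(policy, required):
    """Return (missing, overbroad): required actions no Allow pattern covers, and Allow
    patterns that use IAM's * or ? wildcards. IAM matches action names case-insensitively."""
    granted = allowed_actions(policy)
    missing = {a for a in required
               if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)}
    overbroad = {g for g in granted if "*" in g or "?" in g}
    return missing, overbroad

def tight_policy(required):
    """A replacement policy that names exactly the required actions and nothing more."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(required), "Resource": "*"}]}
```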
CAM requires several setup steps in the customer environment. Below are the high-level tasks:
- Configure the IAM Role and ServiceNow user in the AWS Cloud.
- Set up an email alias for new account creation and notification delivery.
- Configure Service Control Policies (SCPs) to lock and unlock accounts as needed.
- (Optional) Set up Terraform and Git integration if you plan to use a Terraform-based environment.
- Share the necessary credentials and configuration details with the ServiceNow administrator for CAM integration.
ServiceNow documentation has detailed steps for these configurations in the section "Setting up AWS Cloud". The documentation provides an AWS CloudFormation template (CFT) to set up the IAM permissions and create the ServiceNow user.
Email Management for AWS Account Creation:
To create a new AWS account, a unique email address is required. Managing and maintaining thousands of such email addresses for a company with numerous accounts can be a significant challenge for AWS administrators. To streamline this process, it is highly recommended to create an email alias within your Microsoft Active Directory (AD) specifically for this purpose, such as aws-ccoe@mycompany.com.
Dynamic Email Alias Assignment:
When provisioning a new account, CAM (Cloud Account Management) dynamically appends a unique request ID (e.g., CAMSAREQ0000002) to the alias, resulting in an email format like aws-ccoe+CAMSAREQ0000002@mycompany.com. This approach enables AWS to send communications to these structured email addresses, which are directed to the central email account aws-ccoe@mycompany.com.
Post-Provisioning Setup:
After the account is provisioned, AWS sends necessary notifications to these dynamically generated email addresses, ensuring centralized receipt and tracking. Administrators can then manually configure the root credentials based on the company’s security policies, ensuring the account adheres to internal governance and security standards. This method simplifies email management while enhancing security and organization in large-scale AWS environments.
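The following added example (not CAM's own code) walks the Create Account permissions from the first table through the plus-addressed alias scheme described here: it builds the aws-ccoe+<request id> address, calls CreateAccount, polls DescribeCreateAccountStatus, then runs MoveAccount and TagResource, and recovers the request id from a notification's To: address. The client is used with boto3's Organizations method names and return shapes; FakeOrganizations is a constructed stand-in so the block runs offline without boto3, and any root or OU ids passed to it are placeholders.

```python
import re

def account_email(alias, request_id):
    """Build aws-ccoe+CAMSAREQ0000002@mycompany.com; rejects ids outside the CAMSAREQ####### format and local parts over the 64-char SMTP limit."""
    local, domain = alias.split("@", 1)
    if not re.fullmatch(r"CAMSAREQ\d{7}", request_id) or len(local) + 1 + len(request_id) > 64:
        raise ValueError(f"unusable request id for alias {alias}: {request_id}")
    return f"{local}+{request_id}@{domain}"

def request_id_from_email(addr):
    """Recover the CAM request id from an AWS notification's To: address (None if absent)."""
    m = re.match(r"^[^@+]+\+(CAMSAREQ\d{7})@", addr)
    return m.group(1) if m else None

def create_member_account(client, alias, request_id, name, root_id, target_ou, tags, max_polls=10):
    """CreateAccount -> poll DescribeCreateAccountStatus -> MoveAccount -> TagResource."""
    car_id = client.create_account(Email=account_email(alias, request_id), AccountName=name)["CreateAccountStatus"]["Id"]
    for _ in range(max_polls):  # CreateAccount is asynchronous; poll until the request settles
        status = client.describe_create_account_status(CreateAccountRequestId=car_id)["CreateAccountStatus"]
        if status["State"] == "FAILED":  # e.g. EMAIL_ALREADY_EXISTS: surface AWS's reason
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        if status["State"] == "SUCCEEDED":
            break
    else:
        raise TimeoutError("account creation still IN_PROGRESS after polling")
    account_id = status["AccountId"]
    client.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=target_ou)
    client.tag_resource(ResourceId=account_id, Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    return account_id

class FakeOrganizations:
    """Constructed offline stand-in for boto3's Organizations client: one IN_PROGRESS poll, then SUCCEEDED with a fixed sample account id; a reused email fails with EMAIL_ALREADY_EXISTS."""
    def __init__(self):
        self.used, self.requests, self.parent, self.tags = set(), {}, {}, {}
    def create_account(self, Email, AccountName):
        if Email in self.used:
            states = [{"State": "FAILED", "FailureReason": "EMAIL_ALREADY_EXISTS"}]
        else:
            self.used.add(Email)
            states = [{"State": "IN_PROGRESS"}, {"State": "SUCCEEDED", "AccountId": "111122223333"}]
        car_id = f"car-{len(self.requests)}"
        self.requests[car_id] = states
        return {"CreateAccountStatus": {"Id": car_id, "State": "IN_PROGRESS"}}
    def describe_create_account_status(self, CreateAccountRequestId):
        states = self.requests[CreateAccountRequestId]  # hand out queued states, keep the last
        return {"CreateAccountStatus": states.pop(0) if len(states) > 1 else states[0]}
    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.parent[AccountId] = DestinationParentId
    def tag_resource(self, ResourceId, Tags):
        self.tags[ResourceId] = {t["Key"]: t["Value"] for t in Tags}
```

With a real environment, pass boto3.client("organizations") in place of FakeOrganizations() and the role's management-account credentials.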
https://www.servicenow.com/community/itom-articles/cloud-account-management-cam-aws/ta-p/3253481