Cloud Account Management (CAM)
ServiceNow Community article · Oct 17, 2024
With the increasing adoption of the cloud, companies are creating a growing number of cloud accounts to manage their operations. These accounts are often set up manually or through semi-automated processes, lacking a unified and strict governance framework. This lack of oversight can lead to uncontrolled spending, exceeding IT budgets and resulting in higher-than-expected cloud costs.
The Solution - Cloud Account Management (CAM):
Cloud Account Management (CAM) serves as a comprehensive, multi-cloud capability that offers a centralized platform for creating, managing, and decommissioning cloud accounts while ensuring compliance with governance policies. By implementing a structured approach, it helps organizations maintain control over their cloud environments, optimize costs, and achieve more efficient IT spending.
Target Audience:
ServiceNow documentation provides comprehensive and detailed guidance on setting up and performing various functions within Cloud Account Management (CAM). This document is specifically designed for IT architects, security professionals and product owners, offering in-depth technical insights to help them understand the product's capabilities and implementation process. It covers best practices, configuration steps, and security protocols, enabling professionals to efficiently deploy and manage CAM while ensuring compliance with organizational and industry standards.
Cloud Account Types Across Platforms:
Cloud Account Management (CAM) provides a streamlined wizard for creating and managing cloud accounts across multiple platforms. In AWS, these are referred to as Cloud Accounts; in Azure, they are known as Subscriptions; and in Google Cloud Platform (GCP), they are called Projects.
Key Features of CAM:
- Account Creation: Streamlined process to create cloud accounts with automated workflows for quick and consistent setup.
- Account Suspension/Locking: Ability to temporarily suspend or lock accounts based on compliance or security requirements.
- Account Reactivation/Unlocking: Easily reactivate suspended accounts when necessary, ensuring smooth operations with minimal downtime.
- Account Certification: Regular certification and auditing of accounts to ensure compliance with security and governance standards.
- Visualization: Comprehensive visualization tools to track account usage, structure, and compliance status.
- Policy-Based Rule Execution: Automated execution of rules and policies to enforce governance and security protocols across cloud environments, ensuring adherence to organizational guidelines.
CAM Building Blocks:
CAM is constructed using various ServiceNow components, along with third-party integrations to interact with cloud environments. Currently, it supports two primary integration methods: Terraform and Cloud Native Interface (CNI). Future releases aim to expand these options, offering greater flexibility and additional choices for customers. The following sections in this blog provide detailed descriptions of each component, explaining their functions and how they interact within the CAM framework.
Links to products:
- CCM - Cloud Cost Management
- CCG - Cloud Configuration Governance
- PACE - Policy as Code Engine
- Playbook
- PAD - Process Automation Designer
- UI Builder
- CMDB Workspace - Data Manager
- AWS Organizations
- AWS IAM
- AWS Billing
Initial Cloud Environment Setup:
Cloud Account Management (CAM) assumes that the customer has already set up a master or organization account, which requires a manual process involving a credit card and agreement setup with the cloud provider. To enable the CAM feature, a service account or an Identity and Access Management (IAM) user account with minimal permissions must be created to execute API actions. CAM is then responsible for creating member or subscription accounts. For consistency and clarity, the term "Subscription Account" will be used throughout the remainder of this document to refer to such accounts across all cloud providers.
Supported Integration Methods:
For AWS integration, CAM currently supports integration through Terraform and Cloud Native Interface (CNI) using Cloud Provider APIs. In an upcoming release, there are plans to integrate with AWS Control Tower. The figure below illustrates the various integration mechanisms used for the account creation process. However, for account suspension/locking and unlocking, CAM will utilize the CNI method, as there are no Terraform templates available for these specific use cases.
Terraform Integration Methods:
Terraform offers several integration methods for provisioning and managing resources at scale. Among these, the cloud and enterprise versions support web-based integrations by exposing various REST APIs, enabling seamless automation and management through a user-friendly interface. CAM supports both the cloud and enterprise versions of Terraform, providing flexibility in integrating with different environments and infrastructure setups.
Required API Permissions:
To perform API operations in AWS, CAM requires specific IAM permissions for various functionalities.
Create Account API Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | organizations:CreateAccount | Required to create new AWS member account. |
| 2 | organizations:DescribeCreateAccountStatus | Required to retrieve the account creation status after the CreateAccount API is invoked. |
| 3 | organizations:MoveAccount | Required to move the account from root OU to desired OU location. |
| 4 | organizations:TagResource | Required to create Tags for the newly created account. |
| 5 | budgets:CreateBudgetAction | Required to create budget alert for the newly created account. |
Account Management API Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | sts:AssumeRole | Required to assume a role in the member account to get account-level details such as account alias, password policy, budget, and tags. |
| 2 | organizations:DescribePolicy | Required to get the Service Control Policy used to lock/unlock an account. |
| 3 | organizations:DetachPolicy | Detach the Service Control Policy from the account to unlock it. |
| 4 | budgets:DescribeBudgetAction | Required to verify the budget alert for the newly created account. |
| 5 | budgets:ListTagsForResource | Required for governance analysis. |
| 6 | budgets:UpdateBudget | Required to update the budget. |
| 7 | budgets:ViewBudget | Required for governance analysis. |
| 8 | iam:GetAccountPasswordPolicy | Required to evaluate the password policy. |
| 9 | iam:GetAccountSummary | Required to get account policy and policy quota details for vulnerability and governance analysis. |
| 10 | iam:GetRole | Retrieves information about the specified role. Required for governance analysis. |
| 11 | iam:ListAccountAliases | Required to ensure the account is set up with aliases for proper governance. |
| 12 | organizations:AttachPolicy | Attach the Service Control Policy to the account to lock it. |
| 13 | organizations:ListAWSServiceAccessForOrganization | Required for governance analysis. |
Discovery Permissions
| # | IAM Permission | Comments |
|---|---|---|
| 1 | organizations:DescribeAccount | Retrieves AWS Organizations-related information about the specified account. Required to import account level information into CMDB. |
| 2 | organizations:DescribeOrganization | Retrieves information about the organization that the user's account belongs to. Required to import AWS organization information into CMDB. |
| 3 | organizations:DescribeOrganizationalUnit | Retrieves information about an organizational unit (OU). Required to import AWS Organizational unit information into CMDB. |
| 4 | organizations:ListAccounts | Lists all the accounts in the organization. Required to import member account details into CMDB. |
| 5 | organizations:ListOrganizationalUnitsForParent | Lists the accounts in an organization that are contained by the specified target root or organizational unit (OU). Required to populate the OU and account relationship in CMDB. |
| 6 | organizations:ListParents | Lists the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account. Required to populate the OU and account relationship in CMDB. |
| 7 | organizations:ListRoots | Lists the roots that are defined in the current organization. Required to populate the OU and account relationship in CMDB. |
| 8 | organizations:ListTagsForResource | Lists tags that are attached to the specified resource. Required to import AWS Account tag information of an account into CMDB. |
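The three tables above together define the permission set the CAM service account needs. The following is an added example (not ServiceNow code) that builds a policy limited to exactly those actions and audits any candidate policy against them; the role ARN is a placeholder you would replace with your member-account role.

```python
# Added example (not ServiceNow code): audit a CAM service-account IAM policy
# against the action list documented in the tables above.
CAM_CREATE_ACTIONS = [
    "organizations:CreateAccount", "organizations:DescribeCreateAccountStatus",
    "organizations:MoveAccount", "organizations:TagResource",
    "budgets:CreateBudgetAction",
]
CAM_MANAGE_ACTIONS = [
    "sts:AssumeRole", "organizations:DescribePolicy", "organizations:DetachPolicy",
    "organizations:AttachPolicy", "budgets:DescribeBudgetAction",
    "budgets:ListTagsForResource", "budgets:UpdateBudget", "budgets:ViewBudget",
    "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetRole",
    "iam:ListAccountAliases", "organizations:ListAWSServiceAccessForOrganization",
]
CAM_DISCOVERY_ACTIONS = [
    "organizations:DescribeAccount", "organizations:DescribeOrganization",
    "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts",
    "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
    "organizations:ListRoots", "organizations:ListTagsForResource",
]
DOCUMENTED = set(CAM_CREATE_ACTIONS + CAM_MANAGE_ACTIONS + CAM_DISCOVERY_ACTIONS)


def cam_policy(assume_role_arn: str) -> dict:
    """Construct a policy limited to the documented actions. sts:AssumeRole is
    scoped to the member-account role ARN rather than Resource "*"; the rest
    keep "*" here, to be tightened where the service supports resource ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(DOCUMENTED - {"sts:AssumeRole"}),
         "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": assume_role_arn},
    ]}


def audit_policy(policy: dict) -> list:
    """Return findings for any Allow that exceeds the documented set; an empty
    list means the policy stays within the permissions the tables call for."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue            # Deny statements never widen access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for act in actions:
            if "*" in act or "?" in act:
                findings.append(f"statement {i}: wildcard action {act!r}")
            elif act not in DOCUMENTED:
                findings.append(f"statement {i}: undocumented action {act!r}")
        if "sts:AssumeRole" in actions and stmt.get("Resource") == "*":
            findings.append(f"statement {i}: sts:AssumeRole allowed on Resource '*'")
    return findings
```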
Email Management for AWS Account Creation:
To create a new AWS account, a unique email address is required. Managing and maintaining thousands of such email addresses for a company with numerous accounts can be a significant challenge for AWS administrators. To streamline this process, it is highly recommended to create an email alias within your Microsoft Active Directory (AD) specifically for this purpose, such as aws-ccoe@mycompany.com.
Dynamic Email Alias Assignment:
When provisioning a new account, CAM (Cloud Account Management) dynamically appends a unique request ID (e.g., CAMSAREQ0000002) to the alias, resulting in an email format like aws-ccoe+CAMSAREQ0000002@mycompany.com. This approach enables AWS to send communications to these structured email addresses, which are directed to the central email account aws-ccoe@mycompany.com.
Post-Provisioning Setup:
After the account is provisioned, AWS sends necessary notifications to these dynamically generated email addresses, ensuring centralized receipt and tracking. Administrators can then manually configure the root credentials based on the company’s security policies, ensuring the account adheres to internal governance and security standards. This method simplifies email management while enhancing security and organization in large-scale AWS environments.
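The plus-addressing scheme described above, as an added example that is not part of the original article: one function derives the unique account email from the shared alias and the CAM request ID, and the other maps an inbound AWS notification back to its request so mail arriving in the central mailbox can be routed. The alias, request-ID format and the 64-character limit are assumptions taken from this page and from the AWS CreateAccount API reference.

```python
import re
from typing import Optional

# Constructed values: the shared alias and request-ID shape used on this page.
ALIAS_MAILBOX = "aws-ccoe@mycompany.com"
REQUEST_ID_RE = re.compile(r"^CAMSAREQ\d{7}$")
RECIPIENT_RE = re.compile(
    r"^(?P<local>[^+@\s]+)\+(?P<rid>CAMSAREQ\d{7})@(?P<domain>[^@\s]+)$", re.IGNORECASE)
# Assumption from the AWS Organizations CreateAccount reference: Email is 6-64 chars.
MAX_EMAIL_LEN = 64


def account_email(request_id: str, alias_mailbox: str = ALIAS_MAILBOX) -> str:
    """Derive the unique root email for a new account by plus-addressing the alias."""
    if not REQUEST_ID_RE.match(request_id):
        raise ValueError(f"unexpected request ID: {request_id!r}")
    local, _, domain = alias_mailbox.partition("@")
    if not domain or "+" in local:
        raise ValueError(f"alias must be a plain mailbox: {alias_mailbox!r}")
    email = f"{local}+{request_id}@{domain}"
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError(f"address longer than {MAX_EMAIL_LEN} chars: {email!r}")
    return email


def request_id_from_recipient(recipient: str,
                              alias_mailbox: str = ALIAS_MAILBOX) -> Optional[str]:
    """Route inbound AWS mail back to its CAM request. Returns None for mail
    addressed to the bare alias or to any other mailbox."""
    m = RECIPIENT_RE.match(recipient.strip())
    if not m:
        return None
    if f"{m['local']}@{m['domain']}".lower() != alias_mailbox.lower():
        return None
    return m["rid"].upper()
```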
Cloud Account Management (CAM) User Roles Overview:
The CAM application is, by default, restricted from access by general ServiceNow users. CAM has predefined a set of roles and groups, each with specific functions to streamline and secure cloud account management processes.
1. Requester
   - A person holding a team lead role or acting as a representative of the application.
   - Responsibilities:
     - Initiates cloud account creation requests.
2. Approver
   - Typically a supervisor, manager, or finance approver.
   - Responsibilities:
     - Reviews and evaluates requests for account actions.
     - Has the authority to approve or deny requests based on the organization's policies.
3. Admin
   - A member of the Cloud Center of Excellence (CCoE) or the Site Reliability Engineering (SRE) team.
   - Responsibilities:
     - Ensures CAM configurations are aligned with cloud and Terraform settings.
     - Customizes data certification policies as needed.
     - Manages the creation of accounts that fall outside the CAM application framework.
4. Certifier
   - An individual entrusted with verifying the data validity of the cloud accounts.
   - Responsibilities:
     - Performs audits to certify cloud account ownership for better governance.
These roles ensure a well-structured governance model within CAM, promoting efficiency, security, and compliance across cloud environments.
CAM dashboard:
ServiceNow's Process Automation Designer (PAD) and Playbook simplify and automate workflows by offering an intuitive and visual interface for designing, managing, and monitoring complex processes.
How CAM uses PAD:
Cloud Account Management (CAM) leverages this framework to automate various workflow tasks efficiently. PAD and Playbook offer high flexibility and customization, catering to diverse customer requirements. For instance, in the approval process, CAM's default setup includes general and finance approvals. However, customers can easily extend this to include additional approvals such as security or compliance, all without any coding. With PAD's no-code development capabilities, users can create and integrate new custom activities seamlessly, adapting the workflows to meet specific organizational needs and compliance standards.
CAM Approval & Assignment Workflow Process:
When a CAM requester submits a new cloud account request, it requires an approval process. By default, this process is manual. The CAM request contains details such as the cost center, business unit, and department information, which provide essential context to the request.
Once the request is approved, it is forwarded to the Cloud Center of Excellence (CCOE) or Site Reliability Engineering (SRE) team for cloud context assignment. Customers may have multiple cloud organizations for billing or legal purposes, and the CCOE/SRE team selects an appropriate organization to create the new account. In CAM, after approval, the CCOE/SRE admin assigns the cloud context and advances the workflow to account creation.
PACE Framework:
The ServiceNow PACE (Policy as Code Engine) framework consists of predefined rules and logic that dictate the expected behavior of an application or service.
CAM Integration with PACE Framework:
CAM integrates with PACE to automate both the approval and cloud context assignment processes. Out of the box, PACE rules are inactive, and the ServiceNow administrator must activate them for use.
Once enabled, the process becomes automated, with requests being auto-approved and cloud contexts auto-assigned without manual intervention. For instance, if a customer configures PACE to auto-approve requests meeting specific criteria—like a POC account with a $500 monthly budget—such requests bypass the manual approval step.
Customers may have multiple cloud organizations, and the CCOE/SRE team can use predefined rules within PACE to assign the appropriate cloud organization and unit based on the cost center or department.
With this configuration, once a request is submitted, the entire workflow can be executed within three minutes, leading to the swift creation of a new account.
Account Suspension (locking) / Reactivate (unlocking):
Accounts are allocated a budget on a monthly or yearly basis. If the budget limit is exceeded, AWS sends an email alert. To control costs, CAM can automatically lock the account using AWS Service Control Policies (SCP) to prevent users from creating new resources.
ServiceNow provides a customizable AWS CloudFormation Template (CFT) that can be tailored to meet specific requirements. When applied, this SCP ensures that users cannot provision new resources within the locked account.
If users need to unlock the account, they can submit a request to increase the budget limit. The unlocking process will remove the account from the SCP policy, allowing resource creation again.
For more details, refer to the CloudFormation Template (CFT) provided in the ServiceNow documentation.
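The lock/unlock mechanism described in this section, as an added example that is not the ServiceNow CloudFormation template: a constructed "lock" SCP that explicitly denies resource-creating actions, a small evaluator that shows why a Deny in any attached SCP blocks the call regardless of the account's own IAM grants, and a model of the attach/detach step CAM performs from the management account. The policy ID and the action list are illustrative assumptions.

```python
import fnmatch

# Constructed "lock" SCP for illustration; it is not the ServiceNow CFT.
# An explicit Deny on resource-creating actions is enough: SCPs only restrict,
# and a matching Deny in any attached SCP overrides every Allow in the account.
LOCK_SCP_ID = "p-camlockexample"          # placeholder policy ID
LOCK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyResourceCreationWhileLocked",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:Create*", "rds:Create*",
                   "s3:CreateBucket", "lambda:CreateFunction"],
        "Resource": "*",
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(attached: dict, action: str) -> bool:
    """True if any attached SCP (policy ID -> document) explicitly denies the
    action (Resource is assumed "*"). No Deny means the SCP layer does not
    block it; the account's own IAM policies still decide."""
    for doc in attached.values():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Deny":
                continue
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(_action_matches(p, action) for p in acts):
                return True
    return False


def set_lock(attached: dict, locked: bool) -> dict:
    """Model the lock/unlock step: organizations:AttachPolicy adds the lock
    SCP, organizations:DetachPolicy removes it. Both run from the management
    account, to which SCPs do not apply, so CAM can always unlock."""
    updated = dict(attached)
    if locked:
        updated[LOCK_SCP_ID] = LOCK_SCP
    else:
        updated.pop(LOCK_SCP_ID, None)
    return updated
```

The unlock path only detaches the lock SCP; raising the budget itself is the separate budgets:UpdateBudget step listed in the permission tables.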
Visualization:
The visualization dashboard offers a comprehensive overview of all cloud accounts and their compliance status. CAM integrates with the Cloud Config Governance product, pulling in compliance data to present a consolidated view in a visually intuitive dashboard. This snapshot provides detailed visibility into the state of all accounts, enabling users to quickly assess compliance and take necessary actions when needed. CAM also integrates with Cloud Cost Management (CCM) to get the budget allocated and usage details for each account.
The Cloud Config Governance (CCG) application runs a daily job that scans the accounts for vulnerabilities and reports the findings. This report can be viewed in CAM so that the necessary actions can be taken.
It also reports accounts that have no discovery schedule and accounts whose certification has not been validated periodically.
Thank you for taking the time to read through this article on Cloud Account Management (CAM). We encourage you to explore further and see how CAM can be tailored to meet your specific business needs. Stay tuned for more updates and enhancements in upcoming releases.
https://www.servicenow.com/community/itom-articles/cloud-account-management-cam/ta-p/2952932