Murali Reddy1
ServiceNow Employee
Cloud Account Management (CAM) for AWS:

Cloud Account Management (CAM) is a one-stop landing zone for multi-cloud, used to create, manage and decommission cloud accounts under a strict governance structure. While ServiceNow provides the structured workflow for managing cloud accounts, AWS offers native tools and integrations that add visibility, automation and compliance. This article looks at how those AWS services and best practices are used by CAM for AWS account management.
 

Different Ways to Create a Cloud Account in AWS

AWS offers multiple methods for creating a new account within an AWS Organization, each designed for varying levels of automation, governance, and scalability. Below are the primary approaches:
  • AWS Management Console – Administrators can manually create AWS accounts via the AWS Organizations console, ensuring direct control over configurations.
  • AWS APIs & SDKs – Developers can automate account creation using AWS Organizations APIs, seamlessly integrating with external applications and workflows.
  • Terraform – Infrastructure-as-Code (IaC) tools like Terraform (Open Source & Enterprise) enable programmatic account provisioning with predefined configurations, enhancing scalability and compliance.
  • AWS Service Catalog / AWS Control Tower – These services provide automated, governed account creation while enforcing security, compliance, and best practices for landing zones.

Currently, CAM supports account creation using the AWS Organizations APIs (also called the Cloud Native API option) and Terraform. Future releases will add AWS Control Tower integration for landing zone deployment, and there are plans to extend support to AWS GovCloud.

 

CAM Solution for AWS: Overview

The following figure outlines the key components, or building blocks, of CAM.

[Figure: CAM-AWS.png]

Required API Permissions: 

To perform API operations in AWS, CAM requires specific IAM permissions for various functionalities. 

 

Create Account API Permissions 

  1. organizations:CreateAccount - Required to create a new AWS member account.
  2. organizations:DescribeCreateAccountStatus - Required to retrieve the account creation status after the CreateAccount API is invoked (CreateAccount is asynchronous; it returns a request ID, not an account ID).
  3. organizations:MoveAccount - Required to move the account from the organization root to the desired OU (new accounts are always created directly under the root).
  4. organizations:TagResource - Required to create tags on the newly created account.
  5. budgets:CreateBudgetAction - Required to create the budget alert for the newly created account.

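The five permissions above map onto one sequence of API calls. The following is an added example written for this article (it is not CAM's or ServiceNow's code) of that sequence against a boto3-style Organizations client: create, poll the asynchronous status, move out of the root, tag. The request email is built with the plus-addressing convention described under Email Management below. The FakeOrganizations class is a constructed offline stand-in that mimics the real response shapes; the account, OU and request IDs it returns are made up.

```python
"""Added example (not CAM's own code): the asynchronous CreateAccount flow behind
the Create Account permission table, driven through a boto3-style Organizations
client. FakeOrganizations is a constructed offline stand-in; in production use
boto3.client("organizations") from the management account."""
import time
from typing import Callable


def request_email(alias: str, request_id: str) -> str:
    """Plus-address the shared alias per request (aws-ccoe+CAMSAREQ0000002@...)."""
    local, domain = alias.split("@", 1)
    return f"{local}+{request_id}@{domain}"


def create_member_account(org, name: str, email: str, destination_ou: str,
                          tags: dict, role_name: str = "OrganizationAccountAccessRole",
                          poll_seconds: float = 5.0, timeout_seconds: float = 600.0,
                          sleep: Callable[[float], None] = time.sleep,
                          clock: Callable[[], float] = time.monotonic) -> str:
    # organizations:CreateAccount is asynchronous: it returns a request id, not an
    # account id. role_name is the cross-account role AWS pre-creates for the
    # management account; billing access for IAM users is left denied here.
    status = org.create_account(Email=email, AccountName=name, RoleName=role_name,
                                IamUserAccessToBilling="DENY")["CreateAccountStatus"]
    request_id = status["Id"]
    deadline = clock() + timeout_seconds
    # organizations:DescribeCreateAccountStatus: poll until a terminal state.
    while status["State"] == "IN_PROGRESS":
        if clock() > deadline:
            raise TimeoutError(f"create request {request_id} still IN_PROGRESS")
        sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        # FailureReason values include EMAIL_ALREADY_EXISTS and ACCOUNT_LIMIT_EXCEEDED.
        raise RuntimeError(f"create request {request_id} failed: "
                           f"{status.get('FailureReason')}")
    account_id = status["AccountId"]
    # New accounts always land under the organization root, so organizations:MoveAccount
    # relocates them; organizations:ListRoots supplies the source parent id.
    root_id = org.list_roots()["Roots"][0]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=root_id,
                     DestinationParentId=destination_ou)
    # organizations:TagResource
    org.tag_resource(ResourceId=account_id,
                     Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    return account_id


class FakeOrganizations:
    """Constructed stand-in that mimics the response shapes of the real client and
    reports SUCCEEDED on the second status poll. All ids are made up."""

    def __init__(self, root_id: str = "r-abcd", account_id: str = "111122223333"):
        self.root_id, self.account_id = root_id, account_id
        self.calls, self.parents, self.tags, self._polls = [], {}, {}, 0

    def create_account(self, **kwargs):
        self.calls.append(("CreateAccount", kwargs))
        return {"CreateAccountStatus": {"Id": "car-0123456789abcdef",
                                        "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self._polls += 1
        if self._polls < 2:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId,
                                            "State": "IN_PROGRESS"}}
        self.parents[self.account_id] = self.root_id
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId,
                                        "State": "SUCCEEDED",
                                        "AccountId": self.account_id}}

    def list_roots(self):
        return {"Roots": [{"Id": self.root_id}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        if self.parents.get(AccountId) != SourceParentId:
            raise RuntimeError("SourceParentIdMismatch")
        self.parents[AccountId] = DestinationParentId

    def tag_resource(self, ResourceId, Tags):
        self.tags[ResourceId] = {t["Key"]: t["Value"] for t in Tags}


if __name__ == "__main__":
    fake = FakeOrganizations()
    email = request_email("aws-ccoe@mycompany.com", "CAMSAREQ0000002")
    acct = create_member_account(fake, "payments-dev", email, "ou-abcd-11111111",
                                 {"CostCenter": "4711"}, sleep=lambda s: None)
    print(acct, fake.parents[acct], fake.tags[acct])
```

Two points worth noting from the code: the account ID only exists once the status poll reports SUCCEEDED, so anything that records the account (CMDB, tags, budget) has to wait for that state and treat FAILED as a distinct outcome; and the MoveAccount call needs the root ID as source parent, which is why organizations:ListRoots (listed under Discovery) is also exercised during creation.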

Account Management API Permissions 

  1. sts:AssumeRole - Required to assume a role in the member account to read account-level details such as the account alias, password policy, budget and tags.
  2. organizations:DescribePolicy - Required to read the Service Control Policy (SCP) used to lock and unlock an account.
  3. organizations:DetachPolicy - Required to detach the lock SCP from the account (unlock).
  4. budgets:DescribeBudgetAction - Required to verify the budget alert on the newly created account.
  5. budgets:ListTagsForResource - Required for governance analysis.
  6. budgets:UpdateBudget - Required to update the account's budget.
  7. budgets:ViewBudget - Required for governance analysis.
  8. iam:GetAccountPasswordPolicy - Required to evaluate the account password policy.
  9. iam:GetAccountSummary - Required to read IAM entity usage and quota details for vulnerability and governance analysis.
  10. iam:GetRole - Retrieves information about the specified role. Required for governance analysis.
  11. iam:ListAccountAliases - Required to verify that the account has an alias set, as proper governance requires.
  12. organizations:AttachPolicy - Required to attach the lock SCP to the account (lock).
  13. organizations:ListAWSServiceAccessForOrganization - Required for governance analysis.

Note that the iam:* actions (items 8 to 11) are evaluated inside the member account by the role assumed through sts:AssumeRole, so they must be granted to that role rather than only to the ServiceNow principal in the management account.

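The lock/unlock items in the table (DescribePolicy, AttachPolicy, DetachPolicy) describe attaching and detaching a Service Control Policy. The block below is an added example written for this article, not CAM's own implementation, showing what a deny-all lock SCP looks like and how to attach and detach it defensively: the policy is checked with DescribePolicy before use so a wrong ID cannot attach an unrelated policy, and the duplicate-attach and not-attached error codes are treated as idempotent outcomes instead of failures. The policy ID p-lock0001, the account ID and the FakeOrganizations stand-in are constructed for the example.

```python
"""Added example, not CAM's own code: lock and unlock a member account by attaching
or detaching a deny-all Service Control Policy with the Organizations actions the
table above grants (DescribePolicy, AttachPolicy, DetachPolicy). The policy id
p-lock0001, the account id and FakeOrganizations are constructed stand-ins."""
import json

# Deny-all SCP: while attached, no principal in the member account (root included)
# is allowed any AWS API call, which is what "locking" the account means here.
LOCK_SCP_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CAMLock", "Effect": "Deny",
                   "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _error_code(exc: Exception):
    """AWS error code from a botocore ClientError (or a stand-in with .response)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def verify_lock_policy(org, policy_id: str) -> dict:
    """organizations:DescribePolicy: refuse to use anything but a deny-all SCP as
    the lock, so a mistyped id cannot attach an unrelated or partial policy."""
    policy = org.describe_policy(PolicyId=policy_id)["Policy"]
    summary = policy["PolicySummary"]
    if summary["Type"] != "SERVICE_CONTROL_POLICY":
        raise ValueError(f"{policy_id} is not a service control policy")
    statements = _as_list(json.loads(policy["Content"]).get("Statement"))
    if not any(s.get("Effect") == "Deny" and "*" in _as_list(s.get("Action"))
               and "*" in _as_list(s.get("Resource")) for s in statements):
        raise ValueError(f"{policy_id} does not deny all actions")
    return summary


def lock_account(org, account_id: str, policy_id: str) -> str:
    """organizations:AttachPolicy; a second lock is reported, not treated as an error."""
    verify_lock_policy(org, policy_id)
    try:
        org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    except Exception as exc:
        if _error_code(exc) != "DuplicatePolicyAttachmentException":
            raise
        return "already_locked"
    return "locked"


def unlock_account(org, account_id: str, policy_id: str) -> str:
    """organizations:DetachPolicy; detaching an unattached policy is idempotent."""
    try:
        org.detach_policy(PolicyId=policy_id, TargetId=account_id)
    except Exception as exc:
        if _error_code(exc) != "PolicyNotAttachedException":
            raise
        return "already_unlocked"
    return "unlocked"


class FakeOrganizations:
    """Constructed stand-in for boto3.client("organizations") holding one lock SCP."""

    class ClientError(Exception):
        def __init__(self, code: str):
            super().__init__(code)
            self.response = {"Error": {"Code": code}}

    def __init__(self):
        self.policies = {"p-lock0001": {"Type": "SERVICE_CONTROL_POLICY",
                                        "Content": json.dumps(LOCK_SCP_DOCUMENT)}}
        self.attachments = set()

    def describe_policy(self, PolicyId):
        p = self.policies[PolicyId]
        return {"Policy": {"PolicySummary": {"Id": PolicyId, "Name": "CAM-Lock",
                                             "Type": p["Type"]},
                           "Content": p["Content"]}}

    def attach_policy(self, PolicyId, TargetId):
        if (PolicyId, TargetId) in self.attachments:
            raise self.ClientError("DuplicatePolicyAttachmentException")
        self.attachments.add((PolicyId, TargetId))

    def detach_policy(self, PolicyId, TargetId):
        if (PolicyId, TargetId) not in self.attachments:
            raise self.ClientError("PolicyNotAttachedException")
        self.attachments.discard((PolicyId, TargetId))


if __name__ == "__main__":
    org = FakeOrganizations()
    print(lock_account(org, "111122223333", "p-lock0001"),
          lock_account(org, "111122223333", "p-lock0001"),
          unlock_account(org, "111122223333", "p-lock0001"))
```

Three caveats apply when running this for real: the SCP policy type must be enabled on the organization root or AttachPolicy is rejected; SCPs never restrict the management account, so the lock only works on member accounts; and once the deny-all SCP is attached, a session assumed into that account with sts:AssumeRole can make no further calls, so the governance checks in the table must run before locking or be expected to fail on locked accounts.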

Discovery Permissions 

  1. organizations:DescribeAccount - Retrieves AWS Organizations-related information about the specified account. Required to import account-level information into the CMDB.
  2. organizations:DescribeOrganization - Retrieves information about the organization that the user's account belongs to. Required to import AWS organization information into the CMDB.
  3. organizations:DescribeOrganizationalUnit - Retrieves information about an organizational unit (OU). Required to import AWS OU information into the CMDB.
  4. organizations:ListAccounts - Lists all the accounts in the organization. Required to import member account details into the CMDB.
  5. organizations:ListOrganizationalUnitsForParent - Lists the OUs contained by the specified root or parent OU. Required to populate the OU tree in the CMDB.
  6. organizations:ListParents - Lists the root or OU that is the immediate parent of the specified child OU or account. Required to populate the OU and account relationship in the CMDB.
  7. organizations:ListRoots - Lists the roots defined in the current organization. Required to populate the OU and account relationship in the CMDB.
  8. organizations:ListTagsForResource - Lists the tags attached to the specified resource. Required to import an account's tags into the CMDB.

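The Discovery permissions together describe one traversal: roots, then the OU tree under each root, then every account with its parent and tags. The block below is an added example written for this article (not CAM's discovery code) that performs that traversal with exactly those list calls, follows NextToken pagination, and keeps the account Status so that closed accounts, which AWS lists as SUSPENDED for a period before removal, are not imported as live. The FakeOrganizations stand-in, its OU names and account IDs are constructed for the example; in production pass boto3.client("organizations").

```python
"""Added example (not CAM's own discovery code): walk an AWS Organization into the
parent/child inventory a CMDB import needs, using only the Discovery permissions
listed above. FakeOrganizations is a constructed stand-in with a small OU tree and
a two-page account list; in production pass boto3.client("organizations")."""


def _paginate(call, key, **kwargs):
    """Follow NextToken across list_* responses (boto3 has paginators for this; it
    is written out so the stand-in below exercises the same path)."""
    token = None
    while True:
        resp = call(**kwargs, NextToken=token) if token else call(**kwargs)
        yield from resp[key]
        token = resp.get("NextToken")
        if not token:
            return


def discover_organization(org) -> dict:
    """Return the organization, each OU with its parent, and each account with its
    parent, status and tags, all keyed by id."""
    inventory = {"organization": org.describe_organization()["Organization"],
                 "roots": [], "ous": {}, "accounts": {}}
    # organizations:ListRoots + ListOrganizationalUnitsForParent: depth-first walk.
    for root in org.list_roots()["Roots"]:
        inventory["roots"].append(root["Id"])
        stack = [root["Id"]]
        while stack:
            parent = stack.pop()
            for ou in _paginate(org.list_organizational_units_for_parent,
                                "OrganizationalUnits", ParentId=parent):
                inventory["ous"][ou["Id"]] = {"name": ou["Name"], "parent": parent}
                stack.append(ou["Id"])
    # organizations:ListAccounts + ListParents + ListTagsForResource. Status is kept
    # because closed accounts remain listed as SUSPENDED before AWS removes them.
    for acct in _paginate(org.list_accounts, "Accounts"):
        parent = org.list_parents(ChildId=acct["Id"])["Parents"][0]["Id"]
        tags = {t["Key"]: t["Value"] for t in _paginate(
            org.list_tags_for_resource, "Tags", ResourceId=acct["Id"])}
        inventory["accounts"][acct["Id"]] = {
            "name": acct["Name"], "email": acct["Email"],
            "status": acct["Status"], "parent": parent, "tags": tags}
    return inventory


def ou_path(inventory: dict, account_id: str) -> str:
    """Render root-id/OU/.../OU for an account from the inventory's parent links."""
    names = []
    node = inventory["accounts"][account_id]["parent"]
    while node in inventory["ous"]:
        names.append(inventory["ous"][node]["name"])
        node = inventory["ous"][node]["parent"]
    names.append(node)  # the root id
    return "/".join(reversed(names))


class FakeOrganizations:
    """Constructed stand-in: Root -> Workloads -> Prod, one active account under
    Prod, one suspended account directly under the root, accounts in two pages."""

    def __init__(self):
        self.root = "r-abcd"
        self.ous = {"r-abcd": [("ou-abcd-workloads", "Workloads")],
                    "ou-abcd-workloads": [("ou-abcd-prod", "Prod")],
                    "ou-abcd-prod": []}
        self.accounts = [
            {"Id": "111122223333", "Name": "payments-prod", "Status": "ACTIVE",
             "Email": "aws-ccoe+CAMSAREQ0000002@mycompany.com", "parent": "ou-abcd-prod"},
            {"Id": "444455556666", "Name": "old-sandbox", "Status": "SUSPENDED",
             "Email": "aws-ccoe+CAMSAREQ0000001@mycompany.com", "parent": "r-abcd"}]
        self.tags = {"111122223333": [{"Key": "CostCenter", "Value": "4711"}]}

    def describe_organization(self):
        return {"Organization": {"Id": "o-exampleorgid", "MasterAccountId": "999988887777"}}

    def list_roots(self):
        return {"Roots": [{"Id": self.root, "Name": "Root"}]}

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return {"OrganizationalUnits": [{"Id": i, "Name": n} for i, n in self.ous[ParentId]]}

    def list_accounts(self, NextToken=None):
        public = [{k: v for k, v in a.items() if k != "parent"} for a in self.accounts]
        if NextToken is None:
            return {"Accounts": public[:1], "NextToken": "page-2"}
        return {"Accounts": public[1:]}

    def list_parents(self, ChildId, NextToken=None):
        parent = next(a["parent"] for a in self.accounts if a["Id"] == ChildId)
        kind = "ROOT" if parent.startswith("r-") else "ORGANIZATIONAL_UNIT"
        return {"Parents": [{"Id": parent, "Type": kind}]}

    def list_tags_for_resource(self, ResourceId, NextToken=None):
        return {"Tags": self.tags.get(ResourceId, [])}


if __name__ == "__main__":
    inv = discover_organization(FakeOrganizations())
    for acct_id in inv["accounts"]:
        print(acct_id, inv["accounts"][acct_id]["status"], ou_path(inv, acct_id))
```

ListAccounts returns the same fields as DescribeAccount for every member, so DescribeAccount and DescribeOrganizationalUnit are only needed when refreshing a single CI rather than the whole tree. An account whose ListParents result is the root id (like old-sandbox above) is either newly created and not yet moved, or was never placed under an OU; both are worth flagging in a governance report.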

CAM requires several setup steps in the customer environment. Below are the high-level tasks:

  1. Configure the IAM Role and ServiceNow user in the AWS Cloud.

  2. Set up an email alias for new account creation and notification delivery.

  3. Configure Service Control Policies (SCPs) to lock and unlock accounts as needed.

  4. (Optional) Set up Terraform and Git integration if you plan to use a Terraform-based environment.

  5. Share the necessary credentials and configuration details with the ServiceNow administrator for CAM integration.

ServiceNow documentation has detailed steps for these configurations in the section "Setting up AWS Cloud". The documentation provides an AWS CloudFormation template (CFT) that sets up the IAM permissions and creates the ServiceNow user; review the template's IAM statements against the permission tables above before deploying it, so the principal is granted no more than CAM needs.

 

Email Management for AWS Account Creation: 

To create a new AWS account, a unique email address is required. Managing and maintaining thousands of such addresses for a company with many accounts is a significant burden for AWS administrators. To streamline this, it is recommended to create a single email alias in your Microsoft Active Directory (AD) for this purpose, such as aws-ccoe@mycompany.com.

  

Dynamic Email Alias Assignment: 

When provisioning a new account, CAM (Cloud Account Management) dynamically appends the unique request ID (e.g., CAMSAREQ0000002) to the alias using plus-addressing, producing an address such as aws-ccoe+CAMSAREQ0000002@mycompany.com. Each AWS account still has a unique email address, but all mail sent to these structured addresses is delivered to the central mailbox aws-ccoe@mycompany.com. This depends on your mail system delivering plus-addressed recipients to the base alias, so confirm that before the first account is created.

  

Post-Provisioning Setup: 

After the account is provisioned, AWS sends its notifications to these dynamically generated addresses, so receipt and tracking are centralized. Administrators can then set the root credentials according to the company's security policies: the root password is established through the password-reset flow sent to this address, and MFA should be enabled on the root user immediately afterwards. Because that mailbox can reset the root password of every account created this way, restrict access to it and monitor it as a privileged asset. This method simplifies email management while keeping security and organization manageable in large-scale AWS environments.

 

Last update: 05-02-2025 02:33 PM