Cloud Account Management (CAM) manages the lifecycle of subscription accounts at various stages and integrates with multiple cloud providers. Companies often have more than one cloud provider and organization and need to create new cloud subscriptions based on business units or cost centers. This process requires multiple connection configurations and other parameters to create, suspend, reactivate, or close accounts.
CAM configuration serves as a central location where ServiceNow administrators can define connection parameters.
The CAM workflow internally refers to these configurations at runtime to execute various workflows. Below are the key parameters for configuration:
Key Configuration Parameters:
- Cloud Provider
- Configuration Type
- Provision mode
- Credentials
- Cloud Organization
| # | Config Parameter | Description |
| 1 | Cloud Provider | As CAM integrates with multiple cloud providers, this parameter defines the context for other parameters. Currently, CAM supports AWS and Azure providers. |
| 2 | Configuration Type |
CAM provides various lifecycle capabilities such as creating accounts, suspending accounts, and scanning accounts. Based on the selection, administrators are prompted to provide additional parameters. Currently supports 1.Create -- to create new accounts 2. Suspend / Reactivate - to lock / unlock accounts 3. Scan Accounts - to scan compliance configuration |
| 3 | Provision Mode |
CAM supports different cloud integration mechanisms, including Cloud Native Interface, Terraform, and, in the future, Landing Zone. Based on this configuration, the CAM workflow executes the appropriate process to complete the task.
Currently CAM supports these provision modes based on providers 1. AWS - Cloud Native Interface, Terraform 2. Azure - Cloud Native Interface |
| 4 | Credentials |
To integrate with a cloud provider, CAM requires a Service Principal credential for authentication. These credentials are stored in a Password2 field, which is encrypted using a two-way encryption mechanism. The CAM workflow dynamically retrieves the credentials and sends them in API calls. More details can be found in the ServiceNow documentation docs. |
| 5 | Cloud Organization |
Since companies may have multiple cloud organizations, each with its own Service Principal credentials, separate configurations are required for each cloud organization. This maps credentials to the Cloud Organization CI ( This data is a prerequisite for creating a new configuration.
|
| 6 |
Email notifications are sent to relevant stakeholders once a workflow completes its execution.
In the case of AWS, this email is used as a template for generating a new root email, which is required to create a new AWS account. |
| # | Cloud Provider | Configuration Type | Parameter | Description |
| 1 | AWS | Suspend Account | Suspension SCP Policy Id | AWS Service Control Policy (SCP) ID used to lock the account. |
| 2 | Azure | Suspend Account | Azure Suspension Policy ID | Azure Suspension Policy ID used to lock the account. |
| 3 | AWS, Azure, GCP | Scan Accounts | CCG Scan Configuration ID | Scan configuration ID created in the Cloud Compliance Governance (CCG) application. |
