Murali Reddy1
ServiceNow Employee

With the increasing adoption of the cloud, companies are creating a growing number of cloud accounts to manage their operations. These accounts are often set up manually or through semi-automated processes, lacking a unified and strict governance framework. This lack of oversight can lead to uncontrolled spending, exceeding IT budgets and resulting in higher-than-expected cloud costs.  

 

The Solution - Cloud Account Management (CAM): 

Cloud Account Management (CAM) serves as a comprehensive, multi-cloud capability that offers a centralized platform for creating, managing, and decommissioning cloud accounts while ensuring compliance with governance policies. By implementing a structured approach, it helps organizations maintain control over their cloud environments, optimize costs, and achieve more efficient IT spending. 

 

Target Audience: 

ServiceNow documentation provides comprehensive and detailed guidance on setting up and performing various functions within Cloud Account Management (CAM). This document is specifically designed for IT architects, security professionals and product owners, offering in-depth technical insights to help them understand the product's capabilities and implementation process. It covers best practices, configuration steps, and security protocols, enabling professionals to efficiently deploy and manage CAM while ensuring compliance with organizational and industry standards. 

 

Cloud Account Types Across Platforms: 

 

Cloud Account Management (CAM) provides a streamlined wizard for creating and managing cloud accounts across multiple platforms. In AWS, these are referred to as Cloud Accounts; in Azure, they are known as Subscriptions; and in Google Cloud Platform (GCP), they are called Projects. 

 

Subscription Account Lifecycle:

 

[Figure: subscription account lifecycle]

 

Key Features of CAM: 

  1. Account Creation: Streamlined process to create cloud accounts with automated workflows for quick and consistent setup. 
  2. Account Suspension/Locking: Ability to temporarily suspend or lock accounts based on compliance or security requirements. 
  3. Account Reactivation/Unlocking: Easily reactivate suspended accounts when necessary, ensuring smooth operations with minimal downtime. 
  4. Account Certification: Regular certification and auditing of accounts to ensure compliance with security and governance standards. 
  5. Visualization: Comprehensive visualization tools to track account usage, structure, and compliance status. 
  6. Policy-Based Rule Execution: Automated execution of rules and policies to enforce governance and security protocols across cloud environments, ensuring adherence to organizational guidelines.  

 

CAM Building Blocks:

CAM is constructed using various ServiceNow components, along with third-party integrations to interact with cloud environments. Currently, it supports two primary integration methods: Terraform and Cloud Native Interface (CNI). Future releases aim to expand these options, offering greater flexibility and additional choices for customers. The following sections in this blog provide detailed descriptions of each component, explaining their functions and how they interact within the CAM framework. 

[Figure: Cloud Workspace - GA1]

 

Initial Cloud Environment Setup:

Cloud Account Management (CAM) assumes that the customer has already set up a master or organization account, which requires a manual process involving a credit card and agreement setup with the cloud provider. To enable the CAM feature, a service account or an Identity and Access Management (IAM) user account with minimal permissions must be created to execute API actions. CAM is then responsible for creating member or subscription accounts. For consistency and clarity, the term "Subscription Account" will be used throughout the remainder of this document to refer to such accounts across all cloud providers. 

 

 

Supported Integration Methods: 

For AWS integration, CAM currently supports integration through Terraform and Cloud Native Interface (CNI) using Cloud Provider APIs. In an upcoming release, there are plans to integrate with AWS Control Tower. The figure below illustrates the various integration mechanisms used for the account creation process. However, for account suspension/locking and unlocking, CAM will utilize the CNI method, as there are no Terraform templates available for these specific use cases. 

 

Cloud Native Interface (CNI):

CAM uses cloud-native APIs for subscription management. CAM supports both AWS and Azure API integrations.

 

Terraform Integration Methods: 

Terraform offers several integration methods for provisioning and managing resources at scale. Among these, the cloud and enterprise versions support web-based integrations by exposing various REST APIs, enabling seamless automation and management through a user-friendly interface. CAM supports both the cloud and enterprise versions of Terraform, providing flexibility in integrating with different environments and infrastructure setups. Currently, Terraform is supported only for AWS environments.

 

A detailed, in-depth approach for AWS and Azure is described in the child articles:

  1. Cloud Account Management (CAM) - AWS
  2. Cloud Account Management (CAM) - Azure

 

Cloud Account Management (CAM) User Roles Overview: 

The CAM application is, by default, restricted from access by general ServiceNow users. CAM has predefined a set of roles and groups, each with specific functions to streamline and secure cloud account management processes. 

  

1. Requester 

  • A person holding a team lead role or acting as a representative of the application. 
  • Responsibilities: 
    • Initiates cloud account creation requests. 

  

2. Approver 

  • Typically, a supervisor, manager, or finance approver. 
  • Responsibilities: 
    • Reviews and evaluates requests for account actions. 
    • Has the authority to approve or deny requests based on the organization’s policies. 

  

3. Admin

  • A member of the Cloud Center of Excellence (CCoE) or the Site Reliability Engineering (SRE) team. 
  • Responsibilities: 
    • Ensures CAM configurations are aligned with cloud and Terraform settings. 
    • Customizes data certification policies as needed. 
    • Manages the creation of accounts that fall outside the CAM application framework. 

4. Certifier 

  • An individual entrusted with verifying the data validity of the cloud accounts. 
  • Responsibilities: 
    • Performs audits to certify cloud account ownership for better governance.  

  

These roles ensure a well-structured governance model within CAM, promoting efficiency, security, and compliance across cloud environments. 

 

CAM dashboard:

[Figure: CAM dashboard]

 

PAD/Playbook Integration: 

ServiceNow's Process Automation Designer (PAD) and Playbook simplify and automate workflows by offering an intuitive and visual interface for designing, managing, and monitoring complex processes. 

  

How CAM uses PAD: 

Cloud Account Management (CAM) leverages this framework to automate various workflow tasks efficiently. PAD and Playbook offer high flexibility and customization, catering to diverse customer requirements. For instance, in the approval process, CAM's default setup includes general and finance approvals. However, customers can easily extend this to include additional approvals such as security or compliance, all without any coding. With PAD's no-code development capabilities, users can create and integrate new custom activities seamlessly, adapting the workflows to meet specific organizational needs and compliance standards. 

[Figure: CAM Create Account PAD]

 

CAM Approval & Assignment Workflow Process: 

When a CAM requester submits a new cloud account request, it requires an approval process. By default, this process is manual. The CAM request contains details such as the cost center, business unit, and department information, which provide essential context to the request. 

  

Once the request is approved, it is forwarded to the Cloud Center of Excellence (CCOE) or Site Reliability Engineering (SRE) team for cloud context assignment. Customers may have multiple cloud organizations for billing or legal purposes, and the CCOE/SRE team selects an appropriate organization to create the new account. In CAM, after approval, the CCOE/SRE admin assigns the cloud context and advances the workflow to account creation. 

  

PACE Framework: 

The ServiceNow PACE (Policy as Code Engine) framework consists of predefined rules and logic that dictate the expected behavior of an application or service. Detailed setup and customization are described in this article.

  

CAM Integration with PACE Framework: 

CAM integrates with PACE to automate both the approval and cloud context assignment processes. Out of the box, PACE rules are inactive, and the ServiceNow administrator must activate them for use. 

  

Once enabled, the process becomes automated, with requests being auto-approved and cloud contexts auto-assigned without manual intervention. For instance, if a customer configures PACE to auto-approve requests meeting specific criteria—like a POC account with a $500 monthly budget—such requests bypass the manual approval step. 

  

Customers may have multiple cloud organizations, and the CCOE/SRE team can use predefined rules within PACE to assign the appropriate cloud organization and unit based on the cost center or department. 

  

With this configuration, once a request is submitted, the entire workflow can be executed within three minutes, leading to the swift creation of a new account. 

 

Account Suspension (locking) / Reactivate (unlocking): 

Accounts are allocated a budget on a monthly or yearly basis. If the budget limit is exceeded, AWS sends an email alert. To control costs, CAM can automatically lock the account using AWS Service Control Policies (SCP) to prevent users from creating new resources. 

  

ServiceNow provides a customizable AWS CloudFormation Template (CFT) that can be tailored to meet specific requirements. When applied, this SCP ensures that users cannot provision new resources within the locked account. 

  

If users need to unlock the account, they can submit a request to increase the budget limit. The unlocking process will remove the account from the SCP policy, allowing resource creation again. 

  

For more details, refer to the CloudFormation Template (CFT) provided in the ServiceNow documentation. 
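The locking behaviour described above, as an added example that is not ServiceNow's CloudFormation template or CAM code: it builds a deny-style SCP document and checks which API calls it would block while attached and after it is detached. The action list, the Sid and all function names are constructed for illustration, and the evaluator models only the explicit-Deny side of SCP evaluation, assuming the default FullAWSAccess policy stays attached.

```python
import json
from fnmatch import fnmatchcase

# Constructed action list: resource-creating API calls to block while an
# account is locked. Illustrative only; not taken from ServiceNow's template.
LOCKED_ACTIONS = [
    "ec2:RunInstances",
    "rds:CreateDBInstance",
    "s3:CreateBucket",
    "lambda:CreateFunction",
    "eks:Create*",
]

def build_lock_scp(actions=LOCKED_ACTIONS):
    """Return an SCP document that denies the given actions on all resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewResourcesWhileLocked",  # hypothetical name
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
        }],
    }

def scp_denies(scp, action):
    """True if any Deny statement in the SCP matches the action.
    IAM action names are case-insensitive and allow * and ? wildcards."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False

def is_blocked(attached_scps, action):
    """An explicit Deny in any attached SCP blocks the call, whatever IAM allows."""
    return any(scp_denies(scp, action) for scp in attached_scps)

def lock_report(attached_scps, actions):
    """Map each probed action to True (blocked) or False (not blocked)."""
    return {a: is_blocked(attached_scps, a) for a in actions}

if __name__ == "__main__":
    lock = build_lock_scp()
    print(json.dumps(lock, indent=2))
    probes = ["ec2:RunInstances", "eks:CreateCluster",
              "ec2:TerminateInstances", "s3:GetObject"]
    print("locked  :", lock_report([lock], probes))   # lock SCP attached
    print("unlocked:", lock_report([], probes))       # lock SCP detached
```

A deny list like this stops new provisioning but leaves read and delete calls available, so resources that already exist keep running and accruing cost until someone removes them. SCPs also do not restrict the organization's management account, so the lock only applies to member (subscription) accounts.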

 

 Visualization: 

The visualization dashboard offers a comprehensive overview of all cloud accounts and their compliance status. CAM integrates with the Cloud Config Governance product, pulling in compliance data to present a consolidated view in a visually intuitive dashboard. This snapshot provides detailed visibility into the state of all accounts, enabling users to quickly assess compliance and take necessary actions when needed. CAM also integrates with Cloud Cost Management (CCM) to get the budget allocated and usage details for each account.  

[Figure: CAM Account Summary]

[Figure: CAM Account Summary 2]

The Cloud Config Governance (CCG) application runs a daily job that scans accounts for vulnerabilities and reports them. This report can be viewed in CAM for necessary actions.

[Figure: CAM Violation demo]

It also reports accounts that do not have a discovery schedule and accounts whose certification is not validated periodically.

 

Thank you for taking the time to read through this article on Cloud Account Management (CAM). We encourage you to explore further and see how CAM can be tailored to meet your specific business needs. Stay tuned for more updates and enhancements in upcoming releases.

 

Related Articles:

  1. CAM Configuration
  2. PACE Integration
  3. Customizing Playbook
  4. Cloud Account Management (CAM) - AWS
  5. Cloud Account Management (CAM) - Azure
  6. Customizing Service Catalog (Cloud Account Request Form)

 

Comments
andreasicf
Tera Contributor

This is a wonderful article. Thank you for taking the time to write this all up. I think the only thing missing, at least from my perspective, is how to obtain the product. I’m sure it may be covered in the linked docs, but from an article perspective, just to be more holistic, is this currently something available in ServiceNow Store? And it’ll become part of the release in Yokohama?

 

Thanks!

 

-Allen

Murali Reddy1
ServiceNow Employee

Hi @andreasicf, Currently it's available as a Lab release. The product will be available as GA in store in Nov 2024. Hope this helps. Thanks.

Gautham Raju
Tera Expert

I am pleased to share insights into ServiceNow's recent advancements in cloud technology, particularly the introduction of the Cloud Account Management (CAM) application, which was recently unveiled in the Innovation Lab. Having had the opportunity to be among the initial testers of the Cloud Service Catalog (CSC) at its inception, I approached the CAM with similar enthusiasm.

 

The CAM represents another significant innovation by ServiceNow. The accompanying documentation was meticulously structured, providing clear and detailed instructions for setting up and utilizing the CAM effectively.

 

Key Features and Benefits of CAM:

The CAM application is designed to assist organizations in swiftly creating new cloud accounts while ensuring proper governance measures are in place. It notably simplifies and accelerates the process of cloud account management on platforms such as AWS, with future expansions planned for Azure and Google. The application reduces the typical duration of account setup from request to approval and manual configuration to approximately 2-3 minutes.

 

Primary Advantages of Implementing CAM Include:

Automated Account Creation: Streamlines the process of setting up new cloud accounts.

Account Suspension and Reactivation: Facilitates easy management of account statuses.

Data Certification of Account Ownership: Ensures clarity and security in account management.

 

Operational Capabilities of CAM:

Request and approve new cloud accounts.

Provision and cancel cloud account requests.

Certify, suspend, and reactivate cloud accounts.

 

Requirements:

Service account with necessary privileges on the AWS root account for creating new child accounts.

Terraform Cloud/Enterprise for infrastructure management.

GIT for accessing and managing Terraform templates.

 

Security and Efficiency:

The CAM application not only enhances security by minimizing the risk of unauthorized access and potential data breaches but also helps in reducing costs by avoiding expenditure on underutilized resources. It offers scalable solutions that are crucial for managing extensive and diverse cloud infrastructures efficiently.

 

I effectively activated the CAM plugin within my Personal Developer Instance (PDI) and utilized my personal AWS account, Terraform Cloud, and GIT for extensive testing. I am excited to delve deeper into the user-centric design and operational excellence of ServiceNow's Cloud Account Management (CAM) application. This innovative solution not only simplifies cloud account management but also incorporates robust governance features that are critical for efficient and secure cloud operations.

 

  1. Enhanced User Interface and Reporting:

The CAM application boasts a well-designed homepage that provides immediate access to essential information, including high-level details of requests and basic graphical reports. These reports highlight the number of accounts created each month and the distribution of accounts across different environments. This visualization aids in quick assessment and decision-making.

 

  2. Simplified Configuration and Account Management:

The configuration section of CAM is intuitively organized, allowing administrators to easily set up and manage the creation and suspension of accounts. The process for requesting a new account or suspending an existing one is streamlined, with forms that are straightforward and simple to complete by the requester (application team lead or representative from the application team).

 

  3. Governance and Budget Control:

Addressing common concerns about cloud budget management, CAM includes a monthly budget limit on the request form, providing a robust framework for cost governance. Additionally, the ability to specify start and end dates for each account offers enhanced control over spending and restricts account usage to designated periods, further aligning with budgetary constraints and project timelines.

 

  4. Approval Processes and Administrative Control:

Each account request undergoes an approval process, adding a layer of governance that prevents the creation of unnecessary or overly costly accounts, and ensures that production accounts are not suspended without scrutiny. This governance is bolstered by granting provision control to Cloud Administrators, such as SREs or members of a Cloud Center of Excellence (CCoE), who play a pivotal role in maintaining stringent controls over cloud resources.

 

  5. Integration and Management of Pre-existing Accounts:

For organizations that have pre-existing cloud accounts created directly on cloud platforms, CAM offers a seamless integration solution. These accounts, once discovered in ServiceNow, can be certified, and managed directly through CAM, including the ability to suspend accounts as needed. This feature ensures that all cloud accounts, regardless of their origin, are brought under the same governance and management umbrella.

   

I am confident that CAM will significantly enhance the organization's ability to manage cloud accounts efficiently while ensuring compliance with governance standards.

 

I have identified several enhancements that could further improve its functionality and user experience. Below, I outline these suggestions for your consideration:

  • Introduce specific catalog items for requesting, suspending, and certifying cloud accounts to streamline these processes.
  • Replace the current method of identifying organizations and organizational units (OU) with display names. This change would enhance readability and reduce the likelihood of incorrect selections.
  • Incorporate additional reports that detail accounts along with their respective budgets and account validity periods.
  • Allow for the extension of validity periods for existing accounts, providing greater flexibility in account management.
  • Like other records in ServiceNow, include a 'Work Notes' field for each request record. This would facilitate easier access to detailed error logs, aiding in troubleshooting efforts.
  • Ensure the visibility of execution flows for all requests, particularly when details are not displaying as expected.
  • Improve the visibility of activities on request records, especially in instances where actions such as suspension requests fail.
  • Augment the account creation process with detailed success and failure messages for each step to provide clearer insights into the process, especially in cases of failed requests. Below is a sample screen shot.
makima
Giga Explorer

The VECTOR data type is currently not available in Snowflake trial accounts. This limitation is because VECTOR support is part of Snowflake Cortex, which is only accessible to accounts with specific enterprise-level features enabled.

To enable the VECTOR data type:

  1. Upgrade Your Account
    You’ll need to upgrade from a trial to a paid Snowflake account. VECTOR and other advanced AI features are typically available only on enterprise plans.

  2. Contact Snowflake Support or Sales
    Reach out to Snowflake support or sales and request access to Cortex features, including VECTOR. Mention the course you're following and explain your use case to help justify the request.

  3. Check Region and Account Settings
    Make sure your Snowflake account is hosted in a region where Cortex and VECTOR support are available.

Unfortunately, VECTOR cannot be enabled on a standard trial account without approval or an account upgrade. If you're serious about exploring Cortex and building RAG-based apps, upgrading or getting in touch with Snowflake support is the best path forward.

Version history
Last update: 07-22-2025 09:56 AM