Cloud Configuration Governance policies

  • Release version: Zurich
  • Updated July 31, 2025

    A Cloud Configuration Governance policy defines the non-compliant configurations for a given cloud resource type.

    Each Cloud Configuration Governance policy contains the following information:

    • The cloud on which the resource is provisioned.
    • The cloud resource type.
    • Definition of the non-compliant configuration. For example, unencrypted Amazon Web Services (AWS) S3 buckets or insecure Identity and Access Management (IAM) accounts.
    • Definition of the audit violation (policy violation) report.
    Note:
    Starting with Cloud Configuration Governance version 1.3.7, the base system contents are moved to the CCG Content Pack. Install the CCG Content Pack to access the base system Cloud Configuration Governance contents.

    Cloud Configuration Governance provides several base system policies. You can use these policies as delivered or create custom policies according to your organization's needs. Depending on the requirement and your familiarity with the ServiceNow AI Platform, you can use any one of the following methods to create a policy:

    • Condition builder: a graphical interface for defining the non-compliant condition.
    • Integration Hub flow: a flow-based policy built with ServiceNow Integration Hub.
    • Script: a scripted policy definition for advanced checks.

    To use the policy, add the policy to a policy set. Each policy set can contain one or more policies. For more information on creating policy sets, see Create policy set.
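    As an added illustration (not ServiceNow's own code and not the Cloud Configuration Governance script API), the following JavaScript models the four parts of a policy described above as plain objects, groups several policies into a policy set, and evaluates that set against constructed resource records so that each non-compliant resource yields one audit violation record. The names (makePolicy, evaluatePolicySet, CMDB_RECORDS, the sample resources and approved hardware types) are assumptions for this example; a Script policy in the product would read resource and CMDB data through ServiceNow APIs instead.

```javascript
// Added example, not part of the ServiceNow documentation or product code.
// It models a Cloud Configuration Governance policy (cloud, resource type,
// non-compliant condition, violation report) as plain JavaScript objects and
// evaluates a policy set against constructed resource records.
// All names and sample data below are assumptions made for this example.

// Constructed CMDB records keyed by resource id (stand-in for CMDB lookups).
const CMDB_RECORDS = {
  "i-0001": { ip: "10.0.1.10" },
  "i-0002": { ip: "10.0.1.20" },
};

// Constructed discovered cloud resources, as a collector might report them.
const RESOURCES = [
  { cloud: "AWS", type: "S3 Bucket", id: "audit-logs", encrypted: true },
  { cloud: "AWS", type: "S3 Bucket", id: "scratch-data", encrypted: false },
  { cloud: "AWS", type: "EC2 VM", id: "i-0001", hardwareType: "t3.medium",
    ip: "10.0.1.10", detailedMonitoring: true },
  { cloud: "AWS", type: "EC2 VM", id: "i-0002", hardwareType: "p3.16xlarge",
    ip: "10.0.9.99", detailedMonitoring: false },
];

// A policy names the cloud and resource type it applies to, the predicate
// that marks a resource non-compliant, and how to build the violation record.
function makePolicy(name, cloud, type, isNonCompliant, describe) {
  return {
    name, cloud, type,
    appliesTo: (r) => r.cloud === cloud && r.type === type,
    isNonCompliant,
    report: (r) => ({ policy: name, cloud, type, resourceId: r.id, detail: describe(r) }),
  };
}

// Constructed list of approved EC2 hardware types (organization-specific).
const APPROVED_HW = new Set(["t3.medium", "t3.large", "m5.large"]);

const POLICIES = [
  makePolicy("S3 Enforce Bucket Encryption", "AWS", "S3 Bucket",
    (r) => r.encrypted !== true,
    (r) => `bucket ${r.id} has no default encryption`),
  makePolicy("VM HardwareType", "AWS", "EC2 VM",
    (r) => !APPROVED_HW.has(r.hardwareType),
    (r) => `hardware type ${r.hardwareType} is not approved`),
  makePolicy("VM IPAddress", "AWS", "EC2 VM",
    (r) => (CMDB_RECORDS[r.id] || {}).ip !== r.ip,
    (r) => `IP ${r.ip} does not match CMDB record ${(CMDB_RECORDS[r.id] || {}).ip || "(none)"}`),
  makePolicy("VM Monitoring State", "AWS", "EC2 VM",
    (r) => !r.detailedMonitoring,
    () => "detailed monitoring is disabled"),
];

// A policy set groups policies. Evaluating it yields one violation record per
// (policy, resource) pair where the resource is in scope and non-compliant.
function evaluatePolicySet(policySet, resources) {
  const violations = [];
  for (const policy of policySet.policies) {
    for (const r of resources.filter(policy.appliesTo)) {
      if (policy.isNonCompliant(r)) violations.push(policy.report(r));
    }
  }
  return violations;
}

const AWS_BASELINE = { name: "AWS baseline", policies: POLICIES };

// Violation count per policy, the shape an audit report summary would use.
function summarize(violations) {
  return violations.reduce((acc, v) => {
    acc[v.policy] = (acc[v.policy] || 0) + 1;
    return acc;
  }, {});
}

if (typeof require !== "undefined" && require.main === module) {
  const violations = evaluatePolicySet(AWS_BASELINE, RESOURCES);
  for (const v of violations) console.log(`${v.policy}: ${v.resourceId} - ${v.detail}`);
  console.log(summarize(violations));
}
```

    With the constructed data above, the set produces four violations: the unencrypted scratch-data bucket, and the i-0002 VM failing the hardware type, IP-versus-CMDB, and monitoring checks. Keeping the predicate and the report builder inside the policy object is what lets a policy set evaluate any mix of policies uniformly.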

    Table 1. Base system policies

    | Name | Type | Description |
    |---|---|---|
    | AWS IAM User Activity policy | Condition builder | Policy to check if the password is enabled for the AWS IAM user. To use this policy, ensure that the AWS IAM user account has the following permissions: Iam:GetCredentialReport, Iam:GenerateCredentialReport. |
    | AWS S3 Enforce Bucket encryption | Condition builder | Policy to check if the AWS S3 buckets are encrypted. |
    | AWS Sample flow policy | Integration Hub flow | Policy to illustrate an Integration Hub flow-based policy. |
    | AWS VM HardwareType | Condition builder | Policy to check if the deployed EC2 VMs are using only the approved hardware types. |
    | AWS VM IPAddress | Script | Policy to check if the IP address of the EC2 VM matches the Configuration Management Database (CMDB) record. |
    | AWS VM Monitoring State | Condition builder | Policy to check if detailed monitoring is enabled for the EC2 VM. |
    | Azure VM HardwareType | Condition builder | Policy to check if the deployed Azure VMs are using only the approved hardware types. |
    | Azure VM IP Address | Script | Policy to check if the IP address of the Azure VM matches the CMDB record. |
    | Azure VM Monitoring State | Condition builder | Policy to check if detailed monitoring is enabled for the Azure VM. |