Cloud Account Management (CAM) - Setup Service Control Policy (SCP) in AWS

Purpose: When an account owner wants to prevent the creation of new resources in the cloud, they can request this action through CAM (Cloud Account Management). CAM then calls the AWS Organizations API to attach the relevant Service Control Policy (SCP) to that account. Once attached, the SCP denies the listed resource-creation actions to every IAM user and role in the account, which helps avoid budget overspending. Existing resources are not affected and continue to run as usual.

Here's how it works: As part of the setup process, a Service Control Policy (SCP) is created in the Organizations management account from the CloudFormation template (CFT) provided below. The template's deny list covers the resource types most customers create; you can customize it by adding further action names to suit your needs. Note that the SCP blocks only the actions that are explicitly listed: a creation API that is not in the list (for example, one belonging to a service the list does not mention) remains allowed in a suspended account, so review the list against the services your accounts actually use.

The SCP ID is then shared with the ServiceNow administrator, who registers it during the CAM configuration process.

When an application owner submits a suspension request, the CAM application calls the AWS Organizations AttachPolicy API with the registered policy ID and the account number as the target. From that point the SCP is enforced for the account and users can no longer create the listed resources. Lifting the suspension is the reverse operation: detach the policy from the account.

Notes: The SCP policy type must be enabled on your organization's root (this requires the organization to have all features enabled) before a policy can be attached. An SCP never restricts the management account itself, so only member accounts can be suspended this way. An attached Deny applies to every principal in the member account, including the root user and account administrators, but it does not apply to service-linked roles.

CAM SCP Policy: This pre-configured SCP serves as a foundation. You can easily tailor it to your specific requirements by adding additional action names to the Action list.

AWSTemplateFormatVersion: 2010-09-09
Description: SCP policy for ServiceNow Cloud Account Management to restrict creation of new resources.
Resources:
  PolicyTestTemplate:
    Type: AWS::Organizations::Policy
    Properties:
      Type: SERVICE_CONTROL_POLICY
      Name: CAM_SCP_SuspendAccount_Policy
      Content:
        Version: 2012-10-17
        Statement:
          - Sid: CAMSCPSuspendAccountPolicy
            Effect: Deny
            Action:
              - 'ec2:RunInstances'
              - 'ec2:CreateVolume'
              - 'ec2:CreateSnapshot'
              - 'ec2:CreateImage'
              - 's3:CreateBucket'
              - 'iam:CreateUser'
              - 'iam:CreateRole'
              - 'iam:CreatePolicy'
              - 'dynamodb:CreateTable'
              - 'sqs:CreateQueue'
              - 'sns:CreateTopic'
              - 'lambda:CreateFunction'
              - 'ec2:CreateVpc'
              - 'ec2:CreateSubnet'
              - 'ec2:CreateInternetGateway'
              - 'ec2:CreateRoute'
              - 'rds:CreateDBInstance'
              - 'redshift:CreateCluster'
            Resource: '*'

Required Role: AWS Administrator in the Organizations management account (the stack must be created there, because only the management account can create SCPs).

Procedure: Steps to create the SCP stack:

Access the AWS Management Console: Log in to the AWS Management Console and navigate to the CloudFormation service. You can search for "CloudFormation" in the search bar at the top of the console.

Click "Create Stack": On the CloudFormation console homepage, click the orange "Create Stack" button.

Specify Template Source: Click "Upload a template file" and choose the CloudFormation template file you downloaded from the guided setup and saved locally on your computer.

Stack Name: Enter a unique name for your CloudFormation stack in the "Stack name" field. This name identifies the stack within your AWS account.

Specify Parameters: The policy template shown above declares no parameters, so there is nothing to enter on this page. If the template you downloaded from the guided setup does prompt for values (for example, a CAM Service Account username), enter them here.

Configure Advanced Options (Optional): There are various advanced options you can configure, but you can skip them for this setup.

Review and Create: Once you have uploaded the CFT, specified a stack name, and provided any parameter values, review all the details on the screen. If everything looks correct, scroll down, acknowledge the capabilities checkbox, and click the "Submit" button. Wait for the stack status to reach CREATE_COMPLETE.

Output of this setup: Once the CloudFormation template (CFT) creates the policy, AWS Organizations assigns it a unique policy ID and Amazon Resource Name (ARN). The policy ID is shown as the Physical ID of the PolicyTestTemplate resource on the stack's Resources tab, and the policy also appears in the Organizations console under Policies > Service control policies.
The ARN follows the format arn:aws:organizations::<management-account-id>:policy/<organization-id>/service_control_policy/<policy-id>, for example:

arn:aws:organizations::123456789012:policy/o-99t3h155el/service_control_policy/p-328wg3yb

The key element you need to provide to the ServiceNow administrator is the policy ID, which is the last path segment of the ARN; in this example it is p-328wg3yb.

Back to main KB - Cloud Account Management (CAM) - Setup (KB1641505)
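Two things a practitioner will want to check before handing the policy ID to the ServiceNow administrator: which creation APIs the deny list above actually covers (and which it leaves open), and what the suspend and resume calls look like against AWS Organizations. The following Python script is an added example, not ServiceNow's or AWS's code. It uses the real boto3 Organizations method names attach_policy, detach_policy and list_policies_for_target; the FakeOrganizationsClient class, the probe action list, the policy ID p-328wg3yb taken from the ARN example above and the account ID 123456789012 are constructed here so the script runs offline.

```python
"""Added example: what the CAM suspend SCP blocks, plus the attach/verify/detach
cycle CAM performs. Not ServiceNow's or AWS's code; IDs below are constructed."""
import fnmatch
import json

# Deny list exactly as in the CAM_SCP_SuspendAccount_Policy template on this page.
CAM_DENIED_ACTIONS = [
    "ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:CreateImage",
    "s3:CreateBucket", "iam:CreateUser", "iam:CreateRole", "iam:CreatePolicy",
    "dynamodb:CreateTable", "sqs:CreateQueue", "sns:CreateTopic", "lambda:CreateFunction",
    "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway", "ec2:CreateRoute",
    "rds:CreateDBInstance", "redshift:CreateCluster",
]
SCP_MAX_BYTES = 5120  # AWS Organizations limit for one SCP document


def build_suspend_scp(denied_actions=CAM_DENIED_ACTIONS):
    """Return the SCP document the CloudFormation template creates, as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CAMSCPSuspendAccountPolicy",
            "Effect": "Deny",
            "Action": list(denied_actions),
            "Resource": "*",
        }],
    }


def scp_size_bytes(scp):
    """Size of the compact JSON that would be submitted to Organizations."""
    return len(json.dumps(scp, separators=(",", ":")).encode("utf-8"))


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied_by_scp(scp, action):
    """True if a Deny statement in the SCP names the action (Condition keys ignored)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            return True
    return False


def uncovered_actions(scp, candidate_actions):
    """Creation actions a suspended account could still call: candidates to add."""
    return [a for a in candidate_actions if not is_denied_by_scp(scp, a)]


def is_scp_attached(org, policy_id, account_id):
    """Ask Organizations which SCPs are attached directly to the account.
    At most 5 SCPs can be attached to one target, so a single page is enough."""
    resp = org.list_policies_for_target(TargetId=account_id, Filter="SERVICE_CONTROL_POLICY")
    return any(p["Id"] == policy_id for p in resp["Policies"])


def suspend_account(org, policy_id, account_id):
    """The CAM suspension call: attach the SCP, then verify it is attached."""
    org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    return is_scp_attached(org, policy_id, account_id)


def resume_account(org, policy_id, account_id):
    """Reverse of suspension: detach the SCP, then verify it is gone."""
    org.detach_policy(PolicyId=policy_id, TargetId=account_id)
    return not is_scp_attached(org, policy_id, account_id)


class FakeOrganizationsClient:
    """Constructed stand-in with the boto3 method names used above, so this runs
    offline. In production use boto3.client("organizations") from the management account."""

    def __init__(self):
        self.attached = {}  # target id -> set of policy ids

    def attach_policy(self, PolicyId, TargetId):
        self.attached.setdefault(TargetId, set()).add(PolicyId)
        return {}

    def detach_policy(self, PolicyId, TargetId):
        self.attached.get(TargetId, set()).discard(PolicyId)
        return {}

    def list_policies_for_target(self, TargetId, Filter):
        ids = sorted(self.attached.get(TargetId, set()))
        return {"Policies": [{"Id": i, "Type": Filter} for i in ids]}


if __name__ == "__main__":
    scp = build_suspend_scp()
    print(f"SCP size: {scp_size_bytes(scp)} of {SCP_MAX_BYTES} bytes")
    # Constructed probe list: creation APIs the page's deny list does not mention.
    probes = ["ec2:RunInstances", "eks:CreateCluster", "ecs:CreateCluster",
              "ec2:CreateNatGateway", "elasticache:CreateCacheCluster"]
    print("still allowed while suspended:", uncovered_actions(scp, probes))
    org = FakeOrganizationsClient()
    print("suspended:", suspend_account(org, "p-328wg3yb", "123456789012"))
    print("resumed:", resume_account(org, "p-328wg3yb", "123456789012"))
```

Run it once against the policy as shipped and the probe list shows the gap the prose warns about: EKS, ECS, NAT gateways and ElastiCache clusters are all still creatable in a "suspended" account until you add their actions (or a service-wide pattern such as ec2:Create*) to the template. The attach and detach helpers verify the result with list_policies_for_target rather than trusting the call's return value, which is the check CAM's operators want when a suspension is disputed.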