Self-service Account Provisioning Using AWS Service Management Connector for ServiceNow

Many customers are looking to adopt a multi-account strategy within their AWS environment. This allows customers to isolate their workloads into different environments including test, dev, and production in addition to separating workloads based on regulatory requirements. As customers scale their multi-account environments, one strategy to increase agility is to offer business units their own sandbox accounts for experimental and testing purposes. To do so rapidly, business teams want the ability to self-serve provisioning of their own accounts and resources.

For organizations that have adopted ServiceNow, IT operations teams can offer business teams the ability to self-service provisioning of accounts through a familiar interface. This is accomplished by connecting AWS Control Tower and AWS Service Catalog into ServiceNow using the AWS Service Management Connector which enables ServiceNow end users to provision, manage, and operate AWS resources natively through ServiceNow. AWS Control Tower enables customers to set up and govern a multi-account environment at scale. For guidance building a well-structured foundation and isolating AWS services by function and team, customers can reference the Security Reference Architecture.

In this blog post, we’ll demonstrate how to set up an environment that allows end users the ability to self-serve provisioning of accounts through ServiceNow. By the end of this hands-on session, you should be able to:

• Integrate AWS Service Catalog (AWS Control Tower Account Factory Portfolio) with ServiceNow ITSM Portal using AWS Service Management Connector to enhance Cloud Management.
• Order and provision an AWS Account as an end user from ServiceNow Portal in a standardized, secure, and governed fashion.

Prerequisites

AWS

• Obtain/use a clean AWS account with admin credentials. Although we’re using admin privileges for the purpose of this blog, it is security best practice to apply least-privilege permissions and grant only the permissions required to perform a task.
• Create Landing Zone using AWS Control Tower.

ServiceNow

• Obtain ServiceNow Personal Developer Instance or use clean ServiceNow Developer Environment. You will need an Account that has admin privileges to perform the configuration steps in ServiceNow.

Part 1: AWS Configuration

This section describes the configuration required on AWS. At a high-level, the following steps will be performed:

1. Verify AWS Control Tower Landing Zone is set up.
2. Verify AWS Service Catalog Portfolio Product is active.
3. Create two IAM Users for AWS Service Management Connector:
   SCSyncUser
   SCEndUser
4. Create two IAM Policies:
   Demo-ControlTower-FullAccess
   Demo-SSO-FullAccess
5. Create an IAM Role Demo-Role-For-LaunchConstraint and attach required policies.
6. Create AWS Service Catalog Launch Constraint and assign the role Demo-Role-For-LaunchConstraint.
7. Grant access to the Service Catalog portfolio to users: SCSyncUser and SCEndUser.

Step 1: In your AWS Console, verify AWS Control Tower is setup in the US East (N. Virginia) region.

Step 2: Verify that the status of AWS Control Tower Account Factory Portfolio version is Active from the AWS Service Catalog service in your AWS Console.

Step 3: Create IAM Users

For each AWS account, the Connector for ServiceNow requires two IAM users:

• AWS Sync User: An IAM user to sync AWS resources (such as potfolios and products) to ServiceNow.
• AWS End User: An IAM user who can provision products as an end user, execute requests, and view resources that ServiceNow exposes. This role includes any required roles to provision and execute.

After creating each user, make a note of the access keys details as you would need them when configuring the new AWS Account in ServiceNow.

To add the users, Navigate to the Identity and Access Management (IAM) service.

Step 3.1: Create User 1

1. Create the first user SCSyncUser, assign Permissions and create Access key (Programmatic Access) as shown in the screenshots.
2. Select “Users” from the left-hand menu and then choose “Add users” button.
3. Enter “SCSyncUser” for the user name. Since this user will only require programmatic access, leave the box unchecked for access to the AWS Management Console.
4. Choose ‘Next’.
5. Select the permissions option ‘Attach policies directly’ and search for the policy “AWSServiceCatalogAdminReadOnlyAccess”. Select the check-box against the policy name.
6. Choose ‘Next’, Review the details and choose ‘Create User’ to complete the User Creation.
7. To create an access key for this user, select “Users” from the left-hand menu and then choose SCSyncUser.
8. Select the ‘Security credentials’ tab.                                                                                                                                                       
9. Scroll down to the section for ‘Access keys’ and select ‘Create access key’.
10. Select the radio button option for ‘Third-party service’, check the box at the bottom and choose ‘Next’.
11. On the next page, choose ‘Create access key’.
12. To Retrieve the access keys, choose ‘Download .csv file’ to save the access key and then choose ‘Done’.

Step 3.2: Create User 2

1. Create the second user SCEndUser, assign Permissions and create Access key (Programmatic Access) as shown in the screenshots.
2. Select “Users” from the left-hand menu and then choose  “Add users” button.
3. Enter “SCEndUser” for the user name. Since this user will only require programmatic access, leave the box unchecked for access to the AWS Management Console.
4. Choose ‘Next’.
5. Select the permissions option ‘Attach policies directly’ and search for the policy AWSServiceCatalogEndUserFullAccess”. Select the check-box against the policy name.
6. Choose ‘Next’, Review the details and select ‘Create User’ to complete the User Creation.
7. To create access key for this user, select “Users” from the left-hand menu and then choose SCEndUser.
8. Select the ‘Security credentials’ tab.                                                                     
9. Scroll down to the section for ‘Access keys’ and choose ‘Create access key’.
10. Select the radio button option for ‘Third-party service’, check the box at the bottom and choose ‘Next’.
11. On the next page, choose ‘Create access key’.
12. To Retrieve the access keys, select ‘Download .csv file’ to save the access key and then choose ‘Done’.It is best practice to rotate AWS Access keys periodically and sync updated keys programmatically in ServiceNow.

Step 4: Create IAM Policies

Before creating a launch constraint to which we attach an IAM role that Service Catalog assumes when an end user launches a product, the following policies with necessary permissions need to be created and subsequently attached to the IAM Role.

Navigate to the Identity and Access Management (IAM) service.

Step 4.1: Create a policy called Demo-ControlTower-FullAccess. This policy allows full access to the AWS Control Tower Service to provision new accounts.

1. In the left navigation pane, choose “Policies” and then select the “Create policy” button.
2. On the “Create policy” page, select the “JSON” and replace the default policy document with the following:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "controltower:*",
               "Resource": "*"
           }
       ]
   }

3. When you are finished, choose Next: Tags and then choose Next: Review on the following page.
4. On the Review policy page, type the Name “Demo-ControlTower-FullAccess”.
5. Review your policy and choose “Create policy” to save it.

Step 4.2: Create another policy called Demo-SSO-FullAccess. This policy allows access to AWS IAM Identify Center (successor to AWS Single Sing-on) service to create the IAM Identity Center Users (for the accounts provisioned using AWS Service Catalog – AWS Control Tower Account Factory Portfolio).

1. In the left navigation pane, choose “Policies” and then choose the “Create policy” button.
2. On the “Create policy” page, select the “JSON” and replace the default policy document with the following:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "sso-directory:*",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": "sso:*",
               "Resource": "*"
           }
       ]
   }

3. When you are finished, choose Next: Tags and then choose Next: Review on the following page.
4. On the Review policy page, type the Name “Demo-SSO-FullAccess”.
5. Review your policy and choose “Create policy” to save it.

Step 5: Create IAM Role

1. Navigate to the Identity and Access Management (IAM) service.
2. In the left navigation menu, select “Roles“.
3. Choose the “Create role” button.
4. Select “AWS service” for the Trusted entity type and “Service Catalog” for the service.                                                                                                          
5. When you are finished, choose Next.
6. Select the following permission policies to attach to the role:

   AWSCloudFormationFullAccess AmazonS3FullAccess Demo-SSO-FullAccess Demo-ControlTower-FullAccess 

7. When you are finished, choose Next.
8. Enter the name “Demo-Role-For-LaunchConstraint” for the role and choose the “Create role” button.

Step 6: Create Service Catalog Launch Constraint

1. Navigate to the Service Catalog service.
2. In the left navigation menu, select “Portfolios” and select the portfolio named ‘AWS Control Tower Account Factory Portfolio’.
3. On the next page, select the tab “Constraints” and choose the “Create constraint” button.
4. Select ‘AWS Control Tower Account Factory Portfolio’ for Product and ‘Launch’ for the Constraint type.
5. For the Launch Constraint Method, choose “Select IAM role” and select the IAM role Demo-Role-For-LaunchConstraint from the drop-down.
6. Choose “Create”.

Step 7: Grant AWS Service Management Connector (SMC) Users access to portfolio

To grant Service Management Connector users SCSyncUser and SCEndUser:

1. Navigate to the Service Catalog service.
2. In the left navigation menu, select “Portfolios” and select the portfolio named ‘AWS Control Tower Account Factory Portfolio’.
3. On the next page, select the tab “Access” and choose “Grant access” button.
4. Select “IAM Principal” for the Access type and select the “Users” tab.
5. Select the users SCEndUser and SCSyncUser by checking the boxes.
6. Choose the “Grant access” button to grant access to the users.

This concludes the configuration required on AWS.

Part 2: ServiceNow Configuration

This section describes how to configure core components in ServiceNow.

Step 1: Configuring AWS Service Management Connector
AWS Service Management Connector requires a ServiceNow plugin, called User Criteria Scoped API (for AWS Service Catalog integration), that provides useful components to the integration features.

The following configuration steps, as detailed in the AWS Service Management Connector Administrator Guide, need to be performed:

1. Activating ServiceNow plugins
2. Installing ServiceNow Connector scoped application
3. Configuring Connector using Guided Setup
4. Platform system administrator components
5. ServiceNow permissions for administrators of the Connector scoped app
6. Configuring AWS Service Management Connector scoped application
7. Configuring AWS accounts to synchronize in the Connector
   • When choosing the visible AWS service integrations for this AWS account, select
     • ‘Integrate with AWS Service Catalog (including AppRegistry)‘ check-box option from the visible AWS service integrations for this AWS account.
8. Validating connectivity to AWS Regions
9. Manually syncing scheduled jobs
   • Choose the following job names to execute:
     • Synchronize AWS Service Catalog
     • Synchronize changes to all AWS accounts

Step 2: Adding the My AWS Products widget to the Service Portal view
The widget enables users to view their AWS product requests, view outputs, and perform post-operational actions such as update and terminate.

To include the My AWS Products widget on the Service Portal view, log in as system administrator in the ServiceNow standard user interface (Fulfiller view).

1. In the navigator panel, find Service Portal.
2. Choose Service Portal Configuration.
3. Choose Designer.
4. Search for Index in the filter. Choose the Home Page box with a house image and the word Index in the lower left corner.
5. In the left panel in Widgets, enter My AWS Products in the Filter Widget.
6. Drag the widget to the Service Portal edit view to your desired location.
7. Preview your changes.

Part 3: Provisioning an AWS Account from ServiceNow

This section describes an example of how to order and provision an AWS Account from ServiceNow.

1. In the navigator panel, find Service Portal.
2. Choose Service Portal Home.
3. Choose Catalog Menu on the top
4. Select the Browse by Categories link
5. Under the Categories section on the left, expand the AWS Service Catalog to view the available AWS products.
6. Chooseo AWS Control Tower Account Factory Portfolio [Service Catalog] and then select AWS Control Tower Factory product to provision.
7. Enter product request details including Product Name, Parameters and Tags (if any).
8. Choose Order Now to submit the ServiceNow request and provision the AWS Service Catalog product.
9. Choose Check Out to submit                                                                                                                                                                     

Once done, you will receive an order status acknowledging the submission. The request shows that the submissions and execution have been successful and outputs the information submitted to AWS.

Part 4: AWS validation of self-serve account provisioned from ServiceNow

In your AWS Console, navigate to AWS Control Tower

1. Choose Organization on the left panel.
2. Expand the Sandbox Organizational Unit (OU) on the right to verify that the account provisioned from ServiceNow is Enrolled.

This completes the final task in this hands-on session.

Part 5: Clean Up

To clean up AWS Configurations:

1. Remove access to AWS Control Tower Account Factory Portfolio for users: SCSyncUser and SCEndUser.
2. Delete the AWS Control Tower Account Factory Portfolio Launch Constraint.
3. Delete IAM Role Demo-Role-For-LaunchConstraint.
4. Delete the two IAM Policies:
   • Demo-ControlTower-FullAccess
   • Demo-SSO-FullAccess
5. Delete the two IAM Users:
   • SCSyncUser
   • SCEndUser

To clean up in ServiceNow, release the Personal Developer Instance provisioned for this Lab by following instructions in ServiceNow Documentation.

Conclusion

Customers using ServiceNow as their ITSM solution can leverage the AWS Service Management Connector to self-serve the vending of AWS Accounts natively from ServiceNow. In this blog post, we’ve shown how to implement steps to integrate AWS Service Catalog (AWS Control Tower Account Factory Portfolio) with ServiceNow ITSM using AWS Service Management Connector and raise a change request to provision an AWS Account through the ServiceNow Portal in a secure and standardized fashion. In doing so, customers can accelerate migration and AWS adoption at scale through oversight and governance in their declared operational tooling and system of record.

About the Author