Account and Subscription Vending

Article 8 of 12 in the Cloud Landing Zone Series

Introduction

Through working with large cloud environments, I've learned that manual account provisioning becomes a major bottleneck as organizations scale.

In enterprise environments with hundreds of accounts, I've seen the typical manual provisioning process:

Ticket-based requests going through multiple review cycles
Multi-week timelines for approvals (IT, security, finance)
Manual account creation and baseline configuration
Configuration mistakes and missing components
Back-and-forth debugging of access issues
Teams blocked waiting for infrastructure

This manual process creates significant friction - slowing down development teams and consuming operations time on repetitive tasks.

By implementing automated account vending systems, I've seen dramatic improvements:

Provisioning time reduced from weeks to minutes
Zero manual effort for standard account requests
Consistent baseline configurations with no errors
Self-service for development teams
Significantly higher account creation throughput

This article shares the account vending automation patterns I've built - covering self-service portals, approval workflows, automated baseline configuration, and how to safely enable teams to provision their own infrastructure.

What is Account Vending?

Account vending automates the complete lifecycle of cloud accounts/subscriptions:

Request: Self-service portal or API
Approval: Automated workflow (optional manual gates)
Provisioning: Automated account creation with baseline configuration
Access: Automated IAM role assignment
Monitoring: Account added to centralized logging, security services
Lifecycle: Automated updates, decommissioning

AWS Account Vending with Control Tower Account Factory

# Service Catalog Product for Account Vending
resource "aws_servicecatalog_product" "account_vending" {
  name  = "AWS Account Vending Machine"
  owner = "Cloud Platform Team"
  type  = "CLOUD_FORMATION_TEMPLATE"
  
  provisioning_artifact_parameters {
    name        = "v1.0"
    type        = "CLOUD_FORMATION_TEMPLATE"
    template_url = "s3://landing-zone-templates/account-vending-v1.yaml"
  }
}

# Control Tower Account Factory Integration
resource "aws_controltower_account" "vended_account" {
  name  = var.account_name
  email = var.account_email
  
  organizational_unit_name = var.organizational_unit
  
  # Baseline configuration
  sso_user_email       = var.sso_user_email
  sso_user_first_name  = var.sso_user_first_name
  sso_user_last_name   = var.sso_user_last_name
}

# Automated baseline configuration via EventBridge
resource "aws_cloudwatch_event_rule" "new_account" {
  name        = "new-account-created"
  description = "Triggered when new account created"
  
  event_pattern = jsonencode({
    source      = ["aws.controltower"]
    detail-type = ["AWS Service Event via CloudTrail"]
    detail = {
      eventName = ["CreateManagedAccount"]
    }
  })
}

resource "aws_cloudwatch_event_target" "configure_new_account" {
  rule      = aws_cloudwatch_event_rule.new_account.name
  target_id = "ConfigureNewAccount"
  arn       = aws_lambda_function.configure_account.arn
}

# Lambda: Configure new account
resource "aws_lambda_function" "configure_account" {
  filename         = "configure_account.zip"
  function_name    = "configure-new-account"
  role            = aws_iam_role.lambda_configure_account.arn
  handler         = "index.handler"
  runtime         = "python3.11"
  timeout         = 900  # 15 minutes
  
  environment {
    variables = {
      LOG_BUCKET           = aws_s3_bucket.central_logging.id
      TRANSIT_GATEWAY_ID   = var.transit_gateway_id
      CENTRAL_LOG_ACCOUNT  = var.log_archive_account_id
    }
  }
}

Lambda Function for Account Configuration:

import boto3
import json
import os

def handler(event, context):
    """Configure newly vended AWS account"""
    
    account_id = event['detail']['serviceEventDetails']['createManagedAccountStatus']['account']['accountId']
    account_name = event['detail']['serviceEventDetails']['createManagedAccountStatus']['account']['accountName']
    
    print(f"Configuring account: {account_name} ({account_id})")
    
    # Assume role in new account
    sts = boto3.client('sts')
    assumed_role = sts.assume_role(
        RoleArn=f'arn:aws:iam::{account_id}:role/AWSControlTowerExecution',
        RoleSessionName='AccountVendingConfiguration'
    )
    
    credentials = assumed_role['Credentials']
    
    # 1. Enable GuardDuty
    configure_guardduty(account_id, credentials)
    
    # 2. Enable Security Hub
    configure_security_hub(account_id, credentials)
    
    # 3. Enable AWS Config
    configure_config(account_id, credentials)
    
    # 4. Configure VPC
    configure_vpc(account_id, account_name, credentials)
    
    # 5. Attach to Transit Gateway
    attach_transit_gateway(account_id, credentials)
    
    # 6. Configure IAM roles
    configure_iam_roles(account_id, credentials)
    
    # 7. Enable default EBS encryption
    enable_ebs_encryption(account_id, credentials)
    
    # 8. Send notification
    notify_account_ready(account_name, account_id)
    
    return {
        'statusCode': 200,
        'body': json.dumps(f'Account {account_id} configured successfully')
    }

def configure_guardduty(account_id, credentials):
    """Enable GuardDuty in all regions"""
    guardduty = boto3.client(
        'guardduty',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )
    
    detector = guardduty.create_detector(
        Enable=True,
        DataSources={
            'S3Logs': {'Enable': True},
            'Kubernetes': {
                'AuditLogs': {'Enable': True}
            }
        }
    )
    
    print(f"GuardDuty enabled: {detector['DetectorId']}")

def configure_vpc(account_id, account_name, credentials):
    """Create standard VPC with public/private subnets"""
    ec2 = boto3.client(
        'ec2',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
        region_name='us-east-1'
    )
    
    # Allocate VPC CIDR from IPAM pool
    cidr = allocate_cidr_from_ipam(account_id)
    
    # Create VPC
    vpc = ec2.create_vpc(CidrBlock=cidr)
    vpc_id = vpc['Vpc']['VpcId']
    
    # Tag VPC
    ec2.create_tags(
        Resources=[vpc_id],
        Tags=[
            {'Key': 'Name', 'Value': f'{account_name}-vpc'},
            {'Key': 'ManagedBy', 'Value': 'AccountVending'},
            {'Key': 'Account', 'Value': account_id}
        ]
    )
    
    # Enable VPC Flow Logs
    ec2.create_flow_logs(
        ResourceType='VPC',
        ResourceIds=[vpc_id],
        TrafficType='ALL',
        LogDestinationType='s3',
        LogDestination=f'arn:aws:s3:::{os.environ["LOG_BUCKET"]}/vpc-flow-logs/{account_id}/'
    )
    
    print(f"VPC created: {vpc_id}")
    return vpc_id

def notify_account_ready(account_name, account_id):
    """Notify requestor that account is ready"""
    sns = boto3.client('sns')
    
    message = f"""
    Your AWS account is ready!
    
    Account Name: {account_name}
    Account ID: {account_id}
    
    Access: https://mycompany.awsapps.com/start
    
    Your account has been configured with:
    ✅ GuardDuty enabled
    ✅ Security Hub enabled  
    ✅ AWS Config enabled
    ✅ VPC created with Transit Gateway attachment
    ✅ IAM roles configured
    ✅ EBS encryption enabled by default
    ✅ CloudTrail logging to central account
    
    Documentation: https://wiki.company.com/aws-account-guide
    """
    
    sns.publish(
        TopicArn=os.environ['SNS_TOPIC_ARN'],
        Subject=f'AWS Account Ready: {account_name}',
        Message=message
    )

Azure Subscription Vending

# Azure Subscription Vending via Management Group
resource "azurerm_subscription" "vended" {
  subscription_name = var.subscription_name
  billing_scope_id  = var.billing_account_id
  workload          = "Production"  # or "DevTest"
}

# Move to appropriate Management Group
resource "azurerm_management_group_subscription_association" "vended" {
  management_group_id = var.management_group_id
  subscription_id     = azurerm_subscription.vended.id
}

# Apply baseline policies
resource "azurerm_subscription_policy_assignment" "security_baseline" {
  name                 = "security-baseline"
  subscription_id      = azurerm_subscription.vended.id
  policy_definition_id = var.security_baseline_policy_id
}

# Create baseline resources
module "subscription_baseline" {
  source = "./modules/subscription-baseline"
  
  subscription_id = azurerm_subscription.vended.id
  environment     = var.environment
  cost_center     = var.cost_center
  
  # Networking
  vnet_cidr       = var.vnet_cidr
  hub_vnet_id     = var.hub_vnet_id
  
  # Logging
  log_analytics_workspace_id = var.central_log_analytics_id
}

Self-Service Portal with Service Catalog

Service Catalog Configuration

# Service Catalog Portfolio
resource "aws_servicecatalog_portfolio" "landing_zone" {
  name          = "Landing Zone Products"
  description   = "Self-service cloud accounts and resources"
  provider_name = "Cloud Platform Team"
}

# Account Vending Product
resource "aws_servicecatalog_product" "account" {
  name  = "AWS Account"
  owner = "Cloud Platform Team"
  type  = "CLOUD_FORMATION_TEMPLATE"
  
  description = "Request a new AWS account with baseline configuration"
  
  provisioning_artifact_parameters {
    name                        = "v2.0"
    description                 = "Latest account vending template"
    type                        = "CLOUD_FORMATION_TEMPLATE"
    template_url                = "s3://templates/account-vending-v2.yaml"
    disable_template_validation = false
  }
}

# Associate product with portfolio
resource "aws_servicecatalog_product_portfolio_association" "account" {
  portfolio_id = aws_servicecatalog_portfolio.landing_zone.id
  product_id   = aws_servicecatalog_product.account.id
}

# Grant access to developers
resource "aws_servicecatalog_principal_portfolio_association" "developers" {
  portfolio_id  = aws_servicecatalog_portfolio.landing_zone.id
  principal_arn = "arn:aws:iam::123456789012:role/Developers"
}

# Launch constraint (role for provisioning)
resource "aws_servicecatalog_constraint" "account_launch" {
  portfolio_id = aws_servicecatalog_portfolio.landing_zone.id
  product_id   = aws_servicecatalog_product.account.id
  type         = "LAUNCH"
  
  parameters = jsonencode({
    RoleArn = aws_iam_role.service_catalog_launch.arn
  })
}

CloudFormation Template for Account Vending

# account-vending-template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Account Vending Machine'

Parameters:
  AccountName:
    Type: String
    Description: Name of the new AWS account
    AllowedPattern: '^[a-zA-Z0-9-]{3,50}$'
  
  AccountEmail:
    Type: String
    Description: Email address for the account
    AllowedPattern: '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
  
  OrganizationalUnit:
    Type: String
    Description: OU to place the account in
    AllowedValues:
      - Production
      - Development
      - Staging
      - Sandbox
  
  Environment:
    Type: String
    Description: Environment type
    AllowedValues:
      - production
      - development
      - staging
      - sandbox
  
  CostCenter:
    Type: String
    Description: Cost center for billing
    AllowedPattern: '^CC-[0-9]{4}$'
  
  ProjectName:
    Type: String
    Description: Project or application name
  
  TeamOwner:
    Type: String
    Description: Team owner email

Resources:
  ManagedAccount:
    Type: AWS::ControlTower::ManagedAccount
    Properties:
      AccountName: !Ref AccountName
      AccountEmail: !Ref AccountEmail
      OrganizationalUnitName: !Ref OrganizationalUnit
      SSOUserEmail: !Ref TeamOwner
      Tags:
        - Key: Environment
          Value: !Ref Environment
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Project
          Value: !Ref ProjectName
        - Key: Owner
          Value: !Ref TeamOwner
        - Key: ManagedBy
          Value: ServiceCatalog

Outputs:
  AccountId:
    Description: ID of the newly created account
    Value: !GetAtt ManagedAccount.AccountId
  
  SSOUrl:
    Description: AWS SSO login URL
    Value: https://mycompany.awsapps.com/start

Approval Workflows

ServiceNow Integration

# lambda/account_vending_approval.py
import boto3
import requests
import json
import os

def handler(event, context):
    """Create ServiceNow approval ticket for account request"""
    
    # Extract request details from Service Catalog
    request_id = event['detail']['requestId']
    product_id = event['detail']['productId']
    
    sc = boto3.client('servicecatalog')
    
    # Get provisioning parameters
    parameters = sc.describe_provisioning_parameters(
        ProductId=product_id
    )
    
    # Create ServiceNow ticket
    ticket = create_servicenow_ticket(
        summary=f"AWS Account Request: {parameters['AccountName']}",
        description=f"""
        New AWS account requested via Service Catalog
        
        Account Name: {parameters['AccountName']}
        Environment: {parameters['Environment']}
        Cost Center: {parameters['CostCenter']}
        Requestor: {event['detail']['principalId']}
        
        Request ID: {request_id}
        """,
        assignment_group="Cloud Governance Team"
    )
    
    # Store ticket ID for later correlation
    ssm = boto3.client('ssm')
    ssm.put_parameter(
        Name=f'/account-vending/requests/{request_id}/ticket',
        Value=ticket['sys_id'],
        Type='String'
    )
    
    return {
        'statusCode': 200,
        'ticketId': ticket['sys_id']
    }

def create_servicenow_ticket(summary, description, assignment_group):
    """Create approval ticket in ServiceNow"""
    
    url = f"{os.environ['SERVICENOW_URL']}/api/now/table/change_request"
    
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }
    
    data = {
        'short_description': summary,
        'description': description,
        'assignment_group': assignment_group,
        'priority': '3',
        'impact': '2',
        'urgency': '2'
    }
    
    response = requests.post(
        url,
        auth=(os.environ['SERVICENOW_USER'], os.environ['SERVICENOW_PASSWORD']),
        headers=headers,
        json=data
    )
    
    return response.json()['result']

# Webhook handler for ServiceNow approval
def approval_handler(event, context):
    """Process ServiceNow approval/rejection"""
    
    body = json.loads(event['body'])
    ticket_id = body['sys_id']
    approval_status = body['approval']  # approved or rejected
    
    # Find corresponding account request
    ssm = boto3.client('ssm')
    request_id = ssm.get_parameters_by_path(
        Path='/account-vending/requests/',
        Recursive=True
    )
    
    # Continue or cancel provisioning
    sc = boto3.client('servicecatalog')
    
    if approval_status == 'approved':
        sc.execute_provisioned_product_plan(RequestId=request_id)
    else:
        sc.terminate_provisioned_product(ProvisionedProductId=request_id)
    
    return {'statusCode': 200}

Slack Approval Workflow

# lambda/slack_approval.py
from slack_sdk import WebClient
from slack_sdk.signature import SignatureVerifier
import json
import boto3
import os

slack_client = WebClient(token=os.environ['SLACK_TOKEN'])
sc = boto3.client('servicecatalog')

def request_approval(event, context):
    """Send account request to Slack for approval"""
    
    request_id = event['detail']['requestId']
    parameters = event['detail']['provisioningParameters']
    requestor = event['detail']['principalId']
    
    # Send message to #cloud-governance channel
    response = slack_client.chat_postMessage(
        channel='#cloud-governance',
        text=f'New AWS account request from {requestor}',
        blocks=[
            {
                "type": "header",
                "text": {
                    "type": "plain_text",
                    "text": "🆕 New AWS Account Request"
                }
            },
            {
                "type": "section",
                "fields": [
                    {"type": "mrkdwn", "text": f"*Account Name:*\n{parameters['AccountName']}"},
                    {"type": "mrkdwn", "text": f"*Environment:*\n{parameters['Environment']}"},
                    {"type": "mrkdwn", "text": f"*Cost Center:*\n{parameters['CostCenter']}"},
                    {"type": "mrkdwn", "text": f"*Requestor:*\n{requestor}"}
                ]
            },
            {
                "type": "actions",
                "elements": [
                    {
                        "type": "button",
                        "text": {"type": "plain_text", "text": "Approve"},
                        "style": "primary",
                        "value": request_id,
                        "action_id": "approve_account"
                    },
                    {
                        "type": "button",
                        "text": {"type": "plain_text", "text": "Reject"},
                        "style": "danger",
                        "value": request_id,
                        "action_id": "reject_account"
                    }
                ]
            }
        ]
    )

def handle_approval_action(event, context):
    """Handle Slack button click (approve/reject)"""
    
    # Verify Slack signature
    verifier = SignatureVerifier(os.environ['SLACK_SIGNING_SECRET'])
    
    body = json.loads(event['body'])
    action = body['actions'][0]
    request_id = action['value']
    
    if action['action_id'] == 'approve_account':
        # Proceed with provisioning
        sc.execute_provisioned_product_plan(RequestId=request_id)
        
        slack_client.chat_update(
            channel=body['channel']['id'],
            ts=body['message']['ts'],
            text='Account request approved ✅',
            blocks=body['message']['blocks'] + [
                {
                    "type": "context",
                    "elements": [
                        {
                            "type": "mrkdwn",
                            "text": f"✅ Approved by {body['user']['name']}"
                        }
                    ]
                }
            ]
        )
    else:
        # Cancel provisioning
        sc.terminate_provisioned_product(ProvisionedProductId=request_id)
        
        slack_client.chat_update(
            channel=body['channel']['id'],
            ts=body['message']['ts'],
            text='Account request rejected ❌',
            blocks=body['message']['blocks'] + [
                {
                    "type": "context",
                    "elements": [
                        {
                            "type": "mrkdwn",
                            "text": f"❌ Rejected by {body['user']['name']}"
                        }
                    ]
                }
            ]
        )
    
    return {'statusCode': 200}

Account Lifecycle Management

Account Decommissioning

def decommission_account(account_id, reason):
    """Safely decommission an AWS account"""
    
    print(f"Decommissioning account {account_id}")
    print(f"Reason: {reason}")
    
    # 1. Backup all data
    backup_account_data(account_id)
    
    # 2. Export CloudTrail logs
    export_cloudtrail_logs(account_id)
    
    # 3. Snapshot all EBS volumes
    snapshot_all_volumes(account_id)
    
    # 4. Export RDS snapshots
    export_rds_snapshots(account_id)
    
    # 5. Terminate all resources (reverse order)
    terminate_compute_resources(account_id)  # EC2, Lambda, ECS
    terminate_database_resources(account_id)  # RDS, DynamoDB
    terminate_storage_resources(account_id)   # S3, EBS
    terminate_network_resources(account_id)   # VPC, subnets, TGW attachments
    
    # 6. Move to "Suspended" OU (with restrictive SCPs)
    move_to_suspended_ou(account_id)
    
    # 7. Schedule for deletion in 90 days
    schedule_account_deletion(account_id, days=90)
    
    # 8. Notify stakeholders
    notify_decommission(account_id, reason)
    
    print(f"Account {account_id} decommissioned successfully")

What I Learned About Account Vending

Lesson 1: Self-Service Accelerates Teams

22-day wait time → 15-minute automated provisioning = massive velocity gain.

Action: Service Catalog, automated workflows, self-service portal.

Lesson 2: Standardization Prevents Configuration Drift

Manually configured accounts = snowflakes. Automated vending = consistency.

Action: Baseline configuration as code, automated via Lambda/EventBridge.

Lesson 3: Approval Workflows Enable Governance

Complete self-service without approvals = ungoverned sprawl.

Action: Automated approval workflows (Slack, ServiceNow), policy-based auto-approval where appropriate.

Lesson 4: Lifecycle Management Matters

Account creation is just the beginning. Updates, decommissioning equally important.

Action: Automated baseline updates, safe decommissioning procedures, data retention policies.

Next: Multi-Environment Management - Dev/staging/prod separation, workload isolation, promotion workflows.

PreviousInfrastructure as Code for Landing Zones NextMulti-Environment Management

Last updated 1 month ago

hashtagIntroduction

hashtagWhat is Account Vending?

hashtagAWS Account Vending with Control Tower Account Factory

hashtagAzure Subscription Vending

hashtagSelf-Service Portal with Service Catalog

hashtagService Catalog Configuration

hashtagCloudFormation Template for Account Vending

hashtagApproval Workflows

hashtagServiceNow Integration

hashtagSlack Approval Workflow

hashtagAccount Lifecycle Management

hashtagAccount Decommissioning

hashtagWhat I Learned About Account Vending

hashtagLesson 1: Self-Service Accelerates Teams

hashtagLesson 2: Standardization Prevents Configuration Drift

hashtagLesson 3: Approval Workflows Enable Governance

hashtagLesson 4: Lifecycle Management Matters