Configuring Connections to AWS EC2 (FlexNet Beacon Installed on EC2 instance) using IAM Roles

FlexNet Manager Suite 2019 R2 (On-Premises Edition)

Before you begin

Ensure you read the background information and prerequisites before beginning this task. See Managing AWS EC2 Connections.

To configure an initial data connection to your AWS EC2 service using role-based access:

  1. Using the email address that your AWS account owner registered for your AWS account, sign in to the AWS Management Console at https://console.aws.amazon.com/iam.
    You will create both policies and the role through this console.
  2. In the Security, Identity & Compliance section, click IAM.
  3. Create the policy to access your EC2 service:
    1. In the navigation pane, choose Policies.
    2. Click Create policy.
      The Create policy visual editor displays.
    3. Click Choose a service and click EC2.
    4. In the Actions section, click Select actions.
    5. In the Access level groups section, expand the List access level and select the following actions, which enable collection of inventory data from AWS:
      • DescribeInstances
      • DescribeHosts
      • DescribeReservedInstances
    6. Click Add additional permissions.
    7. Click Choose a service and select IAM.
    8. In the Actions section, expand the List access level and select ListAccountAliases.
      This policy grants the access needed to collect the inventory.
    9. Click Review policy.
    10. In the Name text box, enter a suitable and unique policy name, for example ListEC2ForFNMS.
    11. Optionally, enter a description in the Description text box to assist with future maintenance.
    12. Review your permissions and then click Create policy.
  4. Create the policy to access your IAM service:
    1. In the navigation pane, choose Policies.
    2. Click Create policy.
    3. Click Choose a service and select IAM.
    4. In the Actions section, expand the Read access level and select the following actions. They are used to retrieve details of the roles that can be assumed (when configuring cross-account access) and to test the connection:
      • GetRole
      • GetPolicy
      • GetPolicyVersion
    5. In the Actions section, expand the List access level and select the ListAttachedRolePolicies action.
    6. If you want to configure roles on other accounts to collect inventory from multiple accounts using the one connection, complete the remaining steps:
      1. Click Choose a service and select STS.
      2. In the Actions section, expand the Write access level and select the AssumeRole action.
      3. Expand the Resources section and select Add ARN.
      4. Enter the account ID and the role name, and click Add. Repeat for each role you will configure on other accounts so that inventory can be collected from those accounts through this one connection. (These roles are created in Step 6, and the suggested name is ListEC2ForFNMSRole.)
        Note: Do not select the All Resources option. Listing the role ARNs explicitly limits sts:AssumeRole to the roles you created for this purpose, so a compromise of the beacon instance cannot be used to assume any other role that happens to trust this account.
      5. Click Review policy.
      6. In the Name text box, enter a unique policy name (for example, ReadRoleForFNMS).
      7. In the Description text box, optionally enter a description for this policy to assist with future maintenance.
      8. Click Create policy.
  5. Create a role to be assumed by an EC2 instance:
    1. Navigate to the IAM service.
    2. In the navigation pane, click Roles and then click Create role.
    3. Click AWS service.
    4. From the Choose the service that will use this role list, select EC2.
    5. Click Next: Permissions.
    6. Search and select the following policies:
      • Select the first policy you created (the suggested name was ListEC2ForFNMS).
      • Select the second policy you created (the suggested name was ReadRoleForFNMS).

    7. Click Next: Tags and assign any tags according to your needs.
    8. Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole). Optionally, you may also add a Description to assist with future maintenance.
    9. Click Create role.
  6. If you want to collect inventory from multiple accounts using a single connection, complete the following steps on every account that you want to collect inventory from.
    1. Repeat Step 3 - Create the policy to access your EC2 service as documented above.
    2. Next, create a role to be assumed by an EC2 instance as follows:
      1. Navigate to the IAM service.
      2. In the navigation pane, click Roles and then click Create role.
      3. Click Another AWS account.
      4. In the Account ID text box, enter the account ID for the account where the first role was created.
      5. Optionally, for increased security, select the Require external ID check box and enter an external ID in the External ID text box. The role can then be assumed only by a caller that presents the same external ID, which is AWS's protection against the confused deputy problem when a role is shared across accounts.
        Note: If you are creating the role on multiple accounts, ensure you use the same external ID each time.
      6. Click Next: Permissions.
      7. On the Attach permissions policies page, search for and select the policy you created above (the suggested name was ListEC2ForFNMS).
      8. Click Next: Tags and assign any tags according to your needs.
      9. Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole). Optionally, you may also add a Description to assist with future maintenance.
      10. Click Create role.
  7. Assign an IAM Role to an EC2 instance:
    1. Log back in to the original account where Steps 1 through 5 were completed.
    2. Navigate to the EC2 service.
    3. In the navigation pane on the left, click Instances and then click the EC2 instance with a beacon installed on it.
    4. Click Actions located above your instances, navigate to Instance Settings and then Attach/Replace IAM Role.
    5. Select the Role you previously created (suggested name was ListEC2ForFNMSRole) from the combo box next to IAM role.
    6. Click Apply and then click Close.
  8. Log into FlexNet Beacon as administrator, and confirm the schedule for data collection from AWS.
    Some data on AWS is ephemeral: for example, a terminated instance disappears from the API within about an hour of termination. In addition, some licenses (such as IBM PVU) require that you monitor peak consumption at intervals of no more than 30 minutes. For reasons like these, recommended best practice is to schedule data collection from AWS every 30 minutes. A default schedule named AWS imports exists for this purpose on the Data collection > Scheduling page of FlexNet Beacon. If you have reason to modify this default, it is convenient to modify the schedule before setting up the connection. See Modifying a Schedule if you need assistance.
    Tip: Do not change the name of the schedule, so that it can be automatically linked to your AWS EC2 connection. (If you do change the name of this schedule, the default schedule is automatically restored with the default name at the next policy check.)
  9. Configure the connection to AWS:
    1. In the FlexNet Beacon interface, select the Inventory Systems page.
    2. To create a new connection, click the down arrow on the right of the New split button and choose PowerShell.
      Tip: You can also edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
    3. In the dialog that appears, complete (or modify) the following required fields:
      • In the Connection Name text box, enter a name for this inventory connection. This will be the name of this data import task in FlexNet Manager Suite.
      • From the Source Type list, select Amazon Web Services.
      • In the External ID text box, if you entered an external ID when creating roles to access multiple accounts, then copy and paste the External ID here.
        Note: The same External ID must be used in every account where a role is assumed. For example, if you have one master account and two sub-accounts with roles that require the External ID 12345, you must specify 12345 in the beacon as well as when creating the role in each sub-account. A separate connection is needed for each different External ID.
      • Leave the Access Key and Secret Access Key fields blank; they are not required for this method, because the beacon authenticates with the temporary credentials of the role attached to its EC2 instance in Step 7. Not storing long-lived keys on the beacon is the main security benefit of this method.
    4. Click Test Connection.
      • If a Test connection failed message displays, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
      • If, instead, the inventory beacon can successfully access the AWS APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message and click Save to add the connection to (or update it in) the list.
Your saved connection is also automatically linked to the AWS imports schedule (editable in the Scheduling page in the Data collection group), and the Next run column shows when the next import from AWS EC2 is due.
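The four IAM documents that Steps 3 through 6 build in the visual editor, written out as the JSON the IAM console's JSON tab accepts. This is an added example, not Flexera's code: the account IDs 111111111111, 222222222222 and 333333333333 and the external ID fnms-inventory-7f3a are constructed placeholders, while the policy and role names are the ones the procedure suggests. The lint function checks the two constraints the procedure states, that sts:AssumeRole is never granted on All resources (Step 4, Note) and that every action is a read-only Describe, Get or List call.

```python
"""IAM documents behind Steps 3 to 6, as JSON for the IAM console's JSON tab.

Added example, not Flexera's code. Account IDs and the external ID are constructed
placeholders; the policy and role names are the ones suggested in the procedure.
"""
import json

BEACON_ACCOUNT = "111111111111"                    # constructed: account hosting the beacon
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]  # constructed: accounts from Step 6
ROLE_NAME = "ListEC2ForFNMSRole"
EXTERNAL_ID = "fnms-inventory-7f3a"                # constructed; identical in every account


def list_ec2_policy():
    """Step 3 (ListEC2ForFNMS): read-only EC2 inventory plus the account alias."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ListEC2ForFNMS",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeHosts",
                   "ec2:DescribeReservedInstances", "iam:ListAccountAliases"],
        # Describe*/List* calls take no resource-level restriction, so "*" is required.
        "Resource": "*",
    }]}


def read_role_policy(member_accounts, role_name):
    """Step 4 (ReadRoleForFNMS): role introspection plus a tightly scoped AssumeRole."""
    role_arns = [f"arn:aws:iam::{acct}:role/{role_name}" for acct in member_accounts]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadRoleForFNMS", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:GetPolicy", "iam:GetPolicyVersion",
                    "iam:ListAttachedRolePolicies"],
         "Resource": "*"},
        # Step 4.6.4: one ARN per member-account role, never All resources.
        {"Sid": "AssumeMemberRoles", "Effect": "Allow",
         "Action": "sts:AssumeRole", "Resource": role_arns},
    ]}


def ec2_trust_policy():
    """Step 5: the trust policy the console writes for AWS service > EC2."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def cross_account_trust_policy(beacon_account, external_id=None):
    """Step 6: trust the beacon's account; Require external ID adds the Condition."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{beacon_account}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint(policy):
    """Flag AssumeRole granted on '*' and any action that is not Describe/Get/List."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "?")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "sts:AssumeRole" in actions and "*" in resources:
            findings.append(f"{sid}: sts:AssumeRole allowed on all resources")
        for action in actions:
            verb = action.split(":", 1)[-1]
            if action != "sts:AssumeRole" and not verb.startswith(("Describe", "Get", "List")):
                findings.append(f"{sid}: non-read action {action}")
    return findings


if __name__ == "__main__":
    docs = {
        "ListEC2ForFNMS.json": list_ec2_policy(),
        "ReadRoleForFNMS.json": read_role_policy(MEMBER_ACCOUNTS, ROLE_NAME),
        "trust-ec2.json": ec2_trust_policy(),
        "trust-cross-account.json": cross_account_trust_policy(BEACON_ACCOUNT, EXTERNAL_ID),
    }
    for name, doc in docs.items():
        problems = lint(doc)
        print(f"--- {name}: {'OK' if not problems else problems}")
        print(json.dumps(doc, indent=2))
```

The script only prints the documents; it does not call AWS. Each one can be pasted into the JSON tab of Create policy or Create role in place of the visual-editor clicks, or saved to a file and passed to the AWS CLI with `aws iam create-policy --policy-name ListEC2ForFNMS --policy-document file://ListEC2ForFNMS.json` and `aws iam create-role --role-name ListEC2ForFNMSRole --assume-role-policy-document file://trust-ec2.json`. Running lint against a policy exported from an existing account is a quick way to confirm that nobody has since widened the AssumeRole resource to "*" or added write actions to the beacon's role.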