FlexNet Manager Suite 2024 R2 (On-Premises)
The following table lists the required permissions / access levels for configuring
connections to AWS using IAM Users. Step-by-step configuration instructions are
provided in the subsequent sections.
Before you begin
Ensure you read the background information and prerequisites before beginning this
task. See Managing AWS Connections.
To configure an initial data connection to your AWS services:
- Using the email address saved by your AWS account owner for your AWS account,
  sign into AWS and open the IAM console at https://console.aws.amazon.com/iam.
  You will create both policies and the user account through this console.
- Create the policy to access your EC2 and RDS services:
  - In the navigation pane on the left, choose Policies.
  - Click Create policy.
  - Click Choose a service and select EC2.
  - In the Actions section, expand the List access level.
  - Select the following access levels to allow collection of inventory
    data from AWS:
    - DescribeInstances
    - DescribeHosts
    - DescribeReservedInstances.
  - Click Add additional permissions.
  - Click Choose a service and select IAM.
  - In the Actions section, expand the List access level.
  - Select the following access levels to allow collection of inventory
    data from IAM:
  - Click Add additional permissions.
  - Click Choose a service and select RDS.
  - In the Actions section, expand the List access level.
  - Select the following access levels to allow collection of inventory
    data from RDS:
  - Against the Resources heading, click Specify db resource ARN for the
    DescribeDBInstances action.
  - In the Create policy page, in the section, click Add ARN to open the
    Add ARN(s) dialog.
  - Choose the regions, accounts, and instance names needed to include any
    Oracle Database instances running in Amazon RDS that need to be
    discovered to allow inventory collection. Finally, click Add to save
    your specification.
  - Click Next: Tags to expose the Add tags (Optional) page. While these
    tags are not required for inventory gathering by FlexNet Manager Suite,
    you may add any tags that assist you in managing your AWS services.
  - Click Next: Review and give this policy a suitable and unique Name (for
    example, ListInventoryForFNMS). Optionally, you may also add a
    Description to assist with future maintenance.
  - Click Create policy.
- Create the policy to access your IAM service:
  - In the navigation pane, choose Policies.
  - Click Create policy.
  - Click Choose a service and select IAM.
  - In the Actions section, expand the Read access level.
  - Select the GetUser access level, which will be used to validate the
    connection to AWS.
  - Again in the Actions section, expand the List access level, and select
    the ListAccountAliases access level, allowing collection of the AWS
    account name in inventory.
  - For Resources, choose All resources.
  - Click Next: Tags to expose the Add tags (Optional) page. While these
    tags are not required for inventory gathering by FlexNet Manager Suite,
    you may add any tags that assist you in managing your AWS services.
  - Click Next: Review, and give this policy a suitable and unique Name (for
    example, ReadUserForFNMS). Optionally, you may also add a Description to
    assist with future maintenance.
  - Click Create policy.
- Create the IAM account that will collect data on schedule:
  - In the navigation pane on the left, click Users, and then click Add user.
  - In the User Name field, create a name for the account (for example,
    FNMSUser).
  - For the Access type, select Programmatic access.
  - In the Permissions section, click Attach existing policies directly.
    Important: Be sure to click only the Attach existing policies directly
    button. Do not click the Add inline policy link. Inline policies are not
    supported for the connector, and if you choose this inline option, no
    inventory can be collected.
  - Search, and select the policies you created in the previous steps (the
    suggested names were ListInventoryForFNMS and ReadUserForFNMS).
  - Click Next: Tags to expose the Add tags (Optional) page. While these
    tags are not required for inventory gathering by FlexNet Manager Suite,
    you may add any tags that assist you in managing your AWS services.
  - Click Next: Review and validate your settings.
  - Click Create User.
    The AWS management console displays a Success status and displays the
    Access key ID and the Secret access key for the account. It also
    provides a link to download these critical details in a .csv file.
    Warning: Be sure to secure the credentials for future use. Once you
    leave the window, you will not be able to access the Secret access key
    again. Copy them from this page and save for the rest of this procedure;
    but also preserve the .csv file.
  - Download the .csv file containing the Access key ID and the Secret
    access key for the account and save in a secure location.
- Log into FlexNet Beacon as administrator, and confirm the schedule for
  data collection from AWS.
  Some data on AWS is ephemeral: for example, a terminated instance disappears
  within an hour of you implementing that decision. As well, some licenses (such
  as IBM PVU) require that you monitor peak consumption not more than 30 minutes
  apart. For reasons like these, recommended best practice is to schedule data
  collection from AWS every 30 minutes. A default schedule AWS imports exists in
  the page of FlexNet Beacon for this purpose. If you have reason to modify this
  default, it is convenient to modify the schedule before setting up the
  connection. See Modifying a Schedule if you need assistance.
  Tip: Don't change the name of the schedule, so that it can be automatically
  linked to your AWS EC2 connection. (If you make the mistake of changing the
  name of this schedule, the default schedule is automatically restored with
  the default name at the next policy check.)
- Configure the connection to AWS:
  - In the FlexNet Beacon interface, select the Inventory Systems tab.
  - To create a new connection, click the down arrow on the right of the New
    split button, and choose PowerShell.
    Tip: You can also edit a connection you have defined previously, by
    selecting it from the list of connections and clicking Edit....
  - In the dialog that appears, complete (or modify) the following required
    fields:
    - In the Connection Name text box, enter a name for this inventory
      connection. This will be the name of this data import task in
      FlexNet Manager Suite.
    - From the Source Type list, select Amazon Web Services.
    - The Adapter Type defaults to AWS Config. For this method, select
      Direct as the adapter type. Direct connects directly to each account
      in AWS to return inventory.
    - In the Access Key text box, copy the Access key ID value from the
      credentials .csv file you downloaded from AWS and paste it here.
    - In the Secret Access Key text box, copy the Secret access key from the
      downloaded .csv file and paste it here.
  - If a proxy server is in use between the inventory beacon and AWS, also
    select the Use Proxy check box, and complete the following additional
    details:
    - In the Proxy Server text box, enter the address of the proxy server
      using HTTP, HTTPS, or an IP address. Use the format
      https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber,
      or IPAddress:PortNumber. If the protocol is omitted, it defaults to
      http:. If the port number is omitted, it defaults to :80 for http, or
      443 for https.
    - In the Username and Password text boxes, if your enterprise is using
      an authenticated proxy, then specify the credentials to access the
      proxy server you just identified.
  - Click Test Connection.
    - If a Test connection failed message displays, click OK to close the
      message, review and correct the connection details, and retest the
      connection. You cannot save the connection details if the connection
      test fails. If you cannot get the connection test to succeed, click
      Cancel to cancel the addition of these connection details, and seek
      further assistance.
    - If, instead, the inventory beacon can successfully access the AWS APIs
      using the details supplied, a Test connection succeeded message
      displays. Click OK to close the message. Click Save to add the
      connection to (or update it in) the list.
Your saved connection is also automatically linked to the AWS imports schedule
(editable in the Scheduling page in the Data collection group), and the Next run
column shows when the next import from AWS EC2 is due.

If the subsequent import does not provide the expected results, see
Troubleshooting Your AWS Connection.
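
The access key stored on the inventory beacon is only as narrow as the two policies attached to the collection account, so it is worth checking periodically that they still grant nothing beyond the read-only actions named in the policy steps above. The following is an added example, not part of the Flexera documentation: it audits an IAM policy document (JSON) against those actions; the sample policies, account ID, region and instance name are constructed, and the allow-list covers only the actions this page names.

```python
import json

# Actions this page names for ListInventoryForFNMS and ReadUserForFNMS.
# Assumption: the IAM and RDS "List" selections the page leaves unlisted
# must be added here from the product's permissions table before real use.
ALLOWED = {a.lower() for a in (
    "ec2:DescribeInstances", "ec2:DescribeHosts", "ec2:DescribeReservedInstances",
    "rds:DescribeDBInstances", "iam:GetUser", "iam:ListAccountAliases")}

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings for one IAM policy document given as a JSON string."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: NotAction allows all but the listed actions")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            if "*" in name or "?" in name:
                findings.append(f"stmt {i}: wildcard action {action}")
            elif name not in ALLOWED:
                findings.append(f"stmt {i}: unexpected action {action}")
            elif name == "rds:describedbinstances" and "*" in resources:
                findings.append(f"stmt {i}: {action} not scoped to db ARNs")
    return findings

# Constructed sample documents (account ID, region and instance name are made up).
AS_DOCUMENTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeHosts", "ec2:DescribeReservedInstances"]},
    {"Effect": "Allow", "Action": "rds:DescribeDBInstances",
     "Resource": "arn:aws:rds:us-east-1:111122223333:db:oracle-prod"}]})
DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "iam:CreateAccessKey"]},
    {"Effect": "Allow", "Resource": "*", "Action": "rds:DescribeDBInstances"}]})

if __name__ == "__main__":
    for label, doc in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(label, audit_policy(doc) or "no findings")
```

Feed it the JSON shown on each policy's JSON tab in the IAM console; an empty result means the document grants only the allow-listed actions and keeps DescribeDBInstances scoped to specific ARNs.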