Enabling AWS Config and creating an Aggregator
To use this method, you need to enable AWS Config on all the accounts that you want to collect resource data from. In order to retrieve data from those accounts, the aggregator has to be created and given permission.
This method is configured in AWS and is very simple. Administrators need to enable AWS Config on selected or all accounts. In one of those accounts (possibly the Management account), you need to create an aggregator to pull the data into a single account. An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and regions into a single account and region. When creating the aggregator, you can either provide a comma-separated list of account IDs to retrieve data from, or add your entire organisation. Adding the entire organisation pulls data from every account that belongs to it.
Please refer to Amazon's documentation for steps on how to enable AWS Config on all accounts, and how to set up an aggregator to collect data and consolidate it into a single account:
IT Asset Management and AWS Config integration architecture overview
- AWS Config integration provided as an 'inventory adapter' which runs on the customer beacon
- Uses AWS PowerShell SDK to query an AWS Config aggregator to retrieve required information
- Writes the collected AWS data into a zip file which is uploaded to IT Asset Management in Flexera One Cloud
- IT Asset Management runs the SQL reader to stage the data into the product database
- Lastly, the data is normalised and displayed to users through the UI.
AWS Config permission policy
In order for the inventory beacon to connect to the aggregator, an administrator is required to configure a permissions policy in AWS. The policy is required for the account you want to use for querying the aggregator, and specifies the level of access the inventory beacon needs for connecting to the AWS account.
- AWS Config permissions:
  - Under Actions:
    - List: DescribeConfigurationAggregators
    - Read: SelectAggregateResourceConfig
  - Under Resources:
    - Grant permission either to the specific aggregator ARN or to any aggregator in this account. An ARN is a unique identifier for a resource in AWS.
- Organization permissions (these permissions are optional):
  - Under Actions:
    - List: ListAccounts. Note: If this permission is not provided, only the account ID will be available and account friendly names will be unavailable.
- STS permissions:
  - Under Actions:
    - Read: GetCallerIdentity
- Assign the policy to an IAM user if an access key and secret key are used for the connection to AWS. Important: If the inventory beacon is not running on an EC2 instance, the access key and secret key must be provided for an IAM user which is in the same account as the aggregator.
- Assign the policy to a role on an EC2 instance running the inventory beacon. Important: If running the inventory beacon on an EC2 instance, a role must be assigned to the instance granting the required permissions as documented, and the instance must be in the same account as the AWS Config aggregator. The access key and secret key are ignored when running on an EC2 instance.
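The permissions listed above, written out as an IAM policy document (an added example, not a policy supplied by Flexera; the region, account ID 111122223333 and aggregator ID are placeholders to replace with your own). The first statement is scoped to the single aggregator ARN rather than to every aggregator in the account, which is the tighter of the two Resource options described above:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BeaconReadsOnlyThisAggregator",
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigurationAggregators",
        "config:SelectAggregateResourceConfig"
      ],
      "Resource": "arn:aws:config:eu-west-1:111122223333:config-aggregator/config-aggregator-abcd1234"
    },
    {
      "Sid": "OptionalAccountFriendlyNames",
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    },
    {
      "Sid": "IdentityCheckAtConnectionTime",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
```

Attach it to the IAM user whose access key and secret key the beacon uses, or to the EC2 instance role, in the same account as the aggregator. The organizations:ListAccounts and sts:GetCallerIdentity actions do not support resource-level restrictions, so "*" is the only valid Resource for those two statements; drop the second statement entirely if account friendly names are not needed.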
AWS Config adapter setup
Once AWS Config is enabled and an aggregator is set up, use the following procedure to create a connection to AWS on the inventory beacon. The inventory beacon is responsible for uploading the data to the central operations databases of IT Asset Management.
To create the AWS Config connection in the FlexNet Beacon UI: