Enabling AWS Config and creating an Aggregator

IT Asset Management (Cloud)

To use this method, you need to enable AWS Config on all the accounts that you want to collect resource data from. In order to retrieve data from those accounts, the aggregator has to be created and given permission.

This method is configured in AWS and is very simple. Administrators need to enable AWS Config on selected or all accounts. In one of those accounts (possibly the Management account), you need to create an aggregator to pull the data into a single account. An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and regions into a single account and region. When creating the aggregator, you have the option to provide a comma-separated list of account IDs to retrieve data from, or you can add your entire organisation. Adding the entire organisation pulls data from every account that belongs to your organisation.

Note: AWS Config is a paid option provided by Amazon Web Services.

Please refer to Amazon's documentation for steps on how to enable AWS Config on all accounts, and how to set up an aggregator to collect data and consolidate it into a single account:

IT Asset Management and AWS Config integration architecture overview

  • AWS Config integration provided as an 'inventory adapter' which runs on the customer beacon
  • Uses AWS PowerShell SDK to query an AWS Config aggregator to retrieve required information
  • Writes the collected AWS data into a zip file which is uploaded to IT Asset Management in Flexera One Cloud
  • IT Asset Management runs the SQL reader to stage the data into the product database
  • Lastly, the data is normalised and displayed to users through the UI.

AWS Config permission policy

In order for the inventory beacon to connect to the aggregator, an administrator is required to configure a permissions policy in AWS. The policy is required for the account you want to use for querying the aggregator, and specifies the level of access the inventory beacon needs for connecting to the AWS account.

The following permissions are required:
  • AWS Config permissions:
    • Under Actions:
      • List:DescribeConfigurationAggregators
      • Read:SelectAggregateResourceConfig
    • Under Resources:
      • Either grant permission on the specific aggregator ARN, or on any aggregator in this account. (An ARN is the unique identifier of a resource in AWS.)
  • Organization permissions: These permissions are optional.
    • List:ListAccounts. Note: If this permission is not provided, only the account ID will be available and account friendly names will be unavailable.
  • STS permissions:
    • Under Actions:
      • Read:GetCallerIdentity
After creating the permissions policy, complete one of the following actions:
  • Assign the policy to an IAM user if an Access key and Secret key are used for the connection to AWS.
    Important: If the inventory beacon is not running on an EC2 instance, the Access key and Secret key must be provided for an IAM user that is in the same account as the aggregator.
  • Assign the policy to a role on an EC2 instance running the inventory beacon.
    Important: If running the inventory beacon on an EC2 instance, a role must be assigned to the instance granting the required permissions as documented, and the instance must be in the same account as the AWS Config aggregator. The Access key and Secret key are ignored when running on an EC2 instance.
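The permissions above expressed as a managed IAM policy and attached to the IAM user (access-key mode) or the EC2 instance role, as an added PowerShell example using the AWS Tools for PowerShell IdentityManagement module; this is not Flexera's code. The aggregator ARN, policy name, user name and role name are placeholders to replace, and scoping the two config actions to the aggregator ARN follows the guidance above.

```powershell
# Added example (not Flexera's code): least-privilege policy for the inventory beacon.
# Requires the AWS.Tools.IdentityManagement module and credentials that may manage IAM.
Import-Module AWS.Tools.IdentityManagement

# Placeholder: ARN of the aggregator the beacon will query (same account as the principal).
$AggregatorArn = 'arn:aws:config:REGION:ACCOUNT_ID:config-aggregator/AGGREGATOR_ID'

$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QueryAggregator",
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigurationAggregators",
        "config:SelectAggregateResourceConfig"
      ],
      "Resource": "$AggregatorArn"
    },
    {
      "Sid": "OptionalAccountFriendlyNames",
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    },
    {
      "Sid": "ConnectionTest",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
"@

# Create the customer-managed policy once; New-IAMPolicy returns the object with its Arn.
$Policy = New-IAMPolicy -PolicyName 'ITAM-AWSConfigAggregatorRead' -PolicyDocument $PolicyDocument

# Access-key mode: the IAM user must live in the aggregator's account (placeholder user name).
Register-IAMUserPolicy -UserName 'itam-beacon' -PolicyArn $Policy.Arn

# EC2 mode instead: attach to the instance profile role of the beacon host (placeholder role name).
# Register-IAMRolePolicy -RoleName 'itam-beacon-instance-role' -PolicyArn $Policy.Arn
```

Omit the OptionalAccountFriendlyNames statement if account friendly names are not needed; the adapter then shows account IDs only.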

AWS Config adapter setup

Once AWS Config is enabled and an aggregator is set up, use the following procedure to create a connection to AWS on the inventory beacon. The inventory beacon is responsible for uploading the data to the central operations databases of IT Asset Management.

To create the AWS Config connection in the FlexNet Beacon UI:

  1. Log into your selected inventory beacon.
    Tip: Starting the FlexNet Beacon interface requires that you are logged in with administrator privileges.
  2. In the navigation pane on the left, select the Inventory systems page. To create a new connection, click the down arrow on the right of the New split button, and choose PowerShell.
    The Create PowerShell Source Connection dialog appears.
    Tip: The New... button defaults to creating a connection for Microsoft SQL Server. If you use the down arrow on the split button, you can choose between SQL Server, Spreadsheet, PowerShell, and Other connections. However, when you are creating a connection to a Microsoft SQL Server database (regardless of the Source Type of the connection), use only the SQL Server option.
  3. Complete the values in the dialog, as follows:
    Control / Comments

    Connection Name
      A descriptive name for this connection, such as AWS Config Resource Data. The name may contain alphanumeric characters, underscores or spaces, but must start with either a letter or a number. When the data import through this connection is executed, the data import task name is the same as the connection name.

    Source Type
      Select Amazon Web Services from the list.

    Use Proxy
      Optionally, if you use a proxy server to enable Internet access, complete (or modify) the values in the Proxy Settings section of the dialog box to configure the proxy server connection.

    Proxy Server
      Enter the address of the proxy server using HTTP, HTTPS, or an IP address, in the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber. This field is enabled when the Use Proxy check box is selected.

    Username and Password
      If your enterprise uses an authenticated proxy, specify the username and password of an account that has credentials to access the proxy server specified in the Proxy Server field. These fields are enabled when the Use Proxy check box is selected.

    Adapter type
      Defaults to AWS Config. For this method, leave the adapter type at the default value. Do not select Direct: the Direct adapter connects directly to each account to return inventory and is used for the other three methods described on the Managing AWS Connections page.

    Access key
      The Access key for the account that the aggregator exists in, used to connect as an IAM user. The IAM user requires the relevant permission to query the aggregator with the specified name and region in the account that the Access key has been provided for.
      If the inventory beacon is running on an EC2 instance, the Access key is optional. An administrator can instead assign a role to the EC2 instance, so that only the aggregator region and name need to be specified.

    Secret key
      The Secret key for the account that the aggregator exists in, used to connect as an IAM user. The IAM user requires the relevant permission to query the aggregator with the specified name and region in the account that the Secret key has been provided for.
      If the inventory beacon is running on an EC2 instance, the Secret key is optional. An administrator can instead assign a role to the EC2 instance, so that only the aggregator region and name need to be specified.

    Aggregator region
      The region from which you want to aggregate data. One region or multiple regions are configured when creating an aggregator in AWS.

    Aggregator name
      The name of the aggregator that collects AWS Config configuration and compliance data from multiple accounts and regions into a single account and region.

    Connection is in test mode (do not import results)
      Controls the uploading and importing of data from this connection:
      • When this check box is clear, the connection is in production mode, and data collected through this adapter is uploaded to the central server and (in due course) imported into the database there.
      • When the check box is set:
        • The adapter for this connection is exercised, with data written to the intermediate file in the staging folder on the inventory beacon (%CommonAppData%\Flexera Software\Beacon\IntermediateData)
        • The immediate upload that normally follows data collection is suppressed, so that you can inspect the contents of the file
        • The catch-up process that retries stalled uploads, normally scheduled overnight, runs as usual and uploads the file to the central server
        • At the central server, the file contents are discarded (and not imported into the central database).

    Overlapping Inventory Filter
      This control does not apply to the AWS Config adapter, and you may leave it at the default setting.

  4. Click Test Connection.
    This checks that a connection to the aggregator can be established, either with the Access key and Secret key, or without the keys when the inventory beacon is running on an EC2 instance with an assigned role.
    Note: To determine whether the inventory beacon is running on an EC2 instance, the presence of a service called AmazonSSMAgent is used as the indicator. If a service with this name exists, it is assumed that the inventory beacon is running on an EC2 instance, and the Access key and Secret key are ignored.
    • If the connection is successful, click OK to close the message, then click Save to complete the addition. The connection is added to (or updated in) the list.
    • If the connection is unsuccessful, the appropriate error message is displayed. Click OK to close the message, edit the connection details, and retest the connection.

      You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details.

  5. In the FlexNet Beacon PowerShell Source Connection dialog, click Save to save the connection.
  6. Select your new connection from the displayed list, and click Schedule....
  7. In the dialog that appears, select the name of your chosen schedule for inventory collection through this connection, and click OK.
    Note: The default schedule for the AWS Config adapter is 30 minutes. The aggregator returns active resources only, meaning the resource has to exist in order to be returned. If a resource was created after one run of the adapter, and then deleted prior to the adapter running again, that resource will not be imported.
  8. At the bottom of the FlexNet Beacon interface, click Save, and if you are done, also click Exit.
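A pre-flight check that exercises the same four permissions the Test Connection button in step 4 relies on, including the AmazonSSMAgent heuristic, as an added PowerShell example that is not the adapter's own code; it uses the AWS Tools for PowerShell modules, and the aggregator name, region and credential profile name are assumptions.

```powershell
# Added example (not the adapter's code): verify the beacon's AWS access before saving the connection.
Import-Module AWS.Tools.SecurityToken, AWS.Tools.ConfigService, AWS.Tools.Organizations

$AggregatorName   = 'org-aggregator'   # assumed aggregator name
$AggregatorRegion = 'us-east-1'        # assumed aggregator region

# Same heuristic as the adapter: an AmazonSSMAgent service means "running on EC2",
# so the instance role is used and any stored Access/Secret key is ignored.
$OnEc2  = [bool](Get-Service -Name 'AmazonSSMAgent' -ErrorAction SilentlyContinue)
$Common = @{ Region = $AggregatorRegion }
if (-not $OnEc2) {
    # Access-key mode: use a stored credential profile rather than keys in the script.
    $Common['ProfileName'] = 'itam-beacon'   # assumed profile created with Set-AWSCredential
}

# sts:GetCallerIdentity: confirms the credentials resolve to a principal.
$Caller = Get-STSCallerIdentity @Common
Write-Host "Running as $($Caller.Arn) in account $($Caller.Account)"

# config:DescribeConfigurationAggregators: the aggregator must exist, and in the caller's account.
$Agg = Get-CFGConfigurationAggregatorList @Common -ConfigurationAggregatorName $AggregatorName
if ($Agg.ConfigurationAggregatorArn -notmatch ":$($Caller.Account):") {
    throw "Aggregator $($Agg.ConfigurationAggregatorArn) is not in the caller's account; " +
          "the beacon must use credentials from the aggregator's account."
}

# config:SelectAggregateResourceConfig: the query type the adapter relies on (first page only).
$Rows = Select-CFGAggregateResourceConfig @Common -ConfigurationAggregatorName $AggregatorName `
    -Expression "SELECT accountId, awsRegion, resourceId WHERE resourceType = 'AWS::EC2::Instance'"
Write-Host "Aggregator returned $(@($Rows).Count) EC2 instance rows"

# organizations:ListAccounts is optional: without it only account IDs are shown in ITAM.
try {
    $Names = Get-ORGAccountList @Common | Select-Object Id, Name
    Write-Host "Account friendly names available for $(@($Names).Count) accounts"
} catch {
    Write-Warning "organizations:ListAccounts denied; account friendly names will be unavailable"
}
```

Run it on the beacon host under the same credentials the connection will use; a failure on any of the four calls points at the missing statement in the permissions policy.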
After a successful data import: EC2 instances, dedicated hosts, Oracle RDS databases and account details with account names are visible in the appropriate pages of IT Asset Management. Note: Reserved instances are not retrieved by the AWS Config adapter.
Note: To know more about the operations available on the Inventory Systems page of FlexNet Beacon, see the Inventory Systems Page in the online help. For scheduling data imports through this connection, see Scheduling a Connection, also in the online help.
