Managing AWS Connections
IT Asset Management (Cloud)
Choice of methods
There are three methods available for establishing a connection to Amazon Web Services Elastic Compute Cloud (AWS EC2) and Amazon Relational Database Service (RDS), and all require several prerequisites. Before you begin, you must choose the most suitable method for your business, complete the associated prerequisites, and then configure the connection. Summaries of each method are listed below:
- Configuring Connections to AWS (FlexNet Beacon Installed on EC2 instance) using IAM Roles — This method enhances the role-based method (listed below) by installing FlexNet Beacon directly on an EC2 instance, which eliminates the need for users to enter any credentials to verify their identity. This method follows Amazon's best practice guidelines, which recommend minimizing the use of long-term access keys for increased security. As always, your chosen inventory beacon (in this case, on an EC2 instance) must have access to the Internet so that it can connect with the central application server for IT Asset Management to upload inventory and download beacon and device policy. In addition, this method requires you to:
  - Create security policies
  - Create an Identity and Access Management (IAM) role (which will be assigned to an EC2 instance with FlexNet Beacon installed on it)
  - Then create further IAM roles on any other accounts to allow FlexNet Beacon to collect inventory from more than one account.
  Note: During the configuration process, your AWS Systems Manager Agent (SSM Agent) processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request. SSM Agent then sends status and execution information back to the Systems Manager service by using the Amazon Message Delivery Service (service prefix: ec2messages). If the configuration process fails, you must use the script InitializeInstance.ps1, which is provided by Amazon and is installed by default on each EC2 instance. The metadata is retrieved from IP address 169.254.169.254.
- Configuring Connections to AWS using IAM Roles — This method uses IAM roles, which enable you to collect inventory from multiple accounts using temporary security credentials that include a security token indicating when the credentials expire. This increases security by reducing the need for long-term access keys, which must be manually revoked and require a security policy to be attached to each user, who must in turn be granted the necessary permissions. This method requires you to:
  - Create security policies
  - Policies are then assigned to users, groups and roles, and those policies may define other roles which can be assumed.
  Note:
  - For information on cross-account access using IAM roles, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
  - For information on Amazon's recommended best practices, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.
- Configuring Connections to AWS using IAM Users — This method requires you to:
- Create security policies
- Create an IAM user
- Then assign the security policies directly to the user.
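As an added illustration of the temporary-credential flow that the IAM Roles method relies on (example code written for this page, not the FlexNet Beacon connector's own code), the following PowerShell script assumes a role in a second account from the inventory beacon, shows when the returned credentials expire, and lists that account's EC2 instances with them. The account ID, role name and region are placeholders.

```powershell
# Added example (not Flexera's connector code): assume a cross-account IAM role from the
# inventory beacon, inspect the expiry of the temporary credentials, and use them to list
# EC2 instances in the target account. Uses the modular AWS.Tools.* modules; with the legacy
# bundle, replace the Import-Module line with: Import-Module AWSPowerShell
Import-Module AWS.Tools.SecurityToken, AWS.Tools.EC2 -ErrorAction Stop

# Placeholder values: replace with your own target account and the role you created there.
$TargetAccountId = '111122223333'
$RoleName        = 'FlexNetBeaconInventoryRole'
$RoleArn         = "arn:aws:iam::${TargetAccountId}:role/$RoleName"
$Region          = 'us-east-1'

# The caller's own identity (the EC2 instance role, or the IAM user on the beacon) must be
# allowed by the target role's trust policy. The session name is recorded in CloudTrail,
# so use one that identifies the beacon.
$session = Use-STSRole -RoleArn $RoleArn `
                       -RoleSessionName "flexnet-beacon-$env:COMPUTERNAME" `
                       -DurationInSeconds 3600
$creds = $session.Credentials

# Temporary credentials carry their own expiry: nothing long-term to rotate or revoke.
$remaining = $creds.Expiration.ToUniversalTime() - (Get-Date).ToUniversalTime()
Write-Host ("Assumed {0}; credentials expire in {1:N0} minutes" -f `
            $session.AssumedRoleUser.Arn, $remaining.TotalMinutes)

# The session token must accompany the key and secret on every call in the target account.
$instances = (Get-EC2Instance -Region $Region `
                -AccessKey $creds.AccessKeyId `
                -SecretKey $creds.SecretAccessKey `
                -SessionToken $creds.SessionToken).Instances

$instances |
    Select-Object InstanceId, InstanceType, @{ n = 'State'; e = { $_.State.Name } } |
    Format-Table -AutoSize
```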
Tip: If you have some reason to connect to AWS from more than one
inventory beacon, you may re-use the same policies, and do not
need to create these multiple times. It would also be possible to reuse the
same account name on a different inventory beacon, but since
recommended practice is to schedule frequent connections (for example, to
collect data on terminated instances, which has a very limited life on AWS),
it may be advisable to create separate user accounts for each accessing
inventory beacon and avoid possible collisions.
Important: While you are planning to collect data from AWS EC2, also
plan to configure start-up scripts in your base image to modify preferences for
FlexNet inventory agent when your VMs are instantiated. These changed
preferences ensure that each instance reports a distinct computer name (or perhaps
domain name). If this is not done, instances take a common device name from the base
image, and typically report from the same domain name. With matching names, the
resulting records are assumed to come from a single device and are merged into a
single device record in IT Asset Management. For more information, see Common: Ensuring Distinct Inventory in Gathering FlexNet Inventory.
Prerequisites
To complete this process, your chosen inventory beacon must meet the following requirements, some of which should have been fulfilled when the FlexNet Beacon software was installed:
- PowerShell 3.0 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later, with the PowerShell execution policy set to RemoteSigned.
  Note: If you choose to install AWS.Tools.Common, which is the modular collection where you can install individual AWS Tools for PowerShell, the minimum version is increased to PowerShell 5.1 or later.
- .NET Framework 4.7.2 or newer is required.
- The FlexNet Beacon software installed on the inventory beacon must be release 13.1.1 (shipped with IT Asset Management 2018 R2) or later.
- The inventory beacon must have Internet access to the central application server for IT Asset Management, so that it can upload inventories and download policies.
- A web browser is installed and enabled on the inventory beacon.
- You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
- You must have downloaded AWS Tools for PowerShell from https://aws.amazon.com/powershell/, and installed them on the inventory beacon. The minimum required version of these tools is 3.3.283.0.
  Tip: To check the version installed on your inventory beacon:
  - As administrator, run PowerShell.
  - Execute the Get-AWSPowerShellVersion cmdlet.
  Note: The permissible values for Instance region are currently hard coded in the AWS Tools for PowerShell. This means that if AWS creates additional regions, and you want to have instances in one of the new regions, you will need to update AWS Tools for PowerShell at that time.
  From release 2.0.0 of PowerShellGet (which provides the Install-Module cmdlet), the Scope option defaults to CurrentUser. Unless you are installing the modules using the account that normally runs your FlexNet Beacon and triggers the AWS connector, you must specify the non-default value of AllUsers, so that the inventory beacon's operating account (typically SYSTEM) can run the connector. Example command lines for installation are:
  - For the modular AWS Tools for PowerShell (requires PowerShell 5.1 or later):
    PS> Install-Module -Name AWS.Tools.moduleName -Scope AllUsers
    Tip: Repeat this instruction, amended for each of the required modules. The modules needed to run the connector include AWS.Tools.Common, AWS.Tools.EC2, AWS.Tools.S3, AWS.Tools.SecurityToken, and AWS.Tools.IdentityManagement.
  - For the bundled, legacy AWS Tools for PowerShell (requires PowerShell 3.0 or later):
    PS> Install-Module -Name AWSPowerShell -Scope AllUsers
  PSModulePath, such as C:\Program Files\WindowsPowerShell\Modules (check the preference value on your inventory beacon).
- A policy allowing access to your EC2 service
- A policy allowing access to an Identity and Access Management (IAM) entity
- The IAM roles to grant access to AWS resources (not required when using the Configuring Connections to AWS EC2 using IAM Users method)
- The IAM user account (still within AWS) with minimum privileges that makes the connection to AWS APIs and imports the available data (required only for the Configuring Connections to AWS EC2 using IAM Roles method without FlexNet Beacon installed on an EC2 instance).
Tip: Whichever method you choose, if the imported results are not as expected,
see Troubleshooting Your AWS Connection.
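The following PowerShell script, added here as an example and not part of the Flexera documentation, checks an inventory beacon against the prerequisites listed above: PowerShell version, execution policy, .NET Framework release, AWS Tools version, and machine-wide (AllUsers) installation of the required modules. The .NET release-key threshold 461808 is Microsoft's published value for 4.7.2 and is an assumption of this script rather than something the page states.

```powershell
# Added example (not from the Flexera documentation): read-only check of an inventory beacon
# against the AWS connector prerequisites. Run from an elevated PowerShell prompt.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail })
}

# Modular AWS.Tools.* needs PowerShell 5.1; the legacy AWSPowerShell bundle needs 3.0.
$modular = [bool](Get-Module -ListAvailable -Name AWS.Tools.Common)
$minPs   = if ($modular) { [version]'5.1' } else { [version]'3.0' }
$ps      = $PSVersionTable.PSVersion
Add-Check 'PowerShell version' ($ps -ge $minPs) "$ps (minimum $minPs for $(if ($modular) {'modular'} else {'legacy'}) tools)"

# Execution policy must be RemoteSigned (or less restrictive).
$policy = "$(Get-ExecutionPolicy)"
Add-Check 'Execution policy' ($policy -in 'RemoteSigned', 'Unrestricted', 'Bypass') $policy

# .NET Framework 4.7.2 corresponds to registry Release 461808 or higher (assumed from Microsoft's table).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.7.2+' ($release -ge 461808) "Release $release"

# AWS Tools for PowerShell 3.3.283.0 or later (highest installed version of either distribution).
$awsVer = (Get-Module -ListAvailable -Name AWSPowerShell, AWS.Tools.Common |
           Sort-Object Version -Descending | Select-Object -First 1).Version
Add-Check 'AWS Tools version' ([bool]$awsVer -and $awsVer -ge [version]'3.3.283.0') "$awsVer"

# The beacon's service account (typically SYSTEM) cannot see modules installed with -Scope CurrentUser,
# so each required module must live under a machine-wide PSModulePath entry, not the user profile.
$needed = if ($modular) {
    'AWS.Tools.Common', 'AWS.Tools.EC2', 'AWS.Tools.S3', 'AWS.Tools.SecurityToken', 'AWS.Tools.IdentityManagement'
} else { 'AWSPowerShell' }
foreach ($m in $needed) {
    $paths       = @(Get-Module -ListAvailable -Name $m | ForEach-Object ModuleBase)
    $machineWide = @($paths | Where-Object { $_ -notlike "$env:USERPROFILE*" })
    Add-Check "Module $m (AllUsers)" ($machineWide.Count -gt 0) $(if ($paths) { $paths -join '; ' } else { 'not installed' })
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { Write-Warning 'One or more prerequisites are not met.' }
```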