Managing AWS Connections
Choice of methods
There are four methods available for establishing a connection to Amazon Web Services Elastic Compute Cloud (AWS EC2) and Amazon Relational Database Service (RDS), and all require several prerequisites. Before you begin, you must choose the most suitable method for your business, complete the associated prerequisites, and then configure the connection. Summaries of each method are listed below:
- Enabling AWS Config and creating an AWS Aggregator — This method allows you to create an integration to query your AWS resources by means of an AWS aggregator.
When enabled, AWS Config stores configuration data for your resources in AWS. The aggregator is then created to pull the data from selected or all AWS accounts into a single account. From this single account, the inventory beacon will query the aggregator and import the data into IT Asset Management.
This method requires you to:
- Enable AWS Config
- Create an AWS aggregator.
To use this method, complete the below prerequisites and then complete the steps detailed in Enabling AWS Config and creating an Aggregator.
- Configuring Connections to AWS (FlexNet Beacon Installed on EC2 instance) using IAM Roles — This method enhances the role-based method (listed below) by installing FlexNet Beacon directly on an EC2 instance, which eliminates the need for users to enter any credentials to verify their identity. This method follows Amazon's best practice guidelines, which recommend minimizing the use of long-term access keys for increased security. As always, your chosen inventory beacon (in this case, on an EC2 instance) must have access to the Internet so that it can connect with the central application server for IT Asset Management to upload inventory and download beacon and device policy. In addition, this method requires you to:
- Create security policies
- Create an Identity and Access Management (IAM) role (which will be assigned to an EC2 instance with FlexNet Beacon installed on it)
- Then create further IAM roles on any other accounts to allow FlexNet Beacon to collect inventory from more than one account.
Note: During the configuration process, your AWS Systems Manager Agent (SSM Agent) processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request. SSM Agent then sends status and execution information back to the Systems Manager service by using the Amazon Message Delivery Service (service prefix: ec2messages). If the configuration process fails, you must use the script InitializeInstance.ps1, which is provided by Amazon and is installed by default on each EC2 instance. The metadata is retrieved from IP address 169.254.169.254.
- Configuring Connections to AWS using IAM Roles — This method uses IAM roles, which enable you to collect inventory from multiple accounts using temporary security credentials that include a security token indicating when the credentials expire. This increases security by reducing the need for long-term access keys, which must be manually revoked and require a security policy to be attached to each user, who must in turn be granted the necessary permissions. This method requires you to:
- Create security policies
- Policies are then assigned to users, groups and roles, and those policies may define other roles which can be assumed.
Note:
- For information on cross-account access using IAM roles, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- For information on Amazon's recommended best practices, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.
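The two role-based methods above rest on the same mechanism: the beacon holds (or is granted) one identity, and short-lived STS credentials are issued for each account it inventories. The following is an added example, not Flexera's connector code nor an AWS sample, that a beacon administrator can run to confirm which identity the AWS Tools pick up (on an EC2 instance with an instance profile this needs no stored keys), assume a role in a second account, and check the token expiry before using the temporary credentials for a read-only query. The role ARN, session name and region are placeholders, and it assumes the AWS.Tools.SecurityToken and AWS.Tools.EC2 modules (or the legacy AWSPowerShell bundle) are installed.

```powershell
# Added example (not Flexera's or AWS's own code).
# Placeholders: replace the account ID, role name and region with your own.
$TargetRoleArn = 'arn:aws:iam::111122223333:role/InventoryBeaconReadOnly'   # placeholder ARN
$Region        = 'us-east-1'                                                # placeholder region

# 1. Which identity is the connector running as? On an EC2 instance with an
#    instance profile this succeeds without any stored access keys, because the
#    AWS Tools obtain credentials from the instance metadata service (169.254.169.254).
$self = Get-STSCallerIdentity
Write-Host "Running as $($self.Arn) in account $($self.Account)"

# 2. Assume the cross-account role. STS returns credentials that expire; the
#    target account's role trust policy must allow $self.Arn to assume it.
$assumed = Use-STSRole -RoleArn $TargetRoleArn `
                       -RoleSessionName 'flexnet-beacon-inventory' `
                       -DurationInSeconds 3600
$cred = $assumed.Credentials

# 3. Check the remaining token lifetime. A scheduled connector run should never
#    reuse credentials that are about to expire mid-import.
$minutesLeft = ($cred.Expiration.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalMinutes
if ($minutesLeft -le 5) {
    throw "Temporary credentials expire in $([int]$minutesLeft) minutes; refusing to continue."
}
Write-Host ("Temporary credentials valid until {0:u} ({1:N0} minutes left)" -f $cred.Expiration, $minutesLeft)

# 4. Pass the temporary credentials explicitly to the inventory call instead of
#    saving them to a profile, so nothing long-lived is written to disk.
$instances = Get-EC2Instance -AccessKey    $cred.AccessKeyId `
                             -SecretKey    $cred.SecretAccessKey `
                             -SessionToken $cred.SessionToken `
                             -Region       $Region
$instances.Instances |
    Select-Object InstanceId, InstanceType, @{ n = 'State'; e = { $_.State.Name } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the inventory beacon. If step 1 fails on an EC2 instance, the instance has no instance profile attached or cannot reach the metadata address; if step 2 fails with an access-denied error, the trust policy on the target role does not name the beacon's identity.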
- Configuring Connections to AWS using IAM Users —
This method requires you to:
- Create security policies
- Create an IAM user
- Then assign the security policies directly to the user.
Prerequisites
To complete this process, your chosen inventory beacon must meet the following requirements, some of which should have been fulfilled when the FlexNet Beacon software was installed:
- PowerShell 3.0 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later, with the PowerShell execution policy set to RemoteSigned.
Note: If you choose to install AWS.Tools.Common, which is the modular collection where you can install individual AWS Tools for PowerShell, the minimum version is increased to PowerShell 5.1 or later.
- .NET Framework 4.7.2 or newer is required.
- The FlexNet Beacon software installed on the inventory beacon must be release 13.1.1 (shipped with IT Asset Management 2018 R2) or later.
- The inventory beacon must have Internet access to the central application server for IT Asset Management, so that it can upload inventories and download policies.
- A web browser is installed and enabled on the inventory beacon.
- You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
- You must have downloaded AWS Tools for PowerShell from https://aws.amazon.com/powershell/, and installed them on the inventory beacon. The minimum required version of these tools is 3.3.283.0.
Tip: To check the version installed on your inventory beacon:
- As administrator, run PowerShell.
- Execute the Get-AWSPowerShellVersion cmdlet.
Note: The permissible values for Instance region are currently hard coded in the AWS Tools for PowerShell. This means that if AWS creates additional regions, and you want to have instances in one of the new regions, you will need to update AWS Tools for PowerShell at that time.
From release 2.0.0 of the PowerShellGet cmdlet (which allows you to Install-Module), the Scope option defaults to CurrentUser. Unless you are installing the modules using the account that normally runs your FlexNet Beacon and triggers the AWS connector, you must specify the non-default value of AllUsers, such that the inventory beacon's operating account (typically SYSTEM) can run the connector. Example command lines for installation are:
- For the modular AWS Tools for PowerShell (requires PowerShell 5.1 or later):
PS> Install-Module -Name AWS.Tools.moduleName -Scope AllUsers
Tip: Repeat this instruction amended for each of the required modules. The modules needed to run the connector include: AWS.Tools.Common, AWS.Tools.ConfigService, AWS.Tools.EC2, AWS.Tools.IdentityManagement, AWS.Tools.Organizations, AWS.Tools.RDS, AWS.Tools.S3, AWS.Tools.SecurityToken.
- For the bundled, legacy AWS Tools for PowerShell (requires PowerShell 3.0 or later):
PS> Install-Module -Name AWSPowerShell -Scope AllUsers
PSModulePath, such as C:\Program Files\WindowsPowerShell\Modules (check the preference value on your inventory beacon).
- A policy allowing access to your EC2 service
- A policy allowing access to an Identity and Access Management (IAM) entity
- The IAM roles to grant access to AWS resources (not required when using the Configuring Connections to AWS EC2 using IAM Users method)
- The IAM user account (still within AWS) with minimum privileges that makes the connection to AWS APIs and imports the available data (only required for the Configuring Connections to AWS EC2 using IAM Roles method without FlexNet Beacon installed on an EC2 instance).
IT Asset Management (Cloud)