Managing AWS Connections

IT Asset Management (Cloud)

Choice of methods

There are four methods available for establishing a connection to Amazon Web Services Elastic Compute Cloud (AWS EC2) and Amazon Relational Database Service (RDS), and all require several prerequisites. Before you begin, you must choose the most suitable method for your business, complete the associated prerequisites, and then configure the connection. Summaries of each method are listed below:

Enabling AWS Config and creating an AWS Aggregator — This method allows you to create an integration to query your AWS resources by means of an AWS aggregator.

When enabled, AWS Config stores configuration data for your resources in AWS. The aggregator is then created to pull the data from selected or all AWS accounts into a single account. From this single account, the inventory beacon will query the aggregator and import the data into IT Asset Management.
This method requires you to:
- Enable AWS Config
- Create an AWS aggregator.
To use this method, complete the below prerequisites and then complete the steps detailed in Enabling AWS Config and creating an Aggregator.
Configuring Connections to AWS (FlexNet Beacon Installed on EC2 instance) using IAM Roles — This method enhances the role-based method (listed below) by installing FlexNet Beacon directly on an EC2 instance, which eliminates the need for users to enter any credentials to verify their identity. This method follows Amazon's best practice guidelines which recommends minimizing the use of long-term access keys for increased security. As always, your chosen inventory beacon (in this case, on an EC2 instance) must have access to the Internet so that it can connect with the central application server for IT Asset Management to upload inventory and download beacon and device policy. In addition, this method requires you to:
- Create security policies
- Create an Identity and Access Management (IAM) role (which will be assigned to an EC2 instance with FlexNet Beacon installed on it)
- Then create further IAM roles on any other accounts to allow FlexNet Beacon to collect inventory from more than one account.
To use this method, complete the below prerequisites, and then complete Configuring Connections to AWS (FlexNet Beacon Installed on EC2 instance) using IAM Roles
Note: During the configuration process, your AWS Systems Manager Agent (SSM Agent) processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request. SSM Agent then sends status and execution information back to the Systems Manager service by using the Amazon Message Delivery Service (service prefix: ec2messages). If the configuration process fails, you must use the script InitializeInstance.ps1 which is provided by Amazon and is installed by default on each EC2 instance. The metadata is retrieved from IP address 169.254.169.254.
Configuring Connections to AWS using IAM Roles — This method uses IAM roles, which enable you to collect inventory from multiple accounts using a temporary security credentials which include a security token that indicates when the credentials expire. This increases security by reducing the need for long-term access keys which must be manually revoked and require a security policy to be attached to each user who must in turn be granted the necessary permissions. This method requires you to:
- Create security policies
- Policies are then assigned to users, groups and roles, and those policies may define other roles which can be assumed.
To use this method, complete the below prerequisites and then complete Configuring Connections to AWS using IAM Roles
Note:
- For information on cross-account access using IAM roles, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- For information on Amazon's recommended best practices, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.
Configuring Connections to AWS using IAM Users — This method requires you to:
- Create security policies
- Create an IAM user
- Then assign the security policies directly to the user.
This method, which was available prior to IT Asset Management 2019 R2, uses long-term credentials which Amazon now recommends against. If you already have this method in place, you do not need to change. To use this method, complete the below prerequisites and then complete Configuring Connections to AWS using IAM Users.

Tip: If you have some reason to connect to AWS from more than one inventory beacon, you may re-use the same policies, and do not need to create these multiple times. It would also be possible to reuse the same account name on a different inventory beacon, but since recommended practice is to schedule frequent connections (for example, to collect data on terminated instances, which has a very limited life on AWS), it may be advisable to create separate user accounts for each accessing inventory beacon and avoid possible collisions.

Important: While you are planning to collect data from AWS EC2, also plan to configure start-up scripts in your base image to modify preferences for FlexNet inventory agent when your VMs are instantiated. These changed preferences ensure that each instance reports a distinct computer name (or perhaps domain name). If this is not done, instances take a common device name from the base image, and typically report from the same domain name. With matching names, the resulting records are assumed to come from a single device and are merged into a single device record in IT Asset Management. For more information, see Common: Ensuring Distinct Inventory in Gathering FlexNet Inventory.

Prerequisites

To complete this process, your chosen inventory beacon must meet the following requirements, some of which should have been fulfilled when the FlexNet Beacon software was installed:

PowerShell 3.0 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later; with the PowerShell execution policy set to RemoteSigned.
Note: If you choose to install AWS.Tools.Common, which is the modular collection where you can install individual AWS Tools for PowerShell, the minimum version is increased to PowerShell 5.1 or later.
.NET Framework 4.7.2 or newer is required.
The FlexNet Beacon software installed on the inventory beacon must be release 13.1.1 (shipped with IT Asset Management 2018 R2) or later.
The inventory beacon must have Internet access to the central application server for IT Asset Management, so that it can upload inventories and download policies.
A web browser is installed and enabled on the inventory beacon.
You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
You must have downloaded AWS Tools for PowerShell from https://aws.amazon.com/powershell/, and installed them on the inventory beacon. The minimum required version of these tools is 3.3.283.0.
Tip: To check the version installed on your inventory beacon:
1. As administrator, run PowerShell.
2. Execute the Get-AWSPowerShellVersion cmdlet.
New versions are available for download from https://aws.amazon.com/powershell/.
Note: The permissible values for Instance region are currently hard coded in the AWS Tools for PowerShell. This means that if AWS create additional regions, and you want to have instances in one of the new regions, you will need to update AWS Tools for PowerShell at that time.
From release 2.0.0 of the PowerShellGet cmdlet (which allows you to Install-Module), the Scope option defaults to CurrentUser. Unless you are installing the modules using the account that normally runs your FlexNet Beacon and triggers the AWS connector, you must specify the non-default value of AllUsers, such that the inventory beacon's operating account (typically SYSTEM) can run the connector. Example command lines for installation are:
- For the modular AWS Tools for PowerShell (requires PowerShell 5.1 or later):
```
PS> Install-Module -Name AWS.Tools.moduleName -Scope AllUsers
```
  Tip: Repeat this instruction amended for each of the required modules. The modules needed to run the connector include:
  - AWS.Tools.Common
  - AWS.Tools.ConfigService
  - AWS.Tools.EC2
  - AWS.Tools.IdentityManagement
  - AWS.Tools.Organizations
  - AWS.Tools.RDS
  - AWS.Tools.S3
  - AWS.Tools.SecurityToken.
- For the bundled, legacy AWS Tools for PowerShell (requires PowerShell 3.0 or later):
```
PS> Install-Module -Name AWSPowerShell -Scope AllUsers
```
After installation, the tools are found in one of the paths listed in the preference PSModulePath, such as C:\Program Files\WindowsPowerShell\Modules (check the preference value on your inventory beacon).

On the AWS side, you must first create:

A policy allowing access to your EC2 service
A policy allowing access to an Identity and Access Management (IAM) entity
The IAM roles to grant access to AWS resources (not required when using the Configuring Connections to AWS EC2 using IAM Users method)
The IAM user account (still within AWS) with minimum privileges that makes the connection to AWS APIs and imports the available data (only required for the Configuring Connections to AWS EC2 using IAM Roles without FlexNet Beacon installed on EC2 instance only).

Finally, on the inventory beacon that is to make the connection to AWS, you must specify the connection (which is automatically scheduled for you).

Tip: Whichever method you choose, if the imported results are not as expected, see Troubleshooting Your AWS Connection.

IT Asset Management (Cloud)

Current