Managing AWS EC2 Connections

FlexNet Manager Suite 2019 R1 (On-Premises Edition)
Connections to Amazon Web Services Elastic Compute Cloud require four elements:
  • Within AWS, you must create a policy that allows access to your EC2 service
  • Similarly, you must create a policy allowing access to an Identity and Access Management (IAM) entity
  • Still within AWS, you must create the IAM user account with minimum privileges that makes the connection to AWS APIs and imports the available data
  • Finally, on the inventory beacon that is to make the connection to AWS, you must specify the connection (which is automatically scheduled for you).
All four parts of the process are included below. You may conveniently complete all parts of the process using a web browser on your chosen inventory beacon.
Tip: If you have some reason to connect to AWS from more than one inventory beacon, you may re-use the same policies, and do not need to create these multiple times. It would also be possible to reuse the same account name on a different inventory beacon, but since recommended practice is to schedule frequent connections (for example, to collect data on terminated instances, which has a very limited life on AWS), it may be advisable to create separate user accounts for each accessing inventory beacon, and avoid possible collisions.
Important: While you are planning to collect data from AWS EC2, also plan to configure start-up scripts in your base image to modify preferences for FlexNet inventory agent when your VMs are instantiated. These changed preferences ensure that each instance reports a distinct computer name (or perhaps domain name). If this is not done, instances take a common device name from the base image, and typically report from the same domain name. With matching names, the resulting records are assumed to come from a single device, and are merged into a single device record in FlexNet Manager Suite. For more information, see Common: Ensuring Distinct Inventory in the Gathering FlexNet Inventory PDF, available through the title page of online help.

Prerequisites

To complete this process, your chosen inventory beacon must meet the following requirements, some of which should have been fulfilled when the FlexNet Beacon software was installed:
  • PowerShell 3.0 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later; with the PowerShell execution policy set to RemoteSigned.
  • The FlexNet Beacon software installed on the inventory beacon must be release 13.1.1 (shipped with FlexNet Manager Suite 2018 R2) or later.
  • A web browser is installed and enabled on the inventory beacon.
  • You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
  • You must have downloaded AWS Tools for Windows PowerShell from https://aws.amazon.com/powershell/, and installed them on the inventory beacon. The minimum required version of these tools is 3.3.283.0. To check the version installed on your inventory beacon, run AWS Tools for Windows PowerShell, and execute the Get-AWSPowerShellVersion cmdlet.
    Note: The permissible values for Instance region are currently hard-coded in the AWS Tools for Windows PowerShell. This means that if AWS provision additional regions, and you want to have instances in one of the new regions, you will need to update AWS Tools for Windows PowerShell at that time.
The connection to AWS supports optional use of a proxy.

To configure an initial data connection to your AWS EC2 service:

  1. Using the email address saved by your AWS account owner for your AWS account, sign into AWS and open the IAM console at https://console.aws.amazon.com/iam.
    You will create both policies and the user account through this console.
  2. Create the policy to access your EC2 service:
    1. In the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service, and select EC2.
    4. In the Actions section, expand the List access level.
    5. Select the following access levels to allow collection of inventory data from AWS:
      • DescribeInstances
      • DescribeHosts
      • DescribeReservedInstances.
    6. Click Review policy, and give this policy a suitable and unique Name (for example, ListEC2ForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    7. Click Create policy.
  3. Create the policy to access your IAM service:
    1. Once again, in the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service, and select IAM.
    4. In the Actions section, expand the Read access level.
    5. Select the GetUser access level, which will be used to validate the connection to AWS.
    6. Again in the Actions section, expand the List access level, and select the ListAccountAliases access level, allowing collection of the AWS account name in inventory.
    7. For Resources, choose All resources.
    8. Click Review policy, and give this policy a suitable and unique Name (for example, ReadUserForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    9. Click Create policy.
  4. Create the IAM account that will collect data on schedule:
    1. In the navigation pane on the left, click Users, and then click Add user.
    2. In the User Name field, create a name for the account (for example, FNMSUser).
    3. For the Access type, select Programmatic access.
    4. In the Permissions section, click Attach existing policies directly.
    5. Search, and select the policies you created in the previous steps (the suggested names were ListEC2ForFNMS and ReadUserForFNMS).
    6. Click Review, and validate your settings.
    7. Click Create User.
      The AWS management console displays a Success status, and displays the Access key ID and the Secret access key for the account. It also provides a link to download these critical details in a .csv file.
      Warning: Be sure to secure the credentials for future use. Once you leave the window, you will not be able to access the Secret access key again. Copy them from this page and save for the rest of this procedure; but also preserve the .csv file.
    8. Download the .csv file containing the Access key ID and the Secret access key for the account, and save in a secure location.
  5. Log into FlexNet Beacon as administrator, and confirm the schedule for data collection from AWS.
    Some data on AWS is ephemeral: for example, a terminated instance disappears within an hour of you implementing that decision. As well, some licenses (such as IBM PVU) require that you monitor peak consumption not more than 30 minutes apart. For reasons like these, recommended best practice is to schedule data collection from AWS every 30 minutes. A default schedule named AWS imports exists in the Data collection > Scheduling page of FlexNet Beacon for this purpose. If you have reason to modify this default, it is convenient to modify the schedule before setting up the connection. See Modifying a Schedule if you need assistance.
    Tip: Don't change the name of the schedule, so that it can be automatically linked to your AWS EC2 connection. (If you make the mistake of changing the name of this schedule, the default schedule is automatically restored with the default name at the next policy check.)
  6. Configure the connection to AWS:
    1. In the FlexNet Beacon interface, select the Inventory Systems page.
    2. To create a new connection, click the down arrow on the right of the New split button, and choose PowerShell.
      Tip: You can also edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
    3. In the dialog that appears, complete (or modify) the following required fields:
      • Connection Name: The name you give this inventory connection is also used in the web interface of FlexNet Manager Suite to name the data import task.
      • Source Type: Select Amazon Web Services from this list.
      • Access Key: Copy this value from the credentials .csv file you downloaded from AWS.
      • Secret Access Key: Similarly, copy and paste this value from the downloaded .csv file.
    4. If a proxy server is in use between the inventory beacon and AWS, also select the Use Proxy check box, and complete the following additional details:
      • Proxy Server: Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber. If the protocol is omitted, it defaults to http:. If the port number is omitted, it defaults to :80 for http, or :443 for https.
      • Username and Password: If your enterprise is using an authenticated proxy, specify the credentials to access the proxy server you just identified.
    5. Click Test Connection.
      • If a Test connection failed message displays, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
      • If, instead, the inventory beacon can successfully access the AWS APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message. Click Save to add the connection to (or update it in) the list.
Your saved connection is also automatically linked to the AWS imports schedule (editable in the Scheduling page in the Data collection group), and the Next run column shows when the next import from AWS EC2 is due.
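
The console work in steps 2 to 4 can also be expressed as policy documents and scripted with AWS Tools for Windows PowerShell, which makes the granted actions easy to review. The following is an added example, not code from the product documentation; it assumes the session already holds administrative IAM credentials, uses the suggested names from the steps above, and writes the key file to a hypothetical path.

```powershell
# Added example, not vendor-supplied code. Run from a session that already
# holds administrative IAM credentials (assumption).
$ErrorActionPreference = 'Stop'
Import-Module AWSPowerShell

# Step 2: the three EC2 actions only. These Describe actions do not support
# resource-level permissions, so Resource must be "*".
$ec2Doc = @'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": [ "ec2:DescribeInstances",
                "ec2:DescribeHosts",
                "ec2:DescribeReservedInstances" ],
    "Resource": "*" } ] }
'@

# Step 3: GetUser validates the connection; ListAccountAliases reads the account name.
$iamDoc = @'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": [ "iam:GetUser", "iam:ListAccountAliases" ],
    "Resource": "*" } ] }
'@

$ec2Policy = New-IAMPolicy -PolicyName 'ListEC2ForFNMS' -PolicyDocument $ec2Doc
$iamPolicy = New-IAMPolicy -PolicyName 'ReadUserForFNMS' -PolicyDocument $iamDoc

# Step 4: programmatic-only user (no console password is ever created).
$userName = 'FNMSUser'
New-IAMUser -UserName $userName | Out-Null
Register-IAMUserPolicy -UserName $userName -PolicyArn $ec2Policy.Arn
Register-IAMUserPolicy -UserName $userName -PolicyArn $iamPolicy.Arn

# Least-privilege check: exactly the two policies above may be attached.
$expected = 'ListEC2ForFNMS', 'ReadUserForFNMS'
$attached = @((Get-IAMAttachedUserPolicyList -UserName $userName).PolicyName)
if (Compare-Object -ReferenceObject $expected -DifferenceObject $attached) {
    throw "Unexpected managed policies on ${userName}: $($attached -join ', ')"
}

# The secret access key is returned only once; store the file securely.
$csvPath = 'C:\Secure\FNMSUser_accessKeys.csv'   # hypothetical path
New-IAMAccessKey -UserName $userName |
    Select-Object AccessKeyId, SecretAccessKey |
    Export-Csv -Path $csvPath -NoTypeInformation
```

The attached-policy check covers managed policies only; permissions inherited through group membership or inline policies need a separate review.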