Managing AWS EC2 Connections
FlexNet Manager Suite
2019 R2
(On-Premises Edition)
There are three methods available for establishing a connection to Amazon Web Services Elastic Compute Cloud (AWS EC2), and all require several prerequisites. Before you begin, you must choose the most suitable method for your business, complete the associated prerequisites, and then configure the connection. A summary of each method and the required prerequisites is listed below:
Connection methods
- Configuring Connections to AWS EC2 (FlexNet Beacon Installed on EC2 instance) using IAM Roles — This method enhances the role-based method (listed below) by installing FlexNet Beacon directly on an EC2 instance, which eliminates the need for users to enter any credentials to verify their identity. This method follows Amazon's best practice guidelines, which recommend minimizing the use of long-term access keys for increased security. This method requires you to create security policies; create an Identity and Access Management (IAM) role (which will be assigned to an EC2 instance with FlexNet Beacon installed on it); and then create further IAM roles on any other accounts to allow FlexNet Beacon to collect inventory from more than one account. To use this method, complete the below prerequisites and then complete Configuring Connections to AWS EC2 (FlexNet Beacon Installed on EC2 instance) using IAM Roles.
- Configuring Connections to AWS EC2 using IAM Roles — This method uses IAM roles, which enable you to collect inventory from multiple accounts using temporary security credentials that include a security token indicating when the credentials expire. This increases security by reducing the need for long-term access keys, which must be manually revoked and require a security policy to be attached to each user, who must in turn be granted the necessary permissions. This method requires you to create security policies; create an IAM user; and then create an IAM role to which multiple users can be assigned to collect inventory from one or more accounts. To use this method, complete the below prerequisites and then complete Configuring Connections to AWS EC2 using IAM Roles.
  Note:
  - For information on cross-account access using IAM roles, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html.
  - For information on Amazon's recommended best practices, see https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.
- Configuring Connections to AWS EC2 using IAM Users — This method requires you to create security policies; create an IAM user; and then assign the security policies directly to the user. This method, which was available prior to FlexNet Manager Suite 2019 R2, uses long-term credentials, which Amazon recommends against. If you already have this method in place, you do not need to change. To use this method, complete the below prerequisites and then complete Configuring Connections to AWS EC2 using IAM Users.
Tip: If you have some reason to connect to AWS from more than one
inventory beacon, you may re-use the same policies, and do not
need to create these multiple times. It would also be possible to reuse the
same account name on a different inventory beacon, but since
recommended practice is to schedule frequent connections (for example, to
collect data on terminated instances, which has a very limited life on AWS),
it may be advisable to create separate user accounts for each accessing
inventory beacon and avoid possible collisions.
Important: While you are planning to collect data from AWS EC2, also
plan to configure start-up scripts in your base image to modify preferences
for FlexNet inventory agent when your VMs are instantiated. These changed
preferences ensure that each instance reports a distinct computer name (or
perhaps domain name). If this is not done, instances take a common device
name from the base image, and typically report from the same domain name.
With matching names, the resulting records are assumed to come from a single
device and are merged into a single device record in FlexNet Manager Suite. For more information, see Common: Ensuring Distinct Inventory in the Gathering FlexNet Inventory PDF, available through the title page of online help.
Prerequisites
To complete this process, your chosen inventory beacon must meet the
following requirements, some of which should have been fulfilled when the
FlexNet Beacon software was installed:
- PowerShell 3.0 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later; with the PowerShell execution policy set to RemoteSigned.
- The FlexNet Beacon software installed on the inventory beacon must be release 13.1.1 (shipped with FlexNet Manager Suite 2018 R2) or later.
- A web browser is installed and enabled on the inventory beacon.
- You must log onto the inventory beacon, and run FlexNet Beacon, using an account with administrator privileges.
- You must have downloaded AWS Tools for Windows PowerShell from https://aws.amazon.com/powershell/, and installed them on the inventory beacon. The minimum required version of these tools is 3.3.283.0.
  Tip: To check the version installed on your inventory beacon:
  - As administrator, run AWS Tools for Windows PowerShell.
  - Execute the Get-AWSPowerShellVersion cmdlet.
Note: The permissible values for Instance region are currently hard coded in the AWS Tools for Windows PowerShell. This means that if AWS creates additional regions, and you want to have instances in one of the new regions, you will need to update AWS Tools for Windows PowerShell at that time.
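The beacon-side prerequisites above can be checked in one pass before you configure a connection. The following PowerShell is an added example, not part of the FlexNet Manager Suite documentation or tooling: the function names are hypothetical, it assumes the AWS tools are registered as the AWSPowerShell module, and the thresholds are the ones listed above.

```powershell
# Added example: checks the inventory beacon prerequisites listed on this page.
# Function names are hypothetical; thresholds are taken from the page.
function New-CheckResult($Check, $Found, $Pass) {
    # New-Object keeps this usable on old hosts that fail the first check.
    New-Object PSObject -Property @{ Check = $Check; Found = "$Found"; Pass = [bool]$Pass } |
        Select-Object Check, Found, Pass
}

function Test-BeaconAwsPrerequisites {
    # Windows Server 2008 R2 SP1 / Windows 7 SP1 both report NT 6.1 build 7601.
    $os = [Environment]::OSVersion.Version
    New-CheckResult 'Windows 6.1.7601 (2008 R2 SP1 / 7 SP1) or later' $os ($os -ge [version]'6.1.7601')

    $ps = $PSVersionTable.PSVersion
    New-CheckResult 'PowerShell 3.0 or later' $ps ($ps -ge [version]'3.0')

    # The page requires RemoteSigned specifically, so other policies are flagged.
    $policy = Get-ExecutionPolicy
    New-CheckResult 'Execution policy is RemoteSigned' $policy ($policy -eq 'RemoteSigned')

    # FlexNet Beacon must be run from an account with administrator privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-CheckResult 'Running as administrator' $identity.Name $isAdmin

    # Assumption: the tools are installed as the AWSPowerShell module.
    $minAws = [version]'3.3.283.0'
    $module = Get-Module -ListAvailable -Name AWSPowerShell |
        Sort-Object Version -Descending | Select-Object -First 1
    $found = 'not installed'
    if ($module) { $found = $module.Version.ToString() }
    New-CheckResult "AWS Tools for Windows PowerShell $minAws or later" $found `
        ($module -and ($module.Version -ge $minAws))
}

# Run from an elevated PowerShell prompt on the inventory beacon.
$results = @(Test-BeaconAwsPrerequisites)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed."
}
```

The script does not check the FlexNet Beacon release or the web browser requirement; confirm those separately.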
On the AWS side, you must first create: