Microsoft Workloads on AWS
License enforcement and tracking for multiple accounts with AWS Organizations based on AMI
Have you been tasked with tracking the licenses for all Amazon Elastic Compute Cloud (Amazon EC2) instances created from a custom Amazon Machine Image (AMI), such as one for Microsoft Windows Server or SQL Server, in your organization? If you need to track and enforce license usage per account from a centralized location, then this solution is for you!
Introduction
There are many reasons why your organization might need to limit the number of Amazon EC2 instances created from a specific AMI. Perhaps you are working on a cost optimization and compliance initiative, considering Bring Your Own License (BYOL) scenarios for applications such as Windows Server and SQL Server, or gathering a multi-region, multi-account inventory of running instances.
In this blog post, we will guide you through using a no-cost service, AWS License Manager, to set up self-managed licenses that automatically track and enforce usage based on your AMIs. Managing licenses for software running on Amazon EC2 instances is critical for compliance and auditing purposes.
The solution we present in this post provides benefits such as:
- Centralized Visibility: Gain a comprehensive view of license usage across all your accounts for your custom AMIs.
- Enforced Compliance: Set license limits and prevent instances from launching if they exceed these limits.
- Licensing Agreement Compliance: Ensure adherence to your licensing agreements.
- Team-Specific Control: Allocate specific license quotas to individual teams using separate self-managed licenses.
- Simplified Management: Manage licenses from a single location, eliminating the need for manual tracking across accounts.
Solution overview
This solution uses AWS Organizations, AWS License Manager, and AWS Resource Access Manager (AWS RAM) to provide a framework for managing licenses across multiple accounts. License Manager tracks licenses based on an associated AMI, monitors their usage, and enforces license limits across accounts, with the flexibility to set a different limit for each account.
You can associate AMIs to a self-managed license in one of two ways:
- Associate across accounts: Tracks the usage of the AMI across all AWS accounts within the organization.
- Associate with only this account: Tracks the usage of the AMI exclusively within the same account.
To demonstrate the functionality of our solution, we will use three AWS accounts. They are:
- Account A: The License Manager delegated account, responsible for managing licenses across all accounts.
- Account B: Designated for Team 1’s workloads.
- Account C: Designated for Team 2’s workloads.
Within Account A, we create three self-managed licenses:
- Lic-Main: This represents the maximum number of licenses that can be used across all accounts in your organization.
- Lic-Team1: This is a self-managed license specifically for Account B, reflecting the allowed limit for Team 1.
- Lic-Team2: This is a self-managed license specifically for Account C, reflecting the allowed limit for Team 2.
![](https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2024/12/26/AMI-License-Trackingv3.drawio.png)
Figure 1: The outcomes of the setup
As shown in figure 1, the target AMI will be associated with multiple self-managed licenses with a set limit in the License Manager configuration created in Account A.
For the main account (Account A), there is one license configuration (Lic-Main) to track and limit the total number of used licenses across all accounts within the organization. Additionally, there is one self-managed license per account (Account B, Account C, …) to track and limit usage for that account. A child account can never use more than what has been allocated to it, while the total number used by that AMI will never exceed what has been allocated for the entire organization.
For each account, two self-managed licenses are shared through AWS RAM. One self-managed license tracks the overall usage (Lic-Main). The other self-managed license (Lic-Team1 for Account B or Lic-Team2 for Account C) tracks the usage in the account it is shared to, helping you comply with the team’s assigned limit. To launch an instance with that AMI, both self-managed licenses are needed. If you run out of either of the two licenses shared with that account, the instance launch fails, and the team cannot launch an instance from that AMI.
In this example, using resource shares with AWS RAM, only Lic-Main and Lic-Team1 are shared with Account B, and Lic-Main and Lic-Team2 are shared with Account C. If a team has multiple accounts, then each can be associated with the self-managed license’s resource share, so the combined usage of all the accounts is tracked. The team must accept the resource share just once in order to launch an instance from the shared AMI.
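The two-license rule described above is enforced by License Manager at launch time; the following is an added model of that rule (illustrative code, not part of the original post or of any AWS SDK) so the interaction between Lic-Main and a per-team license can be reasoned about offline. The limits, the vCPU catalogue and the launch sequence are constructed for the example.

```python
"""Model of the two-license hard-limit check for an AMI tracked by License Manager.

Added illustration (not code from the post). License Manager does this counting
itself at RunInstances time; the model only makes the arithmetic visible.
"""
from dataclasses import dataclass


@dataclass
class SelfManagedLicense:
    """A self-managed license with 'Enforce license limit' on (a hard limit)."""
    name: str
    limit_vcpu: int          # LicenseCount, counted per vCPU
    used_vcpu: int = 0

    def remaining(self) -> int:
        return self.limit_vcpu - self.used_vcpu


@dataclass
class Account:
    """A workload account; `shared` holds the licenses shared to it via AWS RAM
    (Lic-Main plus the team's own license)."""
    name: str
    shared: list


# Constructed vCPU catalogue covering only the instance types used below.
VCPUS = {"m5.large": 2, "m5.xlarge": 4}


def run_instances(account: Account, instance_type: str) -> tuple[bool, str]:
    """Simulate RunInstances for the tracked AMI in `account`.

    Every license shared to the account is checked before any consumption is
    recorded, mirroring the hard-limit rule: the launch fails if either shared
    license would be exceeded, and a failed launch consumes nothing.
    """
    needed = VCPUS[instance_type]
    for lic in account.shared:
        if lic.remaining() < needed:
            return False, f"denied: {lic.name} has {lic.remaining()} vCPU left, {needed} needed"
    for lic in account.shared:
        lic.used_vcpu += needed
    return True, "launched"


def demo() -> list:
    """Constructed scenario: Lic-Main 12 vCPU, Lic-Team1 8 vCPU, Lic-Team2 8 vCPU."""
    lic_main = SelfManagedLicense("Lic-Main", limit_vcpu=12)
    lic_team1 = SelfManagedLicense("Lic-Team1", limit_vcpu=8)
    lic_team2 = SelfManagedLicense("Lic-Team2", limit_vcpu=8)
    account_b = Account("Account B", [lic_main, lic_team1])
    account_c = Account("Account C", [lic_main, lic_team2])

    results = []
    for acct, itype in [
        (account_b, "m5.xlarge"),  # Team 1 at 4 of 8; Lic-Main at 4 of 12
        (account_b, "m5.xlarge"),  # Team 1 at 8 of 8; Lic-Main at 8 of 12
        (account_b, "m5.large"),   # denied: Lic-Team1 exhausted
        (account_c, "m5.xlarge"),  # Team 2 at 4 of 8; Lic-Main at 12 of 12
        (account_c, "m5.large"),   # denied: Lic-Main exhausted although Lic-Team2 has 4 left
    ]:
        ok, why = run_instances(acct, itype)
        results.append((acct.name, itype, ok, why))
    return results


if __name__ == "__main__":
    for name, itype, ok, why in demo():
        print(f"{name:10} {itype:10} {'OK ' if ok else 'FAIL'} {why}")
```

The last launch in the scenario is the case worth planning for: the team limits sum to 16 vCPU while Lic-Main allows 12, so one team can exhaust Lic-Main and block the other team even though that team still has quota in its own license. Sizing the team licenses so that they sum to no more than Lic-Main keeps the per-team limit the only limit a team ever hits.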
Prerequisites
To use this solution in your own environment, the following need to be in place:
- License Manager needs to be onboarded for each account.
- From the organization management account, you need to link AWS Organizations accounts, register a delegated License Manager administrator, and enable trusted access with AWS RAM.
Walkthrough
Create your self-managed license
- In the delegated admin account, go to the License Manager console, choose Self-managed licenses, then choose Create self-managed license, as shown in Figure 2.
Figure 2: The AWS License Manager console, showing the Self-managed licenses section.
- In the Configuration Details section (Figure 3), provide the name and the license type (for example, if your license is per vCPU, select vCPU). Select Enforce license limit; with this set, no further resource can consume the license once the count for that license type is reached.
Figure 3: The AWS License Manager console, showing the creation of a self-managed license.
- Choose Submit.
- After creating, select the license you just created. Select Associated AMIs then Associate AMI. Select the AMI that you would like to track, then choose Associate. A pop-up will allow you to choose the type of association, as shown in Figure 4.
- For Lic-Main, select Associate across accounts.
Figure 4: The AWS License Manager console, showing the association of an AMI with a self-managed license.
- For Lic-Team1 and Lic-Team2, select Associate with only this account.
Figure 5: The AWS License Manager console, showing the association of an AMI with a self-managed license.
- After this setup, you will have licenses as shown in Figure 6.
Figure 6: The AWS License Manager console, showing the Self-managed licenses section.
Share license using AWS RAM
Next, share Lic-Main with all target accounts by creating a new resource share (Figure 7) in AWS RAM. Share Lic-Team1 and Lic-Team2 with their designated accounts only.
- Navigate to the AWS RAM console, and choose Create a resource share.
Figure 7: The AWS Resource Access Manager console, showing the option to create a resource share.
- On the Specify resource share details page, enter a name for the share and select Lic-Main and Lic-Team1 (Figure 8), then choose Next.
Figure 8: The AWS Resource Access Manager console, showing licenses to be shared when creating a resource share.
- On the Associate managed permissions page, keep the default values and choose Next.
- On the Grant access to principals page, select Allow sharing only within your organization, then Organization as the principal type. Provide the AWS Organization ID and choose Add (Figure 9). Choose Next.
Figure 9: The AWS Resource Access Manager console, showing the Grant access to principals page when creating a resource share.
- Review the settings, and choose Create resource share.
Repeat steps 1-5 for Team 2, using Lic-Main and Lic-Team2 as the resources to share, as shown in Figure 10 for step 2.
Figure 10: The AWS Resource Access Manager console, showing licenses to be shared when creating a resource share.
- After this setup, you will have resource shares as shown in Figure 11.
Figure 11: The AWS Resource Access Manager console, showing the Resource shares section under Shared by me.
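The console steps above can also be scripted from the delegated administrator account. The block below is an added example written for this post, not code from the post or from AWS: build_plan() lays out the License Manager and AWS RAM API calls for the three licenses, the AMI associations and the two resource shares, and execute() replays them with boto3. The region, AMI ID, account IDs and limits used in the comments and test are placeholders; the resource shares target the designated account IDs, which is one valid choice for the principals alongside the Organization principal used in the console walkthrough.

```python
"""Scripted equivalent of the License Manager + AWS RAM walkthrough.

Added example, not from the post. build_plan() is pure data and runs offline;
execute() needs boto3 and credentials for the delegated License Manager admin.
"""
from __future__ import annotations


def ami_arn(region: str, ami_id: str) -> str:
    # AMI ARNs carry no account ID: arn:aws:ec2:<region>::image/<ami-id>
    return f"arn:aws:ec2:{region}::image/{ami_id}"


def build_plan(region: str, ami_id: str, main_limit: int,
               team_limits: dict[str, int], team_principals: dict[str, list[str]],
               counting_type: str = "vCPU") -> list[dict]:
    """Return the ordered API calls as {'service', 'operation', 'params'} dicts.

    License configuration ARNs are unknown until creation, so later steps carry
    '{arn:<license name>}' placeholders that execute() fills in.
    """
    names = ["Lic-Main"] + list(team_limits)
    limits = {"Lic-Main": main_limit, **team_limits}
    plan: list[dict] = []

    # Step 1: one self-managed license per name, with "Enforce license limit".
    for name in names:
        plan.append({"service": "license-manager",
                     "operation": "create_license_configuration",
                     "params": {"Name": name,
                                "LicenseCountingType": counting_type,
                                "LicenseCount": limits[name],
                                "LicenseCountHardLimit": True}})

    # Step 2: associate the AMI. Lic-Main across accounts, team licenses in this account only.
    for name in names:
        spec = {"LicenseConfigurationArn": f"{{arn:{name}}}"}
        if name == "Lic-Main":
            spec["AmiAssociationScope"] = "cross-account"
        plan.append({"service": "license-manager",
                     "operation": "update_license_specifications_for_resource",
                     "params": {"ResourceArn": ami_arn(region, ami_id),
                                "AddLicenseSpecifications": [spec]}})

    # Step 3: one RAM share per team holding Lic-Main plus that team's license,
    # restricted to principals inside the organization.
    for name in team_limits:
        plan.append({"service": "ram",
                     "operation": "create_resource_share",
                     "params": {"name": f"share-{name}",
                                "resourceArns": ["{arn:Lic-Main}", f"{{arn:{name}}}"],
                                "principals": team_principals[name],
                                "allowExternalPrincipals": False}})
    return plan


def execute(plan: list[dict], session=None) -> dict[str, str]:
    """Replay the plan with boto3 and return the created license configuration ARNs."""
    import boto3  # imported here so build_plan() stays usable without boto3
    session = session or boto3.Session()
    clients: dict = {}
    arns: dict[str, str] = {}

    def fill(value):
        if isinstance(value, str) and value.startswith("{arn:"):
            return arns[value[5:-1]]
        if isinstance(value, list):
            return [fill(v) for v in value]
        if isinstance(value, dict):
            return {k: fill(v) for k, v in value.items()}
        return value

    for step in plan:
        client = clients.setdefault(step["service"], session.client(step["service"]))
        response = getattr(client, step["operation"])(**fill(step["params"]))
        if step["operation"] == "create_license_configuration":
            arns[step["params"]["Name"]] = response["LicenseConfigurationArn"]
    return arns


if __name__ == "__main__":
    # Placeholder values; replace with your region, AMI and the Team 1 / Team 2 account IDs.
    steps = build_plan("us-east-1", "ami-0123456789abcdef0", main_limit=12,
                       team_limits={"Lic-Team1": 8, "Lic-Team2": 8},
                       team_principals={"Lic-Team1": ["111122223333"],
                                        "Lic-Team2": ["444455556666"]})
    for s in steps:
        print(s["service"], s["operation"], s["params"])
    # execute(steps)  # uncomment to apply from the delegated administrator account
```

Keeping the plan as data makes the account-to-license mapping reviewable before anything is created: each team's share must contain exactly Lic-Main and that team's license, and only Lic-Main may carry the cross-account association scope.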
The licenses you shared are visible to accounts in their respective AWS License Manager consoles. The accounts only have read access to self-managed licenses shared with them. Because of the scope, Lic-Team1 only tracks the usage of Team 1, and Lic-Team2 only tracks the usage of Team 2. Therefore, teams can launch instances from the specified AMI just like any other instance.
Each instance will be associated with two self-managed licenses. For instance, EC2 instances launched in Account B will be associated with Lic-Main and Lic-Team1. If a RunInstances (EC2 instance launch) request would exceed either of the two license limits, the launch fails.
Cleanup
To clean up resources related to License Manager and AWS RAM, please note the following:
- Cost: There is no additional charge for using License Manager or AWS RAM. You pay only for the AWS resources managed by License Manager, based on the AWS pricing of those resources.
- Resource Sharing: If you have created a resource share in AWS RAM for a self-managed license, you can delete the resource share when it is no longer needed.
- Self-Managed Licenses: For self-managed licenses, you have the option to deactivate or delete them as per your requirements.
By following these steps, you can effectively clean up and manage the resources created in this solution that are associated with License Manager and AWS RAM.
Conclusion
This blog post provides a centralized approach to track and enforce license usage for instances launched from custom AMIs across multiple accounts. By using AWS License Manager, AWS Organizations, and AWS Resource Access Manager (RAM), we’ve introduced an automated method to manage license tracking based on AMIs.
Our solution offers several key benefits, including centralized visibility of license usage across all accounts, compliance through automatically enforced license limits, and the ability to allocate and monitor license quotas specifically for different teams. Additionally, it simplifies management by allowing you to oversee licenses from a single location, eliminating the need for manual tracking across accounts. If you are trying to track licenses based on tagging, review Automatically create self-managed licenses in multiple accounts using tags.
AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads. Contact us to start your migration and modernization journey today.