Prepare for audits using AWS License Manager’s built-in integration with AWS CloudTrail
License administrators can use AWS License Manager’s built-in integration with AWS CloudTrail to prepare for a software license vendor audit. Organizations typically entrust license administrators (belonging to Central IT or procurement departments) to manage licensing compliance across all their environments. With License Manager, administrators can create custom licensing rules to help manage license usage centrally. License Manager gives organizations visibility and control over how software licenses are used, and helps prevent misuse before it happens.
Custom-built internal audit tooling typically reveals violations only after the fact, when it is too late to avoid penalties for non-compliance. License Manager's built-in capabilities help you prevent expensive incidents from occurring in the first place. License Manager simplifies reporting with built-in dashboards that show license consumption and track the resources that consume licenses. With this improved visibility, you can also control overages and minimize the risk of penalties from licensing audits.
In this blog post, I show you how to prepare for software license audits with the help of License Manager and its integration with CloudTrail.
You’ll need these prerequisites to implement the solution discussed in this post:
- Create a CloudTrail trail if you want to retain event records beyond the 90 days that the CloudTrail Event history view keeps by default. Refer to the documentation on Creating a Trail to get started.
- If you have existing Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises servers that are already consuming software licenses before you set up the license configuration that tracks them, make sure that these instances are managed by AWS Systems Manager. Check the Setting up AWS Systems Manager documentation to get started. License Manager uses Systems Manager Inventory to discover such instances, and they then appear in the License Manager console. You associate the license configuration with the discovered instances so that License Manager can track their license usage. To learn how to set up automated discovery of resources, read Automated discovery of resource inventory in the documentation.
- A software license procured from a vendor, together with the counting model the agreement uses (vCPUs, cores, sockets, or instances).
License Manager's integration with CloudTrail helps you prepare for an audit of software license usage. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail logs ListUsageForLicenseConfiguration as one of the License Manager actions. The full list of License Manager actions that CloudTrail logs is documented in the License Manager API reference. In this post, we use the ListUsageForLicenseConfiguration action through the AWS Management Console and the AWS Command Line Interface (AWS CLI) to audit license consumption by resource at a selected point in time.
Note: AWS does not participate in the audit process with software vendors. Customers are responsible for compliance and assume the responsibility of carefully understanding and capturing rules into License Manager based on their licensing agreements.
Let's discuss the setup for this tutorial. I have a software license baked into my Amazon Machine Image (AMI). I created a license configuration in License Manager and associated it with the AMI. From the license configuration console, I can then see how many licenses have been consumed when instances are launched from the AMI. The license configuration specifies how your licenses should be counted (for example, by vCPUs or by number of instances). My license configuration specifies vCPUs as the counting model for license usage. See Create a license configuration and Manually associating license configurations with AMI in the documentation to learn how to create the license configuration and associate it with the AMI.
Below is the screenshot of my license configuration from the console:
Note that License Manager tracks license usage only when the license configuration is associated with the AMI or with instances that are auto-discovered through Systems Manager Inventory. Prerequisite 2 above will help you set up the latter approach.
Now that you know my setup, I will show you how to prepare for a vendor audit of software license usage at a specific point in time using License Manager’s built-in integration with CloudTrail.
- Open the CloudTrail console.
- Click on Event history in the left navigation pane.
- Filter Event history by the event name GetLicenseConfiguration for the time range you care about. Click on View event for one or more of the matching entries, locate the license configuration you're interested in (by its licenseConfigurationArn), and select the latest event. Check the GetLicenseConfiguration API documentation to learn more about the API call.
Comparing the consumedLicenses and licenseCount values in the selected event shows whether the total number of resources actively consuming the software license exceeds the number of available licenses at that moment. Each GetLicenseConfiguration event is a separate snapshot, so compare the values within one event rather than adding consumedLicenses across events.
If you want to list all license usage records for the selected license configuration, filter by the ListUsageForLicenseConfiguration event for the specific license configuration in CloudTrail. Check the ListUsageForLicenseConfiguration API documentation to learn more about the API call. Note that ListUsageForLicenseConfiguration is a paginated operation, so one listing can appear as several events, one per page, each carrying part of the usage list.
Using AWS CLI
You can also implement the preceding logic through AWS CLI. Here are the steps to get license consumption details using AWS CLI:
(a) Search for the GetLicenseConfiguration events in CloudTrail for the time range of interest. Locate the license configuration of interest among the returned events, select the latest of them, and store the output in a file. The lookup-events AWS CLI command looks up CloudTrail management events for the specified attributes; the query extracts each event's CloudTrailEvent JSON string, and jq parses each string and keeps only the events for the license configuration of interest. Alternatively, you can use ListLicenseConfigurations, which is a paginated operation.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetLicenseConfiguration --start-time 2020-06-17T23:15:00Z --end-time 2020-06-17T23:30:00Z --query 'Events[*].CloudTrailEvent' --output json | jq '.[] | fromjson | select(.requestParameters.licenseConfigurationArn == "arn:aws:license-manager:us-east-1:90*******930:license-configuration:lic-b8b9621d7683cc59925c0f4aaf80d37d")'
(b) In the stored output, take the latest event for the license configuration and compare its consumedLicenses value with its licenseCount value. If consumedLicenses exceeds licenseCount, more resources were actively consuming the software license than there were licenses available at that time. Do not add consumedLicenses across several GetLicenseConfiguration events; each one is an independent snapshot. The managedResourceSummaryList array provides a summary of the managed resources at the time of the call.
Note: While you can get detailed information about a specific license configuration using the GetLicenseConfiguration event, you can use the ListUsageForLicenseConfiguration event to list all license usage records for that license configuration. The latter event displays license consumption details by resource at a selected point in time. This helps you to audit current license consumption for any license inventory and configuration.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListUsageForLicenseConfiguration --start-time 2020-06-17T23:15:00Z --end-time 2020-06-17T23:30:00Z --query 'Events[*].CloudTrailEvent' --output json | jq '.[] | fromjson | select(.requestParameters.licenseConfigurationArn == "arn:aws:license-manager:us-east-1:90*******930:license-configuration:lic-b8b9621d7683cc59925c0f4aaf80d37d")'
(c) Sum the consumedLicenses values of the entries in licenseConfigurationUsageList, taking every page of the same listing into account and counting each resource only once if it appears in more than one event, and compare the total with the licenseCount from step (a) to see whether the license limit was breached.
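The reconciliation performed by the console and AWS CLI steps above, as an added example that is not part of the original post: a Python script that takes the CloudTrailEvent records that lookup-events prints, picks the newest GetLicenseConfiguration snapshot for one license configuration, merges the paginated ListUsageForLicenseConfiguration pages by resourceArn so that a repeated or partially paginated call does not double count, and flags a breach. The ARNs, instance IDs, timestamps and counts are constructed; the responseElements field names follow the post and the License Manager API reference (licenseCount, consumedLicenses, licenseCountHardLimit, licenseConfigurationUsageList). A real run would feed audit() the output of the lookup-events command shown above instead of SAMPLE_EVENTS.

```python
"""Added example: offline reconciliation of License Manager usage from
CloudTrail event records (constructed sample data, not from the post)."""
import json
from datetime import datetime

GET_EVENT = "GetLicenseConfiguration"
LIST_EVENT = "ListUsageForLicenseConfiguration"

# Hypothetical license configuration ARNs used throughout the sample.
LICENSE_ARN = ("arn:aws:license-manager:us-east-1:123456789012:"
               "license-configuration:lic-0123456789abcdef0123456789abcdef")
OTHER_ARN = LICENSE_ARN.replace("lic-0123", "lic-ffff")


def _event(name, when, arn, response, request=None):
    """Build one CloudTrailEvent JSON string in the shape lookup-events prints."""
    req = {"licenseConfigurationArn": arn}
    req.update(request or {})
    return json.dumps({"eventVersion": "1.05", "eventTime": when,
                       "eventSource": "license-manager.amazonaws.com",
                       "eventName": name, "requestParameters": req,
                       "responseElements": response})


def _usage(instance_id, vcpus):
    """One licenseConfigurationUsageList entry (vCPU counting model)."""
    return {"resourceArn": f"arn:aws:ec2:us-east-1:123456789012:instance/{instance_id}",
            "resourceType": "EC2_INSTANCE", "consumedLicenses": vcpus}


# Constructed 15-minute window: two instances launch, pushing usage over the limit.
SAMPLE_EVENTS = [
    _event(GET_EVENT, "2020-06-17T23:16:02Z", LICENSE_ARN,
           {"licenseCountingType": "vCPU", "licenseCount": 48,
            "consumedLicenses": 40, "licenseCountHardLimit": False}),
    _event(GET_EVENT, "2020-06-17T23:22:40Z", LICENSE_ARN,
           {"licenseCountingType": "vCPU", "licenseCount": 48,
            "consumedLicenses": 52, "licenseCountHardLimit": False}),
    # A different license configuration that the filter must ignore.
    _event(GET_EVENT, "2020-06-17T23:25:00Z", OTHER_ARN,
           {"licenseCountingType": "Instance", "licenseCount": 10,
            "consumedLicenses": 3, "licenseCountHardLimit": True}),
    # ListUsage is paginated: page 1 returns a nextToken, page 2 consumes it.
    _event(LIST_EVENT, "2020-06-17T23:23:10Z", LICENSE_ARN,
           {"licenseConfigurationUsageList": [_usage("i-0aaa", 16), _usage("i-0bbb", 16)],
            "nextToken": "page2"}),
    _event(LIST_EVENT, "2020-06-17T23:23:11Z", LICENSE_ARN,
           {"licenseConfigurationUsageList": [_usage("i-0ccc", 8), _usage("i-0ddd", 8),
                                              _usage("i-0eee", 4)]},
           request={"nextToken": "page2"}),
    # A later console refresh logs page 1 again. Naively summing every
    # consumedLicenses key in the window would count i-0aaa and i-0bbb twice.
    _event(LIST_EVENT, "2020-06-17T23:26:30Z", LICENSE_ARN,
           {"licenseConfigurationUsageList": [_usage("i-0aaa", 16), _usage("i-0bbb", 16)],
            "nextToken": "page2-again"}),
]


def parse_events(raw_events):
    """Accept the JSON strings that lookup-events prints, or already-parsed dicts."""
    return [json.loads(e) if isinstance(e, str) else e for e in raw_events]


def _when(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _for_arn(events, name, arn):
    return [e for e in events if e.get("eventName") == name
            and (e.get("requestParameters") or {}).get("licenseConfigurationArn") == arn]


def latest_limit(events, arn):
    """(licenseCount, consumedLicenses, hardLimit) from the newest Get snapshot."""
    gets = _for_arn(events, GET_EVENT, arn)
    if not gets:
        raise LookupError(f"no {GET_EVENT} event for {arn}")
    resp = max(gets, key=_when)["responseElements"]
    return resp["licenseCount"], resp["consumedLicenses"], bool(resp.get("licenseCountHardLimit"))


def naive_total(events, arn):
    """What 'sum every consumedLicenses key' gives: over-counts repeated resources."""
    return sum(row["consumedLicenses"] for e in _for_arn(events, LIST_EVENT, arn)
               for row in e["responseElements"].get("licenseConfigurationUsageList", []))


def usage_by_resource(events, arn):
    """Latest consumedLicenses per resourceArn across all ListUsage pages and calls,
    so paginated pages are merged and a repeated listing is not counted twice."""
    latest = {}
    for e in sorted(_for_arn(events, LIST_EVENT, arn), key=_when):
        for row in e["responseElements"].get("licenseConfigurationUsageList", []):
            latest[row["resourceArn"]] = row["consumedLicenses"]
    return latest


def audit(raw_events, arn):
    """Reconcile the Get snapshot against the per-resource usage and flag a breach."""
    events = parse_events(raw_events)
    license_count, consumed, hard_limit = latest_limit(events, arn)
    per_resource = usage_by_resource(events, arn)
    return {"licenseCount": license_count, "consumedLicenses": consumed,
            "consumedByResources": sum(per_resource.values()),
            "resources": per_resource, "breached": consumed > license_count,
            "enforced": hard_limit}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EVENTS, LICENSE_ARN), indent=2))
```

On the sample, the newest snapshot reports 52 of 48 vCPUs consumed and the de-duplicated per-resource usage also totals 52, so the two views agree and the limit is breached; the naive sum over every event in the window would report 84. The enforced flag mirrors licenseCountHardLimit, which is what the Enforce license limit check box sets, so an auditor can see at a glance whether License Manager would have blocked the extra launches.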
Now that you have learned how to see the license configuration and its usage, let's take an example where you have a vendor audit of software license usage for a 15-minute window. You can use License Manager's built-in integration with CloudTrail to handle the licensing audit. In the preceding AWS CLI example, as per the licensing agreement, we have a license configuration with vCPU as the counting type to track the usage of the license baked into my AMI. See the license configuration parameters and rules documentation to learn about all available parameters and rules you can use in a license configuration. However, by applying the logic outlined in step (b), I can see that I have clearly exceeded the agreement by allowing 52 vCPUs to consume the license. Such situations can be avoided by selecting the Enforce license limit check box in the license configuration. This setting blocks further usage once the available licenses are exhausted: for example, an instance launch that requires this license will be blocked to prevent overuse.
You can delete the license configuration using the Delete option from the Actions drop down in the console.
Note that you must disassociate all resources and AMI associations from the license configuration before deleting it. There is no additional charge for License Manager. You pay for the AWS resources managed by License Manager based on their AWS pricing.
In this blog post, I showed you how to use License Manager’s built-in integration with CloudTrail, via the console and using AWS CLI, to prepare for vendor audits. I encourage you to use what you have learned here and consider using License Manager in your own organization. You might begin by using license configuration in a small part of the organization to demonstrate a proof of concept to your peers.
License Manager AWS CLI reference: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/license-manager/index.html#cli-aws-license-manager
License Manager FAQs: https://aws.amazon.com/license-manager/faqs/
About the author
Shree Chinnasamy is a technical account manager at AWS. He focuses on driving operational excellence for his customers on AWS cloud. He is an avid reader and a 2019 Chicago Marathon finisher.