Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager
Many of our customers who run Oracle databases need help with managing their Oracle licenses on AWS and ensuring that they have not fallen out of compliance with Oracle’s licensing rules. They must be prepared to provide relevant evidence in an auditor-friendly format during an Oracle license audit.
Gathering evidence in a timely manner to support an Oracle audit event can be a significant challenge due to manual, error-prone, and sometimes distributed processes of managing and tracking license consumption. Organizations typically entrust license administrators (who are in IT or procurement departments) with the responsibility to manage licensing compliance across all their environments. Using AWS License Manager, administrators can create custom licensing rules to help track Oracle license consumption and provide organizations with visibility and control over their Oracle license usage.
AWS Audit Manager is a fully managed service that provides prebuilt frameworks for common industry standards and regulations. AWS Audit Manager automates the nearly continuous collection of evidence to help you prepare for an audit. This nearly continuous and automated gathering of evidence related to your AWS resource usage also helps simplify risk assessment and compliance with regulations and industry standards.
You can run Amazon RDS for Oracle under two different licensing options: License Included and Bring-Your-Own-License (BYOL). In the License Included option, you don’t need separately purchased Oracle licenses because the Oracle database software has been licensed by AWS. If you already own Oracle database licenses, you can use the BYOL option to run Oracle databases on Amazon RDS. The BYOL licensing option is designed for customers who prefer to use existing Oracle database licenses or purchase new licenses directly from Oracle.
In this blog post, we provide an integration that combines AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager. We demonstrate how this integration streamlines the gathering of evidence related to your Oracle license usage (with the BYOL licensing option) and helps you prepare for Oracle license audits.
We show you how to configure the setup for integrating AWS Audit Manager with AWS License Manager in two steps:
- Set up AWS Audit Manager: You will configure a custom control in AWS Audit Manager that tracks Oracle license consumption using the GetLicenseConfiguration API in AWS License Manager. The custom control is associated with an AWS Audit Manager framework, which is used to gather evidence as part of an AWS Audit Manager assessment.
- Set up AWS License Manager: You will configure AWS License Manager to track Oracle licenses used by database engine editions, options, and management packs used in Amazon RDS for Oracle.
Finally, we show you how to test our scenario by deploying Amazon RDS for Oracle with the BYOL licensing option. You’ll initially deploy the Oracle Database Enterprise Edition and then augment your deployment by adding a read replica to the Oracle database running on Amazon RDS. The read replica is configured in read-only mode so it requires an Active Data Guard license from Oracle. In this mode, Oracle Active Data Guard transmits and applies changes from the source database to all read replica databases. In both cases, we show the evidence gathered to prepare for an Oracle audit using an AWS Audit Manager assessment.
To complete the steps in this blog post, you need the following:
- An AWS account
- Oracle licenses to record
- An IAM user/role that drives audit preparation and has full permissions over AWS Audit Manager resources
Step 1: Set up AWS Audit Manager
If this is your first time using AWS Audit Manager, see the AWS Audit Manager documentation to set it up.
Create Custom Control
1. Open the AWS Audit Manager console and from the left navigation pane, choose Control library, and then choose Create custom control.
2. In Control name, enter a name (for example, License Configuration) and an optional description and then choose Next.
3. In Configure data sources for this control, choose Automated evidence.
4. Under Select an evidence type by mapping to a data source, choose User activity logs from AWS CloudTrail.
5. In Specify an AWS CloudTrail Keyword, choose license-manager_GetLicenseConfiguration.
6. On the Review and create page, choose Create custom control.
Figure 4 shows the License Configuration control displayed in the Control library:
Create Custom Framework
Custom frameworks allow you to organize controls into control sets in a way that suits your unique requirements. Follow these steps to create a custom framework using the custom control you created in the previous section.
1. In the left navigation pane, choose Framework library, and then choose Create custom framework.
2. In Specify framework details, enter a name for the framework (for example, Record License Configuration). Enter an optional compliance type and description, and then choose Next.
3. On Specify the controls in the control set, in Control set name, enter a name for the control set (for example, License Control).
4. Under Select control type, choose Custom controls, and then choose Add to control set. The custom control you created earlier should be displayed under Selected controls.
5. On the Review and create page, choose Create custom framework.
Figure 8 shows the custom framework, which consists of the custom license control that tracks Oracle licenses.
Now create an assessment using the custom framework to start collecting evidence for your license consumption.
Create AWS Audit Manager Assessment
1. From the left navigation pane, choose Assessments, and then choose Create assessment.
2. In Specify assessment details, under Assessment details, enter a name for the assessment (for example, Record License Configuration) and an optional description. Under Assessment reports destination, select an existing Amazon S3 bucket or create a new one to store assessment reports. Under Frameworks, choose the Record License Configuration framework, and then choose Next.
3. If your account is in an organization created in AWS Organizations, choose the accounts you want to track.
4. Under AWS services, select AWS CloudTrail and then choose Next.
5. In Specify audit owners, select users from the list.
6. On the Review and create page, choose Create assessment.
The assessment is an implementation of the AWS Audit Manager framework. It collects the evidence related to Oracle license consumption, converts it into an auditor-friendly format, and attaches the evidence to the custom license control in the framework.
You’ve now completed the AWS Audit Manager setup. Your assessment will start collecting evidence for your Oracle license consumption.
Step 2: Set up AWS License Manager
AWS License Manager performs automatic discovery of Oracle licenses, options, and packs used in Amazon RDS. Now you will create license configurations in AWS License Manager to automatically track licenses for Amazon RDS for Oracle Enterprise Edition. Optionally, you can create another configuration to track licenses for Oracle Active Data Guard.
1. In the AWS License Manager console, choose Customer managed licenses, and then choose Create license configuration.
2. Because you want AWS License Manager to track Oracle database licenses, under Product information, for Product name, choose Oracle database.
3. For Product type, choose Enterprise Edition.
4. For Resource type, choose Amazon RDS.
Now use the AWS License Manager console to create another customer managed license.
1. From the left navigation pane, choose Customer managed licenses, and then choose Create customer managed licenses.
2. Because you want AWS License Manager to track Oracle database option pack licenses, for Product name, choose Oracle database.
3. For Product type, choose Active Data Guard.
4. For Resource type, choose Amazon RDS, and then choose Submit.
On the Customer managed licenses page, the license configuration for Oracle Active Data Guard licenses should be displayed:
You are now ready to test your setup. Follow these steps to create an Amazon RDS for Oracle database. The database in this example has four vCPUs.
Review the Overview of Oracle replicas, and then create a read replica for the Amazon RDS for Oracle database with the Active Data Guard option. The read replica consumes an additional four vCPUs.
To create a read replica in read-only mode for the Amazon RDS for Oracle database, you must use the Oracle Active Data Guard option.
Open the AWS License Manager console, and from the left navigation pane, choose Dashboard. You can see that you are now tracking Oracle Active Data Guard licenses.
Every time you refresh the customer managed license configuration that you created in AWS License Manager, AWS Audit Manager performs a GetLicenseConfiguration API call. This activity is recorded in AWS CloudTrail, as shown in Figure 20. It might take 5 to 15 minutes before this API call is reflected in AWS CloudTrail. For your production environment, we recommend that you create a mechanism to perform this refresh automatically at your desired interval, and that you test it thoroughly, because evidence is only collected when the API call actually happens.
AWS Audit Manager evidence recording
For AWS Audit Manager to record the evidence for your licenses, go to your customer managed license configuration and refresh it.
The GetLicenseConfiguration API calls are being collected as evidence in AWS Audit Manager through the assessment you created earlier.
1. In the AWS Audit Manager console, from the left navigation pane, choose Assessments. Choose the Record License Configuration assessment.
2. In Control sets, choose the License Configuration custom control you created earlier.
3. On the Evidence tab, you should see the evidence collection. Choose an Evidence Folder.
4. In the Evidence list, you should see that AWS Audit Manager has collected the GetLicenseConfiguration API calls that were displayed in the AWS CloudTrail console.
In Figure 21, under the Time column in Evidence, if you select one of the times (such as 8:47:18 PM UTC), the evidence description is displayed.
Choose View JSON next to responseElements to view the evidence.
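The two pieces that the post leaves to you are the scheduled refresh recommended above and a way to read the GetLicenseConfiguration evidence (the responseElements JSON) in bulk rather than one record at a time in the console. The following added example (not code from the original post or from AWS) does both: it summarises constructed CloudTrail records into an auditor-friendly entitlement-versus-consumption table, flagging over-consumption and stale evidence, and it provides a refresh routine that calls GetLicenseConfiguration for every license configuration. The sample records, their values, and the camelCase field names in responseElements are assumptions modelled on the API response shape; the refresh function assumes boto3 and AWS credentials.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (not real evidence): field names follow the assumed
# GetLicenseConfiguration event shape, the values are made up for this example.
SAMPLE_EVIDENCE = [
    {"eventTime": "2023-05-01T20:47:18Z", "eventName": "GetLicenseConfiguration",
     "eventSource": "license-manager.amazonaws.com",
     "responseElements": {"name": "Oracle Enterprise Edition", "licenseCountingType": "vCPU",
                          "licenseCount": 8, "licenseCountHardLimit": False, "consumedLicenses": 8}},
    {"eventTime": "2023-05-01T20:47:19Z", "eventName": "GetLicenseConfiguration",
     "eventSource": "license-manager.amazonaws.com",
     "responseElements": {"name": "Oracle Active Data Guard", "licenseCountingType": "vCPU",
                          "licenseCount": 2, "licenseCountHardLimit": False, "consumedLicenses": 4}},
    {"eventTime": "2023-05-01T20:40:00Z", "eventName": "DescribeDBInstances",
     "eventSource": "rds.amazonaws.com", "responseElements": None},
]

def _ts(value):
    """Parse a CloudTrail eventTime (e.g. 2023-05-01T20:47:18Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def summarize_license_evidence(records, now, max_age_hours=24):
    """One row per GetLicenseConfiguration event: entitlement vs. consumption. Flags
    over-consumption (what an auditor would raise) and stale evidence (refresh stopped)."""
    rows = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "license-manager.amazonaws.com", "GetLicenseConfiguration"):
            continue  # other CloudTrail activity is not license evidence
        resp = rec.get("responseElements") or {}
        entitled, consumed = resp.get("licenseCount"), resp.get("consumedLicenses", 0)
        rows.append({"name": resp.get("name"), "unit": resp.get("licenseCountingType"),
                     "entitled": entitled, "consumed": consumed, "event_time": rec["eventTime"],
                     "over_entitlement": entitled is not None and consumed > entitled,
                     "stale": _ts(now) - _ts(rec["eventTime"]) > timedelta(hours=max_age_hours)})
    return rows

def refresh_license_configurations(region_name):
    """Call GetLicenseConfiguration on every configuration so a fresh record lands in CloudTrail
    (the scheduled refresh). Needs boto3 and AWS credentials, hence the lazy import."""
    import boto3
    client = boto3.client("license-manager", region_name=region_name)
    results, kwargs = [], {}
    while True:
        page = client.list_license_configurations(**kwargs)
        for cfg in page.get("LicenseConfigurations", []):
            results.append(client.get_license_configuration(
                LicenseConfigurationArn=cfg["LicenseConfigurationArn"]))
        if not page.get("NextToken"):
            return results
        kwargs = {"NextToken": page["NextToken"]}
```

Run refresh_license_configurations on a schedule (for example from an AWS Lambda function triggered by Amazon EventBridge) with a role that has only license-manager:ListLicenseConfigurations and license-manager:GetLicenseConfiguration, and feed the exported evidence records to summarize_license_evidence before an audit.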
In the AWS Audit Manager console, go back to the Evidence list. To generate an assessment report, select the evidence, and then choose Add to assessment report. Figure 24 shows the Generate assessment report page.
You can now select and download the assessment report, which includes all your selected evidence.
Figure 26 shows how the assessment report looks in the Amazon S3 folder.
If you open the evidence folder you downloaded, you should see the following:
Evidence for Oracle Enterprise license
Evidence for Oracle Active Data Guard
To avoid ongoing charges, delete the assessment you created. If you created an Oracle database or any read replica as part of this exercise and you no longer need them, delete them as well.
There is no additional charge for using License Manager. You pay only for the AWS resources that are managed by License Manager, based on the AWS pricing of the resources.
In this blog post, we showed you how the combined use of AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager can help simplify audit preparation for an Oracle license audit. The setup described in this post uses AWS License Manager to automatically discover and track your Oracle license usage. It uses the integration between AWS License Manager and AWS Audit Manager to streamline the gathering of evidence in preparation for Oracle license audits. For more information on AWS Audit Manager, check the AWS Audit Manager documentation.