Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager
Many of our customers who run Oracle databases need help with managing their Oracle licenses on AWS and ensuring that they have not fallen out of compliance with Oracle’s licensing rules. They must be prepared to provide relevant evidence in an auditor-friendly format during an Oracle license audit.
Gathering evidence in a timely manner to support an Oracle audit event can be a significant challenge due to manual, error-prone, and sometimes distributed processes of managing and tracking license consumption. Organizations typically entrust license administrators (who are in IT or procurement departments) with the responsibility to manage licensing compliance across all their environments. Using AWS License Manager, administrators can create licensing rules to help track Oracle license consumption and provide organizations with visibility and control over their Oracle license usage.
AWS Audit Manager is a fully managed service that provides prebuilt frameworks for common industry standards and regulations. AWS Audit Manager automates the nearly continuous collection of evidence to help you prepare for an audit. This nearly continuous and automated gathering of evidence related to your AWS resource usage also helps simplify risk assessment and compliance with regulations and industry standards.
You can run Amazon RDS for Oracle under two different licensing options: License Included and Bring-Your-Own-License (BYOL). In the License Included option, you don’t need separately purchased Oracle licenses because the Oracle database software has been licensed by AWS. If you already own Oracle database licenses, you can use the BYOL option to run Oracle databases on Amazon RDS. The BYOL licensing option is designed for customers who prefer to use existing Oracle database licenses or purchase new licenses directly from Oracle.
In this blog post we provide an integration that combines the use of AWS Audit Manager with Oracle licensing rules configured in AWS License Manager. We demonstrate how this integration streamlines the gathering of evidence related to your Oracle license usage and helps you prepare for Oracle license audits.
We show you how to configure the setup for integrating AWS Audit Manager with AWS License Manager in two steps:
- Set up AWS Audit Manager: You will create an AWS Audit Manager assessment from AWS License Manager framework which is used to gather evidence.
- Set up AWS License Manager: You will configure AWS License Manager to track Oracle licenses used by database engine editions, options, and management packs used in Amazon RDS for Oracle.
Finally, we show you how to test our scenario by deploying Amazon RDS for Oracle. You’ll initially deploy the Oracle Database Enterprise Edition and then augment your deployment by adding a read replica to the Oracle database running on Amazon RDS. The read replica is configured in read-only mode so it requires an Active Data Guard license from Oracle. In this mode, Oracle Active Data Guard transmits and applies changes from the source database to all read replica databases. In both cases, we show the evidence gathered to prepare for an Oracle audit using an AWS Audit Manager assessment.
To complete the steps in this blog post, you need the following:
- An AWS account
- An IAM user/role that drives audit preparation and has full permissions over AWS Audit Manager resources
Step 1: Set up AWS Audit Manager
If this is your first time using AWS Audit Manager, check AWS Audit Manager documentation to set it up.
Create AWS Audit Manager Assessment
1. In the left navigation pane, choose Framework library. Under Standard frameworks, select AWS License Manager and then choose Create assessment from framework.
2. In Specify assessment details, under Assessment Details enter a name for the assessment (for example, Record License Configuration) and an optional description. Under Assessments reports destination, select an existing Amazon S3 bucket or create new one to store assessment reports and then choose Next.
3. If your account is in an organization created in AWS Organizations, choose the accounts you want to track.
4. Under AWS services, AWS License Manager will be selected by default. Choose Next.
5. In Specify audit owners, select users from the list.
6. On the Review and create page, choose Create assessment.
The assessment is an implementation of the AWS Audit Manager framework. It collects the evidence related to Oracle license consumption, converts it into an auditor-friendly format, and attaches the evidence to the custom license control in the framework.
You’ve now completed the AWS Audit Manager setup. Your assessment will start collecting evidence for your Oracle license consumption.
Step 2: Set up AWS License Manager
AWS License Manager performs automatic discovery of Oracle licenses, options, and packs used in Amazon RDS. Now, you will create license configurations in AWS License Manager to automatically track licenses of Amazon RDS for Oracle Enterprise Edition. Optionally, you can create another configuration to track licenses for the Oracle Active Data Guard.
1. In the AWS License Manager console, choose Self-managed licenses, and then choose Create self-managed license configuration.
2. Because you want AWS License Manager to track Oracle database licenses, under Product information, for Product name, choose Oracle database.
3. For Product type, choose Enterprise Edition.
4. For Resource type, choose Amazon RDS.
Now use the AWS License Manager console to create another customer managed license.
1. From the left navigation pane, choose Customer managed licenses, and then choose Create customer managed licenses.
2. Because you want AWS License Manager to track Oracle database option pack licenses, for Product name, choose Oracle database.
3. For Product type, choose Active Data Guard.
4. For Resource type, choose Amazon RDS, and then choose Submit.
On the Customer managed licenses page, the license configuration for Oracle Active Data Guard licenses should be displayed:
You are now ready to test your setup. Follow these steps to create an Amazon RDS for Oracle database. The database in this example has four vCPUs.
Review the Overview of Oracle replicas and then create a read replica for the Amazon RDS for Oracle database with the Active Data Guard option. It consumes an additional four vCPUs.
To create a read replica in the read-only mode for the Amazon RDS for Oracle database, you must use the Oracle Active Data Guard option.
Open the AWS License Manager console, and from the left navigation pane, choose Dashboard. You can see that you are now tracking Oracle Active Data Guard licenses.
AWS Audit Manager evidence recording
For AWS Audit Manager to record the evidence for your licenses, go to the self-managed licenses your created in AWS License Manager console and refresh. AWS Audit Manager may take up-to 24 – 48 hours to record evidence.
1. In the AWS Audit Manager console, from the left navigation pane, choose Assessments. Choose the Record License Configuration assessment.
2. Choose Controls tab, under Control sets you will see evidence collected by the assessment.
3. Select control 3.0.4. Under Evidence folders, select the evidence and choose Add to assessment report.
4. Navigate to Record License Configuration assessment, select Assessment report selection and then choose Generate Assessment Report.
You can now select and download the assessment report, which includes all your selected evidence. The report is available in your chosen S3 bucket as well.
To avoid ongoing charges, delete the Assessment you created. If you created Oracle Database or any read replica as a part of this exercise and if you do not need them, delete them.
There is no additional charge for using License Manager. You pay only for the AWS resources that are managed by License Manager, based on the AWS pricing of the resources.
In this blog post, we showed you how the combined use of AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager can help simplify audit preparation for an Oracle license audit. The setup described in this post uses AWS License Manager to automatically discover and track your Oracle license usage. It uses the integration between AWS License Manager and AWS Audit Manager to streamline the gathering of evidence in preparation for Oracle license audits. For more information on AWS Audit Manager, check the AWS Audit Manager documentation.