AWS Management & Governance Blog

Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager

Many of our customers who run Oracle databases need help with managing their Oracle licenses on AWS and ensuring that they have not fallen out of compliance with Oracle’s licensing rules. They must be prepared to provide relevant evidence in an auditor-friendly format during an Oracle license audit.

Gathering evidence in a timely manner to support an Oracle audit event can be a significant challenge due to manual, error-prone, and sometimes distributed processes of managing and tracking license consumption. Organizations typically entrust license administrators (who are in IT or procurement departments) with the responsibility to manage licensing compliance across all their environments. Using AWS License Manager, administrators can create custom licensing rules to help track Oracle license consumption and provide organizations with visibility and control over their Oracle license usage.

AWS Audit Manager is a fully managed service that provides prebuilt frameworks for common industry standards and regulations. AWS Audit Manager automates the nearly continuous collection of evidence to help you prepare for an audit. This nearly continuous and automated gathering of evidence related to your AWS resource usage also helps simplify risk assessment and compliance with regulations and industry standards.

You can run Amazon RDS for Oracle under two different licensing options: License Included and Bring-Your-Own-License (BYOL). In the License Included option, you don’t need separately purchased Oracle licenses because the Oracle database software has been licensed by AWS. If you already own Oracle database licenses, you can use the BYOL option to run Oracle databases on Amazon RDS. The BYOL licensing option is designed for customers who prefer to use existing Oracle database licenses or purchase new licenses directly from Oracle.

In this blog post we provide an integration that combines the use of AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager. We demonstrate how this integration streamlines the gathering of evidence related to your Oracle license usage (with the BYOL licensing option) and helps you prepare for Oracle license audits.

Overview

We show you how to configure the setup for integrating AWS Audit Manager with AWS License Manager in two steps:

  1. Set up AWS Audit Manager: You will configure a custom control in AWS Audit Manager that tracks Oracle license consumption using the GetLicenseConfiguration API in AWS License Manager. The custom control is associated with an AWS Audit Manager framework, which is used to gather evidence as part of an AWS Audit Manager assessment.
  2. Set up AWS License Manager: You will configure AWS License Manager to track Oracle licenses used by database engine editions, options, and management packs used in Amazon RDS for Oracle.

Finally, we show you how to test our scenario by deploying Amazon RDS for Oracle with the BYOL licensing option. You’ll initially deploy the Oracle Database Enterprise Edition and then augment your deployment by adding a read replica to the Oracle database running on Amazon RDS. The read replica is configured in read-only mode so it requires an Active Data Guard license from Oracle. In this mode, Oracle Active Data Guard transmits and applies changes from the source database to all read replica databases. In both cases, we show the evidence gathered to prepare for an Oracle audit using an AWS Audit Manager assessment.

Prerequisites

To complete the steps in this blog post, you need the following:

  • An AWS account
  • Oracle licenses to record
  • An IAM user or role that drives audit preparation and has full permissions over AWS Audit Manager resources (for example, the AWSAuditManagerAdministratorAccess managed policy)

Walkthrough

Step 1: Set up AWS Audit Manager

If this is your first time using AWS Audit Manager, check the AWS Audit Manager documentation to set it up. Also confirm that AWS CloudTrail is logging management events in the Region you use, because the custom control in this post draws all of its evidence from CloudTrail.

Create Custom Control

1. Open the AWS Audit Manager console and from the left navigation pane, choose Control library, and then choose Create custom control.

The Control library page has two tabs: Standard controls and Custom controls. It also has two buttons: Customize existing control and Create custom control.

Figure 1: Control library

2. In Control name, enter a name (for example, License Configuration) and an optional description and then choose Next.

The Specify control details page provides fields for control name and description and a Testing information section.

Figure 2: Specify control details

3. In Configure data sources for this control, choose Automated evidence.

4. Under Select an evidence type by mapping to a data source, choose User activity logs from AWS CloudTrail.

5. In Specify an AWS CloudTrail Keyword, choose license-manager_GetLicenseConfiguration.

The fields for Data source 1 are completed as described in the body of the post.

Figure 3: Configure data sources for this control

6. On the Review and create page, choose Create custom control.

Figure 4 shows the License Configuration control displayed in the Control library:

In Control library, under Custom controls, the License Configuration control is displayed. Its data source is AWS CloudTrail.

Figure 4: License Configuration control

Create Custom Framework

Custom frameworks allow you to organize controls into control sets in a way that suits your unique requirements. Follow these steps to create a custom framework using the custom control you created in the previous section.

1. In the left navigation pane, choose Framework library, and then choose Create custom framework.

The Framework library page has tabs for Standard frameworks and Custom frameworks. The Create custom framework option is selected.

Figure 5: Framework library

2. In Specify framework details, enter a name for the framework (for example, Record License Configuration). Enter an optional compliance type and description, and then choose Next.

For Framework name, Record License Configuration is displayed. The description says “This framework records any changes in License Configurations.”

Figure 6: Specify framework details

3. On Specify the controls in the control set, in Control set name, enter a name for the control set (for example, License Control).

4. Under Select control type, choose Custom controls, and then choose Add to control set. The custom control you created earlier should be displayed under Selected controls.

The fields are completed as described in the body of the post. The License Configuration control is displayed in a table with columns for Control name, Tags, Data source, Date created, and Last updated.

Figure 7: Specify the controls in the control sets

5. On the Review and create page, choose Create custom framework.

Figure 8 shows the custom framework, which consists of the custom license control that tracks Oracle licenses.

The framework named Record License Configuration is displayed in Framework details. Under Control sets, License Configuration is displayed.

Figure 8: Record License Configuration

Now create an assessment using the custom framework to start collecting evidence for your license consumption.

Create AWS Audit Manager Assessment

1. From the left navigation pane, choose Assessments, and then choose Create assessment.

The Assessments page includes a search field you can use to access past and current assessments. It also includes Edit, Delete, and Create assessment buttons.

Figure 9: Assessments page

2. In Specify assessment details, under Assessment details, enter a name for the assessment (for example, Record License Configuration) and an optional description. Under Assessment reports destination, select an existing Amazon S3 bucket or create a new one to store assessment reports. Under Frameworks, choose the Record License Configuration framework and then choose Next.

The Specify assessment details page provides fields for name and description. It also includes sections for Assessment reports destination, Frameworks, and Tags.

Figure 10: Specify assessment details

3. If your account is in an organization created in AWS Organizations, choose the accounts you want to track.

The Specify AWS accounts in scope page provides a table where AWS accounts are organized by account ID, account name, and email.

Figure 11: Specify AWS accounts in scope

4. Under AWS services, select AWS CloudTrail and then choose Next.

In the AWS services list, AWS CloudTrail is selected. Its category is Management and governance.

Figure 12: AWS CloudTrail selected in the AWS services list

5. In Specify audit owners, select users from the list.

Use the Specify audit owners page to select an IAM user or role with permissions to access AWS Audit Manager resources.

Figure 13: Specify audit owners

6. On the Review and create page, choose Create assessment.

The assessment is an implementation of the AWS Audit Manager framework. It collects the evidence related to Oracle license consumption, converts it into an auditor-friendly format, and attaches the evidence to the custom license control in the framework.

The Record License Configuration assessment is displayed with a status of Active.

Figure 14: Assessments page

You’ve now completed the AWS Audit Manager setup. Your assessment will start collecting evidence for your Oracle license consumption.
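The same three objects (custom control, custom framework, assessment) can be created with the AWS SDK instead of the console, which makes the setup repeatable across accounts. The following is an added example written for this post, not code from the original post or from AWS; the parameter shapes follow the boto3 auditmanager API (create_control, create_assessment_framework, create_assessment), and the StubAuditManager class, the bucket name, the role name and the ids it returns are constructed placeholders so the procedure can be run offline.

```python
"""Added example: build the custom control, custom framework and assessment from
Step 1 with boto3 instead of the console. The client is passed in, so the
procedure can be exercised offline with the stand-in client at the bottom."""

CONTROL_NAME = "License Configuration"
FRAMEWORK_NAME = "Record License Configuration"
CONTROL_SET_NAME = "License Control"
# CloudTrail keyword chosen in Figure 3: the event License Manager emits when a
# license configuration is read.
CLOUDTRAIL_KEYWORD = "license-manager_GetLicenseConfiguration"


def create_license_control(client) -> str:
    """Custom control with one automated data source: CloudTrail events whose
    name matches CLOUDTRAIL_KEYWORD. Returns the control id."""
    resp = client.create_control(
        name=CONTROL_NAME,
        description="Records GetLicenseConfiguration calls against AWS License Manager",
        controlMappingSources=[{
            "sourceName": "GetLicenseConfiguration calls",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_Cloudtrail",
            "sourceKeyword": {
                "keywordInputType": "SELECT_FROM_LIST",
                "keywordValue": CLOUDTRAIL_KEYWORD,
            },
        }],
    )
    return resp["control"]["id"]


def create_license_framework(client, control_id: str) -> str:
    """Custom framework with a single control set holding the control above."""
    resp = client.create_assessment_framework(
        name=FRAMEWORK_NAME,
        description="This framework records any changes in License Configurations.",
        controlSets=[{"name": CONTROL_SET_NAME, "controls": [{"id": control_id}]}],
    )
    return resp["framework"]["id"]


def create_license_assessment(client, framework_id: str, account_id: str,
                              report_bucket: str, audit_owner_role_arn: str) -> str:
    """Assessment scoped to one account and to CloudTrail as the only service,
    matching Figures 11 and 12. Returns the assessment id."""
    resp = client.create_assessment(
        name=FRAMEWORK_NAME,
        assessmentReportsDestination={"destinationType": "S3",
                                      "destination": f"s3://{report_bucket}"},
        scope={"awsAccounts": [{"id": account_id}],
               "awsServices": [{"serviceName": "cloudtrail"}]},
        roles=[{"roleType": "PROCESS_OWNER", "roleArn": audit_owner_role_arn}],
        frameworkId=framework_id,
    )
    return resp["assessment"]["metadata"]["id"]


def set_up_audit_manager(client, account_id, report_bucket, audit_owner_role_arn) -> dict:
    """Run the three steps in order; each later step needs the id of the previous one."""
    control_id = create_license_control(client)
    framework_id = create_license_framework(client, control_id)
    assessment_id = create_license_assessment(client, framework_id, account_id,
                                              report_bucket, audit_owner_role_arn)
    return {"control_id": control_id, "framework_id": framework_id,
            "assessment_id": assessment_id}


class StubAuditManager:
    """Constructed stand-in for boto3.client("auditmanager") that records each
    request and hands back fixed ids; used only to run this example offline."""
    def __init__(self):
        self.requests = {}

    def create_control(self, **request):
        self.requests["create_control"] = request
        return {"control": {"id": "ctl-0001"}}

    def create_assessment_framework(self, **request):
        self.requests["create_assessment_framework"] = request
        return {"framework": {"id": "fw-0001"}}

    def create_assessment(self, **request):
        self.requests["create_assessment"] = request
        return {"assessment": {"metadata": {"id": "asmt-0001"}}}


if __name__ == "__main__":
    import boto3  # real clients; bucket and role names below are placeholders
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(set_up_audit_manager(boto3.client("auditmanager"), account,
                               "my-audit-reports-bucket",
                               f"arn:aws:iam::{account}:role/AuditOwner"))
```

The principal running this needs the same Audit Manager permissions as the console user in the prerequisites, and the S3 bucket must already exist and be writable by Audit Manager; verify the parameter names against the current SDK reference before using this in production.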

Step 2: Set up AWS License Manager

AWS License Manager performs automatic discovery of Oracle licenses, options, and packs used in Amazon RDS. Now, you will create license configurations in AWS License Manager to automatically track licenses of Amazon RDS for Oracle Enterprise Edition. Optionally, you can create another configuration to track licenses for the Oracle Active Data Guard.

1. In the AWS License Manager console, from the left navigation pane, choose Customer managed licenses, and then choose Create customer managed license.

2. Because you want AWS License Manager to track Oracle database licenses, under Product information, for Product name, choose Oracle database.

3. For Product type, choose Enterprise Edition.

4. For Resource type, choose Amazon RDS, and then choose Submit.

The Create license configuration page includes sections for Configuration details, Automated discovery rules, and Tags.

Figure 15: Create license configuration

Now use the AWS License Manager console to create another customer managed license.

1. From the left navigation pane, choose Customer managed licenses, and then choose Create customer managed license.

2. Because you want AWS License Manager to track licenses for an Oracle Database option, for Product name, choose Oracle database.

3. For Product type, choose Active Data Guard.

4. For Resource type, choose Amazon RDS, and then choose Submit.

On the Customer managed licenses page, the license configuration for Oracle Active Data Guard licenses should be displayed:

Oracle Active Data Guard Licenses appears in the Customer managed licenses list. It has a status of Active. 0 of 30 licenses are consumed.

Figure 16: Oracle Active Data Guard license configuration


The dashboard displays fields for granted licenses (0), customer managed licenses (2), and seller issued licenses (0). There are usage sections on the dashboard.

Figure 17: AWS License Manager Dashboard

You are now ready to test your setup. Follow the Amazon RDS documentation to create an Amazon RDS for Oracle database with the BYOL licensing option. The database in this example has four vCPUs.

Review the Overview of Oracle replicas and then create a read replica for the Amazon RDS for Oracle database. A read replica in read-only mode requires the Oracle Active Data Guard option, and it consumes an additional four vCPUs.

The Databases page displays a source database (database-1) and replica (database-1-readreplica).

Figure 18: Databases page in the Amazon RDS console

Open the AWS License Manager console, and from the left navigation pane, choose Dashboard. You can see that you are now tracking Oracle Active Data Guard licenses.

Under Customer managed licenses usage, 8 of 30 Oracle Active Data Guard licenses are in use. 8 of 30 Oracle Enterprise licenses are in use.

Figure 19: AWS License Manager Dashboard

Every time you open or refresh a customer managed license configuration in the AWS License Manager console, the console makes a GetLicenseConfiguration API call on your behalf. CloudTrail records that call, as shown in Figure 20, and the custom control collects it as evidence. AWS Audit Manager does not make the call itself, so if nobody reads the license configuration during a period, there is no evidence for that period. It might take 5 to 15 minutes before the call is reflected in AWS CloudTrail. For your production environment, we recommend that you automate this refresh at the interval your auditors expect, run it under a dedicated IAM role so that the user name recorded in CloudTrail distinguishes scheduled evidence from ad hoc console views, and test it thoroughly.

The Event history page in the CloudTrail console displays GetLicenseConfiguration events organized by event time, user name, event source, resource type, and resource name.

Figure 20: Event history in AWS CloudTrail console
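One way to build that scheduled refresh is a small Lambda function triggered by an EventBridge schedule. The following is an added example written for this post, not code from the original post or from AWS. It uses the boto3 license-manager client calls ListLicenseConfigurations and GetLicenseConfiguration; the StubLicenseManager class, its ARNs and its license counts are constructed from Figure 19 so the loop can be run offline, and the schedule name and IAM role are assumptions.

```python
"""Added example: scheduled refresh that reads every customer managed license
configuration so CloudTrail records one GetLicenseConfiguration event per
configuration. Written as a Lambda handler; the client is injected so the
logic can be exercised offline with the stand-in at the bottom."""


def list_license_configuration_arns(client) -> list:
    """Walk ListLicenseConfigurations with NextToken until the account's
    configurations are exhausted."""
    arns, token = [], None
    while True:
        page = client.list_license_configurations(**({"NextToken": token} if token else {}))
        arns.extend(c["LicenseConfigurationArn"] for c in page.get("LicenseConfigurations", []))
        token = page.get("NextToken")
        if not token:
            return arns


def refresh_license_configurations(client) -> list:
    """One GetLicenseConfiguration call per configuration. The call itself is the
    evidence: CloudTrail logs it and the custom control picks it up. The returned
    summary is only a by-product for logging or CloudWatch alarms."""
    summary = []
    for arn in list_license_configuration_arns(client):
        cfg = client.get_license_configuration(LicenseConfigurationArn=arn)
        summary.append({
            "name": cfg["Name"],
            "consumed": cfg.get("ConsumedLicenses", 0),
            "limit": cfg.get("LicenseCount"),
            "hard_limit": cfg.get("LicenseCountHardLimit", False),
        })
    return summary


def lambda_handler(event, context):
    """Entry point for an EventBridge schedule (for example, rate(1 hour)).
    The execution role needs only license-manager:ListLicenseConfigurations
    and license-manager:GetLicenseConfiguration."""
    import boto3
    return {"refreshed": refresh_license_configurations(boto3.client("license-manager"))}


class StubLicenseManager:
    """Constructed stand-in for boto3.client("license-manager") holding the two
    configurations from Figure 19 and returning one per page, so the NextToken
    loop is exercised. Counts GetLicenseConfiguration calls."""
    def __init__(self):
        self._configs = [
            {"LicenseConfigurationArn": "arn:aws:license-manager:us-east-1:111122223333:license-configuration:lic-ee",
             "Name": "Oracle Enterprise Licenses", "LicenseCount": 30, "ConsumedLicenses": 8},
            {"LicenseConfigurationArn": "arn:aws:license-manager:us-east-1:111122223333:license-configuration:lic-adg",
             "Name": "Oracle Active Data Guard Licenses", "LicenseCount": 30, "ConsumedLicenses": 8},
        ]
        self.get_calls = 0

    def list_license_configurations(self, NextToken=None, **_):
        i = int(NextToken or 0)
        page = {"LicenseConfigurations": [self._configs[i]]}
        if i + 1 < len(self._configs):
            page["NextToken"] = str(i + 1)
        return page

    def get_license_configuration(self, LicenseConfigurationArn):
        self.get_calls += 1
        return next(c for c in self._configs
                    if c["LicenseConfigurationArn"] == LicenseConfigurationArn)
```

Because the execution role's ARN appears in the user name column of the CloudTrail event, an auditor can tell scheduled evidence apart from an administrator viewing the configuration by hand; keep that role limited to the two read-only actions above.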

AWS Audit Manager evidence recording

For AWS Audit Manager to record the evidence for your licenses, open your customer managed license configuration in the AWS License Manager console and refresh it.

The GetLicenseConfiguration API calls are being collected as evidence in AWS Audit Manager through the assessment you created earlier.

1. In the AWS Audit Manager console, from the left navigation pane, choose Assessments. Choose the Record License Configuration assessment.

2. In Control sets, choose the License Configuration custom control you created earlier.

3. On the Evidence tab, you should see the evidence collection. Choose an Evidence Folder.

4. In the Evidence list, you should see that AWS Audit Manager has collected the GetLicenseConfiguration API calls that were displayed in the AWS CloudTrail console.

The Summary section includes evidence folder details and evidence by type. The Evidence table has columns for Time, Evidence by type, Compliance check, Data source, Event name, Resources, and Assessment report selection.

Figure 21: Summary for License Configuration

In Figure 21, under the Time column in Evidence, if you select one of the times (such as 8:47:18 PM UTC), the evidence description is displayed.

The Evidence detail section includes entries for date and time, evidence folder name, control name (License Configuration), event source, event name (GetLicenseConfiguration), data source (AWS CloudTrail), evidence by type, and more.

Figure 22: Evidence detail

Choose View JSON next to responseElements to view the evidence.

Evidence description in JSON.

Figure 23: View JSON
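The responseElements JSON is the same GetLicenseConfiguration response the console shows, so the downloaded evidence can be checked mechanically before an audit for the two things an auditor will ask about: whether evidence was collected continuously, and whether consumption ever exceeded the configured license count. The following is an added example written for this post, not code from the original post or from AWS. SAMPLE_EVENTS is constructed: it keeps only the CloudTrail fields the checks use, and the names inside responseElements follow the GetLicenseConfiguration response (verify them against your own evidence JSON before relying on this).

```python
"""Added example: check the GetLicenseConfiguration CloudTrail events that Audit
Manager collects as evidence for collection gaps (no event for longer than the
refresh interval) and for consumption above the configured license count."""
from datetime import datetime, timedelta


def _event(name, when, consumed, count, event_name="GetLicenseConfiguration"):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    return {
        "eventTime": when,
        "eventSource": "license-manager.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/LicenseRefresh/refresh"},
        "responseElements": {"name": name, "licenseCount": count, "consumedLicenses": consumed},
    }


# Constructed sample: an hourly refresh that missed the 09:00 read of Active Data
# Guard, and an Enterprise Edition count that went over its configured 30.
SAMPLE_EVENTS = [
    _event("Oracle Active Data Guard Licenses", "2023-05-01T08:00:00Z", 8, 30),
    _event("Oracle Enterprise Licenses", "2023-05-01T08:00:00Z", 8, 30),
    _event("Oracle Enterprise Licenses", "2023-05-01T09:00:00Z", 32, 30),
    _event("Oracle Active Data Guard Licenses", "2023-05-01T10:00:00Z", 8, 30),
    _event("ignored", "2023-05-01T10:00:00Z", 0, 0, event_name="ListLicenseConfigurations"),
]


def parse_event(ev: dict) -> dict:
    """Flatten one CloudTrail record to the fields the checks need."""
    resp = ev["responseElements"]
    return {
        "time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
        "name": resp["name"],
        "consumed": resp["consumedLicenses"],
        "limit": resp["licenseCount"],
        "caller": ev.get("userIdentity", {}).get("arn"),
    }


def analyze_evidence(events: list, max_gap_hours: float = 1.0) -> list:
    """Return human-readable findings. Records that are not
    GetLicenseConfiguration are ignored: other License Manager calls carry no
    consumption data, and the custom control does not collect them anyway."""
    max_gap = timedelta(hours=max_gap_hours)
    records = [parse_event(e) for e in events if e.get("eventName") == "GetLicenseConfiguration"]
    by_name = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        by_name.setdefault(rec["name"], []).append(rec)

    findings = []
    for name, recs in by_name.items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["time"] - prev["time"] > max_gap:
                findings.append(f"{name}: no evidence between {prev['time'].isoformat()} "
                                f"and {cur['time'].isoformat()}")
        last = recs[-1]
        if last["consumed"] > last["limit"]:
            findings.append(f"{name}: {last['consumed']} licenses consumed exceeds the "
                            f"configured count of {last['limit']} (as of {last['time'].isoformat()})")
    return findings


if __name__ == "__main__":
    for line in analyze_evidence(SAMPLE_EVENTS, max_gap_hours=1):
        print(line)
```

Run against the records exported from an assessment, the gap check tells you whether the scheduled refresh actually ran throughout the audit period, and the count check surfaces overages that a soft license limit in AWS License Manager would otherwise have allowed silently.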

In the AWS Audit Manager console, go back to the Evidence list. To generate an assessment report, select the evidence, and then choose Add to assessment report. Figure 24 shows the Generate assessment report page.

Generate assessment report includes fields for name and description. Under Assessment report details, Record License Configuration appears. A link to an S3 bucket is displayed under Assessment reports destination.

Figure 24: Generate assessment report

You can now select and download the assessment report, which includes all your selected evidence.

The Record_License_Configuration_Report is selected. It has a status of Generated.

Figure 25: Assessment reports

Figure 26 shows how the assessment report looks in the Amazon S3 folder.

The assessment report objects are displayed in the list. The table has columns for Name, Folder, Last modified, Size, and Storage class.

Figure 26: Objects list in the Amazon S3 console

If you open the evidence folder you downloaded, you should see the following:

Evidence for Oracle Enterprise license

Evidence PDF file includes details like control (License Configuration), author, description, event AWS account ID, and event name (GetLicenseConfiguration). It also includes an Attributes section.

Figure 27: Oracle Enterprise license

Evidence for Oracle Active Data Guard

Evidence PDF file includes details like control (License Configuration), author, description, event AWS account ID, and event name (GetLicenseConfiguration). It also includes an Attributes section.

Figure 28: Oracle Active Data Guard

Cleanup

To avoid ongoing charges, delete the assessment you created. If you created an Oracle database or a read replica as part of this exercise and you no longer need them, delete them.

There is no additional charge for using License Manager. You pay only for the AWS resources that are managed by License Manager, based on the AWS pricing of the resources.

Conclusion

In this blog post, we showed you how the combined use of AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager can help simplify audit preparation for an Oracle license audit. The setup described in this post uses AWS License Manager to automatically discover and track your Oracle license usage. It uses the integration between AWS License Manager and AWS Audit Manager to streamline the gathering of evidence in preparation for Oracle license audits. For more information on AWS Audit Manager, check the AWS Audit Manager documentation.

About the authors

Kanishk Mahajan

Kanishk Mahajan has been leading AWS cloud transformation, solution architecture and delivery teams for customers for several years. Currently at AWS, Kanishk specializes in the domains of management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member at AWS in each of those domains.

Pranjal Gururani

Pranjal Gururani is a Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with family during his spare time.