Tracking software usage across multiple AWS accounts using AWS License Manager
In a previous post Using AWS License Manager to track your Microsoft SQL Server licenses, you learned how to use AWS License Manager to help you manage your software licenses. In this post, I show you how to use License Manager to manage licenses for your entire organization or a select group of accounts.
There are two ways to manage licenses across multiple AWS accounts:
· Link License Manager to AWS Organizations to automatically link all your organization’s accounts.
· Use AWS Resource Access Manager to share license configurations between accounts.
I recommend the first option, as it allows for a shared inventory and a seamless transition when accounts are added or removed from the organization. However, the AWS RAM method provides maximum flexibility and allows you to share license configurations outside your organization.
Use one of the two options to enable the sharing of license configurations, then learn how to share a specific configuration. If you select the Organizations link, you can also see how to view inventory across accounts.
A. Linking License Manager to Organizations
This section describes how to use Organizations along with AWS Systems Manager to track licenses across accounts. You can use the AWS Management Console or the AWS SDKs and AWS CLI.
Make sure that you’re logged into the Organizations master account with sufficient permissions to modify you organization.
Enable Organizations features
To get started, make sure to enable all features of Organizations and to configure Systems Manager in all accounts where you want to manage licenses.
1. In the AWS Organizations console, choose Settings.
2. In the Organization details section, under Feature set, make sure that all features are enabled.
All features must be enabled to continue following these steps. For more information, see Enabling All Features in Your Organization. If you can’t enable all features, see the section about using AWS RAM.
Link License Manager
Launch AWS License Manager and link it to your AWS Organization
1. Launch License Manager
You can On the console, access AWS License Manager through the AWS Management Console under Management & Governance. On the toolbar, choose Go to Services and enter search for AWS License Manager, as shown in the following screenshot. (AlternatelyIn addition to the console, you could use the AWS SDKs and the AWS CLI to work with AWS License Manager.)
2. In the License Manager console, in the left navigation pane, choose Settings, Edit.
3. On the Settings page, in the Account management section:
a. Select the Link AWS Organizations accounts check box. At this time, you can’t reverse this operation. The changes apply to all accounts in your organization’s current and future accounts.
b. Select Cross account inventory search. This creates resources in your accounts that may incur costs that you cannot reverse at this time. To proceed, you must also confirm that you understand that you may be charged.
The Systems Manager inventory is used for multi-account software discovery. The SSM role must be configured on instances for discovery to work properly and enable SSM on your instances. For more information, see Working with SSM Agent.
4. To enable License Manager to integrate with your organization, on the SNS page, for SNS topic ARN, enter a topic to which to have License Manager send notifications and alerts (the topic must begin with “aws-license-manager-service-”). Choose Apply.
Verify that AWS License Manager is linked to Organizations
1. In the Organizations console, in the upper-right corner, choose Settings.
a. Scroll down and locate License Manager to verify that it’s enabled, as shown in the following screenshot. While it’s possible in Organizations to remove License Manager access to the organization by disabling access, this does not remove the resources that you created during the linking process.
2. Navigate back to License Manager and choose Search Inventory. Now you can see resources for different accounts in the search inventory. It may take up to 24 hours to see the resources of new accounts added to Organizations.
3. In the AWS RAM console, navigate to Resource Access Manager
a. You can access Resource Access Manager through the AWS Management Console under Security, Identity, & Compliance. Go to Services and search for Resource Access Manager. (Alternately, In addition to the console, you could use the AWS SDKs and the AWS CLI to work with Resource Access Manager.)
4. Choose Resource shares and review the created resource share.
5. To review the resource share from the main account, change to another AWS account in your organization. In the left navigation pane, under Shared with me, choose Resource shares, as shown in the following screenshot.
For more information, see the “Sharing License Configurations” section later in this post.
B. Using AWS RAM to share License Manager configurations
The second option you have to share resources with other AWS accounts is using AWS RAM. You need the AWS account numbers of the target accounts with which to share configurations, and access to the accounts to accept the shared resources. You can also use AWS RAM to share other AWS resources, such as VPC subnets, transit gateways, and Route 53 Resolver rules. For details, see What is AWS RAM.
1. In the AWS RAM console, choose Create a resource share.
2. On the Create resource share page:
a. For Name, enter a name for the resource share, such as “License Manager Share.”
b. Under Resources, add existing license configurations, or add them later.
c. Under Principals, add the target AWS accounts with which to share your configurations.
d. Under Tags, add the tags to use.
e. Choose Create resource share.
3. Note the ID and owner account number of the resource share that you created, as shown in the following screenshot.
4. Change AWS accounts and review the resource to what was shared. Note the ID and owner account number of the resource share to make sure that they match the ID and account number that you shared in the previous step. The status is pending so accept the resource share by choosing License Manager Share.
5. Make sure that all the resource share information is correct, and choose Accept resource share.
6. On the confirmation page, choose OK.
7. Verify that you successfully shared the resource.
Sharing License Manager configurations
After creating the resource access shares, share license configurations with other accounts using one of the following methods: Organizations or AWS RAM.
Method 1: Organizations
If you use the License Manager to Organizations link, you see the Associate license configuration dialog box when you create a new license configuration. To share your new configuration automatically with your entire organization, select Share license configuration with all my member accounts.
Method 2: AWS RAM
If you had already created license configurations before linking License Manager to Organizations or if you used the manual AWS RAM options, use AWS RAM to share them with other accounts. To create a new License Manager configuration, see the previous post on Using AWS License Manager to track your Microsoft SQL Server licenses.
1. In the AWS RAM console, in the Shared by me section, choose Resource shares. Select the resource share created automatically, and choose Modify.
2. In the Resources section, for Select resource type, choose License Configurations.
3. Select the license configurations to share with your other accounts, and choose Save changes.
4. Change to an AWS account with which you shared license configurations. In the left navigation pane, in the Shared with me section, choose Shared resources and verify that the license configurations were shared.
In this post, you learned how to use License Manager to manage licenses across different accounts, whether for your entire organization or for a select group of accounts. You walked through the two ways to manage licenses across multiple AWS accounts:
· Link License Manager to Organizations to automatically link all your organization’s accounts.
· Use AWS RAM to share license configurations between accounts.
About the Author
Chris Evilsizer is a senior solutions architect focused on helping customers run Microsoft Workloads in AWS. Chris has 20+ years of IT experience working with a wide range of technologies. He enjoys helping customers gain the benefits of running their workloads in the cloud.