Microsoft Workloads on AWS

Automatically create self-managed licenses in multiple accounts using tags

In this blog post, we will demonstrate how you can set up self-managed licenses to be tracked automatically through tagging. Managing licenses for software running on Amazon Elastic Compute Cloud (Amazon EC2) is critical for compliance and auditing purposes. Amazon Web Services (AWS) provides a free tool, AWS License Manager, to help you manage your licenses. However, license tracking and visibility can become challenging in multi-account and multi-Region environments.

By deploying the AWS CloudFormation template provided, you can automatically find resources that are using self-managed licenses (such as in a Bring Your Own License solution) using tags, which can be discovered by an AWS Lambda function. Through License Manager’s Delegated Administrator feature, you will be shown the licenses within License Manager in one specified delegated account.

Solution overview

This solution uses the following AWS services:

As part of the solution, you will deploy two Lambda functions from the provided template. One Lambda function will 1/check for existing tags on resources within the Regions the StackSet is deployed in and 2/will add those resources to the license with matching tags. The other Lambda function will remove any resources that are added to a license with matching tags that no longer have the matching tags applied. You can control the frequency of these checks using a cron expression when deploying the StackSet.

The Lambda function within the CloudFormation template is only going to search for the tag key provided during deployment. For example, during the deployment of the CloudFormation template, you select “PO” as the TagKey. License Manager needs to have the tag key “PO” with the tag value “1234” attached to a self-managed license, as shown in Table 1. Any Amazon EC2 instance with a tag key “PO” and tag value “1234” will be automatically added to the self-managed license.

If you want to automatically populate another self-managed license, you could use tag key “PO” with a different value; for example, the tag value “5678”. All Amazon EC2 instances with the tag key “PO” and tag value “5678” will be added to that second self-managed license and captured by the same CloudFormation deployment.

If you want to use a different tag key—for example, “Purchase Order”—you will need to deploy the CloudFormation template for the new tag key and specify this TagKey during deployment.

 

tagKey/tagValue
Amazon EC2 PO/1234 Match Same Stack (Same tagKey)
Self-manged license PO/1234
Amazon EC2 PO/5678 Match
Self-manged license PO/5678
Amazon EC2 PurchaseOrder/0987 Match New Stack
Self-manged license PurchaseOrder/0987

Table 1: The relation between Cloudforamtion stack and tag key

Prerequisites

Walkthrough

There are two deployment options provided, depending on your use case. The first method is focused on gathering license information for a single account and all of its enabled Regions. The second method is for customers looking for organizational visibility into their license usage, as shown in Figure 1.

This image is an AWS service diagram showing the flow of the solution in a multi-account setup.

Figure 1: An overview of the solution deployed in a multi-account setup

Method 1 – Single account

In this scenario, the assumption is that you are only running a single account with AWS. In this single account, you will manage the licenses within the same account your Amazon EC2 instances are deployed in.

  1. Sign up for License Manager and create your self-managed license. There is no additional cost for License Manager, however, you have to enroll the account.
    1. Go the License Manager console and click on Start using AWS License Manager, as shown in Figure 2.

      This is an image of the initial console page when you access AWS License Manager. There is a button you can click on which is labeled "Start using AWS License Manager".

      Figure 2: Initial option to start using AWS License Manager

    2. You will be prompted to grant IAM License Manager permissions. Figure 3 shows where you can select the box to grant the permissions and click on Grant Permissions.

      This image shows the pop-up that will come up for users after clicking on Start using AWS License Manager. This window prompts for you to grantee permissions required. The checkbox for these permissions is selected in the picture.

      Figure 3: This window will pop up after you click Start using AWS License Manager. This will set up the permissions needed for License Manager to work.

    3. Once you are in the License Manager console, select Self-managed licenses, then Create self-managed license, as shown in Figure 4.

      This image shows the AWS License Manager console after granting permissions. Currently the self-managed licenses section is selected with the option to create a self-managed license shown.

      Figure 4: The AWs License Manager console, showing the Self-managed licenses section.

    4. In the Configuration Details, you will need to provide the name as well as the license type (for instance, if your license is per vCPU, select vCPU). You can also select Enforce license limit, which will not allow any other resource to use that license if the number for license type is exceeded.
    5. It is optional for you to select Expand the Tags. Provide the tag key and value you will use on the Amazon EC2 instances you wish to add to this license, as shown in Figure 5. The tag key value will also need to match the value provided when deploying the CloudFormation template.

      After creating a self-managed license, you are able to add custom tags to the license. This image shows the example tags from the post entered into the key-value pair of PO and 1234

      Figure 5: Tagging options when creating a self-managed license. As per the example, we are using the key-value pair PO and 1234.

    6. Select Submit.
  2. Deploy the automation for License Manager detection.
    1. Download CloudFormation template.
    2. If you want to deploy the StackSet across multiple Regions, you will need to ensure you grant self-managed permissions.
    3. Go to the CloudFormation console and select on StackSets on the left and click on Create StackSet on the right side, as shown in Figure 6.

      AWS CloudFormation console with the option to Create StackSet

      Figure 6: AWS CloudFormation console with the option to Create StackSet

    4. If you are deploying into multiple Regions, you will need to provide the IAM role you created in step 1. If you are not deploying into other Regions besides the Region you are currently using, you can skip this step.
    5. For Prepare Template, as shown in Figure 7, select Template is ready. For Specify template, select Upload a template file. Click on Choose file and browse to the path you downloaded the AutodiscoverLicensesBasedOnTag.yml file to. Click on Next.

      Stack creation with the options selected of Template is ready, upload a template file and select Choose file to specify the file provided. The optional field to provide an IAM admin role is optional and only required if you are deploying into other regions within the account.

      Figure 7: Stack creation with the options selected of Template is ready, upload a template file and select Choose file to specify the file provided. The optional field to provide an IAM admin role is optional and only required if you are deploying into other Regions within the account.

    6. Provide a StackSet name.
    7. Figure 8 shows EventBridgeRuleScheduleToAdd, which is a cron statement to control how frequently the automation will run to check for tags to add to License Manager. By default, it will run every Sunday at 12:00 AM.
    8. EventBridgeRuleScheduleToRemove is a cron statement to control how frequently the automation will run to check for resources that have had the tags removed. This will remove the resources from the license. By default, it will run every Sunday at 1 AM.
    9. TagKey is used by the solution to link the Amazon EC2 instance with the self-managed license. You can use PO as an example. Refer to Table 1 for more examples. Click on Next.

      Stack details screen, you must match the TagKey to the TagKey you are using for both the self-managed license as well as the EC2 instances.

      Figure 8: Stack details screen, you must match the TagKey to the tag key you are using for both the self-managed license as well as the EC2 instances.

    10. Leave Configure StackSet options as default. If your organization requires modifications to these options, they should not affect the functionality of the solution. Select Next.
    11. For Set deployment options, you will need to provide the account you are deploying this StackSet into. Since this should only be a single account deployment, you can copy the account number in the upper right of the console.
    12. As shown in Figure 9, you will also need to specify the Regions you are deploying the StackSet into. If you are deploying into another Region besides the current Region you are in, you will need to make sure you followed Step 1 above for multi-Region deployments. You can use the defaults for Deployment options.

      Within the Set deployment options screen, you will have the option to deploy the StackSet to multiple regions if selected.

      Figure 9: Within the Set deployment options screen, you will have the option to deploy the StackSet to multiple Regions if selected.

    13. Finally, review the stack details. If satisfied with the options, check the box for I acknowledge that AWS CloudFormation might create IAM resources with custom names. Select Submit.

Method 2 – AWS Organizations with multiple accounts

In this scenario, there will be multiple accounts. Account A will be the management account in AWS Organizations. A management account is the account you use to create an organization, invite other existing accounts to the organization, designate delegated administrator accounts, apply policies, and more.

The second account, Account B, will be our License Manager account. This account will be the delegated account to manage licenses in all accounts that are part of the organization.

The additional accounts will be where your tagged Amazon EC2 instances and application workloads are deployed that you want to track with License Manager.

To quickly recap, we are using the three following accounts for this example:

  • Account A: Management account
  • Account B: License Manager delegated account
  • Additional accounts (any other account in the organization)

It should be noted that while you will be using a multi-account setup with this method, the licensing solution can be deployed in a single account setup. If you want to use a single account, follow the steps in method 1.

There are three main steps for this multi-account method. If you already have Organizations set up, you can skip to Step 2 (License Manager delegation).

  1. Click on AWS Organizations to access the Organizations console, as shown in Figure 10.
    The home page for the AWS Organizations console. From here you can create an Organization

    Figure 10: The home page for the AWS Organizations console. From here, you can create an Organization.

    1. Click on Create an Organization.
    2. Click on Add an AWS Account.
    3. Here you can either create new accounts to be part of the Organization you just created or add existing accounts. For this scenario, you will be adding existing accounts. To add existing accounts, you will choose Invite an existing AWS Account.
    4. You must verify the management account’s email address before you can invite AWS accounts to join your organization. You can click on Send verification email, as shown in Figure 11.

      When creating an AWS Organization, you can invite existing accounts by sending a verification email by clicking Send verification email.

      Figure 11: When creating an AWS Organization, you can invite existing accounts by sending a verification email by clicking Send verification email.

    5. Check the email address configured with Account A. You should receive an email titled “AWS Organizations email verification request.” Click on the Verify your email address button.
    6. As shown in Figure 12, you can now add the additional accounts you want to be part of the Organization; in this case, Account B and any other account you want to manage as part of your multi-account solution. To do this, select Add an AWS Account. In the next window, select Invite an existing AWS account. You can then choose to use the email address or account ID of the AWS accounts to invite. To invite multiple accounts, select Add another Account to provide multiple emails/account IDs. You can optionally add a message to include in the invitation and set tags. Once you’ve finished, select Send Invitation.
    7. To accept the invitation, you can check the email address associated with the account(s) you invited. You will see an email titled “Your AWS account has been invited to join an AWS organization.” In this email, you can select Accept invitation. Optionally, you can log into the accounts you have invited, go to the Organizations console, and click on invitations to accept the invite.
    8. Once all of the invites have been accepted, you should be able to log into the management account (Account A) and see all of the accounts you have added under Organization, as shown in figure 12.

      From the management account, you will be able to see all of the accounts that have been added to the Organization

      Figure 12: From the management account, you will be able to see all of the accounts that have been added to the Organization.

  2. Set up the License Manager Delegated Administrator If you already have License Manager delegations set up, you can skip to Step 3 (Deploy and test the automation).
    1. From the management account, you need to enable License Manager. To do this, go to the AWS License Manager console page and select Start Using AWS License Manager, as shown in Figure 13. You will then be prompted to grant License Manager the required IAM permissions to manage licenses.

      From the AWS License Manager console, to begin tracking your licenses, you can click on Start using AWS License Manager

      Figure 13: From the AWS License Manager console, to begin tracking your licenses, you can click on Start using AWS License Manager

    2. From the AWS License Manager console, you can configure the account delegation. Select Settings. Select the Delegated administration tab. From here, you can set the account to delegate license administration. In this scenario, we are using the licensing Account B, as shown in Figure 14.

      From the Management account, you can register a member account from your organization as the delegated administrator

      Figure 14: From the Management account, you can register a member account from your organization as the delegated administrator

    3. From the account you set as the delegated administrator (in this case, account B), log into License Manager, as shown in figure 15. Select Settings. From the Managed license tab, select Turn On for Cross-account resource discovery. You should only need to perform this step from the account you will be managing licenses from.

      The image shows that cross-account discovery for AWS License Manager has been enabled for this account

      Figure 15: Example from the Licensing account with enabled cross-account discovery.

    4. Link AWS Organizations accounts from Management account (Account A).
    5. Do the same as above for the Licensing account (Account B).
    6. Lastly, you will want to make sure that AWS Resource Access Manager (AWS RAM) is enabled as a trusted service at the organization level. Log into the Management account and go to the AWS Organizations console. Select Services and then select AWS RAM in the list of services. From here, you should be able to enable trusted access. An example of RAM being enabled in AWS Organizations is shown in Figure 16.

      Resource Access Management (RAM) is shown as enabled in AWS Organizaitons for the Management account.

      Figure 16: Resource Access Management (RAM) is shown as enabled in AWS Organizations for the Management account.

  3. Deploy and test the License Management CloudFormation template.
    1. Navigate to the CloudFormation console in the Management account, as shown in figure 17.
    2. Select StackSets.
    3. If you haven’t used StackSets before, complete the CloudFormation StackSets prerequisites. In this example, we are using service-managed permissions. You can use self-managed permissions as well if required.
    4. Choose Create StackSet.

      From the CloudFormation console, you can select StackSets which will present you with an option to Create StackSet

      Figure 17: From the CloudFormation console, you can select StackSets, which will present you with an option to Create StackSet

    5. In the Specify template area, choose Upload a template file. Choose Choose file and select the template you downloaded. Leave all other parameters at their default values. Choose Next.
    6. For Template source, choose Upload a template file. Choose Choose file and select the template you downloaded in step 1. Choose Next.
    7. For Stack name, enter a stack name.
    8. In the Parameters area, set the following fields, as shown in Figure 18:
      1. For the AWSAccountId, enter in the Licensing account (Account B).
      2. EventBridgeRuleScheduleToAdd, which is a cron statement to control how frequently the automation will run to check for tags to add to license manager. By default, it will run every Sunday at 12:00 AM.
      3. EventBridgeRuleScheduleToRemove is a cron statement to control how frequently the automation will run to check for resources that have had the tags removed. This will remove the resources from the license. By default, it will run every Sunday at 1 AM.
      4. TagKey is used to specify the key on tags the automation will search for to add to your self-managed license. You can use PO as an example. Refer to Table 1 for more examples. Click on Next.

        The custom fields will need to be set as part of the StackSet deployment. You will need to specify the License Manager delegate account as well as the TagKey you wish to use. You can leave the defaults or put custom values for the Event Bridge schedules

        Figure 18: The custom fields will need to be set as part of the StackSet deployment. You will need to specify the License Manager delegate account, as well as the TagKey you wish to use. You can leave the defaults or put custom values for the EventBridge schedules.

    9. In the Target Account(s) area, select the OU, Region, and/or additional Regions. Choose Next.
    10. In the Configure stack options page, choose Next.
    11. Select I acknowledge that AWS CloudFormation might create IAM resources with custom names, then choose Submit.
    12. The CloudFormation can take a few minutes to deploy. Once completed, the automation will run at the time you specified (in this example, every 12 hours).
    13. If you would like to test the Lambda function to make sure it is picking up the Amazon EC2 instances, you can go to the Lambda function in one of the target accounts using the console and look for the function named “license-LicenseManagerLambdaFunction-xxxx”. Select the Test tab, provide any name for Event name, and then click on the Test button in the upper right corner.
    14. Once you’ve tested the function or allowed it to run at its scheduled time, you should be able to log into the Licensing account and go to the License Manager console. Select Self-managed licenses and you should see the resources in the application account(s) listed, as shown in Figure 19.

      Once the provided solution has been deployed and ran, you will see the resources which are linked to the license through tags show up as a tracked resource

      Figure 19: Once the provided solution has been deployed and ran, the tagged resources will be linked to the self-managed license.

Cleanup

Deploying this solution will provision AWS resources and incur costs. Once you have completed testing and no longer need the agent scaling mechanism in place, you can remove the provisioned resources by deleting the AWS CloudFormation stack you created as a part of this example. Navigate to the CloudFormation Console and select the stack that you created. Choose Delete, and then choose Confirm when prompted. Any Lambda function that you are using as part of this solution will be deleted, and all resources originally created by the CloudFormation template will be removed.

Conclusion

AWS License Manager has allowed customers more visibility and tracking into their licenses being utilized on AWS infrastructure. By using the template provided in this blog post, you can automatically track license usage across multiple accounts using custom tags and ensure you have an accurate number of resources being used at any one time.

Ali Alzand

Ali Alzand

Ali is a Microsoft Specialist Solutions Architect at Amazon Web Services who helps global customers unlock the power of the cloud by migrating, modernizing, and optimizing their Microsoft workloads. He specializes in cloud operations - leveraging AWS services like Systems Manager, Amazon EC2 Windows, and EC2 Image Builder to drive cloud transformation. Outside of work, Ali enjoys exploring the outdoors, firing up the grill on weekends for barbecue with friends, and sampling all the eclectic food has to offer.

Blake Lyles

Blake Lyles

Blake Lyles is a Microsoft Workloads Specialist Solutions Architect with a special focus on SQL Server. Blake has been at Amazon for over 6 years, spending most of that time working with database workloads, including, SQL Server on EC2, supporting RDS, Database Migration Service, and Amazon DocumentDB. Blake has helped customers migrate and modernize their database workloads on AWS.