
FNMS and AWS License Manager

Does anyone have any experience with using AWS License Manager with FNMS? Alternatively, does anyone have any insights on cloud discovery? We are looking at:

- Deploying the Flexera Agent

- Getting the agent included in the AMI

(6) Replies

@AlanBenger 

I know that you're asking for experience from others in context of AWS License Manager with FNMS, but to the second part of your question (Alternatively...) you may want to consult the FNMS Inventory Adapters and Connectors Reference where chapter III beginning on pg. 112 provides guidance on how to set this up for AWS.

Thanks,

bmaudlin
By Level 9 Champion

@AlanBenger 

Fundamentally it depends on your AWS environment. 

If you're using AWS, in a traditional DC manner - then you should have no major problems.

If you're using AWS, using the AWS Well-Architected Framework then you will face issues - currently the FNMS agent or beacon infrastructure does not support the following:

- Containerisation

- Rebuild of servers every 30 days

- Autoscaling

- RDS instances

Which are currently the major blockers I have (there may be other issues, I have not come across yet)

Ben

 

mag00_75
By Level 8 Champion

I had many dialogues with our cloud team about how to perform inventory. They didn't want to have a classic inventory agent installed and wanted us to use AWS License Manager. I looked into that product a bit and it's very simplified license management and has AWS Service Manager as the inventory agent.

I know that Flexera's cloud management product has an out-of-the-box connector with AWS SM; if you want to do something similar with FNMS, you can build an inventory adapter. I would compare AWS SM with SCCM: you will have limitations in editions, Oracle inventory etc. AWS SM is better than having nothing, and if you deploy the FNMS agent I still believe AWS SM could be a great secondary source.

We have now started to deploy the FNMS agent; the biggest challenge, however, is to convince the cloud teams that they need to deploy the agent to ensure that we are future-proof compliant, regardless of whether they say they are compliant today.

Then you have all the other challenges to overcome with RDS, BYOL or not, containers.

@mag00_75 

Hi there - we would be interested to make contact, outside of the forum, to hear about the challenges you have faced and how you have overcome them.  We are looking at the possibilities of deploying the FNMS agent to our AWS EC2 instances and we are looking for real world experiences in how you manage licenses in a dynamic, scalable environment.

Any chance you could contact us and we can arrange a conversation:

softwarecompliance@fca.org.uk

Thanks in anticipation.

Andy

Hi @mag00_75 

How were you able to convince the cloud team to allow a standard inventory agent to be installed? As we're having similar discussions...

Seems this is very much a "cloud" thing, but to me at least, I do not believe software inventory can currently be carried out reliably any other way.

With the AWS agent you have referred to, is that AWS Systems Manager (SSM)? As I didn't think that FNMS could process this data natively, as in there is no connector at least.

 

Hi

Let's say that we are still in the process of convincing them to go our way to ensure compliance. With FNMS it's basically two parts that need to be solved: the API calls to get all instances and their status, and the technical inventory.

API Calls

Before 2019R2, FNMS only supported getting info for one AWS account at a time, which led to the cloud team wanting to develop their own script in Lambda to fetch the needed information, and to us needing to build an adapter in FNMS. We skipped this step and focused on other topics for some time.

With 2019R2 we got the improved API scripts from Flexera, and we chose to deploy a beacon in AWS that had a VPC to our internal network.
The cloud team liked the idea that they didn't need to give us any access rights separately, and instead allocated Roles to the beacon instance.

Now we are stuck on the issue that they do now feel that the scripts can scale to the amount of accounts we have. Instead of trying to convince the whole cloud team, I now use my relations with the managers in that organisation to try to get a business decision instead of a technician decision. They also object a bit now to administering it, because for every new account that is created you need to set up the Roles and also add the account to another one. They have created a script to automatically set this up for all new accounts, but the list for the beacon they do not want to manage. So either I need to get my own "governance" account to administer that list or try to convince management.

Technical Inventory

Of course the cloud team wants to run AWS native tools like SSM and, on top of that, AWS License Manager. I have had several dialogues in regard to this topic and said that we can't have multiple tools because we will never get those resources. It lacks functionality; however, they have come a bit further with respect to inventorying RDS instances compared to FNMS.

I convinced them to deploy the Scanner (ndtrack.sh) using SSM, which worked for some time, but then they changed the team and we moved two steps back.
With the upcoming full agents from Flexera there will be better support for inventorying containers, and because of that I need to convince them to go for the full agent and not the scanner. The developers probably want to automate deployment using GitHub or GitLab; one thing that Flexera could do better here is to provide the agent through some common software deployment "market place" so they can fetch the software directly instead of building up a company-specific store.

We have a very decentralised governance in regards to AWS accounts, so I'm trying to convince them that we need to have more central steering in regards to compliance. The best way to convince them is if you have found some compliance issue, and take that example forward. The difficulty is that 99% of everything you have in AWS will probably be compliant if you are using consumption licenses through AWS services and not using BYOSL.

I hope the solutions will develop over time to help all SAM organisations to tackle the cloud challenges.
Hope it gives you some input, but for sure this topic is complex.