Settings in AWS License Manager - AWS License Manager

Settings in AWS License Manager

The Settings section of the AWS License Manager console displays settings for the current account. You must configure settings to enable associated functionality.

Managed licenses

The following settings are configurable for managed licenses:

  • Distribution of managed entitlements and self-managed licenses to your organization

  • Cross-account resource discovery

  • Amazon SNS notification

For more information, see Managed licenses.

Linux subscriptions

The following settings are configurable for Linux subscriptions:

  • Discovery and aggregation of Commercial Linux license subscription data

  • Red Hat Subscription Manager (RHSM) discovery for Linux subscriptions

For more information, see Linux subscriptions.

User-based subscriptions

The following settings are configurable for user-based subscriptions:

  • AWS Managed Microsoft AD

  • Virtual Private Cloud (VPC)

For more information, see User-based subscriptions.

Delegated administration

This tab is displayed if your account has administrative access for your organization. As an administrator, you can register a delegated administrator from the AWS CLI or AWS Management Console. For more information, see Delegated administrators.

Edit License Manager settings

To edit your License Manager settings, follow these steps:

  1. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  2. In the left navigation pane, choose Settings.

  3. Choose the tab containing the settings to configure. For example, choose Managed licenses to configure Account details.

  4. After you've configured your settings, choose Save, or choose Cancel to back out.

Managed licenses

The following settings are available for managed licenses.

Account details

You can review your account details to see information such as the account type, whether accounts in AWS Organizations are linked, the account's License Manager S3 bucket ARN, and the AWS Resource Access Manager share ARN. This section also enables you to link your AWS Organizations accounts.

To distribute managed entitlements or self-managed licenses within your organization, choose Link AWS Organizations accounts. The distributed grants for managed entitlements are auto-accepted by all of your member accounts. When you select this option, we add a service-linked role to the management and member accounts.

Note

To enable this option, you must be signed in to your management account and all features must be enabled in AWS Organizations. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.

This selection also creates an AWS Resource Access Manager resource share in your management account, which allows you to seamlessly share self-managed licenses. For more information, see the AWS Resource Access Manager User Guide.

To disable this option, call the UpdateServiceSettings API.

Cross-account resource discovery

You can turn on cross-account resource discovery in order to manage license usage across all of your accounts in AWS Organizations.

To enable cross-account resource discovery in your organization, choose Turn on for cross-account resource discovery. When you turn on the cross-account resource discovery, AWS Organizations will automatically be linked to perform resource discovery across all of your accounts.

License Manager uses Systems Manager inventory to discover software usage. Verify that you have configured Systems Manager inventory on all of your resources. Querying Systems Manager inventory requires the following:

Note

The following AWS Regions don't require Amazon Athena or AWS Glue to query or aggregate inventory data for Systems Manager inventory to discover software usage:

  • Asia Pacific (Jakarta)

  • Israel (Tel Aviv)

Simple Notification Service (SNS)

You can configure an Amazon SNS to receive notifications and alerts from License Manager.

To configure an Amazon SNS topic
  1. Choose Edit next to Simple Notification Service (SNS).

  2. Specify an SNS topic ARN in the following format:

    arn:<aws_partition>:sns:<region>:<account_id>:aws-license-manager-service-*

  3. Choose Save changes.

Linux subscriptions

During the process of discovery, License Manager searches the EC2 instances that are running under your AWS account for Linux subscriptions. It detects if you have more than one Linux subscription defined for any instances, and aggregates the data.

Linux subscriptions settings

You can configure settings for Linux subscriptions to control how License Manager handles discovery and aggregation. Default discovery settings apply across all types of Linux subscriptions.

The following actions are available to configure Linux subscription discovery.

Edit

Change settings for Linux subscription discovery.

Deactivate

Deactivate discovery and aggregation for Linux subscriptions associated with your EC2 instances. If you also have discovery activated for Red Hat Subscription Manager, License Manager first deactivates your RHSM registered provider, then it continues with deactivation for Linux subscription discovery.

Note

Deactivation doesn't affect your access secret for Red Hat Subscription Manager (RHSM). To avoid charges on your AWS bill for an associated secret that you no longer need, see Delete an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

 

The following settings are displayed in the License Manager console for Linux subscription discovery.

Linux subscription discovery settings
Linux subscription discovery

Indicates whether you've activated Linux subscription discovery for your account.

Source AWS Regions

AWS Regions where you want License Manager to discover subscription data.

AWS Organizations

Optionally aggregate subscription data across your accounts in AWS Organizations.

For more information, see Manage Linux subscriptions in License Manager.

Red Hat Subscription Manager discovery

If you've activated Linux subscription discovery, you can configure access for License Manager to retrieve additional data for RHEL subscriptions that are managed through Red Hat Subscription Manager (RHSM).

The following actions are available to configure your RHSM subscription discovery.

Edit tags

Change the tags that are associated with your access secret.

Note

If you need to make other changes to your RHSM subscription, you must deactivate your current registration first, then set up a new registration.

Deactivate

Deactivate your RHSM registered provider.

Note

Deactivation doesn't affect your access secret for Red Hat Subscription Manager (RHSM). To avoid charges on your AWS bill for an associated secret that you no longer need, see Delete an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

 

The following settings are displayed in the License Manager console for RHSM discovery.

Red Hat Subscription Manager discovery settings
Discovery status

Indicates whether you've activated discovery for RHSM subscriptions.

Secret name

Links to the RHSM access secret in AWS Secrets Manager that contains your Red Hat offline token. License Manager uses this secret to generate a new temporary access token to request subscription data from Red Hat Subscription Manager (RHSM).

You can make changes to an existing secret through Secrets Manager. To update tags or other metadata for your secret, see Modify an AWS Secrets Manager secret in the AWS Secrets Manager User Guide. To update the secret value, see Update the value for an AWS Secrets Manager secret.

Last data synchronized on

The timestamp from the last successful update of subscription data from the registered Red Hat Subscription Manager (RHSM) account.

Tags

You can define key value pairs for tags that License Manager assigns to your RHSM access secret in Secrets Manager. To retrieve and decrypt your RHSM access secret, the License Manager service-linked role policy requires the secret, and any associated AWS KMS key, to have the following tag assigned:

"LicenseManagerLinuxSubscriptions": "enabled"

The tag is automatically assigned if License Manager created your secret during the registration process. If you create your own secret for the offline token, make sure that you assign that tag to the secret and to the associated KMS key, if it's encrypted. To add the tag, see Modify an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

User-based subscriptions

The following settings are available depending on which products you require for user-based subscriptions.

AWS Managed Microsoft AD

License Manager requires AWS Managed Microsoft AD to be configured before you can work with user-based subscriptions. For more information, see Manage user-based subscriptions in License Manager.

Virtual private cloud

License Manager requires your VPC to be configured, in addition to your AWS Managed Microsoft AD, when you use user-based subscriptions with Microsoft Office. For more information, see Manage user-based subscriptions in License Manager.

Delegated administrators

You can register a delegated administrator to perform administrative tasks for managed licenses and Linux subscriptions in License Manager. To simplify administration, we recommend using the License Manager console to register a single delegated administrator for each feature of License Manager. Using this approach, you will have a single delegated administrator in your organization for License Manager.

Using the AWS CLI or SDKs, you can register different member accounts in your organization as the delegated administrator for each supported feature of License Manager. This results in different member accounts in your organization being able to perform administrative tasks for managed licenses and Linux subscriptions.

Important

To use the delegated administration features in the License Manager console, you must have the same member account registered as the delegated administrator for each feature of License Manager. If you registered more than one member account as the delegated administrator, you first have to deregister the existing member accounts, and then register the same account for each feature of License Manager.

Before you register a delegated administrator, you must enable trusted access with Organizations. For more information, see Inviting an AWS account to join your organization and Enable trusted access with AWS Organizations.

The following are the features for which you can register a delegated administrator:

Managed licenses

You can perform administrative tasks, such as sharing self-managed licenses with other member accounts, performing cross-account resource discovery, and distributing managed entitlements to other member accounts.

Linux subscriptions

You can perform administrative tasks, such as viewing and managing commercial Linux subscriptions you own and run across AWS Regions and your accounts in AWS Organizations. You can also create and manage Amazon CloudWatch alarms for your Linux subscriptions. The data must first be discovered and aggregated before it is visible in the License Manager console and any alarms can function if they are configured.

Important

Once registered, the delegated administrator has visibility into EC2 instances owned by accounts in your organization.

You can register and deregister delegated administrators using the AWS License Manager console, AWS CLI, or AWS SDKs.

Regions supported for delegated administrators

The following Regions support License Manager delegated administrators:

  • US East (Ohio)

  • US East (N. Virginia)

  • US West (N. California)

  • US West (Oregon)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Asia Pacific (Hong Kong)

  • Middle East (Bahrain)

  • Canada (Central)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Paris)

  • Europe (Stockholm)

  • Europe (Milan)

  • Africa (Cape Town)

  • South America (São Paulo)

Register a delegated administrator

You can register a delegated administrator using the AWS CLI or AWS Management Console.

Console

To register a delegated administrator using the AWS License Manager console, perform the following steps:

  1. Sign in to AWS as the administrator of the management account.

  2. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  3. Choose Settings from the left navigation pane.

  4. Choose the Delegated administration tab.

  5. Choose Register delegated administrator.

  6. Enter the member account ID to register as the delegated administrator, confirm that you want to grant License Manager the required permissions, and then choose Register.

  7. A message indicates if the specified account has been successfully registered as the delegated administrator License Manager.

AWS CLI

To register a delegated administrator for managed licenses using the AWS CLI, perform the following steps:

  1. From the command line, run the following AWS CLI command:

    aws organizations register-delegated-administrator --service-principal=license-manager.amazonaws.com --account-id=<account-id>
  2. Run the following command to verify that the specified account is successfully registered as the delegated administrator:

    aws organizations list-delegated-administrators --service-principal=license-manager.amazonaws.com

To register a delegated administrator for Linux subscriptions using the AWS CLI, perform the following steps:

  1. From the command line, run the following AWS CLI command:

    aws organizations register-delegated-administrator --service-principal=license-manager-linux-subscriptions.amazonaws.com --account-id=<account-id>
  2. Run the following command to verify that the specified account is successfully registered as the delegated administrator:

    aws organizations list-delegated-administrators --service-principal=license-manager-linux-subscriptions.amazonaws.com

Deregister a delegated administrator

You can deregister a delegated administrator using the AWS CLI or AWS Management Console.

Console

To deregister a delegated administrator using the AWS License Manager console, perform the following steps:

  1. Sign in to AWS as the administrator of the management account.

  2. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  3. Choose Settings from the left navigation pane.

  4. Choose the Delegated administration tab.

  5. Choose Remove.

  6. Enter the text remove to confirm you would like to remove the delegated administrator for License Manager and choose Remove.

  7. A message indicates if the specified account has been successfully removed the delegated administrator for License Manager.

AWS CLI

To deregister a delegated administrator for managed licenses using the AWS CLI, perform the following steps:

  1. From the command line, run the following AWS CLI command:

    aws organizations deregister-delegated-administrator --service-principal=license-manager.amazonaws.com --account-id=<account-id>
  2. Run the following command to verify that the specified account is successfully deregistered as the delegated administrator:

    aws organizations list-delegated-administrators --service-principal=license-manager.amazonaws.com

To deregister a delegated administrator for Linux subscriptions using the AWS CLI, perform the following steps:

  1. From the command line, run the following AWS CLI command:

    aws organizations deregister-delegated-administrator --service-principal=license-manager-linux-subscriptions.amazonaws.com --account-id=<account-id>
  2. Run the following command to verify that the specified account is successfully deregistered as the delegated administrator:

    aws organizations list-delegated-administrators --service-principal=license-manager-linux-subscriptions.amazonaws.com

You can register a deregistered account again at any time.