AWS Cloud Operations & Migrations Blog

Prepare for Oracle license audits in AWS using AWS Audit Manager and AWS License Manager

Many of our customers who run Oracle databases need help with managing their Oracle licenses on AWS and ensuring that they have not fallen out of compliance with Oracle’s licensing rules. They must be prepared to provide relevant evidence in an auditor-friendly format during an Oracle license audit.

Gathering evidence in a timely manner to support an Oracle audit event can be a significant challenge due to manual, error-prone, and sometimes distributed processes of managing and tracking license consumption. Organizations typically entrust license administrators (who are in IT or procurement departments) with the responsibility to manage licensing compliance across all their environments. Using AWS License Manager, administrators can create licensing rules to help track Oracle license consumption and provide organizations with visibility and control over their Oracle license usage.

AWS Audit Manager is a fully managed service that provides prebuilt frameworks for common industry standards and regulations. AWS Audit Manager automates the nearly continuous collection of evidence to help you prepare for an audit. This nearly continuous and automated gathering of evidence related to your AWS resource usage also helps simplify risk assessment and compliance with regulations and industry standards.

You can run Amazon RDS for Oracle under two different licensing options: License Included and Bring-Your-Own-License (BYOL). In the License Included option, you don’t need separately purchased Oracle licenses because the Oracle database software has been licensed by AWS. If you already own Oracle database licenses, you can use the BYOL option to run Oracle databases on Amazon RDS. The BYOL licensing option is designed for customers who prefer to use existing Oracle database licenses or purchase new licenses directly from Oracle.

In this blog post we provide an integration that combines the use of AWS Audit Manager with Oracle licensing rules configured in AWS License Manager. We demonstrate how this integration streamlines the gathering of evidence related to your Oracle license usage and helps you prepare for Oracle license audits.

Overview

We show you how to configure the setup for integrating AWS Audit Manager with AWS License Manager in two steps:

  1. Set up AWS Audit Manager: You will create an AWS Audit Manager assessment from AWS License Manager framework  which is used to gather evidence.
  2. Set up AWS License Manager: You will configure AWS License Manager to track Oracle licenses used by database engine editions, options, and management packs used in Amazon RDS for Oracle.

Finally, we show you how to test our scenario by deploying Amazon RDS for Oracle. You’ll initially deploy the Oracle Database Enterprise Edition and then augment your deployment by adding a read replica to the Oracle database running on Amazon RDS. The read replica is configured in read-only mode so it requires an Active Data Guard license from Oracle. In this mode, Oracle Active Data Guard transmits and applies changes from the source database to all read replica databases.  In both cases, we show the evidence gathered to prepare for an Oracle audit using an AWS Audit Manager assessment.

Prerequisites

To complete the steps in this blog post, you need the following:

  • An AWS account
  • An IAM user/role that drives audit preparation and has full permissions over AWS Audit Manager resources

Walkthrough

Step 1: Set up AWS Audit Manager

If this is your first time using AWS Audit Manager, check AWS Audit Manager documentation to set it up.

Create AWS Audit Manager Assessment

1. In the left navigation pane, choose Framework library. Under Standard frameworks, select AWS License Manager and then choose Create assessment from framework.

The Framework library page has tabs for Standard frameworks and Custom frameworks. The Standard framework with AWS License Manager option is selected.

Figure 1: Framework library

2. In Specify assessment details, under Assessment Details enter a name for the assessment (for example, Record License Configuration) and an optional description. Under Assessments reports destination, select an existing Amazon S3 bucket or create new one to store assessment reports and then choose Next.

The Specify assessment details page provides fields for name and description. It also includes sections for Assessment reports destination, Frameworks, and Tags.

Figure 2: Specify assessment details

3. If your account is in an organization created in AWS Organizations, choose the accounts you want to track.

The Specify AWS accounts in scope page provides a table where AWS accounts are organized by account ID, account name, and email.

Figure 3: Specify AWS accounts in scope

4. Under AWS services, AWS License Manager will be selected by default. Choose Next.

In the AWS services list, AWS License Manager is selected. Its category is Management and governance.

Figure 4: AWS License Manager selected in the AWS services list

5. In Specify audit owners, select users from the list.

Use the Specify audit owners page to select an IAM user or role with permissions to access AWS Audit Manager resources.

Figure 5: Specify audit owners

6. On the Review and create page, choose Create assessment.

The assessment is an implementation of the AWS Audit Manager framework. It collects the evidence related to Oracle license consumption, converts it into an auditor-friendly format, and attaches the evidence to the custom license control in the framework.

The Record License Configuration is displayed with a status of Active.

Figure 6: Assessments page

You’ve now completed the AWS Audit Manager setup. Your assessment will start collecting evidence for your Oracle license consumption.

Step 2: Set up AWS License Manager

AWS License Manager performs automatic discovery of Oracle licenses, options, and packs used in Amazon RDS. Now, you will create license configurations in AWS License Manager to automatically track licenses of Amazon RDS for Oracle Enterprise Edition. Optionally, you can create another configuration to track licenses for the Oracle Active Data Guard.

1. In the AWS License Manager console, choose Self-managed licenses, and then choose Create self-managed license configuration.

2. Because you want AWS License Manager to track Oracle database licenses, under Product information, for Product name, choose Oracle database.

3. For Product type, choose Enterprise Edition.

4. For Resource type, choose Amazon RDS.

The Create self-managed license page includes sections for Configuration details, Automated discovery rules, and Tags.

Figure 7: Create self managed license

Now use the AWS License Manager console to create another customer managed license.

1. From the left navigation pane, choose Customer managed licenses, and then choose Create customer managed licenses.

2. Because you want AWS License Manager to track Oracle database option pack licenses, for Product name, choose Oracle database.

3. For Product type, choose Active Data Guard.

4. For Resource type, choose Amazon RDS, and then choose Submit.

On the Customer managed licenses page, the license configuration for Oracle Active Data Guard licenses should be displayed:

Oracle Active Data Guard & Oracle Enterprise Licenses appears in the self managed licenses list. They have a status of Active. 0 of 30 licenses are consumed for both.

Figure 8: Self-managed licenses

You are now ready to test your setup. Follow these steps to create an Amazon RDS for Oracle database. The database in this example has four vCPUs.

Review the Overview of Oracle replicas and then create a read replica for the Amazon RDS for Oracle database with the Active Data Guard option. It consumes an additional four vCPUs.

The Databases page displays a source database (database-1) and replica (database-1-readreplica).

Figure 9: Databases page in the Amazon RDS console

To create a read replica in the read-only mode for the Amazon RDS for Oracle database, you must use the Oracle Active Data Guard option.

Open the AWS License Manager console, and from the left navigation pane, choose Dashboard. You can see that you are now tracking Oracle Active Data Guard licenses.

Oracle Active Data Guard & Oracle Enterprise Licenses in the self managed licenses list. They have status of Active. Both have 8 of 30 licenses consumed.

Figure 10: Self-managed licenses tracking Oracle Licenses

AWS Audit Manager evidence recording

For AWS Audit Manager to record the evidence for your licenses, go to the self-managed licenses your created in AWS License Manager console and refresh. AWS Audit Manager may take up-to 24 – 48 hours to record evidence.

1. In the AWS Audit Manager console, from the left navigation pane, choose Assessments. Choose the Record License Configuration assessment.

2. Choose Controls tab, under Control sets you will see evidence collected by the assessment.

The Figure shows assessment detals, control status summary and control sets with collected evidence

Figure 11: Evidence Collection Summary

3. Select control 3.0.4. Under Evidence folders, select the evidence and choose Add to assessment report.

Figure shows the control details, control status and the evidence folders tab with evidence collected. It has the option to add evidence to assessment report

Figure 12: Adding Evidence to assessment report

4. Navigate to Record License Configuration assessment, select Assessment report selection and then choose Generate Assessment Report.

Figure shows assessment detals with Assessment report selection tab selected with the option of generating report

Figure 13: Generate assessment report

You can now select and download the assessment report, which includes all your selected evidence. The report is available in your chosen S3 bucket as well.

The demo-record-license-configuration is selected. It has a status of Generated.

Figure 14: Assessment reports

Cleanup

To avoid ongoing charges, delete the Assessment you created. If you created Oracle Database or any read replica as a part of this exercise and if you do not need them, delete them.

There is no additional charge for using License Manager. You pay only for the AWS resources that are managed by License Manager, based on the AWS pricing of the resources.

Conclusion

In this blog post, we showed you how the combined use of AWS Audit Manager with custom Oracle licensing rules configured in AWS License Manager can help simplify audit preparation for an Oracle license audit. The setup described in this post uses AWS License Manager to automatically discover and track your Oracle license usage. It uses the integration between AWS License Manager and AWS Audit Manager to streamline the gathering of evidence in preparation for Oracle license audits. For more information on AWS Audit Manager, check the AWS Audit Manager documentation.

About the authors

About the author Kanishk Mahajan

Kanishk Mahajan

Kanishk Mahajan has been leading AWS cloud transformation, solution architecture and delivery teams for customers for several years. Currently at AWS, Kanishk specializes in the domains of management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member at AWS in each of those domains.

Author photograph - Pranjal Gururani

Pranjal Gururani

Pranjal Gururani is a Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with family during his spare time.