This policy uses the SOAP version of the FlexNet Manager Cloud APIs, checks all EC2 instances running in AWS to determine if the FlexNet Inventory Agent is running on the instance, and reports on any that are missing the agent.
The policy is recommendation-only; no action is taken during the Policy Escalation.
The policy leverages the cloud API to get all current EC2 instances and the FlexNet Manager report (Custom view) API to get all AWS cloud instances with agent. It cross-checks the two lists to determine if any instances are running on the cloud that aren't known to FlexNet Manager. The policy matches the InstanceCloudID from FlexNet Manager System and the instanceId from AWS.
Current limitations:
- Output is limited to max 100000 rows.
This policy has the following input parameters required when launching the policy.
- Allowed/Denied Regions - Whether to treat the Regions parameter as an allow list or a deny list.
- Regions - A list of regions to allow or deny for an AWS account. Please enter the region codes if SCP is enabled (see Available Regions in AWS); otherwise, the policy may fail on regions that are disabled via SCP. Leave blank to consider all regions.
- FlexNet Manager host - Flexera One FlexNet Manager host. Required. Allowed Values: [slo.app.flexera.com, slo.app.flexera.eu, slo.app.flexera.au, slo-uat.app.flexera.com, slo-uat.app.flexera.eu, slo-uat.app.flexera.au]
- FlexNet Manager Report ID - FlexNet Manager Report ID. Required.
- Email addresses to notify - Email addresses of the recipients you wish to notify when new incidents are created
- Account Number - The Account number for use with the AWS STS Cross Account Role. Leave blank when using AWS IAM Access key and secret. It only needs to be passed when the desired AWS account is different than the one associated with the Flexera One credential.
- Tags to ignore - List of tags that will exclude an EC2 instance from being evaluated by this policy. Multiple tags are evaluated as an 'OR' condition. Tag keys or key/value pairs can be listed. Example: 'test,env=dev'.
- Send an email report
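The cross-check between AWS `instanceId` and FlexNet Manager `InstanceCloudID`, combined with the "Tags to ignore" rule, can be sketched as follows. This is an added example, not the policy template's own code: the record shapes, the `ComputerName` field, the function names, and the whitespace/case normalisation are assumptions, and all sample data is constructed.

```python
def parse_ignore_tags(spec):
    """Parse a spec such as 'test,env=dev' into (key, value-or-None) rules."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        rules.append((key.strip(), value.strip() if sep else None))
    return rules

def is_ignored(tags, rules):
    """OR semantics: one matching key, or key=value pair, excludes the instance."""
    return any(key in tags and (value is None or tags[key] == value)
               for key, value in rules)

def missing_agent(ec2_instances, fnms_rows, ignore_spec=""):
    """Return EC2 instances whose instanceId has no matching InstanceCloudID."""
    rules = parse_ignore_tags(ignore_spec)
    # Rows with an empty InstanceCloudID must never count as a match.
    # Trimming and lower-casing is an assumption made for robust comparison.
    known = {row["InstanceCloudID"].strip().lower()
             for row in fnms_rows if row.get("InstanceCloudID", "").strip()}
    return [inst for inst in ec2_instances
            if not is_ignored(inst.get("tags", {}), rules)
            and inst["instanceId"].strip().lower() not in known]

# Constructed sample data (hypothetical instance IDs and report rows).
EC2 = [
    {"instanceId": "i-0aaa0000000000001", "region": "us-east-1", "tags": {"Name": "web-1"}},
    {"instanceId": "i-0aaa0000000000002", "region": "us-east-1", "tags": {"env": "dev"}},
    {"instanceId": "i-0aaa0000000000003", "region": "eu-west-1", "tags": {"env": "prod"}},
    {"instanceId": "i-0aaa0000000000004", "region": "eu-west-1", "tags": {"test": ""}},
]
FNMS = [
    {"ComputerName": "web-1", "InstanceCloudID": "I-0AAA0000000000001 "},
    {"ComputerName": "old-host", "InstanceCloudID": ""},
]

if __name__ == "__main__":
    for inst in missing_agent(EC2, FNMS, "test,env=dev"):
        print(inst["region"], inst["instanceId"], "has no FlexNet Inventory Agent record")
```

Broad ignore rules shrink the report: with the example spec, two of the three unmanaged instances are never evaluated, so ignore tags are worth reviewing alongside the results.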
This Policy Template uses Credentials for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
- AWS Credential (provider=aws) which has the following permissions:
  - ec2:DescribeRegions
  - ec2:DescribeInstances

  Example IAM Permission Policy:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeRegions",
          "ec2:DescribeInstances"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
- Flexera ITAM Credential (provider=flexera) which has the following roles:
  - Web Service or equivalent role in IT Asset Accounts (for calling ITAM SOAP APIs)
The Provider-Specific Credentials page in the docs has detailed instructions for setting up Credentials for the most common providers.
Create a custom view in FlexNet Manager that could look like this:
Click on Preview and filter. Select Amazon Web Services under Inventory device > Hosted in.
Once saved, note the report number in the URL field: you need it when activating the Policy for 'FlexNet Manager System Report ID'.
- AWS
This policy template does not incur any cloud costs.