ITOM Cloud License Estimator

This KB article provides a step-by-step guide to using the ITOM Cloud License Estimator store application to validate account credentials and generate resource count reports.

Table of Contents

- Description
- Limitations
- Disclaimer
- Prerequisites
- Azure Configuration
  1. Azure supported resources
  2. Azure API calls
  3. Azure credentials configuration
  4. Create Azure Account Configuration
  5. Generate the Azure Resource Report
- AWS Configuration
  1. AWS Supported Resources
  2. AWS API Calls
  3. AWS Configuration Requirements
  4. AWS Config Aggregator Setup
  5. AWS Credentials Setup In ServiceNow Instance
  6. Create AWS Account Configuration
  7. Generate the AWS Resource Count Report
- Resource Report
- Report Page Overview

Description

The ITOM Cloud License Estimator is a standalone store application with no dependencies on other plugins or store applications. It is used to validate cloud account credentials and generate resource count reports. With just a few steps, users can easily generate reports using this plugin.

Currently, this plugin supports two cloud providers:

- AWS
- Azure

It connects directly to the cloud environment through HTTP API calls from the ServiceNow instance, eliminating the need for a MID server.
For this direct connection to work, the ServiceNow instance must have access to the customer’s cloud environment.

Limitations

- This tool does not use a MID server, so the ServiceNow instance must have direct access to the customer's cloud environment.
- This tool does not support GOV cloud.

Disclaimer

The license counts and estimations provided by this software (prior to using ITOM solutions to manage cloud resources) are based on the current licensing rules and the information and account details supplied by the user. These estimates are for informational purposes only and may not reflect the final licensing requirements. Users are advised to review the licensing agreements and documentation along with their sales representative to arrive at their ultimate licensing decisions.

Prerequisites

- A ServiceNow instance is required to configure the Cloud License Estimator.
- The ITOM Cloud License Estimator (App ID: sn_cle) store application must be installed.
- The cloud environment should be accessible from the ServiceNow instance to make API calls and retrieve resource information.

Azure Configuration

This section provides guidance on configuring Azure accounts and generating reports.

Overview of Configuration Steps:

1. Azure Supported Resources
2. Azure API calls
3. Azure Credential Configuration
4. Create Azure Account configuration
5. Generate the Azure resource report

1. Azure supported resources

This tool currently supports the following Azure resource types.
Licensable resource types: These resources incur charges per ITOM licensing standards:

Resource Type | License ratio (count per SU)
--- | ---
microsoft.compute/virtualmachines | 1
microsoft.sqlvirtualmachine/sqlvirtualmachines | 1
microsoft.cache/redis | 3
microsoft.dbformysql/servers | 3
microsoft.dbforpostgresql/servers | 3
microsoft.documentdb/databaseaccounts | 3
microsoft.sql/managedInstances | 3
microsoft.sql/servers | 3
microsoft.web/sites | 3

Non-Licensable resource types: These resources are not currently chargeable:

- microsoft.compute/availabilitysets
- microsoft.compute/disks
- microsoft.compute/hostgroups/hosts
- microsoft.compute/images
- microsoft.compute/virtualmachinescalesets
- microsoft.containerservice/managedclusters
- microsoft.keyvault/vaults
- microsoft.network/applicationgateways
- microsoft.network/connections
- microsoft.network/dnszones
- microsoft.network/expressroutecircuits
- microsoft.network/loadbalancers
- microsoft.network/localnetworkgateways
- microsoft.network/natgateways
- microsoft.network/networkinterfaces
- microsoft.network/networksecuritygroups
- microsoft.network/privatednszones
- microsoft.network/publicipaddresses
- microsoft.network/routetables
- microsoft.network/virtualnetworkgateways
- microsoft.network/virtualnetworks
- microsoft.resources/subscriptions/resourcegroups
- microsoft.Storage/storageaccounts

2. Azure API calls

This tool utilizes the following Azure API calls to validate accounts and retrieve resource count information.

Management Account Validation:
- API Endpoint: https://management.azure.com/providers/Microsoft.Management/managementGroups/<ManagementAccountID>?api-version=2018-03-01-preview
- This API call verifies the existence and configuration of the specified management account by checking the ManagementAccountID. It validates account access with Service Principal credentials.
Subscription Validation:
- API Endpoint: https://management.azure.com/subscriptions/<subscriptionId>?api-version=2020-01-01
- This endpoint confirms the validity of an individual subscription by querying with subscriptionId, ensuring it is active and accessible through the Service Principal credentials.

Resource groups:
- API Endpoint: https://management.azure.com/subscriptions/<subscriptionID>/resourcegroups?api-version=2021-04-01
- This call retrieves a list of resource groups within a specified subscription (subscriptionID).

Subscriptions under Management Account:
- API Endpoint: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
- Query Parameter: microsoft.resources/subscriptions
- This Resource Graph API call fetches all subscriptions under a specified management account.

Resource Graph API for Resource count Aggregation:
- API Endpoint: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
- This API is used to retrieve an aggregate count of resources across subscriptions or management accounts.

3. Azure credentials configuration

To use this tool, configure the Azure Service Principal Account credentials. This setup is similar to the credentials configuration for Azure Cloud Discovery. This step is optional if credentials are already configured in the ServiceNow instance, as the same credential ID can be referenced in the later steps.

Create Service Principal User in Microsoft Azure portal:

In the Azure portal, create a Service Principal and assign it the Reader role for the management accounts and all of the subscriptions under the management account. For detailed instructions, refer to the "Create Azure cloud credentials" product documentation.

Steps to configure Azure credentials:

1. Navigate to Filter Navigator > All > ITOM Cloud License Estimator > Home.
2. On the Home page, click Go to Credentials to open the Credentials (discovery_credentials) page.
3. Click New > Azure Service Principal and enter the Azure Service Principal Account details. For detailed instructions, refer to the "Create Azure cloud credentials" product documentation.

Outcome: A Credential ID is generated, which will be required when creating configurations in the next steps.

4. Create Azure Account Configuration

The tool supports two types of configurations:

- Management Account: Includes all subscriptions under the management account.
- Single Subscription: Targets a specific subscription only.

Follow these steps to create the account configuration:

1. Navigate to Filter Navigator > All > ITOM Cloud License Estimator > Home.
2. On the Home page, click Create Configuration to open the Create Configuration popup.
3. Enter the following details:
   - Name: Enter a name for the configuration.
   - Cloud Provider: Choose Azure from the list. Additional options will appear:
     - Account ID: Enter the Management account ID or Subscription ID.
     - Management group: Select if the Account ID is a management account.
     - Credentials: Select the Azure Service Principal credentials configured in the previous step: Credentials Configuration.
   - Active: Enable this option.
4. Click Save and run license estimator to generate the report.

Outcome: This step creates the configuration and initiates the license estimator execution.

5. Generate the Azure Resource Report

After clicking "Save and run license estimator", the configuration is saved, and the tool generates the report. You will be redirected to the Report Page, where the status of the report generation can be tracked.

The tool performs the following actions:

- Validate Credentials: The configured credentials are validated against the specified account ID.
- If credential validation is successful:
  - For management accounts:
    - Retrieve all subscriptions under the management account.
    - Validate each subscription with the configured credentials.
    - Resource counts are collected across all subscriptions.
  - For non-management accounts:
    - Retrieve resource counts for the specified subscription.
- Report Generation:
  - If all credential validations are successful and the resource count API calls are successful, the report will be generated.
  - Otherwise, the report will not be generated.

4. Click on Download resource report.

Outcome: Generated Resource Report.

AWS Configuration

This section provides guidance on configuring AWS accounts and generating reports.

Overview of Configuration Steps:

1. AWS Supported Resources
2. AWS API Calls
3. AWS Configuration Requirements
4. AWS Config Aggregator Setup
5. AWS Credential Configuration
6. Create AWS Account configuration
7. Generate the AWS resource report

1. AWS Supported Resources

To retrieve resource counts, the tool utilizes the AWS Config service recorder, which streamlines the collection of resource count information from the AWS Config Aggregator. Since AWS Config supports only a limited range of resources, the tool directly performs region- and resource-specific API calls for any unsupported resources. For more details, please refer to the following sections.

This tool currently supports the following AWS resource types.
Licensable resource types: These resources incur charges per ITOM licensing standards:

Resource Type | License ratio (count per SU) | Is Config Service supported
--- | --- | ---
AWS::EC2::Instance | 1 | Yes
AWS::Lambda::Function | 20 | Yes
AWS::ApiGateway::RestApi | 3 | Yes
AWS::RDS::DBInstance | 3 | Yes
AWS::Redshift::Cluster | 3 | Yes
AWS::Cassandra::Keyspace | 3 | Yes
AWS::ApiGatewayV2::Api | 3 | Yes
AWS::DynamoDB::Table | 3 | Yes
AWS::ElastiCache::ReplicationGroup::Node | 3 | No
AWS::ECS::Container::Instance | 3 | No
AWS::OpenSearchService::Domain | 3 | No
AWS::MemoryDB::Cluster::Node | 3 | No
AWS::AppSync::API | 3 | Yes
AWS::EventBridge::EventBus | 3 | Yes
AWS::MQ::Broker | 3 | Yes
AWS::ElasticBeanstalk::Application | 3 | Yes
AWS::SQS::Queue | 3 | Yes
AWS::StepFunctions::StateMachine | 20 | Yes

Non-Licensable resource types: These resources are not currently chargeable:

Resource Type | Is Config Service Supported
--- | ---
AWS::ElasticLoadBalancing::LoadBalancer | Yes
AWS::KinesisFirehose::DeliveryStream | Yes
AWS::KinesisVideo::Stream | Yes
AWS::S3::Bucket | Yes
AWS::KinesisAnalyticsV2::Application | Yes
AWS::EC2::VPC | Yes
AWS::EC2::Subnet | Yes
AWS::EC2::NatGateway | Yes
AWS::ECS::TaskDefinition | Yes
AWS::EC2::VPNGateway | Yes
AWS::RDS::DBCluster | Yes
AWS::EC2::RouteTable | Yes
AWS::EC2::InternetGateway | Yes
AWS::ECS::Service | Yes
AWS::EC2::NetworkInterface | Yes
AWS::EC2::SecurityGroup | Yes
AWS::Kinesis::Stream | Yes
AWS::EC2::CustomerGateway | Yes
AWS::EC2::VPNConnection | Yes
AWS::EC2::EIP | Yes
AWS::EC2::Host | Yes
AWS::EC2::Volume | Yes
AWS::Cognito::UserPool | Yes
AWS::ECS::Cluster | Yes
AWS::EKS::Cluster | Yes
AWS::ElasticLoadBalancingV2::LoadBalancer | Yes
AWS::EC2::NetworkAcl | Yes
AWS::AutoScaling::AutoScalingGroup | Yes
AWS::ElasticLoadBalancingV2::Listener | Yes
AWS::EC2::KeyPair | No
AWS::EC2::Image | No
AWS::ElastiCache::ReplicationGroup | No
AWS::MemoryDB::Cluster | No
AWS::ECS::Task | No

2. AWS API Calls

Management account validation
- Service: AWS Organizations
- Endpoint: https://organizations.us-east-1.amazonaws.com

Account validation
- Service: AWS Security Token Service (STS)
- Endpoint: https://sts.amazonaws.com
- Action: GetCallerIdentity

Temporary credentials generation using Assume role
- Service: AWS Security Token Service (STS)
- Endpoint: https://sts.amazonaws.com/
- Action: AssumeRole

Member accounts
- Service: AWS Organizations
- Endpoint: https://organizations.us-east-1.amazonaws.com
- Header: X-Amz-Target: AWSOrganizationsV20161128.ListAccounts

Config Service API call for Resource count
- Service: AWS Config
- Endpoint: https://config.<REGION>.amazonaws.com
- Action: SelectAggregateResourceConfig

ECS Cluster
- Service: Amazon ECS
- Endpoint: https://ecs.<REGION>.amazonaws.com
- Headers for actions:
  - List Clusters: X-Amz-Target: AmazonEC2ContainerServiceV20141113.ListClusters
  - List Container Instances: X-Amz-Target: AmazonEC2ContainerServiceV20141113.ListContainerInstances
  - List Tasks: X-Amz-Target: AmazonEC2ContainerServiceV20141113.ListTasks

ElastiCache
- Service: AWS ElastiCache
- Endpoint: https://elasticache.<REGION>.amazonaws.com
- Action: DescribeReplicationGroups

MemoryDB
- Service: AWS MemoryDB
- Endpoint: https://memory-db.<REGION>.amazonaws.com
- Header: X-Amz-Target: AmazonMemoryDB.DescribeClusters

OpenSearch
- Service: Amazon OpenSearch Service
- Endpoint: https://es.<REGION>.amazonaws.com/2021-01-01/domain/

Amazon EC2 - Images
- Service: Amazon EC2
- Endpoint: https://ec2.<REGION>.amazonaws.com
- Action: DescribeImages
- Query parameters:
  - Owned Images: Owner.1 = self
  - Shared Images: ExecutableBy.1 = self

Amazon EC2 - Key Pairs
- Service: Amazon EC2
- Endpoint: https://ec2.<REGION>.amazonaws.com
- Action: DescribeKeyPairs

3. AWS Configuration Requirements

This tool supports the following configuration types. However, at least one account with permanent AWS credentials must be configured in the ServiceNow instance. The tool does not support a credentials-less flow.
- Independent Accounts: Each account has its own credentials configured.
- Management Account with Member Accounts: A management account with credentials, granting access to all member accounts through IAM roles (either a custom role or the default OrganizationAccountAccessRole).
- Accessor Account with Management and Member Accounts: An accessor account with credentials, accessing a management account (via IAM role), which in turn has access to all member accounts (using either a custom role or OrganizationAccountAccessRole).

Types of AWS credentials:

This tool supports both permanent and temporary AWS credentials for configuring access to AWS Service accounts.

- Permanent credentials: The actual AWS credentials for the service account that you add in the Configuration form or the service accounts within the ServiceNow instance.
- Temporary credentials: These credentials are generated by the AWS Security Token Service (AWS STS) for IAM roles. After configuring IAM roles for AWS service accounts, the tool uses these generated temporary credentials to access AWS resources. The default IAM role OrganizationAccountAccessRole can be used, or custom IAM roles can be set up. To use temporary credentials, ensure IAM roles are configured in Service Accounts.

Credential Selection Process:

The tool selects credentials for each AWS account using the following process:

1. Configuration form credentials: If credentials are provided in the configuration form, the tool uses these credentials to access AWS resources for that account.
2. If no configuration form credentials are set:
   - Service accounts check: The tool first checks if permanent credentials are configured under Service Accounts.
   - Accessor Account with IAM Role: If no permanent credentials are available, the tool checks for an accessor account with an associated IAM role. If found, it generates temporary credentials using the AWS STS AssumeRole function for the specified IAM role.
   - Management Account with Member Accounts: If none of the above options are set and the account is a member account, the tool looks for a management account configuration and uses the default IAM role (OrganizationAccountAccessRole) to generate temporary credentials.

Permissions for AWS Resources

- This tool leverages the AWS Config service to retrieve resource counts for resources that are supported by AWS Config. To enable access to these resources, the IAM user/role requires the config:SelectAggregateResourceConfig permission.
- For resources not supported by AWS Config, the tool makes resource-specific API calls. In this case, the IAM user/role will need permissions specific to those resources.

Below is the required policy JSON to grant the necessary permissions for using this tool:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PermissionsNeededForCloudEstimator",
          "Effect": "Allow",
          "Action": [
            "config:ListDiscoveredResources",
            "config:SelectAggregateResourceConfig",
            "ec2:Describe*",
            "ecs:Describe*",
            "ecs:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "es:DescribeDomain",
            "memorydb:Describe*",
            "organizations:Describe*",
            "organizations:DescribeOrganization",
            "organizations:List*"
          ],
          "Resource": "*"
        }
      ]
    }

Note: If you are using credentials configured for AWS Cloud Discovery, ensure that the config:SelectAggregateResourceConfig permission is granted to the AWS Config Aggregator account in order to use this tool.

Configuring IAM Permissions and Trust Relationships in AWS

This guide explains how to configure IAM roles and trust relationships between three types of accounts in AWS: the Accessor Account (IAM user with permanent credentials), the Management Account (IAM role), and the Member Accounts (IAM role). Follow the steps below to set up the roles and trust policies required for secure cross-account access.

1. Accessor Account Configuration (IAM User with permanent credentials)

Create an IAM User in the Accessor Account

- In the Accessor account (e.g., Account ID: XXXXXXXX7410), create an IAM user (e.g., cloud-discovery) with permanent credentials. This IAM user will be responsible for assuming the role in the Management account.
- Ensure this IAM user has appropriate permissions to interact with other AWS resources.
- The full ARN of this user will be: arn:aws:iam::XXXXXXXX7410:user/cloud-discovery.

2. Management Account Configuration (IAM Role)

Create an IAM Role in the Management Account

In the Management Account (e.g., Account ID: XXXXXXXX1520), create an IAM role (e.g., MasterRole). This role will be responsible for assuming roles in member accounts.

Trust Relationship for the IAM Role in the Management Account

Configure the trust policy for the MasterRole to allow the IAM user from the Accessor account to assume this role. Use the following trust policy snippet, replacing the Accessor IAM user's ARN with your actual IAM user's ARN:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::XXXXXXXX7410:user/cloud-discovery"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Permissions for the Management Role

Attach the necessary permissions to the MasterRole. This role must have permissions to assume roles in the member accounts. The policy should look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": [
            "arn:aws:iam::*:role/MemberRole"
          ]
        }
      ]
    }

- Member Role ARN: arn:aws:iam::*:role/MemberRole. Replace MemberRole with the actual IAM role name in your Member accounts.
- This policy allows the Management account IAM role to assume roles (e.g., MemberRole) in all Member accounts.

3. Member Account Configuration (IAM Role)

Note: Repeat the process of creating the IAM roles and setting up trust relationships for each member account that falls under the management account.
Create an IAM Role in Each Member Account

In each Member Account (e.g., Account ID: XXXXXXXX5091), create an IAM role named MemberRole. This role will be assumed by the MasterRole in the Management Account.

Trust Relationship for the Member IAM Role

Set up a trust policy for the MemberRole in the member account that allows the MasterRole from the Management Account to assume it. Replace the role ARN in the following trust policy snippet with your actual role ARN:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::XXXXXXXX1520:role/MasterRole"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Important Notes:

- These steps allow cross-account access only. To access specific resources (e.g., EC2 instances) in an account using either the IAM user or IAM role, you must attach the appropriate permissions as described in the "Permissions for AWS Resources" section.
- Be sure to attach policies granting permissions for specific AWS resources in each account where access is needed.

Summary of this step:

- Accessor Account (IAM User):
  - Create IAM user (cloud-discovery) with permanent credentials.
  - Attach required permissions to interact with AWS resources.
- Management Account (IAM Role):
  - Create IAM role (MasterRole).
  - Configure trust relationship with the Accessor IAM user.
  - Attach permissions to assume roles in member accounts.
  - Attach required permissions to interact with AWS resources.
- Member Accounts (IAM Role):
  - Create IAM role (MemberRole) in each member account.
  - Configure trust relationship with the Management Account IAM role.
  - Attach required permissions to interact with AWS resources.

4. AWS Config Aggregator Setup

This setup is performed in the AWS console.
An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:

- Multiple accounts and multiple regions.
- Single account and multiple regions.
- An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.

Advantages of using a Central Aggregator:

- The central aggregator allows this tool to access all necessary data from a single location, eliminating the need to loop through each account and region individually.
- This setup significantly improves performance and accelerates the retrieval of resource count data.

Setup Instructions: Please follow the setup instructions in the AWS documentation.

AWS Config Supported Resources: For a list of resources supported by AWS Config, see the AWS documentation: supported resource types.

Outcome of the Config service setup (for use in the 'Create AWS Account configuration' step):

- Account ID where the Aggregator is created.
- Name of the AWS Config Aggregator.
- AWS Region where the Aggregator is created.

Note: This tool retrieves resource counts from the configured AWS Aggregator. When using a Management account, ensure that both the management account and all child accounts are correctly configured with AWS Config. If any account is not configured, the tool will not collect resource counts for that account, which may lead to incomplete data in the tool's generated reports.

5. AWS Credentials Setup In ServiceNow Instance

To use this tool, configure the AWS credentials table (table ID: aws_credentials) by following the steps below. This setup follows a similar process to configuring credentials for AWS Cloud Discovery. If AWS credentials with the required permissions (including config:SelectAggregateResourceConfig) are already set up in the ServiceNow instance, the same credential ID can be referenced in the following steps. In this scenario, the step "Steps to configure AWS Permanent credentials" is optional.
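One way to check, before reusing an existing credential, that its IAM policy covers the API actions this article lists. This is an added example, not ServiceNow's code: the action list is taken from the "AWS API Calls" section, the second policy is constructed, and only identity-policy statements without conditions on Resource "*" are evaluated.

```python
import fnmatch

# IAM action names for the calls named in the "AWS API Calls" section.
# OpenSearch is left out because the article gives only a URL path for it,
# and sts:GetCallerIdentity needs no permission.
REQUIRED_ACTIONS = [
    "organizations:ListAccounts",
    "config:SelectAggregateResourceConfig",
    "ecs:ListClusters",
    "ecs:ListContainerInstances",
    "ecs:ListTasks",
    "elasticache:DescribeReplicationGroups",
    "memorydb:DescribeClusters",
    "ec2:DescribeImages",
    "ec2:DescribeKeyPairs",
]

# The policy published in this article.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PermissionsNeededForCloudEstimator",
        "Effect": "Allow",
        "Action": [
            "config:ListDiscoveredResources", "config:SelectAggregateResourceConfig",
            "ec2:Describe*", "ecs:Describe*", "ecs:List*",
            "elasticache:Describe*", "elasticache:List*", "es:DescribeDomain",
            "memorydb:Describe*", "organizations:Describe*",
            "organizations:DescribeOrganization", "organizations:List*",
        ],
        "Resource": "*",
    }],
}

# Constructed sample: a discovery-style policy that was never extended with
# the AWS Config aggregate query permission.
DISCOVERY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["config:ListDiscoveredResources", "ec2:Describe*", "ecs:List*",
                   "elasticache:Describe*", "memorydb:Describe*",
                   "organizations:List*"],
        "Resource": "*",
    },
}


def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # Action names are case-insensitive; * and ? are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that the policy does not clearly allow.

    Conservative on purpose: an Allow counts only when it is unconditional
    and applies to Resource "*"; any matching Deny blocks the action.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:          # NotAction statements are not evaluated
            continue
        actions = _as_list(stmt["Action"])
        if stmt.get("Effect") == "Deny":
            denied.extend(actions)
        elif (stmt.get("Effect") == "Allow" and "Condition" not in stmt
              and "*" in _as_list(stmt.get("Resource", []))):
            allowed.extend(actions)
    return [a for a in required
            if _matches(denied, a) or not _matches(allowed, a)]


if __name__ == "__main__":
    for name, policy in (("article policy", PAGE_POLICY),
                         ("discovery-only policy", DISCOVERY_ONLY_POLICY)):
        gaps = missing_actions(policy)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```
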
Steps to configure AWS Permanent credentials

These steps guide you in configuring IAM user permanent credentials for the designated account.

1. Navigate to Filter Navigator > All > ITOM Cloud License Estimator > Home.
2. On the Home page, click Go to Credentials to open the Credentials (discovery_credentials) page.
3. Click New > AWS Credentials and enter the details. Refer to the "Procedure" section in the ServiceNow documentation on Configure access to the AWS accounts using permanent AWS credentials. Skip the "What to do next" section, as it does not apply to this tool.

Outcome: A Credential ID is generated, which will be required when creating configurations in the next steps.

Steps to Configure AWS Temporary credentials for IAM role

Note: This step is optional if you are configuring the account with AWS credentials. In that case, skip the steps to configure Service Accounts and proceed to the "Create AWS Account Configuration" step.

These steps guide you in configuring IAM roles to generate temporary credentials using the STS API for a specified account. When using IAM roles for temporary credentials, the Credential ID is optional in the configuration form. However, AWS Service Accounts require an IAM role to be configured in Service Accounts. Ensure at least one Service Account has credentials to generate temporary credentials.

How to Configure Service accounts:

Navigate to Filter Navigator > All > ITOM Cloud License Estimator > Home > Click Service Account List icon.

Configure the Service Accounts with the following options:

- Configure a Service account with Permanent Credentials
- Configuring the Management account with IAM role
- Configuring the member account with custom IAM role

1. Configure a Service account with Permanent Credentials

When an account is configured with permanent credentials, it is referred to as an Accessor account.
This account can be either a management account or a member account.

On the Service account page, click Create New and enter the details:

- Name: Enter the AWS account name.
- Cloud provider: Select AWS.
- Account ID: Enter the AWS account ID.
- Master account: Select if this is a management account.
- Credentials: Select the AWS Credential ID created in the previous step for permanent credentials.
- Master account: Leave blank if not applicable.
- Accessor Account and Accessor role ARN: Not applicable for permanent credentials.

Click Save.

[Image: Example of Permanent Credentials Service account]

Configuring the Management account with IAM role

On the Service account page, click Create New and enter the details:

- Name: Enter the AWS account name.
- Cloud provider: Select AWS.
- Account ID: Enter the AWS account ID.
- Master account: Select this, as you are configuring the Management account.
- Credentials: Leave blank. No credentials are required for this account.
- Master account: Leave blank.
- Accessor Account: Select the account that has a trust relationship with this management account's IAM role.
- Accessor role ARN: Enter the full ARN of the IAM role.

Click Save.

[Image: Example of Management account setup with IAM Role]

Configuring the member account with custom IAM role

Note: If the member account uses the default IAM role (OrganizationAccountAccessRole) to generate temporary credentials, configuring a service account for the member account is not required.
If the member accounts are configured with a custom IAM role, follow these steps to create a service account for each member account under the management account.

Steps to create a Service account:

On the Service account page, click Create New and enter the details:

- Name: Enter the AWS account name.
- Cloud provider: Select AWS.
- Account ID: Enter the AWS account ID.
- Master account: Don't select it, as this is a member account.
- Credentials: Leave blank; no credentials are required for this account.
- Master account: Select the management account from the list.
- Accessor Account: Choose the account that has a trust relationship with this member account's IAM role. This can be either the management account or another member account.
- Accessor role ARN: Enter the full ARN of the custom IAM role.

Click Save.

[Image: Example of member account with Custom IAM Role]

Example configuration:

This example outlines how to set up an Accessor account, a Management account, and Member accounts using custom IAM roles. The configurations show which credentials and roles are required for accessing AWS resources.
Account Name | Account type | Credentials configured | Accessor Account Configured (Accessor Account + Custom IAM Role) | How to access AWS resources
--- | --- | --- | --- | ---
60921000 - Lior_account | Accessor account | Yes | N/A | Uses configured credentials
60921000 - ServiceNow-SW | Management account | No | Yes | Uses configured IAM Role (arn:aws:iam::XXXXXXXX1520:role/MasterRole) to generate temporary credentials via STS API
60921000 - Automation | Member account | No | Yes | Uses configured IAM Role (arn:aws:iam::XXXXXXXX5091:role/MemberRole) to generate temporary credentials via STS API
60921000 - ITOM-Neebula-Oracle | Member account | No | No | Use default role (OrganizationAccountAccessRole) to generate temporary credentials via STS API

Configuration Summary

- Accessor Account: This account requires permanent credentials.
- Management Account: Configure with a custom IAM role for generating temporary credentials.
- Member Accounts:
  - If using a custom IAM role, configure as shown.
  - If using the default IAM role (OrganizationAccountAccessRole), service account configuration is not needed.

6. Create AWS Account Configuration

The tool supports two types of configurations:

- Management Account: Includes all subscriptions under the management account.
- Single Account: Targets a specific account only.

Follow these steps to create the account configuration:

1. Navigate to Filter Navigator > All > ITOM Cloud License Estimator > Home.
2. On the Home page, click Create Configuration to open the Create Configuration popup.
3. Enter the following details:
   - Name: Enter a name for the configuration.
   - Cloud Provider: Choose AWS from the list. Additional options will appear:
     - Account ID: Enter the AWS Account ID.
     - Management Account: Select if the Account ID is a management account.
     - If Credentials Based: Select the AWS credentials configured for this account.
     - If Role Based: If using IAM roles for AWS resource access, ensure the Service Accounts from the previous steps are configured.
   - In the step "2. AWS Config Aggregator Setup", configure the AWS Config Aggregator in AWS and use the resulting details in this section:
     - Config aggregator account: Enter the Account ID where the Aggregator is created.
     - Config aggregator name: Enter the name of the AWS Config Aggregator.
     - Config aggregator region: Enter the AWS Region where the Aggregator is created.
   - Active: Enable this option.

   [Image: Credential Based Configuration]

   [Image: Role Based Configuration]

4. Click Save and run license estimator to save the configuration and generate the report.

Note: The tool retrieves resource counts using the AWS Config API at this endpoint: https://config.<ConfigAggregatorRegion>.amazonaws.com?Action=SelectAggregateResourceConfig. If the Config Aggregator Account differs from the Configuring Account ID, it must be configured with either permanent credentials or an IAM role within the Service Accounts to ensure successful Config API calls. A failed Config API call will result in report generation failure.

7. Generate the AWS Resource Count Report

After clicking "Save and run license estimator", the configuration is saved, and the tool generates the report. You will be redirected to the Report Page, where the status of the report generation can be tracked.

The tool performs the following actions:

- Validate Credentials: The configured credentials are validated against the specified account ID.
- If credential validation is successful:
  - For management accounts:
    - Retrieve all member accounts under the management account.
    - Validate each member account.
    - Resource counts are collected across all accounts using the Config Aggregator for supported resources. For unsupported resources, AWS service-specific API calls will be made for all accounts.
  - For member accounts:
    - Resource counts are collected using the Config Aggregator for supported resources. For unsupported resources, AWS service-specific API calls will be made.
- Report Generation:
  - If all credential validations are successful and the resource count API calls are successful, the report will be generated.
  - Otherwise, the report will not be generated.

4. Click on Download resource report.

Outcome: Generated Resource Report.

Resource Report

The resource report is divided into 2 parts:

- Page 1: Contains details about the configuration and other relevant information.
- Subsequent Pages: Contain resource count details for resources.

[Image: Example of Page 1]

[Image: Example of Subsequent Pages]

Report Page Overview

The Report Page provides detailed information about the status and results of a report generation process. This page is displayed after the successful completion of report generation.

- Configuration Name: The name specified while creating the configuration.
- Report ID: The unique identifier for the generated report.
- Cloud Provider: The cloud provider (e.g., AWS) associated with the configuration.
- Account ID: The ID of the account used for the configuration.
- Management Account: Indicates whether the specified Account ID is a management account.
  - Yes: Account ID is a management account.
  - No: Account ID is not a management account.
- Child Accounts:
  - Displays the child accounts under the management account if the Account ID is a management account.
  - If not a management account, this section remains empty.
- Run Status: Displays the current status of the report generation.
  - Ready: Report generation has not started yet.
  - In progress: Report generation is currently in progress.
  - Completed: Report generation has finished. The result can be either a success or a failure.
- Account Validation: Indicates whether the account(s) were validated successfully.
  - Account credentials Validated: All accounts' credentials were validated successfully.
  - Account Credentials are Incorrect: At least one account's credentials failed validation.
- Total Resource Count:
  - The total count of configured resources across the account(s) at the time of report generation.
  - For management accounts, this includes resources from child accounts.
- Download resource report:
  - If the resource count is successful, this button is enabled.
  - Click this button to download the generated report.
- Scan Status: Provides the status of connection checks and resource count API calls. If the connection check fails, resource count population is skipped.
- Resource Counts: Displays the status of API calls for resource counts and provides additional details about resource counts.
- Logs: For debugging purposes, this tab contains logs to help identify issues during the process.

[Image: Sample report page showing the progress of report generation]

[Image: Sample report page showing the report generation failure scenario]
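When account validation fails, it helps to know which credential and which role hops the tool would have picked for each account. The selection order from the "Credential Selection Process" section is modelled below over service-account records shaped like the example configuration table. This is an added example, not ServiceNow's code: the field names, the credential IDs and the account XXXXXXXX0001 are constructed, and resolving the accessor account recursively is an assumption based on the trust chain the article describes.

```python
DEFAULT_ROLE = "OrganizationAccountAccessRole"


class NoCredentialPath(Exception):
    """No permanent credential can be reached for the account."""


def resolve(account_id, service_accounts, form_credential=None,
            management_account=None, _seen=()):
    """Return the ordered steps that lead to credentials for account_id.

    Each step is ("credential", credential_id) or ("assume_role", role_arn).
    management_account is the management account of the running
    configuration, used for member accounts that have no service-account
    record of their own.
    """
    # 1. Credentials set in the configuration form win outright.
    if form_credential:
        return [("credential", form_credential)]

    if account_id in _seen:
        chain = " -> ".join(_seen + (account_id,))
        raise NoCredentialPath(f"accessor loop: {chain}")
    seen = _seen + (account_id,)
    record = service_accounts.get(account_id, {})

    # 2a. Permanent credentials configured under Service Accounts.
    if record.get("credential_id"):
        return [("credential", record["credential_id"])]

    # 2b. Accessor account plus IAM role: resolve the accessor first, then
    #     assume the configured role with STS AssumeRole.
    if record.get("accessor_account") and record.get("accessor_role_arn"):
        base = resolve(record["accessor_account"], service_accounts,
                       None, management_account, seen)
        return base + [("assume_role", record["accessor_role_arn"])]

    # 2c. Member account with nothing configured: go through the management
    #     account and the default role.
    mgmt = record.get("master_account") or management_account
    if mgmt and mgmt != account_id:
        base = resolve(mgmt, service_accounts, None, None, seen)
        role_arn = f"arn:aws:iam::{account_id}:role/{DEFAULT_ROLE}"
        return base + [("assume_role", role_arn)]

    raise NoCredentialPath(
        f"{account_id}: no credentials, accessor role or management account")


# Constructed records mirroring the example configuration table; account IDs
# are the masked values used in this article.
ACCESSOR, MGMT, MEMBER = "XXXXXXXX7410", "XXXXXXXX1520", "XXXXXXXX5091"
UNCONFIGURED_MEMBER = "XXXXXXXX0001"  # constructed: member with no record

SERVICE_ACCOUNTS = {
    ACCESSOR: {"credential_id": "cred-accessor"},
    MGMT: {
        "is_master": True,
        "accessor_account": ACCESSOR,
        "accessor_role_arn": f"arn:aws:iam::{MGMT}:role/MasterRole",
    },
    MEMBER: {
        "master_account": MGMT,
        "accessor_account": MGMT,
        "accessor_role_arn": f"arn:aws:iam::{MEMBER}:role/MemberRole",
    },
}


def describe(account_id, **kwargs):
    """Render the resolved path as one readable line."""
    steps = resolve(account_id, SERVICE_ACCOUNTS, **kwargs)
    return " -> ".join(f"{kind}:{value}" for kind, value in steps)


if __name__ == "__main__":
    for acct in (ACCESSOR, MGMT, MEMBER):
        print(acct, "=>", describe(acct))
    print(UNCONFIGURED_MEMBER, "=>",
          describe(UNCONFIGURED_MEMBER, management_account=MGMT))
```

Comparing the printed chain with the trust policies configured in AWS shows at which hop an AssumeRole call would be refused.
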