DataMasque Portal

Licensing

Introduction

In order to mask data with DataMasque, you require a license. You can obtain one by contacting the sales team: sales@datamasque.com.

You can view and configure the license at the top of the My Account page. Only admin users have permissions to edit the license information.

When the platform is unlicensed, you can still create connections and rulesets, but will not be able to mask any data.

License types

There are two types of licenses:

  • File-based licenses, which are files with names ending in .lic. These can be uploaded through the My Account page.

  • Dynamic licenses, where DataMasque connects to AWS License Manager to check out licenses.

File-based licenses

Free Trial license

Allows masking of up to 1,000 rows or 5 files in a single run. All other data will be left unmasked.

Free Trial licenses expire after 30 days.

Dynamic licenses

Dynamic licenses are specifically designed for use within the AWS ecosystem, and are currently only supported on AWS. Instead of using a traditional license file, DataMasque checks out a contract license directly from your AWS account. This requires an active AWS contract license for DataMasque products to be present in your AWS account.

To use a Dynamic license:

  • Obtain a Dynamic license by purchasing a contract-based DataMasque product through AWS.
  • Ensure that you have a valid contract license in your AWS account.
  • Use the My Account page to select the correct license type (Business or Enterprise).
  • DataMasque will then handle the license checkout process directly with AWS.

Selecting a license type

DataMasque offers two methods for license acquisition: file-based and cloud-based (AWS Contract License). In general, when DataMasque is deployed to an AWS platform (EC2, EKS or ECS), you can choose which method DataMasque uses to obtain its license, offering flexibility depending on your deployment environment and licensing model.

To change the license type, use the Account License Information section of the My Account page:

File-Based and Dynamic License Options

  • To upload a file license:

    • Select Use license file.
    • Click Configure next to License File.
    • In the panel that opens, drag and drop a license file or click to browse and select one.
    • If the license file is invalid, you will see an error message.
    • Otherwise, click Save to apply the license.

    License File Configure Panel

  • To use a Dynamic license:

    • Select AWS Contract License.
    • Click Configure next to AWS Contract License.
    • In the configure panel:
      • AWS Identity: If your contract is in a different AWS account, check Assume role for license check out and enter the billing account role ARN. See Cross-account licensing for setup instructions.
      • Checkout Mode: Choose how DataMasque selects a license product:
        • Automatic (recommended): tries available products in order until one checks out successfully.
        • Specific product: select a specific product from the discovered list. Use this if you have multiple DataMasque subscriptions and want this installation to use a particular one.
        • Disable checkout: checks in any currently held licenses and prevents automatic checkout. Masking runs cannot be executed until checkout is re-enabled.
      • Plan: Select Business or Enterprise to match your contract type. (Hidden when Disable checkout is selected.)
    • Click Save.
    • DataMasque will check out the license in the background and update the status in the Account License Information section.
    • If checkout fails, an error will be shown. Refer to Troubleshooting Dynamic licenses for possible fixes.

    AWS Contract License Configure Panel

When you cannot switch license types

When DataMasque is deployed on a non-AWS platform, or you are using a consumption-based (e.g. hourly) AWS product, only a file-based license is supported. You are not able to replace this license file.

When using a DataMasque Contract Product from AWS Marketplace, you will only see the option to use Dynamic licenses.

Selecting a license type on initial install (AWS Marketplace Contract Product only)

Refer to the AWS Installation page.

You can always change the selected contract license type through the My Account page, as described above.

More details about Dynamic licenses

AWS permissions

To use Dynamic licenses, the IAM role attached to the EC2, EKS cluster, or ECS task must include the following permissions:

{
    "Sid": "DataMasqueLicenseCheckInAndOut",
    "Effect": "Allow",
    "Action": [
        "license-manager:CheckoutLicense",
        "license-manager:CheckInLicense"
    ],
    "Resource": "*"
}

Note: "Resource": "*" is required. AWS License Manager does not support resource-level restrictions for CheckoutLicense, CheckInLicense, or ExtendConsumptionLicense. Scoping the Resource to a specific license ARN will cause an AuthorizationException even when the ARN is correct.

The following permissions are optional. If granted, DataMasque will display additional metadata on the My Account page when using a Dynamic license:

{
    "Sid": "DataMasqueLicenseMetadata",
    "Effect": "Allow",
    "Action": [
        "license-manager:GetLicense",
        "license-manager:GetLicenseUsage",
        "aws-marketplace:SearchAgreements"
    ],
    "Resource": "*"
}

  • license-manager:GetLicense — enables display of the Product Name and Contract Expiry date.
  • license-manager:GetLicenseUsage — enables display of consumed and available entitlement counts in the AWS Contract License configure panel when using Specific product checkout mode.
  • aws-marketplace:SearchAgreements — enables display of the Agreement ID with a link to the AWS Marketplace console. Grant this on the DataMasque instance role for same-account deployments, or on the billing account cross-account role when using assume role (see Cross-account licensing).

If these permissions are not granted, license checkout will still work normally. The product name, contract expiry, agreement ID, and entitlement counts will simply not be shown.

Cross-account licensing

If your AWS Marketplace contract is in a different AWS account from where DataMasque is deployed — for example, a centralised billing account holds the contract while DataMasque runs in a separate production account — you need to give DataMasque access to the license across accounts.

See the Cross-Account Licensing Setup guide for full AWS IAM setup instructions for both approaches below.

Choosing an approach

Approach | How it works | Recommended
Assume role | DataMasque temporarily assumes an IAM role in the billing account when performing license operations. | Yes
License grants | The billing account uses AWS License Manager to grant the license directly to the deployment account. DataMasque checks it out from there without needing cross-account credentials. | No

Assume role is recommended for most deployments because it does not require modifying the license grant and gives fine-grained control over which accounts and roles can access the license.

Assume role setup

DataMasque in the deployment account temporarily assumes an IAM role in the billing account when performing license operations. Setup involves creating a cross-account IAM role in the billing account, granting sts:AssumeRole to the DataMasque instance role in the deployment account, and entering the role ARN in the DataMasque UI.

For full setup instructions, see the Cross-Account Licensing Setup guide.

License grants setup

Note: Assume role is the recommended approach. Use license grants only if your organisation already uses or prefers the AWS License Manager grants workflow.

AWS License Manager allows the billing account to grant license usage directly to another AWS account. Once the deployment account accepts the grant, DataMasque can check out the license without any assume role configuration or role ARN in the UI.

For full setup instructions, see the Cross-Account Licensing Setup guide.

Troubleshooting cross-account setup

  • AccessDenied when checking out a license — Verify that the DataMasque instance role has license-manager:CheckoutLicense and license-manager:CheckInLicense. If using assume role, also confirm the role has sts:AssumeRole permission for the billing account role.

  • AccessDenied when assuming the role — Check that the trust policy on the billing account role references the correct deployment account role ARN, and that the deployment account policy targets the correct billing account role ARN.

  • No products shown in Specific checkout mode — The billing account role may be missing license-manager:ListReceivedLicenses. Add this permission to the role's policy.

  • Role ARN field is greyed out or Save is disabled — The ARN field only becomes active after checking Assume role for license check out. Ensure the value is a valid IAM role ARN (arn:aws:iam::<account-id>:role/<role-name>) before saving.

You can verify assume role is correctly configured using the AWS CLI from an instance that uses the same IAM role as DataMasque:

aws sts assume-role \
    --role-arn arn:aws:iam::<billing-account-id>:role/DataMasqueLicenseRole \
    --role-session-name datamasque-verify-session

If this returns temporary credentials, the IAM setup is correct.
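The two AccessDenied cases above come down to the trust policy and the instance role policy each naming the other role's exact ARN. The following Python check is an added example, not DataMasque code; the function names, account IDs and the role name DataMasqueInstanceRole are constructed for illustration, and the sample policies are deliberately miswired.

```python
import re

# ARN shape given on this page: arn:aws:iam::<account-id>:role/<role-name>
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _assume_role_values(policy, key):
    """Collect `key` from each Allow statement that lists sts:AssumeRole by name."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") == "Allow" and "sts:assumerole" in actions:
            out.append(stmt.get(key))
    return out

def check_assume_role_wiring(instance_arn, billing_arn, trust_policy, instance_policy):
    """Return a list of problems; empty means the two sides reference each other."""
    problems = []
    for label, arn in (("instance", instance_arn), ("billing", billing_arn)):
        if not ROLE_ARN.fullmatch(arn):
            problems.append(f"{label} role ARN is not a valid IAM role ARN")
    # Billing account side: who does the license role's trust policy admit?
    trusted = []
    for principal in _assume_role_values(trust_policy, "Principal"):
        trusted += ["*"] if principal == "*" else _as_list((principal or {}).get("AWS", []))
    if instance_arn not in trusted:
        problems.append("trust policy does not name the DataMasque instance role")
    for p in trusted:
        if p == "*" or p.endswith(":root") or p.isdigit():
            problems.append(f"trust policy principal {p} is wider than one role")
    # Deployment account side: which roles may the instance role assume?
    targets = [r for res in _assume_role_values(instance_policy, "Resource")
               for r in _as_list(res or [])]
    if billing_arn not in targets:
        problems.append("instance policy does not target the billing account role")
    return problems

# Constructed sample: account IDs and DataMasqueInstanceRole are placeholders.
INSTANCE_ARN = "arn:aws:iam::111122223333:role/DataMasqueInstanceRole"
BILLING_ARN = "arn:aws:iam::444455556666:role/DataMasqueLicenseRole"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::444455556666:role/DataMasqueLicenceRole"}]}

if __name__ == "__main__":
    print("\n".join(check_assume_role_wiring(INSTANCE_ARN, BILLING_ARN, TRUST_POLICY, INSTANCE_POLICY)))
```

The check compares ARNs literally and does not evaluate wildcard actions, conditions or Deny statements, so a clean result still needs the aws sts assume-role test above to confirm it.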

On ECS, DataMasque also requires the following permissions to read information about the ECS task under which DataMasque is deployed:

{
    "Sid": "DataMasqueQueryTasks",
    "Effect": "Allow",
    "Action": [
        "ecs:ListTasks",
        "ecs:DescribeTasks"
    ],
    "Resource": "*"
}

Automatic License Renewal

By default, cloud licenses are automatically checked out or renewed in the background approximately every 5 minutes while the DataMasque instance is running. This ensures that your DataMasque instance always has a valid license.

To disable automatic license checkout, click Configure next to AWS Contract License on the My Account page, set Checkout Mode to Disable checkout, and click Save. When checkout is disabled:

  • All active licenses are immediately checked in to AWS License Manager.
  • DataMasque will not automatically check out licenses.
  • Masking runs cannot be executed until checkout is reconfigured and re-enabled.

License units and dimensions

DataMasque's licensing model is based around three product dimensions. For a Business-type Dynamic license, the available dimensions are:

  • business_lic (base license)
  • business_sup (additional license with support plan)
  • business_add (additional license)

Likewise, for enterprise, the dimensions are enterprise_lic, enterprise_sup, and enterprise_add.

All the above dimensions are granted in single Count units. When you purchase a Dynamic license, you might purchase varying numbers of different dimensions, and each will grant one unit.

You can view the dimensions with the maximum number of units, and number of units currently in use, in the AWS License Manager console. Under the granted license, select the License details tab. The Entitlements table shows the dimensions, the maximum number of units, and the number currently in use.

The total number of units is the sum of those across all relevant dimensions (either business or enterprise according to what is selected in the DataMasque UI, but not both). For example, if business_lic shows a Max count of 3, and business_sup shows 2, the total number of available units is five.

The number of units required to use DataMasque depends on the platform, as described below.

Units required on ECS

When DataMasque is deployed on an ECS platform and using a Dynamic license, the number of units required is the larger of the number of agent containers and the number of In-Flight Masking containers currently running, with a minimum of one unit.

For example:

Agent containers running | In-Flight Masking containers running | Units required
0 | 0 | 1
1 | 1 | 1
4 | 1 | 4
2 | 3 | 3

Units required on other platforms

On other platforms (EC2 and EKS), one unit is required.

Troubleshooting Dynamic licenses

  • Ensure the IAM role attached to the EC2, EKS cluster or ECS task has the IAM permissions listed above (license-manager:CheckoutLicense and license-manager:CheckInLicense).
  • On ECS, ensure the task IAM role also has the ecs:ListTasks and ecs:DescribeTasks permissions, and that there is no firewall blocking traffic to the ECS Task Metadata endpoint, which is typically an IP address in the 169.254.172.0/22 CIDR block.
  • On EC2 and EKS, ensure that the IMDS (Instance Metadata Service) configuration is correct and that there is no firewall blocking traffic to IMDS.
  • Use the AWS License Manager console to verify that the granted license is visible and not already in use. If the license is in use but DataMasque is not running, it will automatically be checked in within one hour, whereupon it should display as no longer in use and you can try again.
  • Ensure you have the correct contract license type (Business or Enterprise) set in the Configure panel for AWS Contract License.
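The IAM checks in this list can be run offline against an exported copy of the role's policy before deployment. The following Python linter is an added example, not DataMasque code: it reports missing required actions, a scoped Resource on the checkout and check-in actions (which the note under AWS permissions says causes an AuthorizationException), and optional metadata actions that are absent. The function name, sample policy, account ID and license ARN are constructed for illustration.

```python
import fnmatch

REQUIRED = {"license-manager:CheckoutLicense", "license-manager:CheckInLicense"}
ECS_ONLY = {"ecs:ListTasks", "ecs:DescribeTasks"}
OPTIONAL = {"license-manager:GetLicense", "license-manager:GetLicenseUsage",
            "aws-marketplace:SearchAgreements"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint_instance_policy(policy, platform):
    """Return (errors, notes). Only Allow statements are read; Deny statements,
    conditions, permission boundaries and SCPs are not evaluated."""
    needed = REQUIRED | (ECS_ONLY if platform == "ecs" else set())
    errors, notes = [], []
    for action in sorted(needed | OPTIONAL):
        on_star = on_scoped = False
        for stmt in _as_list(policy.get("Statement", [])):
            allowed = stmt.get("Effect") == "Allow" and _matches(_as_list(stmt.get("Action", [])), action)
            if allowed and "*" in _as_list(stmt.get("Resource", [])):
                on_star = True
            elif allowed:
                on_scoped = True
        # Only checkout and check-in are documented here as rejecting scoped resources.
        if on_star or (on_scoped and action not in REQUIRED):
            continue
        if on_scoped:
            errors.append(f'{action}: Resource must be "*", a scoped ARN gives AuthorizationException')
        elif action in needed:
            errors.append(f"{action}: not granted")
        else:
            notes.append(f"{action}: not granted, metadata will not be shown")
    return errors, notes

# Constructed sample policy (account ID and license ARN are placeholders).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "license-manager:CheckoutLicense",
     "Resource": "arn:aws:license-manager::111122223333:license:l-EXAMPLE"},
    {"Effect": "Allow", "Action": ["license-manager:CheckInLicense",
                                   "license-manager:GetLicense"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ecs:ListTasks", "Resource": "*"},
]}

if __name__ == "__main__":
    for line in sum(lint_instance_policy(SAMPLE_POLICY, "ecs"), []):
        print(line)
```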

Errors when upgrading from v2.29 or below to v2.30 or higher on EKS

Prior to v2.29, DataMasque used the EKS node instance ID to check out licenses, which led to licensing errors when containers were scheduled on different nodes.

As of version 2.30, DataMasque checks out licenses using a consistent ID for the whole cluster, thus fixing this issue. When upgrading to 2.30, any licenses checked out prior to upgrade will still be incorrectly using the node's instance ID, and as a result you may see an error on the My Account page regarding Dynamic licensing. To fix the error, temporarily disable Dynamic licensing, then re-enable it. To do this, click Configure next to AWS Contract License, set Checkout Mode to Disable checkout, and click Save. Then reopen the panel, set Checkout Mode back to Automatic, and click Save.

License breaches

License quota exceeded

When starting a masking run, if your accumulated usage exceeds the quota of your license:

  • If the target database has been masked previously, and has not increased markedly in size, a license breach will be registered, and the masking run will be started as usual. A warning will be displayed in the DataMasque interface and a notification email will be sent to all active admin users of your DataMasque instance.
  • If the target database has not been masked previously, or has increased markedly in size, the masking run will not start.

In the event that you exceed your license quota, you will be unable to mask any new database instances. Contact the DataMasque sales team (sales@datamasque.com) to upgrade your license quota.

License expiry

After license expiry, you will no longer be able to run any data masking tasks. You can however continue to log in and use the rest of the DataMasque web interface as normal.

Automated notification emails

The following email notifications will be sent using the configured SMTP settings as reminders.

  • License breach reminder notification and Expiry reminder notification are automatically scheduled to be sent on the 1st day of applicable months.
  • Summary of license usage is automatically scheduled to be sent weekly for the first month from the start date of the license, then monthly thereafter.

Notification on license limit breach

License limit breaches will trigger email notifications to all active admin users. Once a breach notification email has been sent, subsequent breaches within the following 30 days will not trigger additional notification emails.

License breach reminder notification

An email is sent monthly to all active admin users containing a summary of the license breaches that happened during the last calendar month. If no breach occurred during the last month, this email will not be sent.

Expiry reminder notification

During the last 3 months of the license subscription period, a monthly email notification will be sent to all active admin users with a reminder that the DataMasque license will expire soon. You may also see a reminder message at the bottom left of the screen when logging in to DataMasque.

Summary of license usage

An email is sent every 3 months to usage@datamasque.com containing a summary of the license usage report. This email is also bcc'd to all active admin users.

Note: admin users are bcc'd in License breach reminder notification and Expiry reminder notification emails.

License renewal and upgrade process

Contact the DataMasque sales team (sales@datamasque.com) for license renewal or upgrade.