AWS hosts more Oracle workloads than any other public cloud, and the licensing exposure on AWS is one of the most common audit findings. Oracle workloads run on AWS through three architectural paths. RDS for Oracle as a Licence Included service. EC2 BYOL using existing perpetual licences. AWS dedicated hosts for cases that require host level isolation. Each path has different compliance implications, different cost economics, and different audit defence postures. This piece walks through the framework that produces clean compliance and predictable cost on AWS.
1. The three architectural paths.
The first path is RDS for Oracle in Licence Included mode. AWS bills both the infrastructure and the Oracle licence. The buyer pays no separate Oracle support and is not exposed to Oracle audit on those workloads. The trade off is the Licence Included pricing, which is materially higher than BYOL, and the lack of flexibility in database configuration.
The second path is EC2 BYOL. The buyer provides existing perpetual licences and runs the database on EC2 instances. The cost economics are favourable but the compliance exposure is meaningful. The third path is AWS dedicated hosts, which provide host level isolation for Oracle workloads. Dedicated hosts are the architecture of choice for organisations that want certainty about the licensing scope. See our public cloud audit note for the audit framework.
2. RDS for Oracle Licence Included.
RDS for Oracle in Licence Included mode is the simplest compliance posture. AWS handles the Oracle licensing relationship, including support and patching. The buyer pays a higher per hour rate for the database service. The Oracle audit team does not pursue Licence Included workloads because the licensing obligation sits with AWS, not the customer.
RDS Licence Included is the right path for workloads that prioritise compliance simplicity over cost optimisation. Smaller workloads, test and development environments, and shorter term projects often work well in Licence Included mode. The economics break down at scale. For mid sized and large workloads, the Licence Included premium compared to BYOL is in the range of three to four times the BYOL price.
3. EC2 BYOL.
EC2 BYOL is the most common AWS path for Oracle workloads at scale. The buyer brings existing Oracle Database Enterprise Edition licences and uses them to cover the EC2 deployment. The cost economics are favourable because the infrastructure cost is separated from the licence cost, and the licence is a sunk cost on the perpetual side.
The compliance exposure on EC2 BYOL has three components. The instance type must qualify for the favourable cloud counting ratio. The licence allocation must be documented and not double counted against on premise deployments. The support stream on the perpetual licences must be current. Each of these is a routine maintenance item that becomes a costly audit finding when neglected. See our BYOL deal page for the contractual treatment.
4. The instance type discipline.
The cloud licensing policy counts vCPUs at a favourable ratio only on qualifying instance types with hyperthreading enabled. The qualifying conditions are specific to AWS instance families. Most general purpose instance families qualify. Bare metal instances do not qualify for the vCPU ratio and revert to core based counting. Some specialised instance families have complex qualifying conditions that require case by case verification.
The buyer side discipline is to pin Oracle workloads to a defined set of qualifying instance types and prohibit deployment on other types. The pin can be enforced through AWS service control policies, infrastructure as code constraints, and operational guardrails. The audit position holds when the discipline is documented and enforced. See our processor counting note for the underlying calculation.
5. The dedicated host architecture.
AWS dedicated hosts provide a physical host that is dedicated to the buyer's account. The licensing implication is that Oracle workloads on dedicated hosts can be licensed at the physical core count of the dedicated host, with the favourable cloud ratio if applicable, and with no cluster wide or mobility exposure. The dedicated host is the closest AWS equivalent to a single tenant on premise server.
The dedicated host costs more per hour than a standard EC2 instance, but the cost difference is normally smaller than the audit exposure savings. Dedicated hosts are the architecture of choice for organisations that prioritise compliance certainty for Oracle workloads on AWS. The architecture also simplifies the BYOL licence allocation by tying licences to specific physical hosts.
6. The cross region replication question.
Cross region replication architectures introduce licensing complexity similar to the on premise DR question. AWS workloads replicated to a secondary region for disaster recovery raise the question of whether the secondary region is passive failover or active deployment. The 10 day failover rule applies to AWS deployments in the same way it applies to on premise, with the same disqualifying conditions for read only workloads, reporting, and testing.
The buyer side approach is to architect cross region replication for clear failover only use, document the standby configuration, and avoid any read only or reporting access to the replicated environment. See our DR audit note for the broader failover framework.
7. The audit defence on AWS.
The audit defence framework for AWS Oracle workloads has five components. First, document the instance type history with explicit evidence of qualifying conditions throughout the audit period. Second, maintain the BYOL licence allocation register with mapping between perpetual entitlements and AWS workloads. Third, verify support continuity for every allocated licence. Fourth, prepare evidence for the DR and failover architecture. Fifth, hold the contract line on actual deployment versus theoretical mobility.
The defence is harder when the architecture is mixed across qualifying and non qualifying instance types, when BYOL allocation is loose, or when the operational discipline has not been enforced. The defence is straightforward when the discipline has been built into the architecture from the deployment date. See our audit defense service for the engagement model.
8. What disciplined buyers do.
- Pick the path deliberately. Choose RDS Licence Included, EC2 BYOL, or dedicated hosts based on workload scale and compliance preference.
- Pin instance types. Restrict Oracle deployments to a defined set of qualifying instance types.
- Maintain the BYOL register. Document the licence allocation explicitly and update with every deployment change.
- Verify support continuity. Confirm support is current on every licence allocated to AWS.
- Architect DR carefully. Cross region replication requires explicit failover discipline.
- Enforce policy through automation. Service control policies and infrastructure as code prevent drift.
- Engage advisory before audit. The architectural defence is built before the audit notice, not afterwards.
For the broader framework see our licensing compliance pillar, the cloud negotiation pillar, the Oracle Database product page, and the Oracle Audit Defense Handbook.
Sitting across from Oracle and not sure your numbers are right?
Most procurement teams bring in an independent advisor before signing. OracleNegotiations.com sits on your side of the table. We run the analysis, build the counter offer, and negotiate alongside your team. Fixed fee or success fee. We only get paid when you save. Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500 plus engagements across Oracle's full product line. We work alongside them on the most complex ULA exits, audit defence cases, and renewal negotiations.