Best Practice 6.2 – Build and protect the operating system
Protecting the operating system underlying your SAP software reduces the possibility that a malicious actor could gain unauthorized access to data within the SAP application, impact software availability, or otherwise destabilize your mission-critical implementation. Follow recommendations from SAP, the operating system vendor, the database vendor, and AWS to help secure the operating system. Depending on your chosen SAP solution and operating system, you may need to enable/disable services, set specific kernel parameters, and apply different combinations of security patches. Consider how SAP requirements align with those of your organization, and identify any conflicts.
Suggestion 6.2.1 – Determine an approach for provisioning a secure operating system
An Amazon Machine Image (AMI) provides the information required to launch an EC2 instance. You should be confident that your AMIs are secure at the operating system level; otherwise, security holes could be propagated to any number of instances as AMIs are reused and updated over time.
AMIs can be either standard images from the operating system vendor or custom images that you build yourself. In both cases, you need a consistent approach for ensuring the operating system is secure at launch and is maintained on an ongoing basis. Using infrastructure as code (IaC) tools such as AWS CloudFormation
Refer to the AWS Well-Architected Framework [Security Pillar] guidance on protecting compute resources, specifically the information on performing vulnerability management and reducing the attack surface, for additional details.
- Well-Architected Framework [Security]: Protecting Compute
Suggestion 6.2.2 – Determine an approach for building and patching a secure operating system
As mentioned in the Well-Architected Framework [Security Pillar] discussion on protecting compute, if your chosen operating system is supported by EC2 Image Builder, it can simplify the building, testing, and deployment of your SAP-specific AMIs and their ongoing patch management. Also evaluate AWS Systems Manager Patch Manager, which automates the application of security patches to running instances and so helps maintain the security posture of the operating system between image rebuilds.
- Well-Architected Framework [Security]: Protecting Compute
- AWS Documentation: EC2 Image Builder
- AWS Documentation: AWS Systems Manager Patch Manager
Suggestion 6.2.3 – Review additional security recommendations applicable to your operating system
Determine the complete list of items that are required to harden the operating system underlying the SAP software. For example, file system permissions on Linux-based systems should be set according to SAP guidelines, while limiting Administrator group access is a best practice on Windows-based systems.
The following SAP-specific recommendations might be relevant to your environment:
- SAP Documentation: SAP NetWeaver Security Guide - Operating System Security
- SAP Note: 2808515 - Installing security software on SAP servers running on Linux
Operating System | Guidance
---|---
All Supported UNIX/Linux Operating Systems |
SUSE Linux Enterprise Server |
Red Hat Enterprise Linux |
Microsoft Windows |
Oracle Enterprise Linux |
Suggestion 6.2.4 – Validate the security posture of the operating system
After the operating system has been securely deployed and patched, validating its security posture confirms that the running configuration still matches the hardened baseline and that no unauthorized change has been introduced. Consider automating this validation using third-party host intrusion prevention, intrusion detection, antivirus, and operating system firewall software.
Consider the following services:
- Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
- Amazon GuardDuty is a continuous security monitoring service that analyzes multiple data sources for threats. Use it to highlight activity that may indicate an instance compromise, such as cryptocurrency mining, denial of service activity, EC2 credential compromise, or data exfiltration using DNS. Its Malware Protection feature additionally scans the EBS volumes of an instance that exhibits such behavior for malware.
- AWS Security Hub and AWS Config can be used for aggregation and assessment of operating system based alerts and configuration, along with other AWS services.
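The AWS services above report on vulnerabilities and suspicious behaviour, but they do not know which kernel parameters and services your SAP baseline (Suggestions 6.2.2 and 6.2.3) actually requires. The script below is an added example, not code from the SAP Lens or from AWS, showing how to declare that baseline and check a host against it as part of the validation in this suggestion. The sysctl values and unit names (sshd, firewalld, avahi-daemon, cups) are illustrative choices for the example, not SAP's published requirements, and the script assumes a systemd host whose `systemctl list-unit-files` output has the unit name in the first column and its state in the second. The sample captures at the bottom are constructed so the script runs without a live host.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS SAP Lens): a baseline drift check for the
# kernel parameters and service states that Suggestions 6.2.2-6.2.4 ask you to
# define, apply and then keep validating.  The current state is read through
# two small functions so the same logic can be exercised offline against
# captured output (as in the sample run at the bottom) or on the live host.

# Baseline: one "sysctl.<key>=<value>" or "service.<unit>=enabled|disabled"
# per line.  These values are illustrative hardening settings chosen for the
# example, NOT SAP's published requirements; take the real list from the SAP
# and OS vendor guides referenced above.
SAP_OS_BASELINE='
sysctl.net.ipv4.conf.all.accept_redirects=0
sysctl.net.ipv4.conf.all.send_redirects=0
sysctl.kernel.randomize_va_space=2
sysctl.fs.suid_dumpable=0
service.sshd=enabled
service.firewalld=enabled
service.avahi-daemon=disabled
service.cups=disabled
'

# Current kernel parameters as "key = value" lines: a captured file if $1 is
# given, otherwise `sysctl -a` on the running host.
current_sysctl() {
  if [ -n "${1:-}" ]; then cat "$1"; else sysctl -a 2>/dev/null; fi
}

# Current unit enablement as "unit.service STATE ..." lines (the format of
# `systemctl list-unit-files`): a captured file if $1 is given, else live.
current_services() {
  if [ -n "${1:-}" ]; then cat "$1"
  else systemctl list-unit-files --type=service --no-legend 2>/dev/null; fi
}

# audit_baseline BASELINE [SYSCTL_CAPTURE] [SERVICE_CAPTURE]
# Prints "DRIFT <kind>.<key> expected=<x> actual=<y>" for every deviation and
# returns the number of deviations (0 means the host matches the baseline;
# a shell return value wraps above 255, so treat any non-zero as "drift").
# A parameter or unit that cannot be read is reported as actual=missing.
# Only single-valued sysctl keys are compared (kernel.sem-style tuples are not).
audit_baseline() {
  local baseline="$1" sysctl_state svc_state
  local drift=0 line kind key expected actual
  sysctl_state="$(current_sysctl "${2:-}")"
  svc_state="$(current_services "${3:-}")"

  while IFS= read -r line; do
    [ -z "$line" ] && continue
    kind="${line%%.*}"                  # "sysctl" or "service"
    key="${line#*.}"; key="${key%%=*}"  # parameter name or unit name
    expected="${line#*=}"
    case "$kind" in
      sysctl)  # "key = value" -> the value is the third field
        actual="$(printf '%s\n' "$sysctl_state" | awk -v k="$key" '$1 == k { print $3; exit }')" ;;
      service) # "unit.service STATE [PRESET]" -> STATE is the second field
        actual="$(printf '%s\n' "$svc_state" | awk -v u="$key.service" '$1 == u { print $2; exit }')" ;;
      *) continue ;;
    esac
    [ -z "$actual" ] && actual="missing"
    if [ "$actual" != "$expected" ]; then
      printf 'DRIFT %s.%s expected=%s actual=%s\n' "$kind" "$key" "$expected" "$actual"
      drift=$((drift + 1))
    fi
  done <<EOF
$baseline
EOF
  return "$drift"
}

# Sample run against constructed captures (no live host required).  The
# capture below deliberately has ICMP redirects accepted, avahi-daemon enabled
# and no cups unit at all, so three DRIFT lines are expected.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/sysctl.txt" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
cat > "$demo_dir/services.txt" <<'EOF'
sshd.service enabled enabled
firewalld.service enabled enabled
avahi-daemon.service enabled enabled
EOF
audit_baseline "$SAP_OS_BASELINE" "$demo_dir/sysctl.txt" "$demo_dir/services.txt" \
  || echo "deviations from baseline: $?"
rm -rf "$demo_dir"
```

On a live host, call `audit_baseline "$SAP_OS_BASELINE"` with no capture arguments. Because the check is a single function with a numeric return code, the same body can be placed in an `ExecuteBash` step of the `validate` phase of an EC2 Image Builder component, so a candidate AMI that drifts from the baseline fails the pipeline before it is distributed, or run on a schedule through AWS Systems Manager against the running SAP instances, with the DRIFT lines forwarded to the same aggregation point (for example AWS Security Hub) as the service findings above.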
For more details, refer to the following information:
- Well-Architected Framework [Security]: Secure Operation
- Well-Architected Framework [Security]: Detection
- Well-Architected Framework [Security]: Protecting Compute