Integration SAP Key Management Service (SAP KMS) with AWS Key Management Service (AWS KMS) - General SAP Guides

SAP KMS is a multi-cloud SaaS application that helps organizations maintain visibility, control, and encryption of their data in the cloud. It consists of two main services:

  • Transparency and Control Service, which provides data governance capabilities, including data lineage, auditing, and compliance monitoring.

  • Key Management Service, which enables customer-managed encryption keys for data stored in various cloud services, including AWS. Please note that SAP KMS is not the same as AWS KMS.

SAP KMS is typically used by SAP customers for the following:

  • Data Governance and Compliance. SAP KMS helps organizations comply with global data protection regulations, such as GDPR and CCPA, by providing visibility, control, and auditing over data storage and processing.

  • Data Transparency. SAP KMS offers real-time insights, data lineage tracking, and auditing capabilities for monitoring data usage and compliance status across cloud environments.

  • Security and Access Control. SAP KMS implements advanced security measures, including encryption, access controls, and anomaly detection, to protect sensitive data from unauthorized access.

  • Automation and Policy Management. SAP KMS automates the enforcement of data policies and allows for customizable policies tailored to specific business needs and regulatory requirements.

As an alternative to using SAP KMS' own Key Management Service, SAP KMS can be integrated with AWS KMS. Using AWS KMS as the keystore for SAP KMS provides a consistent and centralized approach to key management, especially if AWS KMS is already employed for other AWS workloads, enabling seamless integration, streamlined key lifecycle management, and enhanced security through AWS's robust encryption and access control mechanisms.

This integration allows customers to manage and control the encryption keys used to protect their sensitive data, ensuring greater security and compliance. SAP KMS can be interfaced with AWS KMS either in BYOK (Bring Your Own Key) or HYOK (Hold Your Own Key) scenarios:

Area                  AWS KMS (BYOK scenario)                                AWS KMS (HYOK scenario)
Supported key types   AES, RSA                                               RSA
Supported key sizes   3072, 4096                                             3072, 4096
Key management        Key is created in the AWS KMS keystore and imported    Key is created and stored in the AWS KMS keystore
                      into the SAP KMS-provided tenant
Key revocation        Key can be disabled or deleted at any time             Key can be disabled or unregistered at any time

Note that SAP recommends that keystores be enabled in the same AWS Region as the consuming SAP service and the SAP KMS tenant (see AWS BYOK Scenarios). SAP KMS only supports Single-Region Keys, based on Keystore Region Availability.
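The table and the Region note above amount to a short list of properties an AWS KMS key must have before it is registered with an SAP KMS tenant. The following pre-flight check is an added example, not code from this guide, SAP or AWS: it validates a DescribeKey `KeyMetadata` record (the real AWS KMS response shape; the two sample records here are constructed, not captured from an account) against those properties. Mapping the table's "AES" to the AWS KMS `SYMMETRIC_DEFAULT` key spec, and requiring `ENCRYPT_DECRYPT` key usage, are assumptions of the example rather than statements on this page.

```python
"""Pre-flight validation of an AWS KMS key for use as an SAP KMS keystore.

Checks, per the integration notes: key spec allowed for the chosen scenario
(RSA 3072/4096; AES additionally for BYOK), single-Region key, key still
usable, and key Region equal to the SAP KMS tenant Region.

The input dict has the shape of the ``KeyMetadata`` element returned by the
AWS KMS DescribeKey API; the sample records below are constructed.
"""

from dataclasses import dataclass, field

# Key specs accepted per scenario. RSA 3072/4096 for both scenarios and AES for
# BYOK come from the page; mapping AES onto AWS KMS's SYMMETRIC_DEFAULT spec is
# an assumption of this example.
ALLOWED_SPECS = {
    "BYOK": {"RSA_3072", "RSA_4096", "SYMMETRIC_DEFAULT"},
    "HYOK": {"RSA_3072", "RSA_4096"},
}


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def region_from_arn(arn: str) -> str:
    """Extract the Region from arn:aws:kms:<region>:<account>:key/<id>."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3]


def check_key_for_sap_kms(meta: dict, scenario: str, tenant_region: str) -> CheckResult:
    """Return all reasons the key is unsuitable, or ok=True if there are none."""
    if scenario not in ALLOWED_SPECS:
        raise ValueError(f"unknown scenario {scenario!r}; expected BYOK or HYOK")
    problems = []

    spec = meta.get("KeySpec")
    if spec not in ALLOWED_SPECS[scenario]:
        problems.append(f"key spec {spec} not supported for {scenario}")

    # SAP KMS supports single-Region keys only. DescribeKey reports MultiRegion
    # explicitly; multi-Region key IDs also carry the "mrk-" prefix.
    if meta.get("MultiRegion") or str(meta.get("KeyId", "")).startswith("mrk-"):
        problems.append("multi-Region key; SAP KMS requires a single-Region key")

    # Disabled / PendingDeletion / PendingImport keys cannot serve requests.
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')}, not Enabled")

    # Assumption: the key must be an encryption key, not a signing key.
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append(f"key usage {meta.get('KeyUsage')} is not ENCRYPT_DECRYPT")

    # SAP recommends the keystore live in the same Region as the tenant.
    key_region = region_from_arn(meta["Arn"])
    if key_region != tenant_region:
        problems.append(f"key Region {key_region} differs from tenant Region {tenant_region}")

    return CheckResult(ok=not problems, problems=problems)


# Constructed sample metadata (account ID and key IDs are placeholders).
GOOD_KEY = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeySpec": "RSA_4096",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "MultiRegion": False,
}

BAD_KEY = {
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeySpec": "RSA_2048",
    "KeyUsage": "SIGN_VERIFY",
    "KeyState": "PendingDeletion",
    "MultiRegion": True,
}

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        result = check_key_for_sap_kms(key, "HYOK", "eu-central-1")
        print(name, "OK" if result.ok else "REJECTED")
        for p in result.problems:
            print("  -", p)
```

In a live account the `meta` argument would be the `KeyMetadata` element of `boto3.client("kms").describe_key(KeyId=...)`; running the check before registering the key in the SAP KMS tenant catches the common mistakes (a multi-Region key, a signing key, or a key in another Region) before they surface as failed encryption calls.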

Below is the SAP KMS integration with AWS KMS - BYOK

The SAP KMS integration with AWS KMS - BYOK

In the diagram above:

  • Key is created in AWS KMS keystore

  • Key is imported into SAP KMS tenant

  • SAP KMS encrypts SAP data at application level

Below is the SAP KMS integration with AWS KMS - HYOK

The SAP KMS integration with AWS KMS - HYOK

In the diagram above:

  • Key is created in AWS KMS keystore

  • Key is stored in AWS KMS and retrieved by SAP KMS when required

  • SAP KMS encrypts SAP data at application level