Security and compliance
The following are additional AWS security resources to help you achieve the optimum level of security for your SAP NetWeaver environment on AWS:
Infrastructure hardening
In some cases, you can further lock down the operating system configuration, for instance to avoid sharing the credentials of your AWS account with an SAP administrator who needs to log on to an Amazon EC2 instance. Refer to Security in Amazon EC2 and Best Practice 6.2 – Build and protect the operating system to learn more.
You can also use Amazon Inspector, an automated solution provided by AWS.
Encryption
An important aspect of securing your workloads is encrypting your data, both at rest and in transit. For more details, refer to the following resources.
You can also refer to the following SAP resources.
Security group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level.
An SAP system is often separated into multiple subnets, with the database in a subnet separate from the application servers, and other components, such as a web dispatcher, in another subnet, possibly with external access.
If workloads are scaled horizontally, or high availability is necessary, you may choose to include multiple, functionally similar Amazon EC2 instances in the same security group. In this case, you must add a rule to your security group that allows traffic between those instances, because membership in the same group does not by itself permit them to communicate.
If Linux is used, some configuration changes may be necessary in the security groups, route tables, and network ACLs. For more information, see Security group rules for different use cases.
Network ACL
A network access control list (ACL) is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets (network ACLs are stateless firewalls at the subnet level). You can set up network ACLs with rules similar to your security groups to add another layer of security to your Amazon VPC.
See Amazon VPC Subnet Zoning Patterns for SAP on AWS.
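The two points made in the security group and network ACL sections above (a shared security group grants nothing until a rule names the group itself; a network ACL is stateless and ordered, so replies need their own rule) are easy to get wrong when zoning an SAP landscape. The following Python model is an added example, not code from the AWS page: it evaluates constructed security group and network ACL rule sets for a web dispatcher, app server and database tier. Group IDs, addresses and the DB_PORT value are assumptions; 32NN and 33NN are the NetWeaver dispatcher and gateway ports for instance number NN.

```python
# Added example (not from the AWS page): a small model of how a security group
# (stateful, allow-only, instance level) and a network ACL (stateless, ordered,
# subnet level) decide whether traffic reaches an SAP tier. Group IDs, addresses
# and ports are constructed; DB_PORT stands in for your database listener port.
import ipaddress
from dataclasses import dataclass, field

DB_PORT = 30015  # constructed placeholder for the database listener port


@dataclass
class SgRule:
    from_port: int
    to_port: int
    source: str  # a CIDR ("10.0.1.0/24") or a security group ID ("sg-app")


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup


def sg_allows(src: Instance, dst: Instance, port: int) -> bool:
    """Stateful: only the destination's inbound rules are checked, the reply is
    implied. Being in the same group grants nothing; a rule must name the group."""
    for r in dst.sg.inbound:
        if not r.from_port <= port <= r.to_port:
            continue
        if r.source == src.sg.sg_id:
            return True
        if "/" in r.source and ipaddress.ip_address(src.ip) in ipaddress.ip_network(r.source):
            return True
    return False


@dataclass
class NaclRule:
    number: int
    action: str  # "allow" or "deny"
    cidr: str
    from_port: int
    to_port: int


def nacl_allows(rules: list, peer_ip: str, port: int) -> bool:
    """Ordered: the lowest-numbered matching rule wins; the implicit final rule denies."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if peer in ipaddress.ip_network(r.cidr) and r.from_port <= port <= r.to_port:
            return r.action == "allow"
    return False


def nacl_round_trip(inbound: list, outbound: list, client_ip: str, server_port: int, client_port: int) -> bool:
    """Stateless: the request needs an inbound allow for the server port AND the
    reply needs an outbound allow for the client's ephemeral port."""
    return nacl_allows(inbound, client_ip, server_port) and nacl_allows(outbound, client_ip, client_port)


def security_group_scenario() -> dict:
    """Two app servers share one group, a web dispatcher sits in another, and the
    database group trusts only the app group."""
    app_sg = SecurityGroup("sg-app")
    web_sg = SecurityGroup("sg-web")
    db_sg = SecurityGroup("sg-db", inbound=[SgRule(DB_PORT, DB_PORT, "sg-app")])
    app1 = Instance("app1", "10.0.2.10", app_sg)
    app2 = Instance("app2", "10.0.2.11", app_sg)
    web = Instance("webdisp", "10.0.1.10", web_sg)
    db = Instance("db", "10.0.3.10", db_sg)
    results = {"app_to_app_before": sg_allows(app1, app2, 3300)}  # gateway port, no rule yet
    # The rule the page calls for when similar instances share a group:
    # the group references itself as the source.
    app_sg.inbound.append(SgRule(3200, 3399, "sg-app"))
    results["app_to_app_after"] = sg_allows(app1, app2, 3300)
    results["app_to_db"] = sg_allows(app1, db, DB_PORT)
    results["web_to_db"] = sg_allows(web, db, DB_PORT)
    return results


def network_acl_scenario() -> dict:
    """App subnet ACL: the web subnet may reach the dispatcher, one host is blocked
    by a lower-numbered deny, and replies need an explicit outbound ephemeral rule."""
    inbound = [NaclRule(100, "allow", "10.0.1.0/24", 3200, 3299),
               NaclRule(90, "deny", "10.0.1.50/32", 0, 65535)]
    outbound = []
    results = {"no_return_rule": nacl_round_trip(inbound, outbound, "10.0.1.10", 3200, 40000)}
    outbound.append(NaclRule(100, "allow", "10.0.1.0/24", 1024, 65535))  # ephemeral replies
    results["with_return_rule"] = nacl_round_trip(inbound, outbound, "10.0.1.10", 3200, 40000)
    results["denied_host"] = nacl_round_trip(inbound, outbound, "10.0.1.50", 3200, 40000)
    return results


if __name__ == "__main__":
    print(security_group_scenario())
    print(network_acl_scenario())
```

Running the script shows app-to-app traffic is refused until the self-referencing rule is added, the web dispatcher never reaches the database port, and a request through the network ACL fails until the outbound ephemeral-port rule exists even though the inbound rule already allows it.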
API call logging
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
For more information, see What Is AWS CloudTrail?
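To show what the "security analysis" mentioned above looks like against the fields CloudTrail records (caller identity, time, source IP, request parameters, response elements), here is an added example that is not code from the AWS page. It scans a constructed CloudTrail log for security group changes that expose SAP ports to the internet, for root console logins, and for denied change attempts. The records follow CloudTrail's JSON layout, but the account number, group IDs, IP addresses, user names and times are made up, and the SENSITIVE_PORTS list is an assumption about an SAP NetWeaver tier.

```python
# Added example (not from the AWS page): scan CloudTrail records for changes that
# weaken an SAP landscape's network perimeter and for root console logins. The
# records follow CloudTrail's JSON layout, but account, group IDs, IPs and times
# are constructed.
import json

# Ports an SAP tier should not expose to the internet (assumption: 32NN/33NN
# dispatcher and gateway, 36NN message server, plus SSH and RDP for admin access).
SENSITIVE_PORTS = [(22, 22), (3389, 3389), (3200, 3399), (3600, 3699)]
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed log in the {"Records": [...]} layout of a delivered CloudTrail file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/sap-admin"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3200, "toPort": 3299,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-15T08:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/sap-admin"},
     "requestParameters": {"groupId": "sg-0d4e5f6a", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 30015, "toPort": 30015,
          "ipRanges": {"items": [{"cidrIp": "10.0.2.0/24"}]}}]}}},
    {"eventTime": "2024-01-15T08:09:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-15T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def caller(rec: dict) -> str:
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("type", "unknown")


def overlaps(lo: int, hi: int, ranges) -> bool:
    return any(lo <= b and a <= hi for a, b in ranges)


def public_ingress_findings(rec: dict) -> list:
    """Successful AuthorizeSecurityGroupIngress that opens a sensitive port to 0.0.0.0/0 or ::/0."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
        return []
    params = rec.get("requestParameters", {})
    out = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)  # absent for ipProtocol "-1"
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        public = PUBLIC_CIDRS.intersection(r.get("cidrIp") or r.get("cidrIpv6") for r in ranges)
        if public and overlaps(lo, hi, SENSITIVE_PORTS):
            out.append(f"{rec['eventTime']} {params.get('groupId')}: ports {lo}-{hi} opened to "
                       f"{sorted(public)} by {caller(rec)} from {rec.get('sourceIPAddress')}")
    return out


def root_login_findings(rec: dict) -> list:
    """Successful console sign-in with the account's root credentials."""
    if (rec.get("eventName") == "ConsoleLogin" and rec.get("userIdentity", {}).get("type") == "Root"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        return [f"{rec['eventTime']} root console login from {rec.get('sourceIPAddress')}"]
    return []


def denied_change_findings(rec: dict) -> list:
    """A denied call changes nothing, but it is still a signal worth reviewing."""
    if rec.get("errorCode") in {"AccessDenied", "Client.UnauthorizedOperation"}:
        return [f"{rec['eventTime']} {rec.get('eventName')} denied for {caller(rec)} "
                f"from {rec.get('sourceIPAddress')}"]
    return []


def scan(log_text: str) -> list:
    """Run every detector over each record of a CloudTrail log file."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        for detector in (public_ingress_findings, root_login_findings, denied_change_findings):
            findings.extend(detector(rec))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The second record (a database port opened only to the application subnet) produces no finding, which is the point of checking both the CIDR and the port range rather than alerting on every ingress change. In practice the same logic runs over the files CloudTrail delivers to Amazon S3 or over a CloudWatch Logs stream, with findings published to an Amazon SNS topic.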
Notification on access
You can use Amazon SNS