Integrating SAP Key Management Service (SAP KMS) with AWS Key Management Service (AWS KMS)
SAP KMS is a multi-cloud SaaS application that helps organizations maintain visibility, control, and encryption of their data in the cloud. It consists of two main services:
Transparency and Control Service, which provides data governance capabilities, including data lineage, auditing, and compliance monitoring.
Key Management Service, which enables customer-managed encryption keys for data stored in various cloud services, including AWS. Please note that SAP KMS is not the same as AWS KMS.
SAP KMS is typically used by SAP customers for the following:
Data Governance and Compliance. SAP KMS helps organizations comply with global data protection regulations, such as GDPR and CCPA, by providing visibility, control, and auditing over data storage and processing.
Data Transparency. SAP KMS offers real-time insights, data lineage tracking, and auditing capabilities for monitoring data usage and compliance status across cloud environments.
Security and Access Control. SAP KMS implements advanced security measures, including encryption, access controls, and anomaly detection, to protect sensitive data from unauthorized access.
Automation and Policy Management. SAP KMS automates the enforcement of data policies and allows for customizable policies tailored to specific business needs and regulatory requirements.
As an alternative to using SAP KMS' own Key Management Service, SAP KMS can be integrated with AWS KMS. Using AWS KMS as the keystore for SAP KMS gives a consistent, centralized approach to key management, especially where AWS KMS is already used for other AWS workloads: integration is seamless, key lifecycle management is streamlined, and security benefits from AWS's encryption and access control mechanisms.
This integration allows customers to manage and control the encryption keys used to protect their sensitive data, ensuring greater security and compliance. SAP KMS can be interfaced with AWS KMS either in BYOK (Bring Your Own Key) or HYOK (Hold Your Own Key) scenarios:
| Area | AWS KMS (BYOK Scenario) | AWS KMS (HYOK Scenario) |
|---|---|---|
| Supported Key Types | AES, RSA | RSA |
| Supported Key Sizes | 3072, 4096 | 3072, 4096 |
| Key Management | Key is created in the AWS KMS keystore and imported into the SAP KMS-provided tenant | Key is created and stored in the AWS KMS keystore |
| Key Revocation | Key can be disabled or deleted at any time | Key can be disabled or unregistered at any time |
Note that SAP recommends that keystores be enabled in the same AWS Region as the consuming SAP service and the SAP KMS tenant (see
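Before registering an AWS KMS key with SAP KMS, it is worth checking the key against the table above and the same-Region recommendation. The following pre-flight check is an added example, not SAP's or AWS's code: it works on the KeyMetadata shape returned by AWS KMS DescribeKey (KeySpec, KeyUsage, KeyState, Arn), assumes the table's 3072/4096 sizes refer to RSA (AWS KMS reports AES keys as SYMMETRIC_DEFAULT without a size), and assumes the key is used for encryption, so KeyUsage must be ENCRYPT_DECRYPT; the sample metadata, account id and key id are constructed placeholders.

```python
"""Pre-flight check of an AWS KMS key for SAP KMS BYOK/HYOK registration.
Runs on DescribeKey KeyMetadata, so no AWS credentials are needed here."""

# KeySpec values as AWS KMS reports them. Assumption: the "3072, 4096" sizes
# apply to RSA; AWS KMS symmetric keys appear as SYMMETRIC_DEFAULT (AES-256).
ALLOWED_SPECS = {
    "BYOK": {"SYMMETRIC_DEFAULT", "RSA_3072", "RSA_4096"},
    "HYOK": {"RSA_3072", "RSA_4096"},
}

def key_region(arn: str) -> str:
    """Extract the Region from arn:aws:kms:<region>:<account>:key/<id>."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3]

def check_key(metadata: dict, scenario: str, tenant_region: str) -> list:
    """Return a list of findings; an empty list means the key is usable."""
    if scenario not in ALLOWED_SPECS:
        raise ValueError(f"unknown scenario {scenario!r}; use BYOK or HYOK")
    findings = []
    spec = metadata.get("KeySpec", "")
    if spec not in ALLOWED_SPECS[scenario]:
        findings.append(f"KeySpec {spec} not supported for {scenario}")
    # Assumption: SAP KMS encrypts data with the key, so a signing-only key
    # (KeyUsage SIGN_VERIFY) serves neither scenario.
    if metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        findings.append("KeyUsage must be ENCRYPT_DECRYPT")
    # A disabled or pending-deletion key is effectively revoked.
    if metadata.get("KeyState") != "Enabled":
        findings.append(f"KeyState is {metadata.get('KeyState')}, not Enabled")
    # SAP recommends the keystore sit in the same Region as the tenant.
    region = key_region(metadata["Arn"])
    if region != tenant_region:
        findings.append(f"key Region {region} differs from tenant Region {tenant_region}")
    return findings

# Constructed sample: RSA-3072 key in eu-central-1 with placeholder account/key id.
SAMPLE_KEY = {
    "Arn": "arn:aws:kms:eu-central-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    "KeySpec": "RSA_3072",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
}

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, "HYOK", "eu-central-1"))  # []
```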
AWS BYOK Scenarios
Below is the SAP KMS integration with AWS KMS in the BYOK scenario.
In the diagram above:
Key is created in AWS KMS keystore
Key is imported into SAP KMS tenant
SAP KMS encrypts SAP data at application level
Below is the SAP KMS integration with AWS KMS in the HYOK scenario.
In the diagram above:
Key is created in AWS KMS keystore
Key is stored in AWS KMS and retrieved by SAP KMS when required
SAP KMS encrypts SAP data at application level