AWS SAP AWS-ENT - Slide-Deck
Uploaded by Ankush Adlakha

Migrate, secure, and deploy SAP S/4HANA on AWS

SEPTEMBER 20-22, 2021

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Episode 1: Creating secure foundation for SAP on AWS

Raj Bhatt, Sr. SAP Consultant – HCLS
Sunil Yadav, Principal SAP Consultant
In this SAP on AWS Workshop Series

Day 1: Creating secure foundation for SAP on AWS

What you will learn from this episode:
• AWS security fundamentals for SAP applications
• Selecting an OS Image from AWS Marketplace to support your S/4HANA deployment
• Hardening the image to meet AWS security best practices
Infrastructure and services to elevate your security in the cloud

• Inherit global security & compliance controls
• Scale with superior visibility & control
• Highest standards for privacy & data security
• Automate & reduce risk with deeply integrated services
• Largest ecosystem of security partners & solutions
SAP on AWS Customer Engagement Model
How are SAP customers accelerating SAP projects on AWS?

Phases: Align → Launch → Scale → Optimize

Stream 1 (Working Backwards, Long Range Planning):
• Identify/Align Scope [AWS/OS/DB/SAP]
• Design/Implement Automation Controls (POC)
• Assist/Guide updates to Qualification/Validation Procedures
• Security Visibility
• Change Management / Knowledge Transfer / Enablement Sessions
• Operational Integration & Performance Testing for MVP
• SAP DevSecOps Design/Development
• SAP System Roadmap Creation
• SAP Extend Strategy discussions

Stream 2 (Launch / Testing):
• Solution Standardization Alignment
• Cost Control Approach
• AWS Tools / Build Prototypes (SAP Monitoring/Refresh Automation/Analytics/Cost control)
• SAP Solution build automation
• Integrate AWS SAP build/operation automation solutions
• Resource Assignment
• Customer/Partner Enablement [SAP on AWS KT/Workshops]

Stream 3 (Technical Architecture, Security, Lab environment, Team Norms):
• Technical Alignment / HA/DR
• Incident/Problem Management Best Practices
• Go-Live Security Control Check*
• Finalize Design Architecture
• Build Backup/Restore Automation
• Docs/RunBooks

*Exact sequencing and details of activities usually get finalized during the detailed planning phase
Monitoring & Security for SAP on AWS
Security & compliance underpins our strategy

INFRASTRUCTURE PROVISIONING – Infrastructure as Code: automatically manage and provision hardware (EC2, EBS, S3, CloudFormation)

PROVISIONING / BACK UP / SERVERLESS – SAP Automation on AWS: develop, test and deploy securely in the AWS Cloud (AWS Launch Wizard, AWS BackInt for SAP, Amazon AppFlow)

SECURITY MONITORING – Monitoring and Security: keep your application performant and secure (IAM, Security Groups, Application Firewall, Network Firewall, GuardDuty, CloudWatch, Security Hub, Amazon Macie)

Automation for regulated-industry SAP workloads | Compliant security standards | Develop, test & deploy securely
AWS Security Ecosystem

Services shown on the slide, grouped under Identify, Protect, Detect, Respond, Recover, Automate and Investigate:

AWS Config, AWS Systems Manager, AWS Well-Architected Tool, AWS Trusted Advisor, AWS Transit Gateway, Amazon VPC, Amazon Route 53, Amazon Cloud Directory, Amazon GuardDuty, AWS Security Hub, Amazon Detective, Amazon EventBridge, AWS Step Functions, AWS OpsWorks

AWS Service Catalog, AWS Organizations, Amazon Inspector, Amazon VPC PrivateLink, AWS Direct Connect, AWS Resource Access Manager, AWS Directory Service, AWS IoT Device Defender, AWS Lambda, AWS CloudFormation

Amazon Macie, AWS Shield, IAM, AWS Secrets Manager, AWS KMS, Amazon Cognito, AWS Control Tower, Amazon CloudWatch, AWS CloudTrail, Personal Health Dashboard, AWS Backup, Amazon S3 Glacier

AWS Audit Manager, AWS WAF, AWS Firewall Manager, AWS Certificate Manager, AWS CloudHSM, AWS Single Sign-On, CloudEndure Disaster Recovery
AWS Config
✓ Native, agent-less AWS capability to discover resources in your account
✓ Tracks configuration changes and maintains a history (up to 7 years)
✓ Evaluates configuration changes against compliance policies (using AWS Config rules)
✓ Provides an aggregated view of resource configuration and compliance status across accounts and regions
✓ Integrates with AWS Security Hub and AWS Audit Manager
✓ Integrates with your own ITSM/CMDBs (such as ServiceNow, Jira Service Desk)

AWS Config = Continuous Configuration Auditor

Diagram: changing resources → AWS Config (normalized) → AWS Config rules; outputs: notifications, API access, history and snapshots
Benefits

Continuous monitoring | Continuous assessment | Change management | Operational troubleshooting | Enterprise-wide compliance monitoring, including third-party resources
How it works

• A configuration change occurs in your AWS resources.
• AWS Config records and normalizes the changes into a consistent format.
• AWS Config automatically evaluates the recorded configurations against the configurations you specify.
• Access change history and compliance results using the console or APIs (AWS Config APIs & Console). CloudWatch Events or Amazon SNS alert you when changes occur. Deliver change history and snapshot files to your S3 bucket for analysis.
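The evaluation step is where a Config rule decides compliance for each recorded configuration item. As an added illustration (not code from the deck or an AWS-provided rule), the following custom rule handler marks an EBS volume NON_COMPLIANT when it is not encrypted at rest, which is the kind of storage-encryption check the SAP verification automation on a later slide relies on; the sample volume id, capture time and result token are constructed.

```python
import json
from typing import Any, Dict

# Compliance types understood by the Config PutEvaluations API
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_volume(item: Dict[str, Any]) -> Dict[str, str]:
    """Judge one configuration item recorded by AWS Config.

    Only AWS::EC2::Volume items are judged; deleted resources and other
    resource types come back NOT_APPLICABLE so the rule produces no noise.
    """
    if item.get("configurationItemStatus") in DELETED_STATES:
        return {"complianceType": NOT_APPLICABLE, "annotation": "Resource no longer exists"}
    if item.get("resourceType") != "AWS::EC2::Volume":
        return {"complianceType": NOT_APPLICABLE, "annotation": "Rule evaluates EBS volumes only"}
    configuration = item.get("configuration") or {}
    if configuration.get("encrypted") is True:
        return {"complianceType": COMPLIANT, "annotation": "Volume is encrypted at rest"}
    return {"complianceType": NON_COMPLIANT, "annotation": "EBS volume is not encrypted at rest"}


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Parse the Config invoking event and build the PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    verdict = evaluate_volume(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict["complianceType"],
        "Annotation": verdict["annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point wired to the custom Config rule (assumed deployment)."""
    import boto3  # imported here so the evaluation logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample: the change notification Config sends for an unencrypted volume
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0123456789abcdef0",  # constructed id
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2021-09-20T12:00:00.000Z",
    "configuration": {"encrypted": False, "size": 100, "volumeType": "gp3"},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps(
        {"configurationItem": SAMPLE_ITEM, "messageType": "ConfigurationItemChangeNotification"}
    ),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```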
Conformance Packs

AWS Config Conformance Pack features

Configuration compliance common framework
• A collection of AWS Config rules and remediation actions as a single entity
• Deploys in a single account and Region, or across an organization in AWS Organizations

Immutable
• Individual rules cannot be changed outside of the pack, regardless of access or account permission
• When deployed by an organization’s master account, it cannot be modified by the organization’s member accounts

Sample Templates
• Sample conformance pack templates are available for various operational best practices such as PCI-DSS and AWS Best Practices (S3, DynamoDB and IAM)
• The sample templates provide a starting point for developing your own custom conformance pack
AWS Conformance Packs

SAP on AWS Infrastructure Verification Automation – AWS Platform checks:
• IAM: IAM Policy, AWS User/Admin Policy requirement, Service Role Policy, Security/monitoring tools, Root Account
• VPC: Security Group Hardening, Subnets, DNS resolution, RouteTables, Private EndPoints (S3, EFS, EC2, SSM) Services
• AMI
• Storage (Encryption): EBS, S3, EFS, Versioning, Bucket Level Policies, Life Cycle Policies

AWS Config > Conformance Packs provides 59 templates to select from. Here are some examples:
• Operational Best Practices for FDA 21CFR Part 11
• Operational Best Practices for HIPAA
• Operational Best Practices for PCI DSS (1)
• Operational Best Practices for PCI DSS
• CIS Level 1 Benchmark for AWS
Configuration history of AWS resources (console walkthrough, screenshot slides): AWS Resources → AWS Resource → Resource Timeline → Configuration Changes → Advanced queries → Query editor → Query output
EC2 Image Builder

EC2 Image Builder : Overview and Benefits
Simplify the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.
✓ Improved IT productivity
✓ Simpler to secure
✓ Built-in validation support
✓ Consistent workflow to build and test both Virtual Machine and container images
✓ Centralized policy enforcement
EC2 Image Builder : Features
✓ Automated pipelines to keep images secure and up-to-date
✓ Validate and deploy high quality images into production
✓ Built-in validation support
✓ Minimize unnecessary exposure to security vulnerabilities
✓ Simplified sharing of images across AWS accounts
✓ Supports both Virtual Machine and container images

EC2 Image Builder : How it works

Source Image → Start with a source image → Customize software installed on the image → Secure image with AWS-provided and/or custom templates → Test image with AWS-provided tests and/or your own tests → Distribute “golden” image to selected AWS regions
CIS Benchmarks [an example from the index]

Example… (console walkthrough, screenshot slides):
• CIS Level 1 Benchmark Script in S3 Bucket
• Create Build component for the EC2 Builder recipe
• Infrastructure Configuration
• Create Recipe
• Create Pipeline
• Run the pipeline
• Pipeline build in progress
• Systems Manager → Automations → Execution ID
• Pipeline completes
• Pipeline output
• EC2 → AMI
AWS Systems Manager Session Manager
Benefits

Shorten the time to detect problems | Easy to use Automation | Improve Visibility and Control | Manage Hybrid Environments | Maintain Security and Compliance
How it works

AWS Systems Manager: Systems Manager helps you safely manage and operate your resources at scale
Group resources: Create groups of resources across different AWS services, such as applications or different layers of an application stack
Visualize data: View aggregated operational data by resource group
Take Action: Respond to insights and automate operational actions across resource groups
AWS Systems Manager Features

Operations Management: Explorer, OpsCenter, Incident Manager
Application Management: Application Manager, AppConfig, Parameter Store
Change Management: Change Manager, Automation, Maintenance Window, Change Calendar
Node Management: Fleet Manager, Inventory, Run Command, Patch Manager, Distributor, State Manager, Session Manager
AWS Systems Manager Services

Service: Session Manager
Description: Securely connect to a Managed Instance with a single click, without having to open an inbound port or manage SSH keys

Diagram: Administrator (Console / CLI) → AuthN/AuthZ with IAM → Systems Manager Session Manager → HTTPS → EC2 Instance (Security Group, Application); Audit Log → CloudWatch Logs and S3
Session Manager
• Quickly and securely access your Windows and Linux Managed Instances
• Session Manager is a managed service that provides you with one-click secure access to your Managed Instances
• Centralized access control over who can access your instances and full auditing capabilities
• Quickly view audit trails of user access to Managed Instances
Remove Bastion Hosts

Diagram labels (bastion pattern): Application VPC (App Server, Private Subnet, NAT Gateway, Security group, Availability Zone) peered with a Management VPC (Public Subnet, Internet Gateway, Security group, Private Key); Internet Gateway, Public Subnet, VPC peering
Diagram labels (Systems Manager pattern): AWS EC2 with an IAM policy → Systems Manager → Corporate Network over VPN (Private Key); session records to an S3 bucket, an SNS topic and a CloudWatch Metric
Handling guest authentication
• When a version of SSM Agent that supports Session Manager starts on an instance, it creates a user account with root or administrator privileges called ssm-user
– On Linux machines, the account is added to /etc/sudoers
– On Windows machines, it is added to the Administrators group
• The IAM user/role invokes the session from the browser or CLI, and inside the guest the user operates as the ssm-user
Restricting Access within a Session
• For Windows you can change group membership
• For Linux you can utilize SSMSessionRunAs
– You tag the IAM user or role being used and specify the OS level user name (Recommended)
– Enable support in Session Manager Preferences – all sessions are run by the same OS user for all the IAM
users (Optional)

How it works
• Register your instances with Systems Manager
• IAM User or Role has permissions for Session Manager
• Establish a session within the browser or from the AWS CLI (CLI plugin required)
– Linux connects you to a shell
– Windows drops you into a PowerShell session
• Session history is stored within Session Manager
• Session output can be sent to S3
• Session output can be sent to a CloudWatch Logs group
– Alerting with Metric Filters and SNS, or review with CloudWatch Logs Insights
• Gives you a transcript of the session
Start a Session – Systems Manager Console

Start a Session – EC2 Console
This will open a new tab to a Session Manager session for that instance
Start a Session from AWS CLI
• From your local workstation start a new AWS CLI session
• Install the Session Manager Plugin for the AWS CLI
• Enter the following command:
aws ssm start-session --target "i-1234567890abcdef0"
• Works for Linux or Windows managed instances
• Records fully auditable logs from each session
• Connect to a managed instance securely via Systems Manager
Session Audit Trail Logging
• Session Manager lets you store your Session output logs to:
– S3
– CloudWatch Logs

Logging to S3
Session Manager lets you store your Session output logs to S3

CloudWatch Logs
• Session Manager lets you store your Session output logs to CloudWatch Logs
• Create alerts using Metric Filters off all log events in a Log Group
Session Manager – Additional Session Encryption
• Session data is encrypted with TLS 1.2 by default
• Optionally you can enable additional encryption using KMS
• You provide permission to use the CMK with Session Manager through IAM policies
Session Manager – Secure VPC Use Case
• Session Manager lets you connect to a managed instance in fully-private VPCs
• Three VPC Endpoints are required for Systems Manager use:
com.amazonaws.region.ssm
com.amazonaws.region.ec2messages
com.amazonaws.region.ec2
• One additional interface endpoint is needed for Session Manager use
com.amazonaws.region.ssmmessages
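Added example, not part of the deck: a check that a fully private VPC actually has all four interface endpoints listed above in a usable state, run over constructed describe-vpc-endpoints output (the region eu-west-1 and the VPC ids are made up).

```python
from typing import Any, Dict, List

# Endpoint services named on the slide: three for Systems Manager, one more for Session Manager
SYSTEMS_MANAGER_SERVICES = ("ssm", "ec2messages", "ec2")
SESSION_MANAGER_SERVICES = ("ssmmessages",)


def required_services(region: str) -> List[str]:
    """Fully qualified service names the VPC must expose for the given region."""
    return [f"com.amazonaws.{region}.{svc}"
            for svc in SYSTEMS_MANAGER_SERVICES + SESSION_MANAGER_SERVICES]


def audit_endpoints(region: str, vpc_id: str, describe_output: Dict[str, Any]) -> Dict[str, List[str]]:
    """Compare `aws ec2 describe-vpc-endpoints` output with the required list.

    Reports services with no endpoint in this VPC, and endpoints that exist but
    cannot carry agent traffic yet: not of type Interface, not in state
    'available', or with private DNS disabled (the agent resolves the public
    service hostname, so without private DNS it would need an Internet path).
    Security-group rules on the endpoints (HTTPS/443 from the instance subnets)
    are not part of this output and must be checked separately.
    """
    present = {ep["ServiceName"]: ep
               for ep in describe_output.get("VpcEndpoints", [])
               if ep.get("VpcId") == vpc_id}
    report: Dict[str, List[str]] = {"missing": [], "unusable": []}
    for svc in required_services(region):
        ep = present.get(svc)
        if ep is None:
            report["missing"].append(svc)
            continue
        problems = []
        if ep.get("VpcEndpointType") != "Interface":
            problems.append(f"type={ep.get('VpcEndpointType')}")
        if ep.get("State") != "available":
            problems.append(f"state={ep.get('State')}")
        if not ep.get("PrivateDnsEnabled", False):
            problems.append("private DNS disabled")
        if problems:
            report["unusable"].append(f"{svc}: " + ", ".join(problems))
    return report


def _endpoint(vpc: str, svc: str, ep_type: str = "Interface",
              state: str = "available", dns: bool = True) -> Dict[str, Any]:
    """Build one entry shaped like a describe-vpc-endpoints record (constructed)."""
    return {"VpcId": vpc, "ServiceName": svc, "VpcEndpointType": ep_type,
            "State": state, "PrivateDnsEnabled": dns}


# Constructed sample for a half-finished VPC: one endpoint lacks private DNS,
# one is still pending, one sits in the wrong VPC, and S3 is a Gateway endpoint
SAMPLE_OUTPUT = {"VpcEndpoints": [
    _endpoint("vpc-0abc", "com.amazonaws.eu-west-1.ssm"),
    _endpoint("vpc-0abc", "com.amazonaws.eu-west-1.ec2messages", dns=False),
    _endpoint("vpc-0abc", "com.amazonaws.eu-west-1.ec2", state="pending"),
    _endpoint("vpc-0abc", "com.amazonaws.eu-west-1.s3", ep_type="Gateway", dns=False),
    _endpoint("vpc-0other", "com.amazonaws.eu-west-1.ssmmessages"),
]}

if __name__ == "__main__":
    print(audit_endpoints("eu-west-1", "vpc-0abc", SAMPLE_OUTPUT))
```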

What’s Next?

Upcoming Episodes in this series

Episode 2: Architect and deploy S/4HANA on AWS
September 21, 12:00 PM – 1:30 PM PST | 3:00 PM – 4:30 PM EST

What you will learn in Episode 2:
• Architecture patterns for SAP on AWS.
• EC2 Instance types and sizes for SAP applications and databases.
• How to automate configuration and deployment with AWS Launch Wizard.

Episode 3: Migrate and optimize SAP S/4HANA on AWS
September 22, 12:00 PM – 1:30 PM PST | 3:00 PM – 4:30 PM EST

What you will learn in Episode 3:
• Migration patterns for SAP on AWS.
• How to plan for your SAP migration.
• How to use AWS tools and processes to optimize file transfer, reduce cutover time, and accelerate your path to go-live.
Q&A

Thank you!
AWS Security Hub Information Flows

Diagram labels: Findings → Taking Action (Remediation Actions, Partners, Audit prep, Investigations); plus many others… and more to come…