Set up for Amazon Launch Wizard for SAP
This section describes the prerequisites that you must verify to deploy an SAP application with Amazon Launch Wizard.
General prerequisites
The following general prerequisites must be met to deploy an application with Launch Wizard.
- You must create a VPC that consists of private subnets in a minimum of two Availability Zones. The subnets must have outbound internet access. For more information on how to create and set up a VPC, see Getting Started with Amazon VPC in the Amazon VPC User Guide.
- You must create a user or role and attach the AmazonLaunchWizardFullAccessV2 policy. See the following sections for the steps to attach the policy to the user or role.
- To run custom pre- and post-deployment configuration scripts, you must add the permissions listed in Add permissions to run custom pre- and post-deployment configuration scripts to the AmazonEC2RoleForLaunchWizard role.
- If you want to install SAP software, you must download the software from the SAP Software Download page and upload it to an Amazon S3 bucket. For steps on how to download the software and upload it to an Amazon S3 bucket, see Make SAP HANA software available for Amazon Launch Wizard to deploy a HANA database.
- Depending on the operating system version you want to use for the SAP deployment, an SAP Marketplace subscription may be required. For a complete list of supported operating system versions, see Operating systems.
Amazon Identity and Access Management (IAM)
Establishing the Amazon Identity and Access Management (IAM) role and setting up users with the required permissions is typically performed by an IAM administrator for your organization. The steps are as follows:
- A one-time creation of IAM roles that Launch Wizard uses to deploy SAP systems on Amazon.
- The creation of users or roles who can grant permission for Launch Wizard to deploy applications.
Sign up for an Amazon Web Services account
If you do not have an Amazon Web Services account, use the following procedure to create one.
To sign up for Amazon Web Services
Open http://www.amazonaws.cn/ and choose Sign Up. Follow the on-screen instructions.
Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/
Secure IAM users
After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.
To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.
For more information about creating and securing IAM users, see the IAM User Guide.
One-time creation of IAM role
On the Choose Application page of Launch Wizard, under Permissions, Launch Wizard displays the IAM role required for the Amazon EC2 instances created by Launch Wizard to access other Amazon services on your behalf. When you select Next, Launch Wizard attempts to discover the IAM role in your account. If the role exists in your account, it is attached to the instance profile for the Amazon EC2 instances that Launch Wizard launches from your account. If the role does not exist, Launch Wizard attempts to create the role with the same name, AmazonEC2RoleForLaunchWizard.
The AmazonEC2RoleForLaunchWizard role consists of two IAM managed policies: AmazonSSMManagedInstanceCore and AmazonEC2RolePolicyForLaunchWizard. The AmazonEC2RoleForLaunchWizard role is used by the instance profile for the Amazon EC2 instances that Launch Wizard launches into your account as part of the deployment.
If you want to deploy Amazon Backint Agent as a backup and restore solution for your application, you must attach a policy to the AmazonEC2RoleForLaunchWizard role so that Launch Wizard can perform Backint Agent operations on your behalf. The required policy and instructions can be found in Step 2 of the Backint Agent IAM documentation. During a deployment, Launch Wizard provides the policy as well as the steps to update the role, taking user specifications into account.
After the IAM roles are created, the IAM administrator can either continue with the deployment process or delegate the application deployment process to another user, as described in the following section. At this point in the IAM setup process, the IAM administrator can exit the Launch Wizard service.
Enable users to use Launch Wizard
To deploy an SAP system with Launch Wizard, your user must have the permissions provided by the AmazonLaunchWizardFullAccessV2 policy. The following guidance helps IAM administrators grant users the permissions to access Launch Wizard and deploy applications from it using the AmazonLaunchWizardFullAccessV2 policy.
To provide access, add permissions to your users, groups, or roles:
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
Important
You must log in with the user or assume the role associated with this IAM policy when you use Launch Wizard.
Add permissions to use Amazon KMS keys
Amazon Launch Wizard uses Amazon default encryption keys to encrypt Amazon EBS volumes. In addition, Launch Wizard supports the use of KMS keys created and maintained in Amazon KMS. You can choose to either create new keys or use preexisting keys to encrypt your EBS volumes. You must add permissions to the KMS key policy for your key so that Launch Wizard can use your KMS key for encryption.
How to add permissions to your KMS key policy so that Launch Wizard can use your key for encryption
- Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.
- To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
- Choose Customer managed keys in the left navigation pane.
- Select the alias of the KMS key that you want to use to encrypt your EBS volumes.
- Under Key users, choose Add.
- Select the check box next to AmazonEC2RoleForLaunchWizard and the role your users assume with Launch Wizard full access permissions.
- Choose Add. Verify that AmazonEC2RoleForLaunchWizard and the user or role with Launch Wizard full access permissions appear in the Key users list.
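Adding a principal under Key users writes two statements into the key policy: one that allows the encryption operations and one that allows the grants EC2 needs to keep using the key for an attached EBS volume. A role that only landed in the first statement shows up in the console list but will still fail at volume creation. The following script is an added example, not part of this documentation or of Launch Wizard; it evaluates a key policy document offline and reports which of the two sets of permissions a given role ARN is missing. The account id 111122223333, the role name LaunchWizardOperator and the sample policy are constructed placeholders that mirror the statement shapes the KMS console produces.

```python
"""Check which principals a KMS key policy treats as key users.

Added example; not part of the Launch Wizard documentation. Account
111122223333 and the role LaunchWizardOperator are placeholders.
"""
import fnmatch

# Concrete actions a key user needs to encrypt and decrypt with the key.
REQUIRED_USAGE = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
)
# Grant actions EC2/EBS needs so an encrypted volume keeps working after launch.
REQUIRED_GRANT = ("kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant")

ACCOUNT = "111122223333"  # placeholder account id
EC2_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AmazonEC2RoleForLaunchWizard"
OPERATOR_ROLE = f"arn:aws:iam::{ACCOUNT}:role/LaunchWizardOperator"  # hypothetical

# Constructed sample key policy. The operator role was put in "Allow use of
# the key" only, so the grant statement is deliberately missing for it.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [EC2_ROLE, OPERATOR_ROLE]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": EC2_ROLE},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_patterns(policy, principal_arn):
    """Action patterns from Allow statements that name principal_arn explicitly.

    Statements naming the account root or "*" do not count for a role: they
    route access through IAM policies instead of making the role a key user.
    """
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal_arn in _as_list(principal.get("AWS")):
            patterns.update(_as_list(stmt.get("Action")))
    return patterns


def missing_actions(policy, principal_arn, required):
    """Required actions not covered by any granted pattern (kms:ReEncrypt*, kms:*)."""
    patterns = granted_patterns(policy, principal_arn)
    return sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns)
    )


def is_key_user(policy, principal_arn):
    """True if the principal can use the key the way the Key users list implies."""
    return not missing_actions(policy, principal_arn, REQUIRED_USAGE)


def can_attach_to_ebs(policy, principal_arn):
    """True if the principal can also create the grants EBS needs for encrypted volumes."""
    return not missing_actions(policy, principal_arn, REQUIRED_GRANT)


def audit(policy, principal_arn):
    """One-line verdict per principal for a pre-deployment checklist."""
    missing = missing_actions(policy, principal_arn, REQUIRED_USAGE + REQUIRED_GRANT)
    return "OK" if not missing else "missing: " + ", ".join(missing)


if __name__ == "__main__":
    for arn in (EC2_ROLE, OPERATOR_ROLE):
        print(arn, "->", audit(SAMPLE_KEY_POLICY, arn))
```

Feed `audit` the output of `aws kms get-key-policy --policy-name default` (parsed as JSON) for the key you selected in the console, once for AmazonEC2RoleForLaunchWizard and once for the role your users assume, and both should report OK before you start a deployment. The check matches the role ARN exactly on purpose: a statement that grants `kms:*` to the account root does not make a role a key user, because that statement only delegates the decision to the role's own IAM policies.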
Add permissions to run custom pre- and post-deployment configuration scripts
To run custom pre- and post-deployment configuration scripts, you must add the following permissions to the AmazonEC2RoleForLaunchWizard role. The following steps guide you through the process of adding the required permissions for using custom scripts to the AmazonEC2RoleForLaunchWizard role.
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies, Create policy.
- On the Create policy page, choose JSON, then copy and paste the following policy into the JSON tab. Enter the S3 paths where your scripts are stored.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<S3bucket1>/<S3prefix1>/<script1>",
        "arn:aws:s3:::<S3bucket2>/<S3prefix2>/<script2>",
        "arn:aws:s3:::<S3bucket1>",
        "arn:aws:s3:::<S3bucket2>"
      ]
    }
  ]
}
- Choose Next: Tags and create any tags you require.
- Choose Next: Review and enter a Name for the policy.
- Choose Create Policy.
- Verify that the correct policy is listed, and then choose Policy actions.
- Choose Attach.
- Search for the role named AmazonEC2RoleForLaunchWizard and select the check box to the left of the role name.
- Choose Attach policy.
If the pre- or post-deployment configuration scripts are expected to use additional Amazon services, the permissions to use those services must also be added manually as a policy to the AmazonEC2RoleForLaunchWizard role.
Add permissions to save deployment artifacts to Amazon S3
To create Amazon Service Catalog products from successful deployments, which include Amazon CloudFormation templates and application configuration scripts, you must provide access to an Amazon S3 location to save the generated artifacts.
The following steps guide you through adding the required permissions for saving deployment artifacts to Amazon S3. These permissions are required in addition to the ones provided by the AmazonLaunchWizardFullAccessV2 policy. If the S3 bucket that you want to use to save deployment artifacts does not contain the prefix launchwizard in its name, you must perform the following steps to attach the required policy to the IAM role that will be used for performing the deployments.
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies, Create policy.
- On the Create policy page, choose JSON, then copy and paste the following policy into the JSON tab. Enter the S3 path where you want to store your artifacts in the policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SaveLaunchWizardDeploymentArtifacts",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::${bucketName}/${bucketFolder}*"
      ]
    }
  ]
}
- Choose Next: Tags and create any tags you require.
- Choose Next: Review and enter a Name for the policy.
- Choose Create Policy.
- Verify that the correct policy is listed, and then choose Policy actions.
- Choose Attach.
- Search for the role your users assume with Launch Wizard full access permissions and select the check box to the left of the role name.
- Choose Attach policy.
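Both policies on this page, the one for custom pre- and post-deployment scripts and the one for saving deployment artifacts, are templates whose placeholders you fill in by hand before pasting them into the JSON tab. The following script is an added example, not part of this documentation or of Launch Wizard. It generates both policies from bucket, prefix and script names (generalising the two-script template to any number of scripts and buckets) and then checks the result against the shape the page documents, flagging an unfilled `<...>` or `${...}` placeholder, a wildcard or malformed bucket name, a key that opens the whole bucket, or an action outside the documented set. The bucket, prefix and script names are constructed placeholders; the `partition` parameter is an assumption added so the same builder can emit `arn:aws-cn:` ARNs for China regions.

```python
"""Build and sanity-check the two S3 policies described on this page.

Added example, not part of the Launch Wizard documentation. Bucket, prefix
and script names below are constructed placeholders.
"""
import json
import re

SCRIPT_ACTIONS = ("s3:GetObject", "s3:GetBucketLocation")  # custom scripts policy
ARTIFACT_ACTIONS = ("s3:PutObject",)                        # deployment artifacts policy

# Subset of the S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_ARN_RE = re.compile(r"^arn:(aws|aws-cn):s3:::([^/]+)(?:/(.*))?$")


def s3_arn(bucket, key=None, partition="aws"):
    """Bucket ARN when key is None, object ARN otherwise. China regions use partition 'aws-cn'."""
    arn = f"arn:{partition}:s3:::{bucket}"
    return arn if key is None else f"{arn}/{key}"


def build_script_policy(scripts, partition="aws"):
    """scripts: iterable of (bucket, prefix, script). Same shape as the page's policy:
    one object ARN per script, then one bucket ARN per distinct bucket."""
    scripts = list(scripts)
    object_arns = [s3_arn(b, f"{p}/{s}", partition) for b, p, s in scripts]
    bucket_arns = [s3_arn(b, partition=partition) for b in dict.fromkeys(b for b, _, _ in scripts)]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": list(SCRIPT_ACTIONS),
            "Resource": object_arns + bucket_arns,
        }],
    }


def build_artifact_policy(bucket, folder, partition="aws"):
    """s3:PutObject limited to folder* under bucket, as in the page's second policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SaveLaunchWizardDeploymentArtifacts",
            "Effect": "Allow",
            "Action": list(ARTIFACT_ACTIONS),
            "Resource": [s3_arn(bucket, f"{folder}*", partition)],
        }],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy, allowed_actions):
    """Return a list of problems; an empty list means the policy is as tight as the page documents."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            problems.append(f"{sid}: Effect must be Allow")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                problems.append(f"{sid}: action {action} is not in the documented set")
        for arn in _as_list(stmt.get("Resource", [])):
            if "<" in arn or "${" in arn:
                problems.append(f"{sid}: {arn} still contains a placeholder")
                continue
            m = _ARN_RE.match(arn)
            if not m:
                problems.append(f"{sid}: {arn} is not an S3 ARN")
                continue
            bucket, key = m.group(2), m.group(3)
            if bucket == "*" or not _BUCKET_RE.match(bucket):
                problems.append(f"{sid}: {arn} names a wildcard or invalid bucket")
            if key in ("", "*"):
                problems.append(f"{sid}: {arn} grants access to every object in the bucket")
    return problems


def render(policy):
    """JSON as you would paste it into the IAM console's JSON tab."""
    return json.dumps(policy, indent=2)


# Constructed sample input for the custom-scripts policy.
SAMPLE_SCRIPTS = [
    ("sap-scripts-111122223333", "prod/pre", "pre-deploy.sh"),
    ("sap-scripts-111122223333", "prod/post", "post-deploy.sh"),
    ("sap-shared-assets", "common", "tune-os.sh"),
]

if __name__ == "__main__":
    policy = build_script_policy(SAMPLE_SCRIPTS)
    print(render(policy))
    print("problems:", check_least_privilege(policy, SCRIPT_ACTIONS))
    template = build_script_policy([("<S3bucket1>", "<S3prefix1>", "<script1>")])
    print("unfilled template:", check_least_privilege(template, SCRIPT_ACTIONS))
```

Running `check_least_privilege` on the page's templates as pasted, before the placeholders are replaced, returns one problem per resource line, which is the intended behaviour: the policy must not reach the role until every ARN names a concrete bucket and object. Keeping each object ARN to the exact script path and each bucket ARN to the buckets those scripts live in is what limits the AmazonEC2RoleForLaunchWizard role, and therefore every SAP instance Launch Wizard launches, to reading only the scripts you intend.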