Integrating SAP Data Custodian Key Management Service with Amazon Key Management Service (Amazon KMS) - General SAP Guides

SAP Data Custodian Key Management Service enables customer-managed encryption keys for data stored in SAP services. Note that SAP Data Custodian Key Management Service is not the same as Amazon Key Management Service (Amazon KMS); the two are separate services that this page describes integrating.

Using Amazon KMS as the keystore in the HYOK (Hold Your Own Key) scenario, SAP Data Custodian Key Management Service provides a consistent and centralized approach to key management, especially if Amazon KMS is already used for other Amazon workloads. This enables seamless integration, streamlined key lifecycle management, and enhanced security through the encryption and access control mechanisms of Amazon KMS.

This integration allows customers to manage and control the encryption keys used to protect their sensitive data, ensuring greater security and compliance. SAP Data Custodian Key Management Service can be interfaced with Amazon KMS in the HYOK (Hold Your Own Key) scenario with the following supported key types:

Area                               | Amazon KMS (HYOK scenario)
Supported key types and key sizes  | AES (256), RSA (3072, 4096)
Key management                     | Key is created and stored in the Amazon KMS keystore

Below is the SAP KMS integration with Amazon KMS - HYOK:

[Figure: The SAP KMS integration with KMS - BYOK]

In the diagram above:

  • The key is created in the Amazon KMS keystore

  • The key is stored in Amazon KMS and retrieved by SAP KMS when required

  • SAP KMS encrypts SAP data at the application level
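Before pointing SAP KMS at an Amazon KMS key, it is worth confirming that the key actually matches what the table above allows. The following pre-flight check is an added example, not code from SAP or AWS. It takes the KeyMetadata dictionary shape that boto3's kms.describe_key() returns and reports every mismatch against the listed key types (AES 256 maps to KMS's SYMMETRIC_DEFAULT spec; RSA 3072 and 4096 map to RSA_3072 and RSA_4096). Two requirements are assumptions drawn from the description rather than stated on the page: that the key must have ENCRYPT_DECRYPT usage because SAP KMS uses it to encrypt data, and that it must be customer-managed (KeyManager CUSTOMER) because that is what HYOK means. The sample records are constructed so the check runs offline; in practice you would pass kms.describe_key(KeyId=...)["KeyMetadata"] for each key you intend to use.

```python
"""Pre-flight check of Amazon KMS key metadata before using a key with SAP Data
Custodian KMS in the HYOK scenario.

Added example, not SAP or AWS code. Input is the KeyMetadata dict shape returned
by boto3's kms.describe_key(); the SAMPLE_KEYS records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# KMS key specs corresponding to the key types listed for the HYOK scenario:
# AES (256) and RSA (3072, 4096). SYMMETRIC_DEFAULT is KMS's 256-bit AES key spec.
SUPPORTED_KEY_SPECS = {
    "SYMMETRIC_DEFAULT": "AES-256",
    "RSA_3072": "RSA 3072",
    "RSA_4096": "RSA 4096",
}


@dataclass
class CheckResult:
    key_id: str
    key_type: str | None  # human-readable type, None if the spec is unsupported
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_key(meta: dict) -> CheckResult:
    """Validate one KeyMetadata record and return every problem found, not just the first."""
    findings: list[str] = []
    spec = meta.get("KeySpec")
    key_type = SUPPORTED_KEY_SPECS.get(spec)
    if key_type is None:
        findings.append(
            f"unsupported KeySpec {spec!r}; supported: {', '.join(sorted(SUPPORTED_KEY_SPECS))}"
        )
    # Assumption: SAP KMS uses the key to encrypt data, so it must be an
    # encryption key rather than a signing or MAC key.
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        findings.append(f"KeyUsage {meta.get('KeyUsage')!r} is not ENCRYPT_DECRYPT")
    # A disabled or pending-deletion key makes every SAP decrypt call fail.
    if meta.get("KeyState") != "Enabled":
        findings.append(f"KeyState {meta.get('KeyState')!r} is not Enabled")
    # Assumption: HYOK means the customer holds the key, so AWS-managed keys are out.
    if meta.get("KeyManager") != "CUSTOMER":
        findings.append(f"KeyManager {meta.get('KeyManager')!r} is not CUSTOMER")
    return CheckResult(meta.get("KeyId", "<unknown>"), key_type, findings)


def audit(records: list[dict]) -> dict[str, CheckResult]:
    """Check a list of KeyMetadata records; the result is keyed by KeyId."""
    return {r.key_id: r for r in (check_key(m) for m in records)}


# Constructed sample records (not real keys); only the fields the check reads are included.
SAMPLE_KEYS = [
    {"KeyId": "sym-ok", "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
     "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    {"KeyId": "rsa-ok", "KeySpec": "RSA_4096", "KeyUsage": "ENCRYPT_DECRYPT",
     "KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    # Wrong size, wrong usage and scheduled for deletion: three findings.
    {"KeyId": "rsa-bad", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY",
     "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER"},
    # Right spec, but an AWS-managed key: not HYOK.
    {"KeyId": "aws-managed", "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
     "KeyState": "Enabled", "KeyManager": "AWS"},
]

if __name__ == "__main__":
    for key_id, result in audit(SAMPLE_KEYS).items():
        status = "OK" if result.ok else "FAIL"
        print(f"{status:4} {key_id:12} {result.key_type or '-'}")
        for finding in result.findings:
            print(f"      - {finding}")
```

The check collects all findings per key instead of stopping at the first one, so a single run of the report tells you everything that has to change on a key before SAP KMS can use it.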