Advanced security using Amazon Services for RISE with SAP
Amazon offers a comprehensive suite of security services that can act as a multi-layered security envelope around RISE with SAP deployments on Amazon. These services act as an additional security barrier, intercepting and mitigating potential threats before they can reach the RISE account, providing robust protection and assisting with compliance with industry-standard security best practices.
Amazon Network Firewall
Amazon Network Firewall is a managed firewall service that provides essential network protection for Amazon Virtual Private Cloud (VPC) environments. Amazon Network Firewall acts as a first line of defence, filtering and inspecting all network traffic to and from RISE resources, effectively creating a protective perimeter around a RISE environment.
Key features of Amazon Network Firewall include:
- Stateful Firewall Capabilities. Amazon Network Firewall offers stateful firewall features to monitor and control network traffic. It evaluates the full context of a connection, including source, destination, ports and protocol, so that it can detect and block malicious or unauthorized traffic.
- Threat Signature Matching. Amazon Network Firewall provides managed rule groups with threat detection rules and signatures that Amazon keeps up to date, to identify and mitigate known threats, malware and other malicious activity targeting RISE deployments.
- Custom Rule Definition. In addition to the managed signatures, customers can create and deploy custom firewall rules (Suricata-compatible rule strings or 5-tuple rules) to address security requirements or policies specific to the connections that reach SAP systems in the RISE environment.
- Centralized Policy Management. Amazon Network Firewall lets you define and manage firewall policies centrally and deploy them consistently across multiple VPCs, including non-SAP VPCs and the customer VPCs connected to the SAP-managed RISE VPC.
- Scalability and High Availability. As a fully managed service, Amazon Network Firewall scales automatically with changes in traffic volume and patterns, so the RISE environment stays protected without complex infrastructure management.
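The custom rule definition and centralized policy points above are easiest to see in an actual rule group. The following is an added example, not code from the original page or from SAP or Amazon: it builds a stateful rule group in strict evaluation order that admits only the SAP client protocols (SAP GUI, RFC, message server, SNC and ICM HTTPS for one assumed instance number) from assumed corporate CIDR ranges into an assumed RISE VPC CIDR, drops everything else, and validates the rule string locally before it is sent with `aws network-firewall create-rule-group --cli-input-json`. The rule group name, CIDRs and instance number are assumptions.

```python
"""Stateful Amazon Network Firewall rule group that admits only SAP client
protocols into the RISE VPC and drops everything else.

Added example; not code from the original page or from SAP/Amazon. The CIDR
ranges, instance number and rule group name are illustrative assumptions.
"""
import json
import re

# Suricata rule syntax accepted by Network Firewall stateful rule groups:
#   action proto src_net src_port -> dst_net dst_port (options)
RULE_RE = re.compile(
    r"^(pass|drop|alert|reject) (tcp|udp|ip|icmp) (\S+) (\S+) -> (\S+) (\S+) \((.+)\)$"
)
SID_RE = re.compile(r"\bsid:(\d+);")


def sap_ports(instance_number: str) -> dict:
    """Well-known SAP NetWeaver TCP ports for a two-digit instance number NN."""
    nn = f"{int(instance_number):02d}"
    return {
        "sap_gui_dispatcher": f"32{nn}",  # SAP GUI (DIAG)
        "rfc_gateway": f"33{nn}",         # RFC gateway
        "message_server": f"36{nn}",      # message server (logon groups)
        "rfc_gateway_snc": f"48{nn}",     # RFC gateway with SNC
        "icm_https": f"443{nn}",          # ICM HTTPS (Fiori, web services)
    }


def build_rules(instance_number: str = "00", base_sid: int = 1000000) -> str:
    """Return the Suricata rules string: one pass rule per SAP port, then a
    catch-all drop. With STRICT_ORDER the rules are evaluated top to bottom."""
    lines = []
    sid = base_sid
    for name, port in sap_ports(instance_number).items():
        lines.append(
            f"pass tcp $CLIENT_NETS any -> $SAP_NETS {port} "
            f'(msg:"allow {name}"; flow:to_server; sid:{sid}; rev:1;)'
        )
        sid += 1
    lines.append(
        "drop ip any any -> $SAP_NETS any "
        f'(msg:"deny non-SAP traffic to RISE"; sid:{sid}; rev:1;)'
    )
    return "\n".join(lines)


def validate_rules(rules: str) -> int:
    """Cheap local check before calling the API: every line must parse and
    every sid must be unique. Returns the number of rules."""
    sids = set()
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line}")
        sid = SID_RE.search(m.group(7))
        if not sid or sid.group(1) in sids:
            raise ValueError(f"missing or duplicate sid: {line}")
        sids.add(sid.group(1))
    return len(sids)


def rule_group_definition(name, sap_cidrs, client_cidrs, instance_number="00"):
    """Request body for CreateRuleGroup (usable with --cli-input-json)."""
    rules = build_rules(instance_number)
    validate_rules(rules)
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,  # fixed at creation time; leave headroom for more rules
        "Description": "Admit only SAP client protocols into the RISE VPC",
        "RuleGroup": {
            "RuleVariables": {
                "IPSets": {
                    "SAP_NETS": {"Definition": list(sap_cidrs)},
                    "CLIENT_NETS": {"Definition": list(client_cidrs)},
                }
            },
            "RulesSource": {"RulesString": rules},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def firewall_policy(rule_group_arn: str) -> dict:
    """FirewallPolicy body: the stateless engine forwards everything to the
    stateful engine, which drops (and logs) whatever no pass rule matched."""
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": 1}],
    }


if __name__ == "__main__":
    body = rule_group_definition(
        "rise-sap-ingress",
        sap_cidrs=["10.20.0.0/16"],                       # assumed RISE VPC CIDR
        client_cidrs=["172.16.0.0/12", "192.168.0.0/16"],  # assumed corporate ranges
    )
    print(json.dumps(body, indent=2))
```

The pass rules are scoped to `$CLIENT_NETS`, so a peered non-SAP VPC that is not in that set hits the final drop even on a legitimate SAP port; the policy's `aws:alert_strict` default action writes the dropped flow to the firewall's alert log, which is the evidence the compliance logging bullet above refers to.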
In the context of RISE with SAP, Amazon Network Firewall can be leveraged for the following:
- Centralized Firewall Management. Amazon Network Firewall provides a centralized, managed firewall service to control and monitor network traffic travelling to and from the SAP-managed RISE VPC.
- Stateful Packet Inspection. Amazon Network Firewall performs stateful packet inspection, allowing it to detect and mitigate threats by analysing the context of network connections to and from SAP systems within the RISE VPC.
- Regulatory Compliance. Amazon Network Firewall helps organizations meet compliance requirements by enforcing security policies and providing logging and auditing capabilities for the RISE with SAP landscape.
Below is an example architecture of Amazon Network Firewall inspecting network traffic before it reaches RISE with SAP.

In the diagram above:
- A malicious actor exploits a network misconfiguration to try to reach an SAP system on RISE.
- The traffic is first routed through Amazon Transit Gateway.
- Packet inspection by Amazon Network Firewall catches the abnormal connection attempts.
Amazon Network Firewall can also be used by customers who consume SAP BTP services hosted on Amazon: they connect first to an Amazon Transit Gateway over Amazon Direct Connect, so that the end-to-end path stays on the Amazon backbone.
For instructions to configure Amazon Network Firewall, see Getting started with Amazon Network Firewall.
Amazon Macie
Amazon Macie is a data security service that uses machine learning and pattern matching to discover, classify and protect sensitive data stored in Amazon S3 buckets. It continuously evaluates the security and access controls of those buckets and alerts on potential data risks, such as sensitive data in publicly accessible or unencrypted buckets.
In the context of RISE with SAP, Amazon Macie can protect Amazon S3 buckets in a customer-managed Amazon account that are fed by a RISE with SAP environment, for instance:
- As a RISE customer, backups can be copied from the SAP-managed Amazon account to a customer-managed environment and S3 bucket.
- SAP data can be extracted from a RISE environment (see Architecture Options for extracting SAP Data with Amazon Services) to a customer-managed S3 bucket, to enable advanced analytics, machine learning and business intelligence using other Amazon services such as Amazon Athena, Amazon Glue and Amazon SageMaker.
- Certain industries and regulations, such as GDPR, HIPAA or PCI DSS, may require long-term storage and preservation of sensitive data. Exporting this data to a customer-managed S3 bucket can help meet these requirements, as S3 provides robust security and durability features.
- Customers can also export security event logs from their RISE environment and ingest them into their own S3 buckets or SIEM systems.
Below is an example architecture of Amazon Macie continuously scanning an S3 bucket with SAP data extracted from RISE.

In the diagram above:
- Data is written to an S3 bucket for data lake or compliance reporting purposes.
- Amazon Macie continuously analyses the bucket to detect personally identifiable information (PII) and other sensitive data.
For instructions to configure Amazon Macie, see What is Amazon Macie?
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behaviour within an Amazon environment. It combines machine learning, anomaly detection and integrated threat intelligence to identify potential threats and protect the Amazon accounts linked to RISE with SAP environments, together with their workloads and data.
Amazon GuardDuty analyses the following data sources:
- Amazon CloudTrail Logs. Amazon GuardDuty monitors API activity across the Amazon account to detect suspicious API calls, unauthorized deployments and unauthorized access attempts to resources. It identifies attempts to access Amazon services from unusual IP addresses or regions, and detects unusual behaviour by IAM users, roles and policies, such as privilege escalation.
- VPC Flow Logs. Amazon GuardDuty analyses network traffic within a Virtual Private Cloud (VPC) to detect unexpected traffic patterns, data exfiltration attempts or unauthorized access, and identifies communication between Amazon resources and known malicious IP addresses. In the context of RISE with SAP on Amazon, this inspection takes place on the customer-managed VPC fronting the SAP-managed RISE account.
- DNS Logs. Amazon GuardDuty monitors DNS queries made by Amazon resources to detect attempts to resolve malicious domains or unusual DNS request patterns, including domain names produced by Domain Generation Algorithms (DGA) that are associated with command and control servers.
In the context of RISE with SAP, Amazon GuardDuty can be leveraged for the following:
- Intrusion Detection. GuardDuty enables early detection of intrusion attempts into a RISE environment fronted by a customer-managed Amazon account, by identifying malicious activity such as unauthorized API calls, network reconnaissance and access attempts from known malicious IP addresses.
- Compliance Validation. For organizations with stringent compliance requirements, GuardDuty helps demonstrate adherence by continuously monitoring for policy violations and unauthorized access attempts, and by providing detailed findings for audit purposes. This applies when the RISE environment is accessed from a customer-managed Amazon account. See Compliance Validation for more details.
- Automated Incident Response. GuardDuty findings are published to Amazon EventBridge and Amazon Security Hub, from where they can trigger Amazon Lambda functions that automate incident response workflows. Upon detecting a threat, these functions can perform remediation actions, such as isolating compromised resources or notifying security teams.
Below is an example architecture of GuardDuty monitoring CloudTrail trails of a RISE with SAP deployment on Amazon.

In the diagram above:
- Data is written to an S3 bucket for data lake or compliance reporting purposes.
- A malicious actor changes IAM policies and the S3 bucket permissions to obtain access to the data.
- The IAM changes are recorded by Amazon CloudTrail.
- GuardDuty detects the suspicious activity and alerts administrators.
Below is an example architecture of GuardDuty monitoring DNS logs of a RISE with SAP deployment on Amazon.

In the diagram above:
- A malicious actor introduces rogue DNS entries redirecting users to makeshift SAP systems.
- GuardDuty detects the resulting suspicious DNS queries and reports them to administrators.
Below is an example architecture of GuardDuty monitoring VPC Flow Logs of the RISE with SAP VPC.

In the diagram above:
- A malicious actor attempts to access SAP systems, or to scan their ports, from a customer-managed VPC peered to the RISE VPC.
- The connection attempts from the malicious actor's IP address are logged in VPC Flow Logs.
- The suspicious connection attempts are detected by Amazon GuardDuty and reported to administrators.
For instructions to configure Amazon GuardDuty, see Getting Started.
Using security services with Amazon Security Hub, Amazon Detective, Amazon Audit Manager and Amazon EventBridge
Building on the GuardDuty and Amazon Macie implementation, Amazon Security Hub acts as a central hub, consolidating and prioritizing security findings from Amazon security services. Amazon Security Hub provides a unified view of the security posture across the services surrounding a RISE with SAP deployment, allowing you to quickly identify and address security issues.
To extend investigation and incident response capabilities, Amazon Detective analyses security incidents by gathering and processing relevant log data from Amazon resources. This service helps quickly identify the root cause of an issue, enabling you to take appropriate actions to mitigate its impact.
Maintaining compliance is also a critical aspect of securing a RISE with SAP environment. Amazon Audit Manager automates the assessment of Amazon resources against industry standards and regulations, helping you demonstrate compliance and reduce the risk of non-compliance.
Finally, Amazon EventBridge enables real-time response to security events by triggering custom automated workflows and remediation actions, so that security incidents can be addressed quickly and efficiently, minimizing the potential impact on the RISE with SAP deployment.
Below is an example architecture of Amazon Security Hub, Amazon Detective, Amazon Audit Manager and Amazon EventBridge paired with RISE with SAP.
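The automated incident response path described for GuardDuty above (findings published to EventBridge and Security Hub, remediated by Lambda) and the EventBridge-driven workflows in this section share one implementation. The following is an added example, not code from the original page or from SAP or Amazon: the EventBridge rule patterns that select high-severity findings in both delivery shapes (GuardDuty's own finding JSON and the Security Hub ASFF import), and a Lambda handler that normalises either shape and isolates the affected EC2 instance by swapping its security groups for a quarantine group. The quarantine security group ID, account ID, instance IDs and the two sample events are constructed assumptions; the `RecordingEc2` stand-in replaces the boto3 client so the block runs offline.

```python
"""Automated response to high-severity findings delivered by Amazon EventBridge,
either straight from GuardDuty or after aggregation in Security Hub (ASFF).

Added example; not code from the original page or from SAP/Amazon. The
quarantine security group, account ID, instance IDs and sample events are
constructed assumptions.
"""
import re

SEVERITY_THRESHOLD = 7.0  # GuardDuty "High" findings start at 7.0

# EventBridge rule patterns: list values are OR-ed, nested keys are AND-ed.
GUARDDUTY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", SEVERITY_THRESHOLD]}]},
}
SECURITYHUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

INSTANCE_ARN_RE = re.compile(r"instance/(i-[0-9a-f]+)$")


def extract_findings(event: dict) -> list:
    """Normalise both event shapes into (title, severity 0-10, instance_id)."""
    detail = event.get("detail", {})
    findings = []
    if event.get("source") == "aws.guardduty":
        inst = (detail.get("resource", {}).get("instanceDetails") or {}).get("instanceId")
        findings.append((detail.get("type", ""), float(detail.get("severity", 0)), inst))
    elif event.get("source") == "aws.securityhub":
        for f in detail.get("findings", []):
            inst = None
            for r in f.get("Resources", []):
                m = INSTANCE_ARN_RE.search(r.get("Id", ""))
                if r.get("Type") == "AwsEc2Instance" and m:
                    inst = m.group(1)
            # ASFF normalises severity to 0-100; bring it onto GuardDuty's 0-10 scale.
            score = float(f.get("Severity", {}).get("Normalized", 0)) / 10.0
            findings.append((f.get("Title", ""), score, inst))
    return findings


class RecordingEc2:
    """Stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def quarantine_instance(ec2, instance_id: str, quarantine_sg: str) -> None:
    """Replace all security groups with the quarantine group (one with no
    inbound rules and its default egress rule removed). The instance and its
    volumes are left intact for forensics."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])


def handler(event, context=None, ec2=None, quarantine_sg="sg-0123456789abcdef0"):
    """Lambda entry point. `ec2` is injectable for testing; inside Lambda it is
    created from the function's execution role."""
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    actions = []
    for title, score, inst in extract_findings(event):
        if inst and score >= SEVERITY_THRESHOLD:
            quarantine_instance(ec2, inst, quarantine_sg)
            actions.append({"finding": title, "instance": inst, "action": "quarantined"})
        else:
            actions.append({"finding": title, "instance": inst, "action": "notify-only"})
    return actions


# Constructed sample events (not real findings) in the shapes EventBridge delivers.
SAMPLE_GUARDDUTY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
SAMPLE_SECURITYHUB_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Title": "Unprotected port on EC2 instance i-0fedcba9876543210 is being probed.",
         "ProductName": "GuardDuty",
         "Severity": {"Label": "HIGH", "Normalized": 70},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:eu-central-1:123456789012:instance/i-0fedcba9876543210"}]},
        {"Title": "Unusual console login by IAM user sap-extract.",
         "ProductName": "GuardDuty",
         "Severity": {"Label": "LOW", "Normalized": 20},
         "Resources": [{"Type": "AwsIamUser",
                        "Id": "arn:aws:iam::123456789012:user/sap-extract"}]},
    ]},
}

if __name__ == "__main__":
    ec2 = RecordingEc2()
    for ev in (SAMPLE_GUARDDUTY_EVENT, SAMPLE_SECURITYHUB_EVENT):
        print(handler(ev, ec2=ec2))
    print(ec2.calls)
```

Findings without an EC2 instance (the IAM finding in the sample) fall through to notify-only, because the response for identity findings is a different action; keeping the quarantine branch restricted to instances avoids a Lambda that locks out an IAM user on a low-severity signal. The Lambda execution role needs only `ec2:ModifyInstanceAttribute` on instances in the customer-managed account, which is the account in which these findings are raised.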

Using All Amazon Security Services
Combining all the services described above yields an architecture that monitors multiple areas of a RISE on Amazon deployment: network traffic, DNS logs, CloudTrail API activity and sensitive information in extracted SAP data. Amazon GuardDuty and Amazon Security Hub are fed from multiple sources and use machine learning and threat intelligence to detect malicious activity and anomalies. Findings are passed to Amazon Detective for deeper root cause analysis or sent to Amazon EventBridge for custom reporting and alerting.
Below is an example architecture of GuardDuty, Amazon Network Firewall, Amazon Macie, Amazon Security Hub and Amazon Detective combined to improve the security posture of a RISE with SAP on Amazon deployment.
