Security
SAP manages security in the Amazon Web Services account managed by SAP. You can implement additional security mechanisms in your own Amazon Web Services account.
Single Sign-On – SAP Business Technology Platform (BTP) and Amazon IAM Identity Center
In RISE with SAP, you can integrate your own Identity Provider (IdP), such as Amazon IAM, Okta, Ping, Microsoft Windows Azure Active Directory, and others, by using Identity Authentication of SAP BTP.
- For more information about Amazon IAM Identity Center, see What is IAM Identity Center?
- For more information about Identity Authentication, see SAP Cloud Identity Services - Identity Authentication on SAP Help Portal.
The following image shows the integration between Identity Authentication from SAP BTP and Amazon IAM Identity Center.
![Integrating SAP BTP IAS and IAM Identity Center](images/ia-idc.png)
Authentication flow
- The user accesses SAP Fiori via an Internet browser.
- Identity Authentication intercepts the request and routes it to IAM Identity Center.
- On successful authentication, access to SAP S/4HANA in the RISE with SAP VPC is enabled.
Use Amazon services to enhance security in RISE with SAP
To implement security mechanisms at the network layer, integrate the RISE with SAP VPC with an Amazon VPC in your own Amazon Web Services account (one that is not managed by SAP). For more information, see VPC to VPC connectivity.
Network traffic entering and leaving the RISE with SAP VPC can be routed through Amazon services that operate at the network layer and strengthen security. For more information, see Infrastructure OU – Network account.
You can use the following Amazon services to enhance RISE with SAP security.
- Amazon Shield to mitigate the risk of distributed denial of service (DDoS) attacks.
- Amazon Network Firewall to implement intrusion detection and prevention.
- Amazon WAF to protect web applications, such as SAP Fiori, against attacks.
- Amazon Certificate Manager to handle the management of public SSL certificates.
- Amazon CloudFront (including Amazon Shield, and optionally Amazon WAF) to implement security at the edge for protecting SAP workloads.
- Amazon Partner Solutions on Amazon Web Services Marketplace for more advanced security requirements.
The following image shows RISE with SAP security enhancement with Amazon services.
![Traffic flow for RISE with SAP security enhancements.](images/sec-ser.png)
Traffic flow
- The user accesses SAP Fiori via an Internet browser.
- The traffic is routed through the inbound VPC managed by you. The entire traffic flow is via Amazon Transit Gateway.
- The traffic is routed to the firewall VPC managed by you. Based on your company's security policies, the traffic may be filtered by a Network Firewall.
- The traffic is then passed to an Amazon EC2 instance running in the Amazon Web Services account managed by SAP.
- The response from the Amazon EC2 instance is routed back to the firewall VPC managed by you.
- The response traffic is then passed on to the outbound VPC managed by you.
- The response traffic reaches the user.
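The traffic flow above only provides inspection if the Transit Gateway route tables actually force both directions through the firewall VPC; a single more-specific route pointing straight at the RISE with SAP VPC attachment silently bypasses the Network Firewall. The following script is an added example, not code from this documentation or from SAP. It assumes the Transit Gateway and its route tables are in your own account, that the inbound, firewall and RISE with SAP VPCs are each attached to that Transit Gateway, and it audits route lists in the shape boto3 returns from `ec2.search_transit_gateway_routes()`. All attachment IDs and CIDRs in it are constructed.

```python
"""Verify that Transit Gateway routes force SAP traffic through the firewall VPC.

Added example, not code from the RISE with SAP documentation. It assumes the
Transit Gateway and its route tables live in your own account, that the
inbound VPC, firewall VPC and RISE with SAP VPC are each attached to that
Transit Gateway, and it inspects route lists in the shape boto3 returns from
ec2.search_transit_gateway_routes(). All IDs and CIDRs below are constructed.
"""
import ipaddress

# Hypothetical attachment IDs for the three VPCs in the traffic flow.
FIREWALL_ATTACHMENT = "tgw-attach-0aaaaaaaaaaaaaaaa"  # firewall VPC, managed by you
INBOUND_ATTACHMENT = "tgw-attach-0bbbbbbbbbbbbbbbb"   # inbound VPC, managed by you
SAP_ATTACHMENT = "tgw-attach-0cccccccccccccccc"       # RISE with SAP VPC (SAP account)

SAP_CIDR = "10.200.0.0/16"      # constructed CIDR of the RISE with SAP VPC
INBOUND_CIDR = "10.10.0.0/16"   # constructed CIDR of the inbound VPC


def _next_hops(route):
    """Set of attachment IDs a route points at (empty for blackhole routes)."""
    return {a["TransitGatewayAttachmentId"]
            for a in route.get("TransitGatewayAttachments", [])}


def audit_route_table(routes, protected_cidr, firewall_attachment):
    """Return findings for one route table.

    A finding is raised when an active route that overlaps protected_cidr has a
    next hop other than the firewall attachment (traffic would skip inspection),
    or when no active route to the firewall covers protected_cidr at all.
    """
    protected = ipaddress.ip_network(protected_cidr)
    findings = []
    covered = False
    for route in routes:
        if route.get("State") != "active":
            continue  # blackhole/pending routes do not forward traffic
        dest = ipaddress.ip_network(route["DestinationCidrBlock"])
        if not dest.overlaps(protected):
            continue
        hops = _next_hops(route)
        if hops == {firewall_attachment}:
            covered = True
        else:
            findings.append(
                f"{route['DestinationCidrBlock']} -> {sorted(hops)} skips the firewall VPC")
    if not covered:
        findings.append(f"no active route sends {protected_cidr} to the firewall VPC")
    return findings


def check_inspection_path(inbound_routes, sap_routes):
    """Check both directions of the flow: user -> SAP and SAP -> user."""
    findings = []
    for f in audit_route_table(inbound_routes, SAP_CIDR, FIREWALL_ATTACHMENT):
        findings.append("inbound VPC route table: " + f)
    for f in audit_route_table(sap_routes, INBOUND_CIDR, FIREWALL_ATTACHMENT):
        findings.append("SAP VPC route table: " + f)
    return findings


def _route(cidr, attachment_id, state="active"):
    """Build one route dict in the search_transit_gateway_routes shape."""
    attachments = [] if attachment_id is None else [
        {"ResourceId": "vpc-constructed", "ResourceType": "vpc",
         "TransitGatewayAttachmentId": attachment_id}]
    return {"DestinationCidrBlock": cidr, "Type": "static", "State": state,
            "TransitGatewayAttachments": attachments}


# Constructed sample data. The inbound table correctly sends the SAP /16 to the
# firewall, but a more-specific /24 pointing straight at the SAP attachment
# wins longest-prefix matching and creates an inspection bypass.
SAMPLE_INBOUND_ROUTES = [
    _route(SAP_CIDR, FIREWALL_ATTACHMENT),
    _route("10.200.5.0/24", SAP_ATTACHMENT),
    _route("192.168.0.0/16", None, state="blackhole"),
]
SAMPLE_SAP_ROUTES = [
    _route(INBOUND_CIDR, FIREWALL_ATTACHMENT),
]

if __name__ == "__main__":
    for line in check_inspection_path(SAMPLE_INBOUND_ROUTES, SAMPLE_SAP_ROUTES):
        print("FINDING:", line)
```

Run against the sample data, the script reports one finding: the `/24` route that sends part of the SAP range directly to the SAP attachment. To audit a live deployment, fetch each table with `ec2.search_transit_gateway_routes(TransitGatewayRouteTableId=..., Filters=[{"Name": "state", "Values": ["active"]}])` and pass the `Routes` list of the table associated with the inbound VPC attachment and the one associated with the RISE with SAP VPC attachment; the return path matters as much as the forward path, because an asymmetric route lets responses leave without passing the firewall.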