Backup and restore SAP HANA workloads to Amazon S3
This section provides information about setting up and using Amazon Backint agent to back up and restore your SAP HANA workloads to Amazon S3.
Prerequisites
After your SAP HANA system is successfully running on an Amazon EC2 instance, verify the following prerequisites to install Amazon Backint agent using the Amazon EC2 Systems Manager document or using Amazon Backint installer.
Amazon Identity and Access Management
- To access the Amazon resources required to install Amazon Backint agent with Amazon Systems Manager, you must attach the AmazonSSMManagedInstanceCore managed policy to your IAM role.
Note
If you choose to install the Amazon Backint agent using the Amazon Backint installer, you can skip this step.
- To allow your Amazon EC2 instance to access your target Amazon S3 bucket, you must create or update an inline IAM policy with the following permissions and attach it to your EC2 service role. Replace the resource names, such as the S3 bucket name, to match your resource name. You must provide the Amazon Region and Amazon S3 bucket owner account ID along with the Amazon S3 bucket name.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucket Name>/*",
                "arn:aws:s3:::<Bucket Name>"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<KMS Arn>"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<bucket name>/<folder name>/*"
        }
    ]
}
Note
If you want to allow cross-account backup and restore, you must add your account details under a principal element in your policy. For more information about principal policies, see Amazon JSON Policy Elements: Principal in the Amazon Identity and Access Management User Guide. In addition, you must ensure that the S3 bucket policies allow your account to perform the actions specified in the IAM policy example above. For more information, see the example for Bucket owner granting cross-account bucket permissions in the Amazon S3 Developer Guide.
For more information about managed and inline policies, see the IAM User Guide.
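The following check is an added example, not part of the original documentation or of Amazon Backint agent: it lints an inline policy shaped like the one above before you attach it, flagging placeholders that were never replaced, wildcard actions, object actions that are not limited to a folder prefix, and KMS actions that are not limited to one key ARN. The function name, the bucket name and the rule that scoping should match the policy above are assumptions made for this example.

```python
import json
import re

OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectTagging"}
# bucket/<folder>/* in any partition (aws, aws-cn, ...)
PREFIX_SCOPED = re.compile(r"^arn:aws[\w-]*:s3:::[^/*]+/[^*]+/\*$")
KMS_KEY_ARN = re.compile(r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:key/[\w-]+$")

def as_list(value):
    """IAM accepts either a single string/object or a list."""
    return list(value) if isinstance(value, list) else [value]

def lint_backint_policy(policy):
    """Return (Sid, message) findings; an empty list means the policy passed."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action: {action}"))
        for res in resources:
            if "<" in res or ">" in res:
                findings.append((sid, f"placeholder not replaced: {res}"))
            elif OBJECT_ACTIONS & set(actions) and not PREFIX_SCOPED.match(res):
                findings.append((sid, f"object actions not limited to a folder prefix: {res}"))
            elif any(a.startswith("kms:") for a in actions) and not KMS_KEY_ARN.match(res):
                findings.append((sid, f"KMS actions not limited to one key ARN: {res}"))
    return findings

# Constructed sample: a placeholder left in place and bucket-wide object access.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetBucketAcl"],
   "Resource": ["arn:aws:s3:::example-hana-backups", "arn:aws:s3:::example-hana-backups/*"]},
  {"Sid": "VisualEditor2", "Effect": "Allow",
   "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "<KMS Arn>"},
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectTagging"],
   "Resource": "arn:aws:s3:::example-hana-backups/*"}
]}
""")

if __name__ == "__main__":
    for sid, message in lint_backint_policy(SAMPLE_POLICY):
        print(f"{sid}: {message}")
```

The check assumes bucket-level and object-level actions stay in separate statements, as they do in the policy above; a statement that mixes them is reported against its bucket ARN.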
Amazon Systems Manager Agent (SSM Agent)
To install the Amazon Backint agent with the Amazon Systems Manager Agent (SSM Agent) document, you must install the Amazon Systems Manager Agent (SSM Agent) version 2.3.274.0 or later, and your instance must be a managed instance that is configured for Amazon Systems Manager. If you want to install Amazon Backint agent using Amazon Backint installer, you can skip this step. For more information about managed instances, see Amazon Systems Manager Managed Instances. To update the SSM Agent, see Update SSM Agent by using Run Command.
Note
The SSM Agent will not work if you do not attach the AmazonSSMManagedInstanceCore policy to your EC2 instance role.
Amazon S3 bucket
When you install the Amazon Backint agent, you must provide the name of the S3 bucket where you want to store your SAP HANA backups. Only Amazon S3 buckets created after May 2019 are compatible with Amazon Backint agent. If you do not own a bucket created after May 2019, create a new S3 bucket in your target Region. Additionally, ensure that the Amazon S3 bucket where you want to store your backups doesn’t have public access enabled. If the S3 bucket has public access enabled, backups will fail.
Amazon Backint agent supports backing up to Amazon S3 with VPC endpoints. An Amazon S3 gateway endpoint can improve performance and help avoid timeouts. It also increases security while reducing cost. For more information, see VPC Endpoints.
S3 storage classes — Amazon Backint agent supports backing up your SAP HANA database to an Amazon S3 bucket with the S3 Standard, S3 Standard-IA, S3 One Zone-IA, and S3 Intelligent-Tiering storage classes. S3 Reduced Redundancy, Deep Archive, and Glacier storage classes are not supported by Amazon Backint agent. By default, the S3 Standard storage class is used to store your backups. You can change the storage class to use for backups by modifying the Amazon Backint agent configuration file. Alternatively, you can change your backup files to one of the supported storage classes through S3 Lifecycle configuration or directly using APIs. To learn more about Amazon S3 storage classes, see Amazon S3 Storage Classes in the Amazon S3 Developer Guide.
Note
The S3 Intelligent-Tiering storage class enables movement of objects between four access tiers. It can also move objects to the archival tiers. However, Amazon Backint agent for SAP HANA does not support backup and recovery from archival tiers. To recover or delete objects from the archival tiers, you must first restore the archived S3 objects.
Encryption — Amazon Backint agent supports encrypting your SAP HANA backup files while storing them in Amazon S3, using server-side encryption with Amazon KMS (KMS). You can encrypt your backups with an Amazon-managed key called aws/s3, or you can use your own custom symmetric Amazon KMS key stored in KMS. To encrypt your backup files with keys stored in KMS (Amazon-managed or custom), you must provide the KMS ARN during the install, or update the Amazon Backint agent configuration file at a later time. To learn more about encrypting your S3 objects using Amazon KMS, see How Amazon S3 uses Amazon KMS in the Amazon Key Management Service Developer Guide.
Alternatively, you can enable default encryption for your Amazon S3 bucket using keys managed by Amazon S3. To learn more about enabling default encryption for your bucket, see How do I enable default encryption for an Amazon S3 bucket? in the Amazon S3 Console User Guide.
Object locking — You can store objects using a write-once-read-many (WORM) model with S3 Object Lock. Use S3 Object Lock if you want to prevent your SAP HANA backup files from being accidentally deleted or overwritten for a specific time period or indefinitely. If S3 Object Lock is enabled, you can't delete your SAP HANA backups stored in Amazon S3 using SAP HANA Cockpit, SAP HANA Studio, or SQL commands until the retention period expires. To learn about S3 Object Lock, see Locking objects using S3 Object Lock in the Amazon S3 Developer Guide.
Object tagging — By default, Amazon Backint agent adds a tag called AWSBackintAgentVersion when it stores your SAP HANA backup files in your S3 bucket. This tag helps to identify the Amazon Backint version and the SAP HANA version used when backing up your SAP HANA database. You can list the value of the tags from the S3 console or using APIs. To disable default tagging, modify the Amazon Backint agent configuration file.
Amazon CLI
Amazon Backint agent installation uses the Amazon CLI to validate S3 bucket properties. To install or update the Amazon CLI, see Install or update to the latest version of the Amazon CLI.