Backup and restore SAP HANA workloads to Amazon S3
This section provides information about setting up and using Amazon Backint agent to back up and restore your SAP HANA workloads to Amazon S3.
Prerequisites
After your SAP HANA system is successfully running on an Amazon EC2 instance, verify the following prerequisites to install Amazon Backint agent using the Amazon EC2 Systems Manager document or using Amazon Backint installer.
Amazon Identity and Access Management
- To access the Amazon resources required to install Amazon Backint agent with Amazon Systems Manager, you must attach the AmazonSSMManagedInstanceCore managed policy to your IAM role.

  Note
  If you choose to install the Amazon Backint agent using the Amazon Backint installer, you can skip this step.

- To allow your Amazon EC2 instance to access your target Amazon S3 bucket, you must create or update an inline IAM policy with the following permissions and attach it to your EC2 service role. Replace the resource names, such as the S3 bucket name, to match your resource name. You must provide the Amazon Region and Amazon S3 bucket owner account ID along with the Amazon S3 bucket name.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketPolicyStatus",
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:GetBucketAcl",
            "s3:GetBucketPolicy"
          ],
          "Resource": [
            "arn:aws:s3:::<Bucket Name>/*",
            "arn:aws:s3:::<Bucket Name>"
          ]
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "<KMS Arn>"
        },
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:PutObjectTagging",
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::<bucket name>/<folder name>/*"
        }
      ]
    }
Note
If you want to allow cross-account backup and restore, you must add your account details under a principal element in your policy. For more information about principal policies, see Amazon JSON Policy Elements: Principal in the Amazon Identity and Access Management User Guide. In addition, you must ensure that the S3 bucket policies allow your account to perform the actions specified in the IAM policy example above. For more information, see the example for Bucket owner granting cross-account bucket permissions in the Amazon S3 Developer Guide.
For more information about managed and inline policies, see the IAM User Guide.
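The following Python check is an added example, not part of the original page or of Amazon Backint agent. It audits an inline policy against the action set shown in the policy above and flags grants that are wider than documented or missing; the bucket name, folder name, key ARN and the `allow` helper are constructed placeholders.

```python
from fnmatch import fnmatchcase
# Actions from the policy on this page, grouped by the scope they belong to.
BUCKET_ACTIONS = {"s3:GetBucketPolicyStatus", "s3:GetBucketLocation",
                  "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketPolicy"}
OBJECT_ACTIONS = {"s3:PutObjectTagging", "s3:PutObject",
                  "s3:GetObject", "s3:DeleteObject"}
KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
EXPECTED = BUCKET_ACTIONS | OBJECT_ACTIONS | KMS_ACTIONS

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_backint_policy(policy, bucket, folder):
    """Return findings: grants wider than, or missing from, the documented set."""
    findings, granted = [], set()
    prefix = f"{bucket}/{folder}/"
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        granted.update(actions)
        for action in actions:
            if action not in EXPECTED:  # also catches wildcards such as s3:*
                findings.append(f"{sid}: unexpected action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res.split("/")[0]:  # wildcard before any object path
                findings.append(f"{sid}: wildcard resource {res}")
            elif OBJECT_ACTIONS & set(actions) and \
                    not res.split(":::", 1)[-1].startswith(prefix):
                findings.append(f"{sid}: object access outside {prefix}: {res}")
    missing = [a for a in sorted(EXPECTED)  # a wildcard grant still covers these
               if not any(fnmatchcase(a.lower(), g.lower()) for g in granted)]
    return findings + [f"missing action {a}" for a in missing]

# Constructed sample values; bucket, folder and key ARN are placeholders.
BUCKET, FOLDER = "example-hana-backups", "HDB"
KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
def allow(sid, actions, resource):
    return {"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": resource}
DOCUMENTED = {"Version": "2012-10-17", "Statement": [
    allow("VisualEditor1", BUCKET_ACTIONS, [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]),
    allow("VisualEditor2", KMS_ACTIONS, KMS_ARN),
    allow("VisualEditor0", OBJECT_ACTIONS, f"arn:aws:s3:::{BUCKET}/{FOLDER}/*")]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    allow("Broad", ["s3:*"], "*"), allow("Kms", ["kms:Decrypt"], KMS_ARN)]}

if __name__ == "__main__":
    print(audit_backint_policy(DOCUMENTED, BUCKET, FOLDER), audit_backint_policy(LOOSE, BUCKET, FOLDER))
```

Run it against the policy actually attached to the EC2 role before installing the agent; an empty list means the policy matches the documented scope.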
Amazon Systems Manager Agent (SSM Agent)
To install the Amazon Backint agent with the Amazon Systems Manager Agent (SSM Agent) document, you must install the Amazon Systems Manager Agent (SSM Agent).
Note
The SSM Agent will not work if you do not attach the AmazonSSMManagedInstanceCore policy to your EC2 instance role.
Amazon S3 bucket
When you install the Amazon Backint agent, you must provide the name of the S3 bucket where you want to store your SAP HANA backups. Only Amazon S3 buckets created after May 2019 are compatible with Amazon Backint agent. If you do not own a bucket created after May 2019, create a new S3 bucket in your target Region. Additionally, ensure that the Amazon S3 bucket where you want to store your backups doesn’t have public access enabled. If the S3 bucket has public access enabled, backups will fail.
Amazon Backint agent supports backing up to Amazon S3 with VPC endpoints. An Amazon S3 gateway endpoint can improve performance and can potentially help avoid timeouts. It increases security while reducing cost. For more information, see VPC Endpoints.
S3 storage classes -- Amazon Backint agent supports backing up your SAP HANA database to an Amazon S3 bucket with the S3 Standard, S3 Standard-IA, S3 One Zone-IA, and S3 Intelligent-Tiering storage classes. S3 Reduced Redundancy, Deep Archive, and Glacier storage classes are not supported by Amazon Backint agent. By default, the S3 Standard storage class is used to store your backups. You can change the storage class to use for backups by modifying the Amazon Backint agent configuration file. Alternatively, you can change your backup files to one of the supported storage classes through S3 LifeCycle configuration.
Note
S3 Intelligent-Tiering storage class enables movement of objects between four access tiers. It can also move objects to the archival tiers. However, Amazon Backint agent for SAP HANA does not support backup and recovery from archival tiers. To recover or delete objects from the archival tiers, you must first restore the archived S3 objects.
Encryption -- Amazon Backint agent supports encrypting your SAP HANA backup files while storing them in Amazon S3, using server-side encryption with Amazon KMS (KMS). You can encrypt your backups with an aws-managed-key called aws/s3, or you can use your own custom symmetrical Amazon KMS key stored in KMS. To encrypt your backup files with keys stored in KMS (Amazon-managed or custom), you must provide the KMS ARN during the install, or update the Amazon Backint agent configuration file at a later time. To learn more about encrypting your S3 objects using Amazon KMS, see How Amazon S3 uses Amazon KMS.
Object locking -- You can store objects using a write-once-read-many (WORM) model with S3 Object Lock. Use S3 Object Lock if you want to prevent your SAP HANA backup files from being accidentally deleted or overwritten for a specific time period or indefinitely. If S3 Object Lock is enabled, you can’t delete your SAP HANA backups stored in Amazon S3 using SAP HANA Cockpit, SAP HANA Studio, or SQL commands until the retention period expires. To learn about S3 Object Lock, see Locking objects using S3 Object Lock.
Object tagging -- By default, Amazon Backint agent adds a tag called AmazonBackintAgentVersion when it stores your SAP HANA backup files in your S3 bucket. This tag helps to identify the Amazon Backint version and the SAP HANA version used when backing up your SAP HANA database. You can list the value of the tags from S3 console.
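The bucket requirements above (created after May 2019, no public access, lifecycle transitions only to supported storage classes) can be checked before installation. This Python sketch is an added example, not code from the original page or from the agent; it evaluates JSON shaped like the output of the `aws s3api` commands `get-bucket-policy-status`, `get-bucket-acl` and `get-bucket-lifecycle-configuration`, and all sample responses and the `HDB/` backup folder are constructed.

```python
from datetime import datetime, timezone

# Storage classes this page lists as supported, by their S3 API names.
SUPPORTED = {"STANDARD", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING"}
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
CUTOFF = datetime(2019, 6, 1, tzinfo=timezone.utc)  # "created after May 2019"

def preflight(created, policy_status, acl, lifecycle, backup_prefix):
    """Check captured s3api JSON responses against the bucket rules above."""
    problems = []
    if datetime.fromisoformat(created) < CUTOFF:
        problems.append("bucket was created before June 2019")
    if policy_status.get("PolicyStatus", {}).get("IsPublic"):
        problems.append("bucket policy makes the bucket public")
    for grant in acl.get("Grants", []):
        if grant["Grantee"].get("URI") in PUBLIC_GROUPS:
            problems.append(f"ACL grants {grant['Permission']} to a public group")
    for rule in lifecycle.get("Rules", []):
        scope = rule.get("Filter", {}).get("Prefix", "")
        # Simplification: only prefix filters count; rule and folder must overlap.
        overlaps = scope.startswith(backup_prefix) or backup_prefix.startswith(scope)
        if rule.get("Status") != "Enabled" or not overlaps:
            continue
        for tr in rule.get("Transitions", []):
            if tr["StorageClass"] not in SUPPORTED:
                problems.append(f"lifecycle rule {rule.get('ID')} moves backups"
                                f" to {tr['StorageClass']}")
    return problems

# Constructed responses; timestamps carry an explicit UTC offset.
GOOD = dict(created="2021-03-10T08:00:00+00:00",
            policy_status={"PolicyStatus": {"IsPublic": False}},
            acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE"},
                             "Permission": "FULL_CONTROL"}]},
            lifecycle={"Rules": [{"ID": "to-ia", "Status": "Enabled", "Filter": {"Prefix": "HDB/"},
                                  "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}]}]},
            backup_prefix="HDB/")
BAD = dict(created="2018-11-02T09:15:00+00:00",
           policy_status={"PolicyStatus": {"IsPublic": True}},
           acl={"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]},
                            "Permission": "READ"}]},
           lifecycle={"Rules": [{"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": ""},
                                 "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]},
           backup_prefix="HDB/")

if __name__ == "__main__":
    print(preflight(**GOOD), preflight(**BAD), sep="\n")
```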
Amazon CLI
Amazon Backint agent installation leverages the Amazon CLI to validate S3 bucket properties. To install or update to the Amazon CLI, see Install or update to the latest version of the Amazon CLI.