Security - SAP HANA on Amazon
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Here are additional Amazon security resources to help you achieve the level of security you require for your SAP HANA environment on Amazon.

OS Hardening

You may want to lock down the OS configuration further, for example, to avoid providing a DB administrator with root credentials when logging into an instance.

You can also refer to the following SAP notes:

  • 1730999: Configuration changes in HANA appliance

  • 1731000: Unrecommended configuration changes

Disabling HANA Services

HANA services such as HANA XS are optional and should be deactivated if they are not needed. For instructions, see SAP Note 1697613: Remove XS Engine out of SAP HANA database. In case of service deactivation, you should also remove the TCP ports from the SAP HANA Amazon security groups for complete security.

API Call Logging

Amazon CloudTrail is a web service that records Amazon API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Amazon service.

With CloudTrail, you can get a history of Amazon API calls for your account, including API calls made via the Amazon Management Console, Amazon SDKs, command line tools, and higher-level Amazon services (such as Amazon CloudFormation). The Amazon API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

Notifications on Access

You can use Amazon Simple Notification Service (Amazon SNS) or third-party applications to set up notifications on SSH login to your email address or mobile phone.