Operations
Tagging Amazon resources
A tag is a label that you assign to an Amazon resource. Each tag consists of a key and an optional value, both defined by you. Adding tags to various Amazon resources will make managing SAP environments more efficient, and help you search for resources quickly. Many Amazon EC2 API calls can be used in conjunction with a special tag filter. For more information, see Tagging Amazon resources
Tag name |
Tag value |
Name |
SAP server’s virtual (host) name |
Environment |
SAP server’s landscape role; for example: SBX, DEV, QAT, STG, PRD. |
Application |
SAP solution or product; for example: ECC, CRM, BW, PI, SCM, SRM, EP |
Owner |
SAP point of contact |
Service level |
Known uptime and downtime schedule |
After tagging your resources, you can apply specific security restrictions, such as access control (as seen in the following example policy), based on tag values.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LaunchEC2Instances", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:RunInstances" ], "Resource": [ "*" ] }, { "Sid": "AllowActionsIfYouAreTheOwner", "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances", "ec2:TerminateInstances" ], "Condition": { "StringEquals": { "ec2:ResourceTag/PrincipalId": "${aws:userid}" } }, "Resource": [ "*" ] } ] }
IAM only allows specific permissions based on the tag value. In this scenario, the current ID must match the tag value to enable permissions for the user. For more information, see Tag your Amazon EC2 resources
Monitoring
Amazon provides multiple native services to monitor and manage your SAP environment. CloudWatch
Operating system maintenance
In general, operating system maintenance across large estates of Amazon EC2 instances can be managed by using:
-
Third-party products, such as those available on Amazon Marketplace.
-
Amazon Systems Manager
The following are some key operating system maintenance tasks.
Patching
You can follow SAP recommended patching process to update your landscape on Amazon. With Amazon Systems Manager Patch Manager
-
Scheduling based on tags
-
Defining patch baselines
-
Auto-approving patches with lists of approved and rejected patches
Amazon Systems Patch Manager integrates with IAM, CloudTrail, and CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage. For details about the process, see How Patch Manager operations work
Maintenance Windows
Amazon Systems Manager Maintenance Windows
Administrator access
For administrative purposes, you can access the backend of your SAP systems via SSH or Amazon Systems Manager Session Manager
Automation
Amazon Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon EC2 instances and other Amazon resources. For more information, see Amazon Systems Manager Automation
Automation using Infrastructure-as-Code with Amazon CloudFormation
We recommend following the principle of Infrastructure-as-Code (IaC) for automating and maintaining your workloads on Amazon. Amazon CloudFormation
Cost optimization
We recommend cost optimization as an ongoing process. There are many Amazon services that help with budgeting, cost control and optimization. For more details, see Cost Optimization Pillar - Amazon Well-Architected Framework