Security and compliance - SAP NetWeaver on Amazon

Security and compliance

The following are additional Amazon security resources to help you achieve the optimum level of security for your SAP NetWeaver environment on Amazon:

OS Hardening

Check the following resources to strengthen the security of your workloads. You must have access to the SAP portal to view the SAP Notes.

To follow the CIS Benchmarks, see Securing Oracle Linux.


An important aspect of securing your workloads is encrypting your data, both at rest and in transit. For more details, refer to the following:

In addition to Amazon encryption features, you can also use Oracle Transparent Data Encryption, as described in SAP Note 974876.

Security group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level.

Customers often separate the SAP system into multiple subnets, with the database in a separate subnet from the application servers and other components, such as a web dispatcher, in another subnet, possibly with external access.

If workloads are scaled horizontally, or high availability is necessary, you may choose to include multiple, functionally similar, Amazon EC2 instances in the same security group. In this case, you must add a rule to your security groups.

If Linux is used, some configuration changes may be necessary in the security groups, route tables, and network ACLs. For more information, see Security group rules for different use cases.

Network ACL

A network access control list (ACL) is an optional layer of security for your Amazon VPC that acts as a stateless firewall at the subnet level, controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups to add another layer of security to your Amazon VPC.

See Amazon VPC Subnet Zoning Patterns for SAP on Amazon to understand the network considerations for SAP workloads.

API call logging

Amazon CloudTrail is a web service that records Amazon API calls for your account and delivers log files to you. The recorded information includes the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements returned by the Amazon service. With CloudTrail, you can get a history of Amazon API calls for your account, including API calls made via the Amazon Web Services Management Console, Amazon SDKs, command line tools, and higher-level Amazon services (such as Amazon CloudFormation). The Amazon API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
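The following added example (not part of the original Amazon documentation) shows one way to use those recorded fields for resource change tracking: it scans a CloudTrail log file for successful AuthorizeSecurityGroupIngress calls that admit any source address and reports who made the change. The account ID, user names, security group IDs, and log records are constructed sample values, and only this one event name is covered.

```python
import json

def _rec(time, user, group, port, ranges, error=None):
    """Build one constructed record using CloudTrail's field names."""
    rec = {"eventTime": time, "eventName": "AuthorizeSecurityGroupIngress",
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": "arn:aws-cn:iam::111122223333:user/" + user},
           "requestParameters": {"groupId": group, "ipPermissions": {"items": [
               {"ipProtocol": "tcp", "fromPort": port, "toPort": port, **ranges}]}}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample in the CloudTrail log-file layout; not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "example-admin", "sg-0exampledb", 1521,
         {"ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}),
    _rec("2024-01-01T10:05:00Z", "example-admin", "sg-0exampledb", 1521,
         {"ipRanges": {"items": [{"cidrIp": "10.0.1.0/24"}]}}),
    _rec("2024-01-01T10:09:00Z", "example-dev", "sg-0exampleapp", 22,
         {"ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         error="Client.UnauthorizedOperation"),
    _rec("2024-01-01T10:12:00Z", "example-dev", "sg-0exampleweb", 443,
         {"ipRanges": {}, "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}),
    {"eventTime": "2024-01-01T10:15:00Z", "eventName": "DescribeInstances"},
]})

WORLD = {"0.0.0.0/0", "::/0"}

def world_open_ingress(log_text):
    """Return one finding per successful ingress rule that admits any source."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        if rec.get("errorCode"):  # denied or failed call: no rule was added
            continue
        params = rec.get("requestParameters") or {}
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
            cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
            for cidr in (c for c in cidrs if c in WORLD):
                findings.append({"time": rec.get("eventTime"),
                                 "caller": (rec.get("userIdentity") or {}).get("arn"),
                                 "source_ip": rec.get("sourceIPAddress"),
                                 "group": params.get("groupId"),
                                 "port": perm.get("toPort"), "cidr": cidr})
    return findings

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_LOG):
        print(finding)
```

A finding is a prompt for review rather than proof of misconfiguration: a web dispatcher subnet may be intended to accept external traffic, while a database listener port open to every address is not.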

Notification on access

You can use Amazon SNS or any third-party application to send a notification to your email address or mobile phone when an SSH login occurs.