Security and compliance
The following are additional Amazon security resources to help you achieve the optimum level of security for your SAP NetWeaver environment on Amazon:
Infrastructure hardening
In some cases, you can further lock down the operating system configuration, for instance to avoid sharing the credentials of your Amazon account with an SAP administrator who needs to log on to an Amazon EC2 instance. Refer to Security in Amazon EC2 and Best Practice 6.2 – Build and protect the operating system to learn more.
You can also use an automated solution provided by Amazon – Amazon Inspector
Encryption
An important aspect of securing your workloads is encrypting your data, both at rest and in transit. For more details, refer to the following resources.
You can also refer to the following SAP resources.
Security group
A security group
SAP system is often separated into multiple subnets, with the database in a separate subnet to the application servers, and other components, such as a web dispatcher in another subnet, possibly with external access.
If workloads are scaled horizontally, or high availability is necessary, you may choose to include multiple, functionally similar, Amazon EC2 instances in the same security group. In this case, you must add a rule to your security groups.
If Linux is used, some configuration changes may be necessary in the security groups, route tables, and network ACLs. For more information, see Security group rules for different use cases
Network ACL
A network access control list (ACL)
See Amazon VPC Subnet Zoning Patterns for SAP on Amazon
API call logging
Amazon CloudTrail is a web service that records Amazon API calls for your account and delivers log files to you. The recorded information includes the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements returned by the Amazon service. With CloudTrail, you can get a history of Amazon API calls for your account, including API calls made through the Amazon Web Services Management Console, Amazon SDKs, command line tools, and higher-level Amazon services (such as Amazon CloudFormation). The Amazon API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
For more information, see What Is Amazon CloudTrail?
Notification on access
You can use Amazon SNS