Best practices for IAM Security
The IAM administrator is responsible for the following three key areas.
- Ensuring that the SAP system can authenticate itself to Amazon, either with the credentials delivered through the Amazon EC2 instance metadata (the instance profile) or with an access key ID and secret access key.
- Ensuring that the SAP system has the permission it needs to switch to business-specific roles with sts:AssumeRole.
- For each logical IAM role, creating an IAM role for SAP users with the permissions required to perform the business functions (for example, the necessary permissions for Amazon S3, DynamoDB, or other services). These are the roles that SAP users will assume.
For more information, see the Security chapter in the SAP Lens: Amazon Well-Architected Framework.
Best practice for Amazon EC2 instance profile
The Amazon EC2 instance on which your SAP system runs has a set of authorizations based on its instance profile. Generally, the instance profile only needs permission to call sts:AssumeRole on the business-specific IAM roles, so that the SAP system can assume those roles as needed. Keeping the instance profile this narrow means that an ABAP program never runs with the union of all business permissions; it assumes the one role that gives the current user the least privilege needed to do their job. For example, the role behind an instance profile might carry the following policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::0123456789:role/finance-cfo",
        "arn:aws:iam::0123456789:role/finance-auditor",
        "arn:aws:iam::0123456789:role/finance-reporting"
      ]
    }
  ]
}

The preceding example allows the SAP system to assume only the CFO, AUDITOR, and REPORTING roles, and nothing else. The Amazon SDK chooses the IAM role for a given user based on that user's PFCG role in SAP, using the mapping between logical and physical IAM roles that the business analyst maintains. Keep the Resource list explicit: a wildcard there would let the instance assume any role in the account whose trust policy names it.
The Amazon EC2 instance profile can also be used by other functions running on the same instance, such as backup or failover solutions. These solutions may likewise require sts:AssumeRole permission to roles specific to backup or failover, or they may require their permissions to be attached directly to the instance profile. In the latter case, keep those permissions limited to the backup or failover function so that the instance profile does not become a broader path around the per-user business roles.
IAM roles for SAP users
The ABAP program needs permissions to perform the user’s job: read a DynamoDB table, invoke Amazon Textract on a PDF object in Amazon S3, run an Amazon Lambda function. The same security model is used in all Amazon SDKs. You can use an existing IAM role that was used for another Amazon SDK.
The SAP business analyst will ask the IAM administrator for the ARN of an IAM role for each logical role needed. For example, in a financial scenario, the business analyst may define the following logical IAM roles.
- CFO
- AUDITOR
- REPORTING
The IAM administrator will define an IAM role for each logical IAM role, granting only what that business function needs.

CFO
- arn:aws:iam::0123456789:role/finance-cfo
- read and write permissions to an Amazon S3 bucket
- read and write permissions to a DynamoDB table

AUDITOR
- arn:aws:iam::0123456789:role/finance-auditor
- read permissions to an Amazon S3 bucket
- read permissions to a DynamoDB table

REPORTING
- arn:aws:iam::0123456789:role/finance-reporting
- read permissions to a DynamoDB table
- no permissions for the Amazon S3 bucket
The business analyst will enter the IAM roles into a mapping table to map the logical IAM roles with the physical IAM roles.
IAM roles for SAP users need a trust policy that allows the sts:AssumeRole action for trusted principals. Which principal to trust depends on how the SAP system authenticates to Amazon. For more details, see Specifying a principal.
The following are some examples of the most common SAP scenarios.
- SAP system running on Amazon EC2 with an instance profile assigned – here, the business role trusts the IAM role that backs the Amazon EC2 instance profile.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/SapInstanceProfile" }
    }
  ]
}

- SAP systems running on Amazon EC2 without an instance profile – here, the Amazon EC2 service assumes roles for SAP users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Principal": { "Service": [ "ec2.amazonaws.com" ] }
    }
  ]
}

- SAP systems running on-premises – SAP systems that run on-premises can only authenticate using the access key ID and secret access key of an IAM user. For more information, see SAP system authentication on Amazon.
Here, any IAM role assumed by an SAP user must have a trust relationship that trusts that IAM user, that is, the user whose credentials the SAP system holds, not the individual SAP end user. Because this trust rests on a long-lived access key, rotate the key regularly and give the user no permissions beyond sts:AssumeRole on the business roles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/SAP_SYSTEM_S4H" }
    }
  ]
}
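The following Python script is an added example, not code from this page or from the Amazon SDK for SAP ABAP. It ties together the instance-profile policy from the best-practice section above and the trust policies from the "Amazon EC2 with an instance profile" scenario: it parses the three artefacts an administrator ends up with (the logical-to-physical mapping table, the instance-profile policy, and one trust policy per business role) and reports where they disagree or are broader than the least-privilege pattern the page describes. The account ID, the role names, and the deliberately misconfigured finance-reporting trust policy are constructed for the example.

```python
"""Offline consistency check for the IAM setup described on this page: the
instance-profile policy, the trust policies of the business roles, and the
logical-to-physical role mapping. Added example with constructed policies;
the account ID and role names are assumptions, not values from a real account."""
import json
import re

ACCOUNT = "123456789012"  # assumed placeholder account ID
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SapInstanceProfile"

# Mapping table: logical IAM role (as named by the business analyst) -> physical role ARN.
ROLE_MAPPING = {
    "CFO": f"arn:aws:iam::{ACCOUNT}:role/finance-cfo",
    "AUDITOR": f"arn:aws:iam::{ACCOUNT}:role/finance-auditor",
    "REPORTING": f"arn:aws:iam::{ACCOUNT}:role/finance-reporting",
}

# Policy on the instance-profile role: sts:AssumeRole only, to explicit ARNs only.
INSTANCE_PROFILE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::123456789012:role/finance-cfo",
      "arn:aws:iam::123456789012:role/finance-auditor",
      "arn:aws:iam::123456789012:role/finance-reporting"
    ]
  }]
}""")


def trust_instance_role():
    """Trust policy that lets only the instance-profile role assume a business role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"AWS": INSTANCE_ROLE_ARN}}]}


# Constructed trust policies. finance-reporting deliberately trusts the whole
# account (":root"), a common misconfiguration the audit must report.
TRUST_POLICIES = {
    ROLE_MAPPING["CFO"]: trust_instance_role(),
    ROLE_MAPPING["AUDITOR"]: trust_instance_role(),
    ROLE_MAPPING["REPORTING"]: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]},
}

ROLE_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_assume_targets(policy):
    """Return (role ARNs the instance profile may assume, findings about the policy)."""
    targets, findings = set(), []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if actions != {"sts:assumerole"}:
            findings.append(f"instance profile grants more than sts:AssumeRole: {sorted(actions)}")
        for res in as_list(stmt.get("Resource")):
            if ROLE_ARN_RE.match(res):
                targets.add(res)
            else:
                findings.append(f"instance profile resource is not an explicit role ARN: {res}")
    return targets, findings


def trusted_principals(trust_policy):
    """Return the AWS principals a trust policy allows to call sts:AssumeRole."""
    principals = set()
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # anonymous trust
            principals.add("*")
            continue
        principals.update(as_list((principal or {}).get("AWS")))
    return principals


def audit(mapping, instance_policy, trust_policies, instance_role_arn):
    """Cross-check mapping, instance-profile policy and trust policies; return sorted findings."""
    targets, findings = allowed_assume_targets(instance_policy)
    for logical, arn in mapping.items():
        if arn not in targets:
            findings.append(f"{logical}: instance profile cannot assume {arn}")
        trust = trust_policies.get(arn)
        if trust is None:
            findings.append(f"{logical}: no trust policy found for {arn}")
            continue
        principals = trusted_principals(trust)
        if instance_role_arn not in principals:
            findings.append(f"{logical}: {arn} does not trust {instance_role_arn}")
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"{logical}: {arn} trusts an overly broad principal {p}")
    for arn in targets - set(mapping.values()):
        findings.append(f"instance profile may assume unmapped role {arn}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ROLE_MAPPING, INSTANCE_PROFILE_POLICY, TRUST_POLICIES, INSTANCE_ROLE_ARN):
        print("FINDING:", finding)
```

Run as-is, the script reports two findings for REPORTING (its role does not trust the instance-profile role, and it trusts the account root instead); replacing that trust policy with the one the CFO and AUDITOR roles use brings the audit to zero findings. Feeding it real policies exported with `aws iam get-role` and `aws iam get-role-policy` makes it a cheap pre-deployment check that the mapping table, the instance profile and the trust relationships stay in step.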