Prerequisites - Databases for SAP applications on Amazon
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites

This section provides information on mandatory prerequisites for Amazon Backint Agent for SAP ASE.

Amazon Identity and Access Management (IAM)

To enable S3 bucket access for your Amazon EC2 instance, create or update an inline IAM policy with the following permissions and attach it to the IAM role that your EC2 instance assumes through its instance profile. Replace the resource names, such as the S3 bucket name, to match your setup. You must provide the Amazon Region and Amazon S3 bucket owner account ID along with the Amazon S3 bucket name and the KMS key used for encryption. Note that the object-level actions (s3:PutObject, s3:GetObject, s3:DeleteObject, s3:PutObjectTagging) are scoped to the backup folder prefix only, while the bucket-level actions apply to the bucket itself; keep that split when you adapt the policy so the agent cannot delete objects elsewhere in the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/your-folder-name/*"
    }
  ]
}
Note

If you want to allow cross-account backup and restore, you must add your account details under a principal element in your policy. For more information about principal policies, see Amazon JSON Policy Elements: Principal in the Amazon Identity and Access Management User Guide. In addition, you must ensure that the S3 bucket policies allow your account to perform the actions specified in the IAM policy example above. For more information, see the example for Bucket owner granting cross-account bucket permissions in the Amazon S3 Developer Guide.

For more information about managed and inline policies, see the IAM User Guide.

Amazon S3 Bucket

In preparation for installation of the Amazon Backint agent, identify or create an S3 bucket in the target Region where SAP ASE backups will be stored. The bucket must have been created after May 2019 in order to be compatible with Amazon Backint agent and must have public access blocked, as backups will fail if public access is enabled.

Amazon Backint agent supports backing up to Amazon S3 with VPC endpoints. Using an Amazon S3 gateway endpoint can improve performance, help prevent timeouts, enhance security, and reduce costs. For more information, see VPC Endpoints.

S3 storage classes

Amazon Backint agent supports storing SAP ASE database backups in S3 Standard, S3 Standard-IA, S3 One Zone-IA, and S3 Intelligent-Tiering storage classes. By default, backups use the S3 Standard storage class, but this can be changed through the Amazon Backint agent configuration file, S3 Lifecycle rules, or directly via APIs.

Amazon Backint Agent for SAP ASE does not support the following storage classes: Reduced Redundancy, Deep Archive, and Glacier.

While S3 Intelligent-Tiering can automatically move objects into its optional archive access tiers, Amazon Backint agent requires objects to be in the standard access tiers for recovery or deletion operations; do not opt in to the archive access tiers for the bucket or prefix that holds your backups. For more information, see Amazon S3 Storage Classes in the Amazon S3 Developer Guide.

Encryption

Amazon Backint agent supports encrypting your SAP ASE backup files while storing them in Amazon S3, using server-side encryption with Amazon Key Management Service (KMS). You can encrypt your backups with an Amazon managed key (aws/s3) or you can use your own customer managed key stored in Amazon KMS. To encrypt your backup files with Amazon KMS keys (Amazon managed or customer managed), you must provide the KMS key ARN during installation or update the Amazon Backint agent configuration file later. For a customer managed key, the key policy must also permit the instance role to use the key; the kms:Decrypt and kms:GenerateDataKey permissions in the IAM policy above are not sufficient on their own. To learn more about encrypting your S3 objects using Amazon KMS, see How Amazon S3 uses Amazon KMS in the Amazon Key Management Service Developer Guide. Alternatively, you can enable default encryption for your Amazon S3 bucket using either Amazon KMS keys or keys managed by Amazon S3 (SSE-S3). To learn more about enabling default encryption for your bucket, see How do I enable default encryption for an Amazon S3 bucket? in the Amazon S3 Console User Guide.

Object locking

You can store objects using a write-once-read-many (WORM) model with S3 Object Lock. Use S3 Object Lock if you want to prevent your SAP ASE backup files from being accidentally deleted or overwritten for a specific time period or indefinitely. If S3 Object Lock is enabled, you can’t delete your SAP ASE backups stored in Amazon S3 using SAP ASE Cockpit, SAP ASE Studio, or SQL commands until the retention period expires. To learn about S3 Object Lock, see Locking objects using S3 Object Lock in the Amazon S3 Developer Guide.

Object tagging

By default, Amazon Backint agent adds a tag called AmazonBackintAgentVersion when it stores your SAP ASE backup files in your S3 bucket; this is why the IAM policy above grants s3:PutObjectTagging on the backup folder. This tag helps to identify the Amazon Backint version and the SAP ASE version used when backing up your SAP ASE database. You can list the value of the tags from the S3 console or using APIs. To disable default tagging, modify the Amazon Backint agent configuration file. See Additional Parameters for more information.

Data perimeter

Amazon Backint Agent must be installed on your Amazon EC2 instance. To download the installation binary, your EC2 instance needs access to the Amazon-managed S3 buckets where the installer packages are hosted. If your organization uses data perimeter policies to control access to Amazon S3 in your environment, you might need to explicitly allow these service-owned buckets so that the EC2 instance can retrieve the required installer. The following policy shows an example service control policy (SCP) that permits access to service-owned resources through the resource perimeter. The relevant service-owned buckets are listed in the NotResource element of the policy, which exempts them from the Deny; every other resource outside your organization is denied unless the calling principal carries the dp:exclude:resource tag.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceResourcePerimeterAWSResources",
      "Effect": "Deny",
      "Action": "*",
      "NotResource": [
        "arn:aws:s3:::awssap-backint-agent-ase",
        "arn:aws:s3:::awssap-backint-agent-ase/*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "<organization id>",
          "aws:PrincipalTag/dp:exclude:resource": "true"
        }
      }
    }
  ]
}

The following policy shows an example VPC endpoint policy allowing access to specific service-owned resources through a VPC endpoint. The relevant service-owned buckets are listed in the Resource element of the statement. This statement only covers the installer download; if your endpoint policy is otherwise restrictive, it also needs a statement that allows the agent's actions on your own backup bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToAWSOwnedResources",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awssap-backint-agent-ase",
        "arn:aws:s3:::awssap-backint-agent-ase/*"
      ]
    }
  ]
}
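To see what the identity policy from the IAM section and the resource-perimeter SCP above actually grant or block before deploying them, the following added example (written for this page, not code from the Amazon Backint agent or its documentation) implements just enough of the IAM evaluation logic to check both: Allow/Deny effects, Resource and NotResource, the `*` and `?` wildcards, and the StringNotEqualsIfExists operator with its ANDed keys. The policies are copied verbatim from this section; the organization ID `o-exampleorg`, the object keys, and the foreign bucket names are assumed placeholders, and the request contexts are constructed by hand (an AWS-owned bucket carries no aws:ResourceOrgID key, which is what makes the NotResource carve-out necessary).

```python
"""Minimal IAM policy evaluator for the two policies in this section (added example).

Models only what those policies use: Allow/Deny, Resource/NotResource, '*'/'?'
wildcards and StringNotEqualsIfExists. Org ID, object keys and foreign bucket
names below are assumed placeholders, not real values.
"""
import fnmatch
import json

ORG_ID = "o-exampleorg"  # assumed stand-in for "<organization id>" on the page

# Identity policy from the IAM section (placeholders exactly as on the page).
IDENTITY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketLocation", "s3:ListBucket",
               "s3:GetBucketAcl", "s3:GetBucketPolicy"],
    "Resource": ["arn:aws:s3:::your-bucket-name/*", "arn:aws:s3:::your-bucket-name"] },
  { "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id" },
  { "Effect": "Allow",
    "Action": ["s3:PutObjectTagging", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::your-bucket-name/your-folder-name/*" } ] }
""")

# Resource-perimeter SCP from the data perimeter section, org ID filled in.
RESOURCE_PERIMETER_SCP = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "EnforceResourcePerimeterAWSResources", "Effect": "Deny", "Action": "*",
    "NotResource": ["arn:aws:s3:::awssap-backint-agent-ase",
                    "arn:aws:s3:::awssap-backint-agent-ase/*"],
    "Condition": { "StringNotEqualsIfExists": {
        "aws:ResourceOrgID": "<organization id>",
        "aws:PrincipalTag/dp:exclude:resource": "true" } } } ] }
""".replace("<organization id>", ORG_ID))


def _matches(patterns, value):
    """IAM-style match: '*' and '?' wildcards, case-sensitive, one or many patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Keys under one operator are ANDed; a key absent from the request context
    satisfies an ...IfExists test. Only StringNotEqualsIfExists is modelled."""
    for operator, tests in condition.items():
        if operator != "StringNotEqualsIfExists":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, forbidden in tests.items():
            if key in context and context[key] == forbidden:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """'Deny' if an explicit deny matched, 'Allow' if an allow matched and no deny did,
    'NoMatch' if no statement applied (implicit deny for an identity policy; for an
    SCP it means this SCP does not block the request)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource):
            continue
        if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
            continue  # carve-out: the statement does not apply to these resources
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "NoMatch"


def check_agent_policy():
    """Object-level actions are confined to your-folder-name/; the rest of the bucket
    only gets the bucket-level read actions from the first statement."""
    bucket = "arn:aws:s3:::your-bucket-name"
    kms_key = "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
    return {
        "list_bucket": evaluate(IDENTITY_POLICY, "s3:ListBucket", bucket),
        "put_in_folder": evaluate(IDENTITY_POLICY, "s3:PutObject", f"{bucket}/your-folder-name/ASE.bak"),
        "delete_outside_folder": evaluate(IDENTITY_POLICY, "s3:DeleteObject", f"{bucket}/other/ASE.bak"),
        "kms_decrypt": evaluate(IDENTITY_POLICY, "kms:Decrypt", kms_key),
    }


def check_resource_perimeter():
    """AWS-owned buckets carry no aws:ResourceOrgID, so only the NotResource carve-out
    lets the installer download through; other external buckets are denied."""
    installer = "arn:aws:s3:::awssap-backint-agent-ase/installer.tgz"  # constructed key
    other_aws = "arn:aws:s3:::some-other-service-bucket/x"             # constructed
    foreign = "arn:aws:s3:::some-other-companys-bucket/data"            # constructed
    tagged = {"aws:ResourceOrgID": "o-otherorg", "aws:PrincipalTag/dp:exclude:resource": "true"}
    return {
        "installer_bucket": evaluate(RESOURCE_PERIMETER_SCP, "s3:GetObject", installer),
        "other_aws_owned_bucket": evaluate(RESOURCE_PERIMETER_SCP, "s3:GetObject", other_aws),
        "foreign_org_bucket": evaluate(RESOURCE_PERIMETER_SCP, "s3:GetObject", foreign,
                                       {"aws:ResourceOrgID": "o-otherorg"}),
        "own_org_bucket": evaluate(RESOURCE_PERIMETER_SCP, "s3:GetObject",
                                   "arn:aws:s3:::your-bucket-name/x", {"aws:ResourceOrgID": ORG_ID}),
        "excluded_principal": evaluate(RESOURCE_PERIMETER_SCP, "s3:GetObject", foreign, tagged),
    }


if __name__ == "__main__":
    print(json.dumps({"identity": check_agent_policy(), "scp": check_resource_perimeter()}, indent=2))
```

The two results worth noticing are `delete_outside_folder` (NoMatch, so the agent's role cannot delete objects outside its own prefix) and `other_aws_owned_bucket` (Deny, so any additional service-owned bucket the installer needs must be added to the NotResource list, just as awssap-backint-agent-ase is). This evaluator ignores permission boundaries, session policies and the full operator set; use the IAM policy simulator for the authoritative answer.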

Amazon Command Line Interface (CLI)

Amazon Backint agent installation leverages the Amazon CLI to validate S3 bucket properties. To install or update to the Amazon CLI, see Install or update to the latest version of the Amazon CLI.