Creating a secure foundation for SAP on AWS - AWS Virtual Workshop

AWS Developers · Intermediate ·☁️ DevOps & Cloud ·4y ago

Key Takeaways

The video demonstrates how to create a secure foundation for SAP on AWS using various AWS services and tools, including AWS Config, AWS Conformance Packs, EC2 Image Builder, and AWS Systems Manager.

Full Transcript

[Music] thank you so much and hello everyone good afternoon my name is rajpath and i will be leading the first session of today's presentation along with me i also have sunil yado who's going to share some best practices around how to harden the emi before you deploy an s4hana solution this is actually a three-day event today we are going to talk about how you can secure the aws foundation to get your saps for hana workload ready for the migration tomorrow my friend and my colleague is going to demonstrate how you can architect and deploy an s4hana system on aws using a tool called aws launch wizard and on the episode 3 we will be sharing how you can migrate and optimize ses for hana workload on aws um by following some best practices and recommendations uh from from again from italy yeah so what we are going to learn today uh before we start building the s4hana solutions on aws we would like to cover some aws security fundamentals right and how you can utilize an out of the box aws solutions to provide an ability to control those secure requirement um automatically right and after that sunil is going to demonstrate how you can select an operating system from the aws marketplace and then harden it according to the cis standards and sunil is also going to share uh some best practices and recommendations around how you can utilize aws services like ssm to further uh operate your sap workloads more securely so with aws you control where you your data is stored and who can access it and what resources your organization is consuming at any given moment uh fine grain auditing and uh identity and access controls combined with continuous monitoring for near real-time security information ensures that the right resources have the right access at all times whenever your information wherever your information is stored and you do have an ability to automatically secure tasks on aws and that enables you to be more secure by reducing humor configuration errors and giving your team more time to focus on other work critical that are critical to your business selecting from a wide variety of deeply integrated solutions that can be combined to automate tasks in normal ways making it easier for your security team to work closely with developer and operations team to create and deploy code faster and more securely now we do govern uh the aws platform by providing a higher standard for privacy and data security and we are all in vigilant about your privacy now with aws you can build on the most secure global infrastructure knowing you always own your data including the ability to encrypt it move it and manage retention all data flowing across the aws global network that interconnects our data centers and and regions is automatically encrypted at the physical layer before it leaves our secure facilities and with that said let me move to the next slide one of the way that we actually help our customers is to follow a roadmap right so sap journey to aws is not a one-team responsibility now implementing security controls at aws infrastructure operating system database and at sap application has usually been part of any sap products whether it's a fresh sap implementation a data center exit a transformation project or even a lift and ship migration projects understanding your organization's security controls and aligning it to uh design and development practice should be included in the project plan and here is an example on how aws assist sap customers to implement security controls as part of the sap projects a general understanding of implementing security is not only to configure monitoring tools but also implement tools like implement controls like dr strategies change control incident problem management backup recovery solutions and also build the run books to prepare for the worst now identifying the gaps in the security controls and understanding the risk for those gaps to your business should be at the top priority list to prepare your enterprise against a security vulnerabilities and threats like ransomware software vulnerabilities or even distributed denier of service attacks applying the abol engagement model has helped several sap on aws customers to build their sap on aws security best practices and by implementing the controls by design now for next one hour myself and sunil is going to provide demos and how to how to tutorials uh to tackle few of the machine security controls by design and leveraging the power of infrastructure as a core at scale all right so aws provides several services to implement standards uh as well as a customer defined security control for sap workloads now going from top to the bottom of the screen aws cloud formation service enables customers to write their own infrastructure as a code in either of json or yaml format language and then aws cloudformation also offers the ability to launch the templates using api access even to further uh innovate and integrate the solutions based on your organization needs now building sap systems on aws involves a lot of services right so if you start from ec2 we have 96 type of ec2 instances that you can select from to launch your sap workload um to handle the compute requirements right and those workloads could be or the compute power could be memory optimized compute optimize or even a general purpose cc2 instances along with that you also have the ability to select five different type of storages from a service evs elastic block store and also we have services like s3 who can actually retain your data based on the enterprise data retention requirements and along with that you have vpc subnets raw tables aws data provider back-end tool elastic file systems and many other services that customers can leverage for building those secure environment on aws now going through this entire list of services and automating those services using services like aws cloud formation could be a tedious task and we are talking about a heavy time and development effort not only doing the initial software development lifecycle part of it but also from the management point of view and supporting those infrastructures that are code could be another challenge so to simplify that requirement um and based on our customer feedback we have launched aws launch wizard for sap service which enables the sap customers to configure the required aws services according to sap and aws best practices and recommendation and if customer would like aws launch wizard also configures the operating system and installs the sap application in either standard distributed or high levelability configuration launch wizard supports deploying sap netweaver and latest s4hana application on either souza or red hat operating system now with a single plane of inserting all sap configuration in aws console customers can store common input values in the form of configuration files and utilize that to launch several sap systems in matter of hours now my colleague bidwan and rozelle are going to demo how sap on aws customers are leveraging this service to simply simplify their sap system build process at a scale which is covered tomorrow now sap customer has access to this 45 services to tackle the most demanding security requirements to run sap on aws now based upon how you configure these services it can help you to identify protect detect respond and recover security incidents automatically now it could be even semi-automatically or manually as well for example you can utilize services like identity and access management to define fine-grained security controls at aws resource level and then you can create custom manage key through a key management service and which is right here which has the ability to define who as a user or as a service can manage the key and decrypt encrypt and decrypt the data not only within that aws environment or account but also other aws accounts as well now you can also utilize aws web application firewall service that you can actually put it in front of alb which can protect sap web application servers against common attacks like sql injection or cross-site scripting even before the request hits the alb now a good starting point to understand this entire services and how these various services can help you or your organization to meet the security requirements would be to review the frequently asked sessions uh uh sorry frequently asked uh question sessions of the individual aws services web pages now today i'm going to cover an interesting feature of how you can utilize aws config service um and that feature you may or may not be discovered have discovered so far so what is aws config service right so first of all it's a native uh serverless aws service which is actually available through the console right and aws config service enables you to access audit and evaluate the configuration of your aws resources now config continuously monitors and records your aws resource configuration and allows you to automate the evaluation of recorded configuration then it compares uh an event with what you have configured and then provides you a notification uh in the form of an sns topic event right so it's pretty easy service to be that you can actually enable uh to secure your most of the regulatory requirements uh by design right now there are several benefits that customer have already realized by enabling aws config service and the first which is very interesting is continuous monitoring you can continuously monitor and record configuration changes of aws resources and third-party resources or even custom resource type such as on-premise service now inventory the aws resources and third-party resources and configuration of aws resources and you can also monitor a software configuration within the ec2 instance as well through the continuous assessment you can continuously audit and assess overall compliance of your aws resource configuration um and if there is a deviation you can trigger an sns notifications and have a cloud wash event whenever a resource configuration or any configuration changes debates from the rules um in the change management piece you can track relationship among the resources and review resource dependencies among them now there is another advantage of using aws config service is to have that central uh monitoring capabilities through a feature known as data aggregation so if you have multiple aws accounts that are deployed and you have multiple regions where your data is residing you can actually utilize the data aggregation service and you can view the compliance data across the enterprise and identify the non-compliant resources and this is how aws config service works so once you define your rules config will identify any change that is actually has been introduced to your aws account and then aws config will compare that change with how that change should look like through the rules that you have defined in aws config service now if there are any deviation in terms of the change or change of the resource um aws config service will notify you through an s topic right as a matter of fact that configuration changes that are being identified by aws config are normalized and the data are actually put in a consistent format either on amazon s3 as a service as well and those events are also captured in aws uh sorry amazon cloud watch now one of the interesting topic about this is like you may have 50 or even 100 security controls you can define your custom aws uh config rules for monitoring those controls but just like how deploying an sap system without the launch wizard is is going to be cumbersome applying those security controls would be also very tedious and a more complex task to assist our customers we have actually enabled a service called conformance packs which are actually part of aws config service that are bundled um that are actually offers you a bundled service of sorry security rules that you can enable with just few click within aws console so what is confirm is pack conference packs are collection of aws config rules and remediation and remediation actions as a single entity uh for an example you have an um a country rule which says that i want to secure my security group making sure that it's not um opened up widely um a those are not open up widely um and uh it only allows a certain ip address range to have access on the sap servers right so you can actually um create an aws config rule and then uh you can enable that in the aws console uh to have that restriction now there are multiple of other rules that you can actually configure and uh one of the way of course is to do that would be through conformance pack which which actually bundles all those secured uh config rules together uh following certain standards of certain industry standards like cis benchmark right and another benefit of using conformance packs um is that those are actually immutable so you cannot make any changes as a package once you deploy them right and if you have deployed those uh conformance packs using organization master account uh individual member of those master account cannot have will not have permission to modify them now again this is only a simple template on top of this you can actually define your own config rules and create custom conformance packs based on your security requirement so i'm going to walk you through a simple way of how you can actually enable confirmers pack please feel free to uh follow along with me if you already are on aws console so the service is actually available in aws config so within the console if you just type aws config and then click on this config service it will take you to this page and over here you click on confirmance packs and once you click on the confirm is back you will see this page but you will see a link excuse me which says deploy conformance back and then it will take you to this screen where you will see a list of all the example templates and in this case it's actually for the cis benchmark and in that one you will see all the cis benchmark or best practices that you can actually select and then you click on next button and here you will select a use sample template and then you will select the operation best practices template that we just reviewed in the previous screen you can name the conformance pack the way you want in this case i just named it as aws hyphen cis hyphen v1 and then click next here is a summary of all the configuration that you have selected so in in this case we are deploying the operational best practices template which will configure this aws account according to the cis standards level one right now this conformance pack is only going to uh provide the best practices for the aws resources but my colleague sunil yado is going to demonstrate how you can implement the cis benchmark at the operating system level as well through the services like ec2 builder right they migrated now once you deploy the confirmance pack in your aws account you will see this screen where it will say that the deployment of that confirms pack is actually in progress and soon after a few minutes you will see that that confirms pax pack sorry is now deployed and you now have the uh some of your aws resources which are marked as non-compliant now this is again according to the cis label one benchmarks um you are enabling that that best practice for the aws resources that you have launched in this specific aws account now when you click on that confirmance pack to find out more details about which resources are not compliant you will come to this screen now here in the search button or search session you can actually provide additional filter criteria one of being want to list out all the non-compliant resources that are launched in this aws account so by this time compliance and clicking up clicking on non-compliant resource or our page you can actually now list which are all the resources that are not compliant right and if you want to filter down based on say awf services you can also just type the service name in case ec2 for an example um and one of the pre-configured compliant rule is to make sure that all the ebs volume that you have launched in that aws accounts are encrypted right so if you have launched an ebs volume uh without providing any default key or custom managed key then that resource will be marked as non-compliant and it will appear in the screen so of course there are a lot of other things that we can talk about whenever we talk about conformance pack um now security groups for example are another very good example that i provided earlier along with that you have s3 so if you want to restrict the s3 access making sure that only certain ip addresses have the access to the sd pocket you can actually define that in the aws config as well along with that you want to make sure that you have im rolls which are restricted as well so you can even create um additional custom config rule and utilize or utilize a standard best practices confirmance packs that can also provide you that ability now um i would not be going into more detail so let me switch a little uh switch the gear a little bit and talk about how this conformance packs can help you out in your sap journey right so i just provided a few conformance pack templates but we have almost 59 out there to satisfy various type of requirements so for example if you are in healthcare and life science industries you do need to follow the fda 21 cfr part 11 requirements we do have an operational best practices template that actually can enable those controls within your aws accounts if your workloads requires pci dss compliance you can leverage the operational best practices that are offered by pci dss tablet now again this is just a starting point to get you going i would strongly advise you to not enable that in your production account uh try to do that in a non-production or a qc account because some of these config packs sorry confirmance pack will have the ability to even perform the remediation actions automatically as well which is actually sometimes really beneficial but not in a non-tested environment right so in terms of sap workloads these are the list of aws services which may be able to get benefited by enabling the confirmation pack so for example you have an im policy that you have created for the sap ec2 instance you want to make sure that that im policy doesn't have elevated actions a very simple example is you might have an im role you have created an instance profile role out of it and you might have given a terminating c2 instance to that specific im role so if you attach that im role to any of the ec2 instance you may be allowing any operating system user to terminate these c2 instances that specific example you can actually control that through the conformance pack or creating your own aws config rule so if you end up having that i am policy even before creating that kind of policies the aws conflict will not allow and simply terminate or delete that specific i am role now another example is a subnets so uh you may want to create an aws country group to not allow the end users to launch an ec2 instance in a public subnet right so if somebody goes ahead and launches any instance then aws config service will be will get the notification it will check that event with what you have configured and it can even stop or even terminate that easy for instance um the other example is of course an uh iami right so you want to make sure that whenever an sap user or a platform team launches an ec2 instance they're only allowed to launch through a specific ami id right not a direct emi that is available through marketplace which are not hardened right so you can create an aws config rule that will allow you to select that specific ami id and if somebody launches an am launches an ec2 uh with a different emi id then aws config will not allow it or at least terminate that async for instance right of course on the storage side you want to make sure you're encrypting your ebs s3 and efs service right so uh confirmance packs will enable that configuration by default so these are a few of the examples on how you can use the conformance packs to implement those security controls by design now of course we put this all things together and once we have enabled it we want to see what is the final product right so let's think about a hypothetical scenario where you have actually received an sns notification from aws config service um alerting you on something happen on pc2 instance right so let's walk through that scenario and uh understand how confirmance packs and abs config service can help you to triage that specific device and understand what went wrong what action aws config service might can do to remediate that security incident so with that said again please follow me if you can the session that we are trying to cover here is what how you can actually identify a resource that went from a compliant member to a non-compliant member and again to the compliance member right and you're looking for a resource timeline which provides you more auditing and analytic capabilities to understand that entire incident right so um within the aws config service you can click on resources and in the resources you can filter by an ec2 instance right and then once you do that you will see all the resource identifiers that are that satisfies this filter criteria right so in here when you filter it by the amazon or sorry awscc2 instance here you will see all the instance ids and one of the instance id is actually marked as non-compliant so let's click on that ec2 instance to find out what went wrong now once you click on that you can see that sorry you can see more details about that ec2 instance you can see the instance id you can also see which availability zone it belongs to what type of ec2 instance it is and then with more details you can also find out what happened to that ec2 instance through resource timeline once you click on the resource timeline you will see that till 12 10 42 that resource was actually compliant and at 12 11 03 something happened that caused that resource to be non-compliant now you can actually expand this specific event and see what happened which caused that resource to become non-compliant so when you click when you expand that specific event you notice that somebody actually attached a public ip address to that ec2 instance and that public ip address is actually also available here right and what aws config then noticed that okay then we removed that specific public ip address and the eso2 instance was actually stopped right so that's one example of finding out what went wrong when that specific event occurred what actions were performed to bring that specific resource in a compliant manner so again this is just an example you can think about many other examples where the aws config service can help you to implement the security controls based on your enterprise level security requirements so let's dive deep into another feature of the aws config service which is advanced queries so one of the i would say benefit of combining most of the repeated events would be writing your own query right so you can actually write your own query to identify any deviation or to find out like list of aws resources that are repeatedly being queried right so this is just an example for an example you are looking for how many ebs volumes that are unused and that are not attached to any ec2 instances so you can actually write that specific query save it in the advanced queries and then utilize it for generating the reports so let me show you how you can actually utilize a simple ec2 instance query right so you can in the query editor you write this uh simple query uh selecting the resource id resource name uh what tags are availability zone and then you can put aware condition to identify what type of resource you're looking for and you're looking for the state as well um so in this case we are looking for all these c2 instances that have a status of running right and once you execute that query you will have all the list of ec2 instances that are running in that um aws account so this is again just an example uh to get you started so uh i would encourage you to look into the aws config rules and create your own custom rule by identifying your own security requirements and then of course we have played here in just one aws account but most of the time this controls the audit requirements and most of the compliance requirements are usually governed in the central account right or central security account now we can always talk about so many things but this all topics around a landing zone and building a secure vpc requires its own time and uh at this moment actually i would like to hand it over to sunil to carry this presentation uh with providing more details around how customer can use ec2 instance builder or sorry easy to image builder to harden the amis so i would like to hand it over to sunil now and thanks for joining today's presentation so hello everyone i'm sunil yadav uh i'm sp principal consultant at aws professional services and uh part of our sap global specialty practice team and uh for our last five years i had the opportunity to work with the multiple customers in their exciting journey to aws and today i'll be specifically talking about two of the services they use uh one is the easy to image builder and the second one is the session manager so let's get started okay so uh about easy to image builder uh this this service is a managed service and it it automatically lets you create your images and basically it automates the pipeline for you without you writing any code for the automation however you can write some code to customize as you're going to see in the demo following that but it significantly reduces your effort required to create and maintain any golden images uh without writing or maintaining any automation so if you're using image builder you can create these pipelines through a wizard in aws console and when any software updates become available or a new image available or if your source images changes you can trigger this pipeline again which is gonna repeat this whole process automatically for you but you still have the control if you don't want to run it automatically you can still do it manually or you can have some other you know like like scheduling like for example every month every quarter or when some other image available as i mentioned before so with this ec2 image builder it also comes with a lot of built-in automation for validation which which basically you know make sure that you can deploy some very high quality images to your production and and those validations include our standard uh standard components and you can also add your own specific validation that's in case you are adding your own custom software there um so the the approach we are taking there like with all these automations and consistency uh this also allows you to make sure that you're maintaining a consistent security and uh to throw throughout this build process and in case uh you know you have to meet your internal security criteria and document and make the logs available for auditing uh it provides that uh functionality as well so you can actually you know connect to multiple other services while you're building uh these images you can leverage let's say some files from s3 or you can put the logs out back um and if you are especially looking for some predefined security standards like you know security technical implementation guide stig very common with the uh like department of defense what they are using if you only leverage those standards uh they're all coming out of the box and we're gonna see like you know how you can select those as well um then the next part is the uh that it also simplifies sharing of your images across aws accounts and not just accounts like you can actually specify which region and which accounts you want to distribute so like when you start your journey you might think of uh having like a simple account structure but normally uh for the enhanced security if you are going through our landing zone service or control tower service that gives you a structured layer of different accounts and normally you deploy this easy to image builder in your like shared services account or some other account dedicated for your ci cd pipelines or automations so from there once these images are built you can decide where you want to distribute so let's say from here there you can distribute it to your uh other accounts like dev qa production sap accounts and then you can also control who's allowed to launch these amis and finally uh you know the same workflow and the same approach uh it it works for both the virtual machine images and also for container images so in case you are using containers uh for some other say non-sap applications you can use a very similar approach where you go and build your very baseline image which could be for sap and known sap both and then on top of it you can you know execute some additional steps which are more sap specific okay so uh this is the flow uh we we just uh talked about briefly but normally uh in ec2 manager uh easy to image builder you're going to start with a source image and so one key requirement for this source image is that uh it it must have an systems manager uh ssm agent installed so we're gonna talk about systems manager in a little bit after this one but this is also our managed service which allows you know you to automate a lot of things on your operations backups and uh you know anything you want to run on the operating system side so but the key requirement there is the ssm agent has to be there as part of that image and we're gonna i'm gonna show you how you can overcome that limitation because uh like let's say if you're using a red hat for sap uh image from the marketplace it doesn't come pre-installed it comes with bare minimal uh you know things you need so you can actually add that agent as a part of your build process so so basically the first step is to pick that image uh source image which you want to customize and the next step is you're gonna add your um like your customized software let's say if you have some security packages or any additional packages which are not part of the base image you can add those here and once you have that custom software added like those agents or you know your own packages you can go to the next step which is the the build uh build phase and actually just adding the package software is also part of the build phase and this is where you can use uh our custom temp your own custom templates or the temperature temperature provided by the aws so there are some standard as i mentioned about the stick component before those are available uh natively as part of this uh ec2 image builder so you can just pick it up from there and other things could be let's say if you want to install aws cli so you can just go and pick that component you don't have to write any code or you know customize that one because that's a very predefined um predefined setup there then once you're done with your grid phase you go to the test phase and and of course you want to make sure that whatever you're building it's um it's uh it's validated and it's compliant because as things change in future like new uh new images coming so the same thing may not work so you don't want to distribute any images which which are not validated so you go and validate those images and the last part is to distribute so this is where you can select which other regions which accounts it can go and if if it is like you know if you need the same images in the same account then you you don't have to do anything you just pick the default setting and it just makes the image available in that same account now uh so raj explain about like you know the cis level one benchmarks and how you can achieve it using the aws config and conformance packs for the aws infrastructure and services uh but uh the one part we did not cover there was like how you make sure that the same cs level one benchmark and met for your operating system as well so so that part uh we're gonna and with this example i'm gonna show you how you can actually automate that and of course you can you know this is a predefined standard so you can get most of these scripts ready uh and you know it's available publicly as well in some git repositories or you can write your own uh but you can also go and you know add and customize that you know if you want if you don't want specif items which don't work with your application you can disable those so in this case we're going to use a custom script and just to give an example of how how this you know cis level 1 benchmark all this looks like on the left hand side you can see here i have these different numbers like 1.1 section for file system configuration and then you go further deep into that 1.1.1 and so they basically define what is that particular check or compliance is and then this is like a big list of items it goes all the way up like six point two point twenty so i'm just showing you the end page of it so it is pretty pretty long and this guide itself from where i took this snapshot you can see it's like more than 400 pages uh but i'm gonna give you like a little bit taste of what it looks like so let's pull up the very first control so you can see right so it shows uh right at the top the um like you know which which control we are referring to and then the important part is the profile adaptability so it says cis level one so it means that if you are trying to meet um the uh the level one benchmark you must implement that it is a requirement right so uh similarly in the right hand side you can see like one point one point one two it says uh level two so if you are implementing only up to a level one this is optional you can skip that one but if you are doing level two then you must meet one and two both um so the first thing is like the audit part or eight part is basically how do you check whether your system meets that requirement or not so let's say you build the automation and then you you still want to validate that okay is it meeting existing images meeting the requirement or not existing servers whatever you are running are they still meet the requirement you're going to use the commands from the audit and uh these commands tell you they don't change anything they just tell you the current status and then what is the expected outcome right and then on the right hand side you can see there's a remediation part so this is like if you put some flag saying that okay i don't want to just check but i also want to fix it if something is found then you can use the code for the remediation as well and this is all uh documented in cis if you go to the cis benchmarks you can find all that information uh this is an example of how the same controls we just saw on the on the previous slide how they are implemented and this is a very simple bash script so you can see uh it's very well documented just to for a new you know anyone who's coming across this one for them to know what we are checking how we are checking which control it is referring to so the numbers match exactly to what was in the definition of those controls and then again uh i'm just showing the start and end of the script so again it's like more than 600 lines of code there uh so it's it's pretty small compared to that we have kind of implemented all the level one uh going through those uh 400 pages of that guide okay now we're gonna dive a bit deeper into uh like how to work through the ec2 image builder so you can go to our uh you know console search for ec2 image builder and then you come across this particular screen here now in this one the right one left left hand side at the top you can see um you know like image pipelines so if you click on that it's gonna start a wizard but in the wizard uh you know it's gonna say okay basically you're customizing it right so for your requirements so it might say okay you know if you're just selecting all aws provided components you can just start the wizard select whatever you need and you can just finish nothing additional required but let's say if you want to add your own custom custom checks or or you know custom built components like what we're going to do here in the cis level 1 benchmark you're going to add your own component there so for that we need to create that component first so we're going to create this component and it's very simple you can just you know go through this uh like this template and it says okay we're gonna it's for the build face uh so that's the very first thing we do the name and the um the build phase and then uh you can see the name and you can pick any name there which uh meets this requirement and then the action so we are saying it's an execute bash so that's why it's a bash script we are trying to execute now where is that script so we don't want to hardcore the script in the image because then you can't modify without launching an instance and you don't want to do that again and again so it could be at your center repository it could be in your gate or some other place and for our purposes we just use a very simple mechanism where it's we're just pulling a script from the s3 bucket so in future if you want to make uh you know comment out something or delete something or make changes you can directly go and do it there as well so in this case we are downloading an s3 file from an s3 and then we are just executing it so that's our component for cs level benchmark the same script we just saw okay now uh the other question the wizard is going to ask you so we're kind of answering some of the questions which might be in the business it's going to ask you okay where you want to execute this pipeline so there's a very simple option there it says use default settings which is just going to execute in your default vpc and you know pick up any uh like you all the defaults but if you want to customize that then you can create your infrastructure configuration so that's what we have created so this infrastructure configuration you can go and you can see what what we have selected so we have selected an uh like a vpc so all these orange ones so vpc we selected a security group we selected a key pair you're gonna use uh for that instant this is an easy to keep here uh you can also define which instance type you wanna use so like again you don't wanna use like a t2 micro or something if you want your images to be fast and and it also varies depending upon how much work is being done during the image build process right so if you if there's something uh you know like um i'll say more cpu intensive uh kind of stuff then you can add and higher level instance like c5 large or something in between right so you can pick an instance type that's the point here and then uh you can also select your vpc subnet that we already talked so let's go to the next one so that that is pretty much defining your um like your uh the infrastructure the other thing which is here is um oh sorry actually you know this is oh i'm sorry this is actually the recipe uh we're gonna talk about that this comforts again but this is actually the recipe uh so in the recipe uh this is what executes at the start so uh well at the start means like when the ec2 instance launches and then um then it's going to execute this part so the first part is the user data part here so the user data you can like as i mentioned right the ssm agent we are talking about so this image doesn't have the ssm agent so what i have in the user data code is the actual uh code to install uh ssm agent right at the start and then it will be installed before any other steps are executed and then uh when you go in the recipe like where you can select the components um so you can select some existing components you can see the screen at the bottom that there are some two components like aws cli and then there's another one like simple boot test for linux so the first component is for our build phase provided by amazon and then we added our custom component this is the component we built uh in previous uh you know just before starting this recipe we created a component right for our um the one we were downloading the s3 file so that particular component so you can have just pre-select that component which is already there and the third one we added to have the uh build uh the testing keys and we're gonna see this in a bit more detail okay so here again you can you know see uh like when you when you choose uh start the pipeline you can choose your uh recipe like which recipe we have created and in that you can see like the same thing is popping up here again uh the recipe we just created and then here you can see in the component section so there are two build components down here so it um it basically let me turn on the pointer it will be much easier okay so this is the part i'm referring to the component so there are two build components aw cli we're gonna install that and then the cis level one benchmark which we just created using that uh bash script and then for the testing we're providing another component simple boot test so this could be a many like more complicated tests where you're actually running the same cs level benchmark script but in a like a audit mode where you're actually seeing if all those are in place or not um but at a minimum you want to make sure that whatever image you're building it's bootable that the server comes up or not so we did this one here and then other things um you know i mean you can go to the like you know next one so i'll show you that yeah so yeah so this is the infrastructure screen which comes comes later on this so we already created an infrastructure where we define the vpc um so you can select that existing configuration as a pcis infrastructure configuration and then or you can you know if you want to like create your own then you can even select this create distribution or settings using default that is for the next phase the after the infrastructure you can select the distribution settings in this case we're just distributing to a specific region uh is one and then it won't be shared with any other account it will be available only in that particular account okay um now that our image has created uh you have um so when you're creating this pipeline so not the image when you're creating the pipeline it's gonna ask you about uh you wanna execute it automatically uh at a predefined schedule or through some you can even execute it through some other uh you know some other events or you can actually have it manually run or so this manual option will always be there so let's say if you want to build some ad hoc image like right now for example you can select that pipeline go to actions and click on run pipeline so once this pipeline starts running like after few minutes normally uh it will come to the status so you can see the status as building so once it is reaching to this build status so behind the scenes it's leveraging the systems manager and that's why like there was a requirement to have the ssm agent running on that particular image part of that image and this basically kicks off and whole ssm automation so after if you want to see like you know what's happening inside that if you're still curious then you know you can go to the systems manager and then you can go and click on this uh image here so sorry this execution id here and then this will actually take you to further details so you can see like there are multiple steps being executed and it shows you the overall status and how many steps have been executed or how many have succeeded and once this completes um it's gonna run for like i mean this particular one had like about 26 steps total it could have many more steps which may be skipped but what you need to look for is this overall status as success so once this is done then this build one is completed and you can see the step 21 right create image so it creates the image verifies and then it it it completes that one but now then it's going to kick off another one this is for the testing phase so you can see the builder image test image document this was the build image document so now the same thing you can go and check the details of that and look for the overall status to be successful which will tell that okay this has completed and then finally you can come back to your pipeline and you can see the status is now available on the output images section here and then if you go further into that images you can actually see the image id which it has created through this pipeline and then if you can go through these other types like distribution configuration distribution settings which is the same thing which we looked earlier and if you go back to our ec2 image images in your ec2 service there also you can see this newly created image now and now from this part you can actually like you know launch launch another ec2 instance or leverage it through easy to launch wizard that's what you're going to see tomorrow that how we can use launch user not to just you know pick up some standard images from marketplace but also uh you know your own custom images and this is how many of the customers do they don't just you know use unless like it is a kind of a very poc or test uh normally they harden those images before they use it for production environment so now we'll talk a little bit about systems manager um and then we'll go to the session manager which is again a specific feature inside systems manager so systems manager actually provides you the uh it's a managed service and it provides you out of the box support for a lot of automation and monitoring for your uh infrastructure and operations and it it can i mean most of these things you can build on your own but then if you use this session manager it can uh significantly reduce that time and and like as i mentioned right so you you you can have we have many like more than 60 uh ssm documents uh which are predefined for you like for example you want to create an image if you want to delete a snapshot or if you want to install a backend agent on your hana instances all those documents are already available for you and you can combine those documents and add your own some custom documents and create like some interesting automations um the systems manager you can also use to manage your hybrid environment it's not just aws you can actually add some servers from your on-prem or even run commands and scripts over there so you can have like a very central view of all of your inventory and then it also helps you maintain your security and compliance because these automations can give things uh like standard okay um so here uh we're gonna see like a lot of uh features of systems manager uh and i'm gonna point out some other we're not gonna go through all of these uh you know this this topic has been covered like in very big much detail in previous reinvents and you can easily find most of this information in our previous recordings but i'm going to highlight few things from this particular group that you can leverage this parameter store and i see many customers using it frequently uh they can use it to store some sensitive information like you know let's say your automation you want to refer to the uh your some passwords to be used what's the master password for unite your installation you want to use it only for installation but you don't want to provide that password like every time you can store it here similarly if you have some other you know like sap specific configurations like your sap sys group which remains constant like throughout your sap installations similarly sap in sd group id so those things can be um you know managed from here and then you can look at the third section here the change management this is where you can define your change control maintenance windows so that in all the automations you're building like patching or you know like start start and stop of systems all that is done only during those specific uh maintenance windows and there's like a very complex workflow there if you want to you know integrate your approval mechanisms all that can be done and on the node management we have like again many features like inventory management run command is pretty useful uh using that you can execute some commands on multiple hosts at a time let's say if you have 50 servers you want to execute that okay let me check my kernel version of sap you can actually run a single command get the output from all at one click like one one run patch manager is there for patching um we're gonna talk more about the session manager in the coming slides so let's go there so one challenge we heard from many customers was that you know uh their ssh is it's required for most of the admin tasks like basically need to go to the server or even the infrastructure os team they need to manage some servers uh so they use uh like some kind of bastion hosts to get to that uh but with session manager it provides you like a one-click secure access to instances without the need to open any inbound port so you don't even have to open your port 22 which which is like crucial pressure if you are using you know your uh ssh you need to use like putty or some client and connect to port 22 but it has to be open but what if you don't want to even expose that one then you can use this one um and it also provides you like a centralized access to uh multiple instances through like a same mechanism so it's not that you have to keep going and adding multiple se

Original Description

AWS allows you to strengthen the security posture of SAP workloads by providing comprehensive, industry-leading security and compliance controls. In this session, we will start by walking through AWS security essentials for SAP applications. Then, you will select an OS image from AWS Marketplace and put your learnings into practice to the harden the image in accordance with a CIS level 1 benchmark before deployment, including account level settings, encryption, security groups, router configuration, and more. What you learn in Episode 1: * AWS security fundamentals for SAP applications. * Selecting an OS Image from AWS Marketplace to support your S/4HANA deployment. * Hardening the image to meet AWS security best practices. Subscribe to AWS Online Tech Talks On AWS: https://www.youtube.com/@AWSOnlineTechTalks?sub_confirmation=1 Follow Amazon Web Services: Official Website: https://aws.amazon.com/what-is-aws Twitch: https://twitch.tv/aws Twitter: https://twitter.com/awsdevelopers Facebook: https://facebook.com/amazonwebservices Instagram: https://instagram.com/amazonwebservices ☁️ AWS Online Tech Talks cover a wide range of topics and expertise levels through technical deep dives, demos, customer examples, and live Q&A with AWS experts. Builders can choose from bite-sized 15-minute sessions, insightful fireside chats, immersive virtual workshops, interactive office hours, or watch on-demand tech talks at your own pace. Join us to fuel your learning journey with AWS. #AWS
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from AWS Developers · AWS Developers · 0 of 60

← Previous Next →
1 Using Microsoft Active Directory across On-premises and Cloud Workloads
Using Microsoft Active Directory across On-premises and Cloud Workloads
AWS Developers
2 What is Cloud Computing with AWS? | Hebrew Webinar
What is Cloud Computing with AWS? | Hebrew Webinar
AWS Developers
3 Best Practices for Getting Started with AWS | Hebrew Webinar
Best Practices for Getting Started with AWS | Hebrew Webinar
AWS Developers
4 Best Practices for Using AWS Identity and Access Management (IAM) Roles
Best Practices for Using AWS Identity and Access Management (IAM) Roles
AWS Developers
5 Building Scalable Web Apps | Hebrew Webinar
Building Scalable Web Apps | Hebrew Webinar
AWS Developers
6 Dev & Test on the AWS Cloud | Hebrew Webinar
Dev & Test on the AWS Cloud | Hebrew Webinar
AWS Developers
7 Storage & Backup on AWS | Hebrew webinar
Storage & Backup on AWS | Hebrew webinar
AWS Developers
8 Disaster Recovery on AWS | Hebrew Webinar
Disaster Recovery on AWS | Hebrew Webinar
AWS Developers
9 AWS Israel News  | Episode 1
AWS Israel News | Episode 1
AWS Developers
10 Security Best Practices on AWS | Hebrew Webinar
Security Best Practices on AWS | Hebrew Webinar
AWS Developers
11 Ready: Introduction to AI on AWS | Hebrew Webinar
Ready: Introduction to AI on AWS | Hebrew Webinar
AWS Developers
12 Set: What is ML for developers? | Hebrew Webinar
Set: What is ML for developers? | Hebrew Webinar
AWS Developers
13 Go!: Building your own ChatBot with Amazon Lex | Hebrew Webinar
Go!: Building your own ChatBot with Amazon Lex | Hebrew Webinar
AWS Developers
14 And Beyond: Amazon Sagemaker | Hebrew Webinar
And Beyond: Amazon Sagemaker | Hebrew Webinar
AWS Developers
15 Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech Talks
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech Talks
AWS Developers
16 Understanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech Talks
AWS Developers
17 Best Practices for Building Enterprise Grade APIs with Amazon API Gateway - AWS Online Tech Talks
Best Practices for Building Enterprise Grade APIs with Amazon API Gateway - AWS Online Tech Talks
AWS Developers
18 Build, Train and Deploy Machine Learning Models on AWS with Amazon SageMaker - AWS Online Tech Talks
Build, Train and Deploy Machine Learning Models on AWS with Amazon SageMaker - AWS Online Tech Talks
AWS Developers
19 AWS Israel News | Episode 2 | re:Invent
AWS Israel News | Episode 2 | re:Invent
AWS Developers
20 AWS Floor28 News - January
AWS Floor28 News - January
AWS Developers
21 AWS Floor28 News - February - Hebrew
AWS Floor28 News - February - Hebrew
AWS Developers
22 AWS Floor28 News - March - Hebrew
AWS Floor28 News - March - Hebrew
AWS Developers
23 AWS Floor28 News - April - Hebrew
AWS Floor28 News - April - Hebrew
AWS Developers
24 AWS Floor28 News - May - Hebrew
AWS Floor28 News - May - Hebrew
AWS Developers
25 Authentication for Your Applications: Getting Started with Amazon Cognito - AWS Online Tech Talks
Authentication for Your Applications: Getting Started with Amazon Cognito - AWS Online Tech Talks
AWS Developers
26 AWS Floor28 News - June - Hebrew
AWS Floor28 News - June - Hebrew
AWS Developers
27 AWS Floor28 News - July - Hebrew
AWS Floor28 News - July - Hebrew
AWS Developers
28 Enriching your app with Image Recognition and AWS AI Services - AWS Webinar - Hebrew
Enriching your app with Image Recognition and AWS AI Services - AWS Webinar - Hebrew
AWS Developers
29 Personalize, Forcast, and Textract - AWS Webinar - Hebrew
Personalize, Forcast, and Textract - AWS Webinar - Hebrew
AWS Developers
30 Managing Your ML Development Lifecycle with Amazon SageMaker - AWS Webinar - Hebrew
Managing Your ML Development Lifecycle with Amazon SageMaker - AWS Webinar - Hebrew
AWS Developers
31 Running your ML code in Amazon Sagemaker - AWS Webinar - Hebrew
Running your ML code in Amazon Sagemaker - AWS Webinar - Hebrew
AWS Developers
32 Get Started in Minutes with Amazon Connect in Your Contact Center - AWS Online Tech Talks
Get Started in Minutes with Amazon Connect in Your Contact Center - AWS Online Tech Talks
AWS Developers
33 AWS Floor28 News - August - Hebrew
AWS Floor28 News - August - Hebrew
AWS Developers
34 AWS Floor28 News - September - Hebrew
AWS Floor28 News - September - Hebrew
AWS Developers
35 Deep Dive on Amazon EventBridge - AWS Online Tech Talks
Deep Dive on Amazon EventBridge - AWS Online Tech Talks
AWS Developers
36 Advanced Serverless Orchestration with AWS Step Functions - AWS Online Tech Talks
Advanced Serverless Orchestration with AWS Step Functions - AWS Online Tech Talks
AWS Developers
37 Living on the Edge - an Introduction to  Amazon CloudFront and Lambda@Edge  - Hebrew Webinar
Living on the Edge - an Introduction to Amazon CloudFront and Lambda@Edge - Hebrew Webinar
AWS Developers
38 AWS Floor28 News - October - Hebrew - YouTube
AWS Floor28 News - October - Hebrew - YouTube
AWS Developers
39 What's New with AWS Storage - AWS Online Tech Talks
What's New with AWS Storage - AWS Online Tech Talks
AWS Developers
40 How to Build a Compelling Migration Business Case Using TSO Logic - AWS Online Tech Talks
How to Build a Compelling Migration Business Case Using TSO Logic - AWS Online Tech Talks
AWS Developers
41 Configuring and Managing Amazon S3 Replication - AWS Online Tech Talks
Configuring and Managing Amazon S3 Replication - AWS Online Tech Talks
AWS Developers
42 AWS Floor28 News - November - Hebrew
AWS Floor28 News - November - Hebrew
AWS Developers
43 Using Relational Databases with AWS Lambda - Easy Connection Pooling - AWS Online Tech Talks
Using Relational Databases with AWS Lambda - Easy Connection Pooling - AWS Online Tech Talks
AWS Developers
44 AWS Floor28 News - December 2019 - Hebrew
AWS Floor28 News - December 2019 - Hebrew
AWS Developers
45 AWS Floor28 News - January 2020 - Hebrew
AWS Floor28 News - January 2020 - Hebrew
AWS Developers
46 Top 10 Data Migration Best Practices - AWS Online Tech Talks
Top 10 Data Migration Best Practices - AWS Online Tech Talks
AWS Developers
47 How to Use Azure Active Directory with AWS SSO - AWS Online Tech Talks
How to Use Azure Active Directory with AWS SSO - AWS Online Tech Talks
AWS Developers
48 AWS Tips & Tricks - Amazon Redshift Advisor - Hebrew
AWS Tips & Tricks - Amazon Redshift Advisor - Hebrew
AWS Developers
49 AWS Tips & Tricks - Amazon Redshift Elastic Resize - Hebrew
AWS Tips & Tricks - Amazon Redshift Elastic Resize - Hebrew
AWS Developers
50 AWS Tips & Tricks - Amazon Redshift Spectrum - Hebrew
AWS Tips & Tricks - Amazon Redshift Spectrum - Hebrew
AWS Developers
51 AWS Tips & Tricks - Savings Plans & Cost Explorer - Hebrew
AWS Tips & Tricks - Savings Plans & Cost Explorer - Hebrew
AWS Developers
52 AWS Tips & Tricks - Amazon Redshift Concurrency Scaling - Hebrew
AWS Tips & Tricks - Amazon Redshift Concurrency Scaling - Hebrew
AWS Developers
53 AWS Tips & Tricks - Training Models with Amazon SageMaker - Hebrew
AWS Tips & Tricks - Training Models with Amazon SageMaker - Hebrew
AWS Developers
54 AWS Tips & Tricks - Auto Model Tuning with Amazon SageMaker - Hebrew
AWS Tips & Tricks - Auto Model Tuning with Amazon SageMaker - Hebrew
AWS Developers
55 AWS Tips & Tricks - Amazon Comprehend - Hebrew
AWS Tips & Tricks - Amazon Comprehend - Hebrew
AWS Developers
56 Understanding High Availability and Disaster Recovery Features for Amazon RDS for Oracle
Understanding High Availability and Disaster Recovery Features for Amazon RDS for Oracle
AWS Developers
57 Amazon Forecast  – Forecasting  - From Months to Days (Hebrew)
Amazon Forecast – Forecasting - From Months to Days (Hebrew)
AWS Developers
58 Visualize your data with Amazon QuickSight (Hebrew)
Visualize your data with Amazon QuickSight (Hebrew)
AWS Developers
59 Amazon Kendra (Hebrew)
Amazon Kendra (Hebrew)
AWS Developers
60 AWS Floor28 News - AI/ML Special Edition
AWS Floor28 News - AI/ML Special Edition
AWS Developers

This video teaches how to create a secure foundation for SAP on AWS using various AWS services and tools. It covers topics such as security controls, compliance, and infrastructure automation. By following the steps and using the tools demonstrated in the video, viewers can implement a secure and compliant SAP environment on AWS.

Key Takeaways
  1. Create a secure foundation for SAP on AWS using AWS Config and Conformance Packs
  2. Automate OS configuration using EC2 Image Builder
  3. Implement security controls using AWS Config service
  4. Create custom rules for specific security requirements
  5. Use AWS Systems Manager for automation and monitoring
  6. Store sensitive information using AWS Systems Manager Parameter Store
💡 Using AWS services and tools, such as AWS Config and Conformance Packs, EC2 Image Builder, and AWS Systems Manager, can help create a secure and compliant SAP environment on AWS.

Related Reads

📰
Stop Using 6 Chrome Tabs for Code Reviews—Do It in Your Terminal
Streamline code reviews by using terminal-based tools instead of multiple Chrome tabs
Dev.to · Learn AI Resource
📰
Roadmap for infrastructure/backend development in the .NET ecosystem?
Learn to build infrastructure and backend development projects in the .NET ecosystem with a focus on DevOps tools and technologies
Reddit r/devops
📰
Your NOC Video Wall Is Just a Linux Box Now (Architecture + the 5-Year Math)
Learn how to repurpose a Linux box as a NOC video wall and calculate the 5-year cost savings
Dev.to · Pavel Suchkov
📰
AWS CodePipeline Tutorial: Deploy to EC2 with CodeCommit, CodeBuild & CodeDeploy
Learn to deploy to EC2 using AWS CodePipeline with CodeCommit, CodeBuild, and CodeDeploy in this step-by-step tutorial
Dev.to · Guna SantoshDeep Srivastava
Up next
AWS, Azure, GCP: The One Thing Every Business Gets Wrong
AI Daily
Watch →