Compliance Check of SAP Systems Using AWS Config – Part II
This article continues my previous article, Compliance Check of SAP Systems Using AWS Config – Part I.
4.1 Compliance Check for SAP Infrastructure
4.1.1 Creation of AWS Config Rule
First, we need to create a rule in AWS Config that defines the check to perform. To do so, go to AWS Config → Rules and click Add Rule.
Select Add Managed Rules, search for instance type, select desired-instance-type and click Next.
Specify the required name for the rule.
Next, specify the trigger. The trigger can be defined in whichever way suits the environment; here we choose resources with specific tags.
Now define the value: all the instance types that are compliant to create under the account. Because we are hosting SAP servers here, we can take the list of instance types from SAP Note 1656099 – SAP Applications on AWS: Supported DB/OS and AWS EC2 products, enter the instance types as a comma-separated list and click Next.
Review all the settings and then click Add Rule.
Once the rule has been created successfully, the screen below appears.
The rule is now ready to evaluate the machines on which SAP systems are hosted.
4.1.2 Creation of Remediation Action
We can also specify a remediation action to run when AWS Config reports a non-compliant status. To do so, select the rule → Actions and then click Manage Remediation.
Next, specify whether remediation actions should be triggered automatically or manually when a resource becomes non-compliant.
Now specify the action to perform when an AWS resource is found non-compliant. Here we ask the remediation action to stop the non-compliant EC2 instance.
Now specify the Resource ID as the parameter that identifies the resource needing remediation, and the role that will be used to perform the action, then click Save Changes.
Once the remediation action has been set up, its details are shown in the rule.
The remediation action is now in place.
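The console steps in 4.1.1 and 4.1.2 expressed as AWS Config API payloads, as an added example that is not part of the original article. The rule name, tag, role ARN and retry values are assumptions, and the instance types passed in should come from SAP Note 1656099.

```python
import json

# Constructed placeholder role ARN; use the role created for remediation.
EXAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleConfigRemediationRole"


def build_rule(name, instance_types, tag_key, tag_value):
    """ConfigRule payload for the managed rule desired-instance-type."""
    types = sorted({t.strip().lower() for t in instance_types if t.strip()})
    if not types:
        # An empty allow-list is a configuration mistake; fail before the API call.
        raise ValueError("at least one instance type is required")
    return {
        "ConfigRuleName": name,
        # Trigger scope: only resources carrying this tag are evaluated.
        "Scope": {"TagKey": tag_key, "TagValue": tag_value},
        "Source": {"Owner": "AWS", "SourceIdentifier": "DESIRED_INSTANCE_TYPE"},
        # The rule takes the allowed types as one comma-separated string.
        "InputParameters": json.dumps({"instanceType": ",".join(types)}),
    }


def build_remediation(rule_name, role_arn, automatic=False):
    """Remediation payload that stops the non-compliant EC2 instance."""
    config = {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-StopEC2Instance",
        "Parameters": {
            # RESOURCE_ID is substituted with the non-compliant instance's ID.
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
        # Manual by default: stopping a host that runs SAP is disruptive.
        "Automatic": automatic,
    }
    if automatic:
        # Retry limits are supplied together with automatic remediation.
        config.update(MaximumAutomaticAttempts=3, RetryAttemptSeconds=60)
    return config


def apply_to_account(rule, remediation):
    """Send both payloads to AWS Config; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the builders above run offline

    client = boto3.client("config")
    client.put_config_rule(ConfigRule=rule)
    client.put_remediation_configurations(RemediationConfigurations=[remediation])
```

Keeping the payloads in version control gives a reviewable record of which instance types the account treats as compliant.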
4.1.3 AWS Config Dashboard When Compliant
After the AWS Config rules are created, it takes some time for them to run and evaluate the resources specified in the rule. Once the rule has evaluated the resources, we can see the status below next to the rule.
More details are available on the Config Dashboard, which shows that 1 rule and 8 resources are compliant.
Clicking through to the compliant rule shows the details of all 8 resources.
This way we can check the compliance details manually.
4.1.4 AWS Config Dashboard When Non-Compliant
After AWS Config evaluates the resources, if any non-compliant resource is detected, the status of the rule changes. We can also see that 2 resources are not compliant with the rule we defined.
Further details can be seen on the AWS Config Dashboard, which shows that 1 rule and 2 resources are non-compliant.
We can see further details on each resource when we click on the rule.
This way we can check the non-compliant resources manually.
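The manual check in 4.1.3 and 4.1.4 can also be scripted. This added example, which is not from the original article, pages through get_compliance_details_by_config_rule results and groups instance IDs by compliance status; the sample pages and instance IDs are constructed.

```python
from collections import defaultdict


def collect_evaluations(fetch_page):
    """Follow NextToken until every page of evaluation results has been read."""
    results, token = [], None
    while True:
        page = fetch_page(token)
        results.extend(page.get("EvaluationResults", []))
        token = page.get("NextToken")
        if not token:
            return results


def summarize(results):
    """Group resource IDs by ComplianceType (COMPLIANT, NON_COMPLIANT, ...)."""
    summary = defaultdict(list)
    for result in results:
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        summary[result["ComplianceType"]].append(qualifier["ResourceId"])
    return {status: sorted(ids) for status, ids in summary.items()}


def live_fetcher(rule_name):
    """Page fetcher backed by AWS Config; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the functions above run offline

    client = boto3.client("config")

    def fetch(token):
        kwargs = {"ConfigRuleName": rule_name, "Limit": 100}
        if token:
            kwargs["NextToken"] = token
        return client.get_compliance_details_by_config_rule(**kwargs)

    return fetch


def sample_result(resource_id, compliance_type):
    """One constructed evaluation result in the shape the API returns."""
    qualifier = {"ResourceType": "AWS::EC2::Instance", "ResourceId": resource_id}
    return {"ComplianceType": compliance_type,
            "EvaluationResultIdentifier": {"EvaluationResultQualifier": qualifier}}


# Constructed two-page response, keyed by the token that requests each page.
SAMPLE_PAGES = {
    None: {"EvaluationResults": [sample_result("i-0a01", "COMPLIANT"),
                                 sample_result("i-0a02", "NON_COMPLIANT")],
           "NextToken": "page-2"},
    "page-2": {"EvaluationResults": [sample_result("i-0a03", "COMPLIANT"),
                                     sample_result("i-0a04", "NON_COMPLIANT")]},
}
```

Calling `summarize(collect_evaluations(live_fetcher(rule_name)))` runs the same check against the account, with `rule_name` set to the name given to the rule in 4.1.1.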
4.1.5 Checking Resource Timelines
To check time-based details, we can explore the timelines of the rules, which show the changes to the resources over time.
Below is the screen shown when the resource is compliant with the AWS Config rule; we have the option to filter the events.
Once AWS Config detects that the resource is non-compliant, the timeline is updated, as shown below.
This way we can track the changes in the compliance of the system.
4.1.6 Similar Managed Rules which can be used for SAP Compliance
AWS Config provides over 160 managed rules, which are rules authored by AWS. Below are some of the most common rules for SAP workloads, which help ensure our SAP systems are well architected on AWS.
Common managed rules specifically for SAP Workloads are:
- Desired Instance Type – AWS provides specific instance types that are certified to run SAP workloads as mentioned in SAP note 1656099 – SAP Applications on AWS: Supported DB/OS and AWS EC2 products
- Instance Detailed Monitoring – Detailed monitoring is required for full support by SAP as mentioned in SAP note 1656250 – SAP on AWS: Support prerequisites
Other managed rules which are common for customers to ensure security compliance and cost savings measures are:
- EC2 Volume in Use Check – Validates that EBS volumes are not lingering around after EC2 instances were terminated.
- EC2 Volume Encryption Check – Validates that the EBS volumes attached to an EC2 instance are encrypted.
- EC2 Public IP – Validates that the EC2 instance does not have a public IP address assigned.
- EBS Encryption by Default – Validates all EBS volumes are encrypted.
- EFS Encrypted Check – Validates all EFS structures are encrypted.
- S3 Public Read – Validates that our S3 bucket is not available for public read access.
- S3 Public Write – Validates that S3 buckets do not allow public write access.
- S3 Server Side Encrypt – Validates that our S3 buckets have encryption enabled.
- Restricted SSH – Validates that the security groups in use disallow unrestricted SSH traffic.
- EC2 Security Group Attached to ENI – Validates that security groups are attached to EC2 instances or elastic network interfaces.
- CloudTrail Enabled – Checks whether AWS CloudTrail is enabled in our AWS account.
This is the end of Part II. The next part, Compliance Check of SAP Systems Using AWS Config – Part III, covers checking compliance on the SAP instance by configuring Secrets, DynamoDB and Lambda.