Skip to Content
Technical Articles

Compliance Check of SAP Systems Using AWS Config – Part III

This is in continuation of my previous Article Compliance Check of SAP Systems Using AWS Config – Part II

4.2 Compliance Check for SAP Instance

4.2.1 Creation of SAP Secrets

We need to store the username and password for the user which will be used to access SAP and fetch the required data. To fulfill the requirement, we will be using AWS Secrets Manager to store the credentials which will be used by Lambda to access SAP. To do the same we need to go to Secrets manager and click on Store a new secret

Now we need to specify the secret type which we need to store

We also need to specify the User and password which we need to store and click Next

Specify the Name of the secret by which we need to store

We also specify other optional values to store the secret and click on Next

Specify the automatic rotation configuration if required and click Next

Review the settings for the secret creation

In same window AWS provide the different codes using which we can access the secrets for executions

Now our SAP Secret is ready to use

4.2.2 Setup of Table in DynamoDB

We also need to store the information about SAP System such as hostname, SID, System No etc… using which we can access the SAP system and fetch out the data that we require for the compliance check.

4.2.2.1 Creating Table

To create the table, we need to go to Amazon DynamoDB and click on Create Table

Specify the name of the table and partition key if any for the table which we need to create to stop SAP Instance information

Specify the settings for the table, cost may vary as per the chosen setting for the table

Specify any secondary index which needs to be created and encryption options. Since our table is not that much big hence, we chose default options and click on Create Table

Creation of table in DynamoDB has been started

Below screen will appear once the table has been created successfully

4.2.2.2 Creating Records in Table

As table has been created, now we need to create the records with the information of each SAP Instance. To do the same go to Table which has been created in above step and click on Create Item under Items tab

Create the attributes and fill up the details as follow and click on Create Item

We need to add all records with the information of instance we have on AWS, we can use Copy Item feature of create similar records and click on Create Item

After adding all the SAP Instance items, we can see the list of those items in the table

Table is now ready for Lambda to use.

4.2.3 Setting Up of Lambda

Lambda offers a lot of coding languages out of which we can use any of the language to which we are comfortable. Lambda supports C#/PowerShell, Go, Java, Nodejs, Python and Ruby. Here we are using Python module to perform all the operations inside the Function as we are more familiar with this language. We can choose any of the language to perform the operations.

4.2.3.1 Creating Lambda Layer

A Lambda layer is a .zip file archive that contains additional code or data. This layer contains libraries, a custom runtime, data, or configuration file. Layers promote code sharing and separation of responsibilities so that we can iterate faster on writing business logic.

We need to create Layer according to the method we choose to fetch details from SAP system, such as if we are going to access SAP from OS level then we may need to consider creating Layer for the Packages which support SSH/RDP such as Paramiko. Here we are using SOAP calls to fetch compliance data from SAP system. To do the SOAP calls we must have SOAP modules using which we can iterate the requests to the SAP System. So, we are using SUDS package which contains the supporting SOAP modules. Suds is a lightweight SOAP python client for consuming Web Services. More details can be seen in this GitHub repository.

We have created a package of suds and make a zip file with name suds.zip which has following contents

AWS also provided this documentation which contains the information of how we can create this zip

So, we need to create a Lambda Layer and import his suds zip. To do so, go to Lambda à Layers and then click on Create layer

Specify the Name of the Layer and upload the zip file by clicking Upload Button and then select compatible runtime. We are selecting Python 3.6 as we have created this package using python 3.6 and then click on Create

After creation of layer we can see that in Layers list

Now we can use this Lambda layer in any of the Lambda Function to perform SOAP calls.

4.2.3.2 Creating Lambda Function

We need to create a Lambda Function so that it can connect to SAP and fetch relevant data for checking the compliance. To create the Lambda Function, we need to go to Lambda → Function and then Click on Create Function

Now we need to specify the function creation option as we are creating our own custom Lambda function hence, we chose option Author from Scratch and then we need to provide basic information on Function name and runtime on which we will use to right our function

Now we need to specify the execution role for the lambda, which will be used only during the execution of the lambda function

We also need to specify the network security details about VPC and NSG with will be used during the Lambda execution

We can click on Create Function after checking the inbound and outbound rule

It will take some time to create the function with the specified network options we have provided

We will get a message once the lambda function is created and ready for further actions

Once Lambda function is created then we need to add the above created Layer to the Lambda Function, to do so, click on Layers under Function Overview Tab

Then click on Add layer

We need to specify the layer details that we have created earlier and click on Add

We can see that Layer has been added to the Lambda Function

Now we need to write the Python code which will first fetch all the details about the SAP Instance from DynamoDB and fetch SAP credentials from Secrets Manager and do a SOAP call to SAP using the same.

Here we have used json module which will be used to manipulate/read the json formatted texts, we are also using boto3 which is AWS SDK for python we can find more details about boto3 in this AWS document. In this code, we need to write the code in accordance with the requirement for the compliance data.

For after fetching the data we need to send that data backup to AWS Config. AWS Config has provided this API documentation by which we can provide data to AWS Config for Evaluation.

To check if we did the perfect settings in Lambda Function, we can invoke the below test event for testing

We can ignore the exception InvalidResultTokenException with text Result Token provided is invalid as Result Token can only be granted when this Lambda function is invoked by the AWS Config.

Now our Lambda Function is ready for AWS Config to execute.

This is end of Part – III, in next part Compliance Check of SAP Systems Using AWS Config – Part IV of this article you can find more information about AWS Config Rules, Notification using EventBridge and Troubleshooting Logs.

2 Comments
You must be Logged on to comment or reply to a post.
  • Hello Jaskirat,

    first of all congratulations to this very detailed blogpost about your very well architected compliance check utilizing AWS capabilities. I had a lot of fun reading this.

    I wonder if you have considered to put the web method "ParameterValue" to the unprotected web methods by adjusting the parameter service/protectedwebmethods on the connected systems. With this it may be a little bit easier to do the querying without dealing with the credentials. Furthermore, with the additional measure to restrict the access to the ports of sapstartsrv, e.g., by maintaining the relevant acl, this will improve the security posture on the connected systems. Remember, whoever is able to take possession of these credentials and has access to the related ports is able to execute all web methods offered by sapstartsrv.

    Best regards

    Joe Goerlich

    • Hello Joe,

      Thanks for explaining the additional measures for the using this method. Here we are using default value of parameter service/protectedwebmethods which is SDEFAULT, so we are allowing one user to access the web methods using parameter service/admin_users. And password for the user will be stored in AWS Secrets which provide all the features to keep our credentails safe.

      Yes, it is good suggestion to maintain relevant ACL for additional measures.

      Best Regards,

      Jaskirat Singh