Skip to Content
Technical Articles

Compliance Check of SAP Systems Using AWS Config – Part IV

This is in continuation of my previous Article Compliance Check of SAP Systems Using AWS Config – Part III

4.2.4 Adding AWS Config Rule

To make use of the above create Lambda environment, we need to create AWS Config Rule which is responsible for triggering the above Lambda function and fetch the data. To create Rule, we need to go to Rule and click on Add Rule

We need to specify the rule type, as this is not AWS managed rule, hence we need to select Create Custom Rule and click on Next

Now we need to specify the name of the rule and we need fill up the ARN of the Lambda function that we need to execute to evaluate the results of the execution

Specify the Triggering option which contains the scope of the execution, here we used tag for filtering the AWS resources and Frequency of the evaluation of the compliance data

Now we need to specify the list of SAP parameters that we need Lambda function to evaluate during the execution, here we are using most common security parameters which are login/no_automatic_user_sapstar and gw/acl_mode and provide the value for the same. If parameter and value provided here does not match with the value fetched by Lambda function, then AWS Config highlight this as Non-Compliant. Click Next to proceed

Review all the settings and click on Add Rule

Below screen will appear when Rules are added to the AWS Config

Now rule is ready to evaluate the SAP Security Parameters.




5.1 Setting Up EventBridge Rule

To setup the notification on each non-compliant events, we need to create a rule in EventBridge which will be responsible for sending notification of each non-compliant events. To do the same go to EventBridge and click on Create Rule

Specify the name and description of the Rule

Now we need to define the pattern for the rule. AWS provide very good document which elaborate that  how to design the Custom Event pattern.

Specify the Event Bus for the Rule

Now select the targets to which Rule will hit once the Event Pattern matches. In our case we need to send email hence we select the SNS Topic and Notification

Now we need to use Input transformer to fetch the details from the event and transform the email from that details and send that to inboxes. AWS has provided user guide for the same to understand Input transformer

Specify the resource tags if any and click on Create

Below screen will appear after the successful create of Rule

Similarly, we can create multiple rules for multiple AWS Config Evaluations.

5.2 Email Notification

After setting up EventBridge rules for the AWS Config evaluation we can test the same to check the notification of the evolution of the resources we configured in the AWS Config

Below are the sample emails for 2 AWS EC2 resources which were created with non-compliant instance type is neither approved by AWS nor by SAP

Below is the sample email for the SAP instances which is non-compliant to the SAP Security Parameters i.e login/no_automatic_login_user_sapstar and gw/acl_mode specified in the AWS Config Rules


6.1 Lambda Execution Logs

To check and troubleshoot the Lambda function execution we can see the logs in log group under CloudWatch

Further details can be checked on clicking on the log streams

6.2 AWS Config Logs

To check and troubleshoot the logs of AWS Config we need to go to the S3 Bucket which was created during the Basic settings of AWS Config. There we can see all the logs uploaded in json format

Now we can do automated compliance check of SAP Systems hosted on AWS infra using these solutions.



In this 4 parts of article, we have discussed how we can use AWS resources to perform automatic checks on the compliance of the SAP Systems as per organization requirements.




Be the first to leave a comment
You must be Logged on to comment or reply to a post.