AWS for SAP

Automated Security Monitoring for RISE with SAP and SAP BTP on AWS

This blog was co-authored by Amos Wendorff, Senior Cyber Security Design Specialist at SAP

Introduction:

At AWS, we are committed to providing our customers with robust security solutions that enable them to use cloud services with confidence. In this post, we’ll explore SAP provide secure and compliant RISE with SAP and SAP BTP (Business Technology Platform) environments running on AWS for their customers, and how they have implemented an automated solution for security monitoring and alerting using AWS Services.

RISE with SAP is a comprehensive offering that provides businesses with a path to transform their Enterprise Resource Planning (ERP) systems and migrate to the cloud. It combines SAP’s intelligent enterprise software with cloud infrastructure and services, allowing customers to simplify their IT landscapes, innovate faster, and drive digital transformation. By adopting RISE with SAP, customers can leverage the power of SAP applications, such as SAP S/4HANA, while benefiting from the scalability, security, and cost-efficiency of the cloud.

Background:

The number of AWS accounts used by SAP has grown exponentially due to the rapid adoption of RISE with SAP and SAP BTP. SAP currently operates in 33 AWS regions and is expanding to new regions as they launch, managing over 7,000 AWS accounts, at the time of publication of the blog post. Manually monitoring and securing these numerous accounts would be an immense challenge. To address this, SAP required a scalable, secure, and automated solution that could scale with their customers’ needs while leveraging AWS’s robust security services.

Technical Implementation:

A technical architecture diagram showing the security integration between SAP AWS and monitoring tools. The diagram displays a SAP AWS Organization at the top, containing SGSC Delegated Admin Account with AWS CloudTrail, Amazon GuardDuty, and S3 Bucket for audit logging. These components connect to Cribl and Splunk for data processing. The center shows Orca Security with 70+ Security Controls, connected to automated mitigation of security findings, automated notification, and SAP MasterData Cloud Database. AWS Account Users are shown on the right side of the diagram. All components are connected by directional arrows indicating data flow and interactions.

SAP’s Global Security & Cloud Compliance (SGSC) team has built a robust “Secure by Default” framework that leverages a combination of AWS services and third-party tools to ensure comprehensive security across more than 7,000 AWS accounts. At the heart of this architecture is Amazon GuardDuty, which provides continuous monitoring of AWS environments for malicious or unauthorized activities. Amazon GuardDuty integrates seamlessly with AWS, utilizing machine learning, anomaly detection, and threat intelligence to deliver real-time threat detection. All Amazon GuardDuty findings and security logs are aggregated in Amazon S3, which acts as a central repository for logs across the AWS Organization. This setup allows SAP to maintain visibility and control over its vast cloud infrastructure.

To handle the high volume of data, SAP employs Cribl to process logs by filtering, enriching, and normalizing them before routing to destinations like Splunk for advanced analysis and visualization. This ensures that the security team can efficiently manage and analyze the data, identifying and responding to threats quickly. SAP also maintains a MasterData Cloud Database that holds metadata for each AWS account, including contact information for account owners and security operators, enabling targeted notifications and responses when security issues are detected. This is crucial for maintaining clear accountability and rapid response capabilities.

In addition to detection and analysis, SAP uses AWS Lambda functions to automate the remediation of specific security findings. For example, if GuardDuty flags an open port that violates security policies, an AWS Lambda function is triggered to automatically remediate the issue, by adjusting security group rules. This automation reduces the need for manual intervention and ensures compliance across all AWS accounts. For RISE with SAP and SAP BTP customers, whose environments are operated by SAP, this architecture ensures that their cloud resources are continuously monitored and protected under these stringent security controls, providing peace of mind and operational continuity.

Overall, SAP’s approach integrates AWS-native security capabilities with advanced data processing tools to create an automated, scalable, and secure cloud environment, tailored specifically for the needs of SAP applications on AWS.

Overview of Security Controls:

SAP’s “Secure by Default” controls encompass various measures to ensure a secure cloud environment by leveraging AWS’s native security capabilities. These include enforcing all accounts into the AWS organization for uniform policy application, integration with SAP Active Directory, preventing non-SAP domain users, and mandatory MFA for cloud administrators. Centralized logging is applied across all accounts, ensuring that API audit logs and storage access logs cannot be deactivated and are continuously ingested into the SIEM (Security Information and Event Management). This approach not only protects against common cloud misconfigurations, like publicly accessible resources or unencrypted data, but also utilizes AWS’s organizational governance features to enforce advanced network controls such as block-listing specific ports and enforcing TLS 1.2+ for secure communications.

Phased Rollout Using Deployment Rings:

New preventive controls are rolled out in four deployment rings. This staggered approach allows teams to test policies and minimize disruption. Account owners can choose their account placement in the deployment rings and receive at least two weeks’ notice before policy enforcement. SAP considers potential disruptions and contemplates exceptions or delays for specific controls to ensure minimal impact.

Notification and Remediation Process:

The automated security monitoring triggers a notification process based on the severity of the detected control violation. High-severity alerts are automatically remediated through SAP’s automation processes, leveraging AWS Lambda.

Automated Account Provisioning and Security Standards:

SAP’s automated account provisioning process ensures that each new AWS account adheres to predefined security standards and best practices from the outset. This includes implementing required IAM roles, AWS security tools, and compliance with SGSC security policies.

The process involves a sophisticated vending system that manages the automated lifecycle of accounts. The first layer of security is implemented through Service Control Policies (SCPs), which block specific actions and resources. Detection mechanisms are put in place using Amazon GuardDuty and AWS CloudTrail. Orca Security enhances SAP’s cloud security posture through automated, agentless scanning and remediation of vulnerabilities, misconfigurations, and compliance risks. By embedding security directly into the SAP AWS full Organization, SAP adopts a proactive approach to identifying and mitigating risks early in the lifecycle. This integration ensures a robust security foundation for customer workloads, minimizing attack surfaces and aligning with best practices for cloud-native environments.

In addition to the standard security measures, SAP leverages several AWS features to enhance the security of RISE with SAP environments at the account level:

  • EBS Snapshot Lock used for Backups for RISE with SAP: To better protect its clients’ data, SAP adopted Amazon Elastic Block Store (Amazon EBS) Snapshot Lock. This feature locks new and existing Amazon EBS Snapshots using a lock duration that can range from 1 day to about 100 years. This protects stored data from being unintentionally deleted, providing SAP’s enterprise customers with greater peace of mind. SAP uses the Amazon Data Lifecycle Manager to automate the creation, retention, and deletion of snapshots based on predefined schedules and retention guidelines. Then, it uses Amazon EBS Snapshot Lock to secure these backups under stringent compliance controls. The feature’s compliance mode verifies that the snapshots cannot be deleted, even by authorized users. After an optional cooling-off period of up to 72 hours, neither the snapshot nor the lock can be deleted until the lock duration expires, and the mode cannot be changed. SAP’s customers also have the option of customizing how long they would like to lock their snapshots, which has ranged from a few weeks to up to 2 years.
  • Bring Your Own Key (BYOK) for RISE with SAP: Customers can enhance security by using their own AWS KMS customer master key (CMK) to encrypt data in their RISE with SAP environment. By creating a CMK in the same region and granting RISE with SAP AWS account permission, customers can leverage their key for encrypting EFS, data volumes, and backups. This approach provides greater control over data encryption, allows key access revocation, and ensures cryptographic requirements are met, all while benefiting from AWS KMS’s 99.999% availability SLA.
  • AWS WAF for RISE with SAP: AWS WAF (Web Application Firewall) is an integral security component of RISE with SAP environments, providing automatic protection for web applications and APIs against common web exploits, and resource abuse through geo-blocking. Automated deployment and configuration during environment provisioning ensure consistent protection without requiring customer intervention. This setup delivers enterprise-grade web application security, enhancing the overall security posture of RISE with SAP environments.
  • Mutual TLS (mTLS) Verification for AWS Customers in RISE: Mutual TLS (mTLS) Verification is an advanced security feature available to AWS customers within the RISE with SAP environment. This feature provides an additional layer of authentication and security for network communications, offering enhanced protection for sensitive workloads and applications. The key benefits of mTLS include enhanced security through stronger authentication than traditional TLS, client verification to ensure that only authorized clients can connect to your services, and data integrity through the maintenance of confidentiality and integrity of data in transit. Furthermore, mTLS helps meet strict regulatory requirements in industries such as finance and healthcare, ensuring compliance with relevant standards. By incorporating mTLS, RISE with SAP customers benefit from a highly secure and compliant cloud environment, further enhancing the overall security posture of their applications and workloads.
  • SAP BTP Private Link for RISE with SAP: SAP BTP Private Link, a service based on AWS PrivateLink, establishes a secure, private network connection between SAP BTP and RISE with SAP environment, routing traffic through AWS’s internal network and eliminating public internet exposure while maintaining low-latency, high-performance communication.

Benefits of the Automated Solution:

  1. Enhanced Security Posture: Real-time detection and alerting of security violations enable quick action and prevent security incidents.
  2. Scalability: Scales security controls across thousands of AWS accounts, ensuring comprehensive coverage and protection.
  3. Automation: Automated security monitoring reduces the need for manual interventions and increases the efficiency of SAP’s security operations.

For organizations looking to implement a similar approach, a key starting point is to adopt a cloud-native mindset and fully utilize AWS’s built-in security features. This includes setting up AWS Organizations to manage accounts centrally, applying service control policies (SCPs) for security guardrails. By using cloud-native tools such as Amazon GuardDuty for threat detection, AWS CloudTrail for audit logging, and AWS Key Management Service (KMS) for secure key management, organizations can build a Zero Trust Architecture that significantly reduces their attack surface and enhances overall security posture. Ensuring encryption standards, enforcing password policies, and enabling MFA at all access points are practical steps to follow. For a comprehensive guide on implementing these security best practices, organizations should refer to the AWS Well-Architected Framework’s Security Pillar documentation . Additionally, specific guidance on leveraging AWS Security Services alongside RISE with SAP can be found in the AWS Security Considerations for RISE with SAP.

Conclusion:

By adopting a cloud-native security strategy that leverages AWS’s robust security services, automation capabilities, and organizational policy engines, SAP’s “Secure by Default” solution allows customers using RISE with SAP, SAP BTP, and other SAP solutions on AWS to focus on their core business objectives with confidence in their security posture. This approach integrates the principles of Zero Trust Architecture (ZTA), where continuous validation of user access, strict governance of cloud resources, and enforced compliance through AWS-native tools are paramount. SAP minimizes risks by employing real-time detection through, alert and automated remediation. This enables SAP customers to maximize the value of their cloud investments, assured that their sensitive data and workloads are safeguarded by SAP’s comprehensive and scalable security framework on AWS.