Get started with AWS Systems Manager for SAP - AWS Systems Manager for SAP

Get started with AWS Systems Manager for SAP

To get started with using AWS Systems Manager for SAP, ensure that you complete the following prerequisites for setup. You must run these steps on all Amazon EC2 instances in your setup.

Attach AWS Systems Manager for SAP permissions to Amazon EC2 instance running SAP HANA database

AWS Systems Manager for SAP communicates with the Amazon EC2 instance where your SAP HANA database is running via policies. Attach the following IAM policies to the IAM role used by your Amazon EC2 instance.

Amazon EC2 tag

SSMForSAPManaged – add this tag on your Amazon EC2 instance to enable AWS Systems Manager for SAP to access your Amazon EC2 instance.

Key SSMForSAPManaged
Value True

Register SAP HANA database credentials in AWS Secrets Manager

You must create a secret with the username and password of a database. A separate secret is required for each one of your databases running on an Amazon EC2 instance.

The following special characters are not allowed in an SAP HANA password:

  • angle brackets (<>)

  • backslashes (/)

  • double quotes (")

  • pipelines (|)

  • question marks (?)

  • semicolons (;)

Use the following steps to register your SAP HANA database credentials in AWS Secrets Manager.

  1. Sign in to https://console.aws.amazon.com/secretsmanager/.

  2. On the AWS Secrets Manager page, select Store a new secret.

  3. For Secret type, select Other type of secret and create the following key value pairs.

    Key       Value
    username  example_SAP_HANA_db_username
    password  example_SAP_HANA_db_password

  4. Select Next and enter a Secret name. Note this Secret name for use while following the steps in Register your SAP HANA databases with AWS Systems Manager for SAP.

  5. In the Resource permissions container, choose Edit permissions, and paste the following policy with your Amazon Resource Name for the Amazon EC2 instance role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
                    ]
                },
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "*"
            }
        ]
    }

    This policy gives the IAM role used by your Amazon EC2 instance access to this secret. For more details, see Attach a permissions policy to an AWS Secrets Manager secret.

    Note

    You must attach this policy to each secret that you create for your SAP HANA database credentials.

  6. Select Next, and then select Store.
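Steps 3 and 5 can also be scripted. The following is an added example, not taken from the AWS documentation: it rejects passwords that contain the characters listed above, builds the secret with `json.dumps`, and attaches the step 5 policy for a single instance role. The function names are hypothetical, the role ARN is supplied by the caller, and because the list above names backslashes but prints "/", the check rejects both characters (an assumption).

```python
import json

# Characters the page lists as not allowed in an SAP HANA password. The page
# names "backslashes" but prints "/", so both are rejected here (assumption).
FORBIDDEN = set('<>"|?;/\\')


def forbidden_chars(password):
    """Return the sorted list of disallowed characters found in password."""
    return sorted(set(password) & FORBIDDEN)


def secret_string(username, password):
    """Build the SecretString with the two keys from step 3."""
    bad = forbidden_chars(password)
    if bad:
        raise ValueError("password contains disallowed characters: " + " ".join(bad))
    return json.dumps({"username": username, "password": password})


def resource_policy(instance_role_arn):
    """Resource policy from step 5, limited to one EC2 instance role."""
    if ":role/" not in instance_role_arn or "*" in instance_role_arn:
        raise ValueError("expected a single IAM role ARN, got " + instance_role_arn)
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [instance_role_arn]},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
        }],
    })


def store_secret(name, username, password, instance_role_arn):
    """Create the secret and attach the policy; needs boto3 and AWS credentials."""
    import boto3  # imported here so the helpers above work without it
    payload = secret_string(username, password)  # validate before any API call
    policy = resource_policy(instance_role_arn)
    client = boto3.client("secretsmanager")
    arn = client.create_secret(Name=name, SecretString=payload)["ARN"]
    client.put_resource_policy(SecretId=arn, ResourcePolicy=policy,
                               BlockPublicPolicy=True)
    return arn
```

Call `store_secret` once per database, because each database needs its own secret and each secret needs the policy attached.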

Verify AWS Systems Manager Agent (SSM Agent) is running

Use the following command to verify the status of the SSM Agent on your instance.

sudo systemctl status amazon-ssm-agent

Your output should display active (running) as seen here.

amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/usr/lib/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-02-15 18:56:26 UTC; 12s ago
           ^^^^^^^^^^^^^^^^^^^^^^^^ You should expect to see "active (running)".
 Main PID: 16061 (amazon-ssm-agen)
    Tasks: 36
   CGroup: /system.slice/amazon-ssm-agent.service
           ├─16061 /usr/sbin/amazon-ssm-agent
           └─16069 /usr/sbin/ssm-agent-worker

AWS Systems Manager Agent (SSM Agent) is pre-installed in several Amazon Machine Images (AMIs) provided by AWS. For more information, see Working with SSM Agent.

Verify setup before registering your SAP HANA database

  • Ensure that you are running SAP HANA 2.x.

  • Ensure that your Amazon EC2 instance has /run mount point mounted on tmpfs. Use the df | grep tmpfs command for verification.

  • Ensure that your Amazon EC2 instance has Python 3.5 or higher version installed.

  • Ensure that the hdbcli Python library is installed in the /opt/aws/ssm-sap/ directory on your Amazon EC2 instance, if the revision of your SAP HANA 2.0 server is below 056.00.

  • Ensure that the boto3 version is higher than 1.7.0 if boto3 is installed.
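The instance-side checks in this list can be run as one preflight script. This is an added example, not part of the AWS documentation: it compares versions numerically (a plain string comparison would rank boto3 1.26.3 below 1.7.0) and applies the hdbcli condition only when the revision is below 056.00. The function names, the revision passed as a command-line argument, and the `/opt/aws/ssm-sap/hdbcli` directory layout are assumptions.

```python
import itertools
import os
import sys

# Constructed /proc/mounts excerpt, used only to show the expected format.
SAMPLE_MOUNTS = "/dev/nvme0n1p1 / xfs rw,noatime 0 0\ntmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0\n"


def version_tuple(text):
    """'1.26.3' -> (1, 26, 3); '056.00' -> (56, 0). Compares numerically."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits or 0))
    return tuple(parts)


def run_on_tmpfs(mounts_text):
    """True if a /proc/mounts-style listing shows /run mounted as tmpfs."""
    return any(f[1:3] == ["/run", "tmpfs"]
               for f in (line.split() for line in mounts_text.splitlines()))


def preflight(mounts_text, python_version, boto3_version, hana_revision, hdbcli_present):
    """Return the failed checks; an empty list means ready to register."""
    failures = []
    if not run_on_tmpfs(mounts_text):
        failures.append("/run is not mounted on tmpfs")
    if tuple(python_version[:2]) < (3, 5):
        failures.append("Python 3.5 or higher is required")
    # boto3 is optional (None = not installed); if present it must exceed 1.7.0.
    if boto3_version is not None and not version_tuple(boto3_version) > (1, 7, 0):
        failures.append("boto3 must be higher than 1.7.0")
    # hdbcli is only needed when the SAP HANA 2.0 revision is below 056.00.
    if version_tuple(hana_revision) < (56, 0) and not hdbcli_present:
        failures.append("hdbcli is missing from /opt/aws/ssm-sap/")
    return failures


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <SAP HANA revision, e.g. 055.00>")
    try:
        import boto3
        boto3_version = boto3.__version__
    except ImportError:
        boto3_version = None
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    present = os.path.isdir("/opt/aws/ssm-sap/hdbcli")  # assumed install layout
    problems = preflight(mounts, sys.version_info, boto3_version, sys.argv[1], present)
    sys.exit("\n".join(problems) if problems else 0)
```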

To register your database, see Register your SAP HANA database with AWS Systems Manager for SAP.

Backup and restore – optional

After registering your database, you can optionally choose to complete the prerequisites required to back up and restore your database. You must run these steps on all Amazon EC2 instances in your setup.

Set up required permissions for Amazon EC2 instance for backup and restore of SAP HANA database

To back up and restore your SAP HANA databases running on an Amazon EC2 instance, attach the following IAM policies to the IAM role used by your Amazon EC2 instance.

  • AWSBackupDataTransferAccess – this Amazon managed policy must be attached to the IAM role of Amazon EC2 instance where AWS Backint Agent for SAP HANA is located. AWS Backint Agent uses this IAM role to transfer data for backup and restore. For more information about the policy, see Managed policies for AWS Backup.

  • AWSBackupRestoreAccessForSAPHANA – this Amazon managed policy enables access to restore your SAP HANA database using AWS Backup.

    • If you are going to use AWS Backup console for the restore process, attach this policy to the IAM role using the console.

    • If you are going to use AWS API for the restore process, attach this policy to the IAM role performing the API call.

    • Follow the recommended best practice of granting least privilege necessary for each role by attaching the AWSBackupRestoreAccessForSAPHANA policy only to the SAP HANA resource owner.

  • AWSBackupServiceRolePolicyForBackup – this Amazon managed policy must be attached to the role that will be passed to StartBackupJob or DefaultRole. For more information, see Service-linked role permissions for AWS Backup. The policy must contain the following trust relation.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "backup.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Install AWS Backint Agent for SAP HANA with AWS Systems Manager Agent (SSM Agent) on your SAP application server

Follow the steps described in the AWS Backint Agent for SAP HANA documentation. For more information, see Install and configure AWS Backint Agent for SAP HANA.