Security - SAP HANA on AWS


The AWS Cloud provides a scalable, highly reliable platform on which you can deploy applications and data quickly and securely.

When you build systems on the AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you are responsible for the guest operating system (including updates and security patches), the associated application software such as SAP HANA, and the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Network Security

The default network security setup of this solution follows AWS security best practices. The provisioned SAP HANA instances are not exposed directly to the internet; they can be reached only as follows:

  • By first connecting to the SAP HANA Studio Windows instance with a remote desktop client, or to the bastion host with SSH, and from there to the SAP HANA instances inside the VPC.

  • Only from the CIDR block specified as RemoteAccessCIDR during the provisioning process. Keep this block as narrow as possible (the public address range of your office or VPN gateway) and never set it to 0.0.0.0/0, which would expose the RDP and SSH entry points to the whole internet.

  • Alternatively, if a VPN tunnel exists between your own data center and AWS, set RemoteAccessCIDR to a known CIDR block that is routed over that tunnel, so that no administrative port is reachable from the public internet at all.

AWS Identity and Access Management (IAM)

This solution uses an IAM role with least-privilege permissions for the provisioned instances. Because the role's credentials are delivered to the instances automatically and rotated by AWS, it is neither necessary nor recommended to store SSH keys, secret keys, or access keys on the provisioned instances.

Operating System Security

The root user on the Linux instances can be accessed only with the SSH key pair specified during the deployment process; on the Windows RDP instance, the Administrator password is obtained by decrypting it with the private key of that same key pair. AWS keeps only the public half of the key pair, never the private key, so if you lose the private key you can lose access to these instances.

Operating system patches are your responsibility and should be applied on a regular schedule.

Security Groups

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with it. You add rules to each security group that allow traffic to or from its associated instances; anything not explicitly allowed is denied. Security groups are stateful, so return traffic for an allowed connection is permitted automatically. You can modify the rules of a security group at any time, and the new rules are applied automatically to all instances that are associated with the security group.

The security groups created and assigned to the individual instances as part of this solution are as restrictive as possible while still allowing access to the various functions of SAP HANA. See Appendix C for a complete list of the ports and protocols configured as part of this solution.
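The two controls above (a narrow RemoteAccessCIDR and security groups that admit only that range or other security groups) are easy to undo with a single careless rule. The following Python script, added here as an example and not part of the SAP HANA on AWS Quick Start, first validates a RemoteAccessCIDR value before provisioning and then audits the ingress rules of a security group, in the JSON shape returned by `aws ec2 describe-security-groups`, flagging any CIDR source that is wide open or lies outside RemoteAccessCIDR and the VPC range. The sample security group, its GroupIds, the CIDR values, the HANA port 30015 and the /16 "too broad" threshold are all constructed assumptions for the illustration.

```python
"""Audit EC2 security group ingress rules against a RemoteAccessCIDR restriction.

Example added for this page, not part of the SAP HANA on AWS Quick Start.
SAMPLE_SG is a constructed security group in the shape that
`aws ec2 describe-security-groups` returns; the GroupIds, CIDR values, port
numbers and the /16 "too broad" threshold are assumptions for the illustration.
"""
import ipaddress


def validate_remote_access_cidr(cidr, widest_prefix=16):
    """Return a list of problems with a RemoteAccessCIDR value (empty means OK).

    Rejects malformed values, blocks with host bits set (a common typo such as
    203.0.113.5/24), the wide-open 0.0.0.0/0, and anything broader than
    /widest_prefix, which is an assumed policy threshold.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr!r} is not a valid CIDR block: {exc}"]
    if net.prefixlen == 0:
        return [f"{cidr} exposes the SSH and RDP entry points to the entire internet"]
    if net.prefixlen < widest_prefix:
        return [f"{cidr} is broader than /{widest_prefix}; narrow it to your office or VPN egress range"]
    return []


def _within_allowed(net, allowed):
    """True if net lies inside any network of the same IP version in allowed."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def _describe(perm):
    """Human-readable protocol/port string for one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols: no FromPort/ToPort keys
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_ingress(security_group, allowed_cidrs):
    """Return (group_id, rule, source, reason) findings for ingress rules whose
    CIDR source is not inside allowed_cidrs (RemoteAccessCIDR plus the VPC CIDR).

    Sources that are other security groups (UserIdGroupPairs) are accepted: that
    is how the bastion or HANA Studio host is allowed to reach SAP HANA without
    opening any CIDR range at all.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        rule = _describe(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((security_group["GroupId"], rule, cidr,
                                 "open to the internet"))
            elif not _within_allowed(net, allowed):
                findings.append((security_group["GroupId"], rule, cidr,
                                 "source outside RemoteAccessCIDR and VPC CIDR"))
    return findings


# Constructed sample: a HANA security group with SSH allowed only from the
# bastion's security group, HANA SQL (port 30015, instance 00) from the Studio
# host's security group, an accidental 0.0.0.0/0 rule, a stray third-party
# range, and an all-traffic rule from the VPC range.
REMOTE_ACCESS_CIDR = "203.0.113.0/24"   # assumed office egress range (TEST-NET-3)
VPC_CIDR = "10.0.0.0/16"                 # assumed VPC range
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "hana-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbb1"}]},
        {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccccccccccccccc2"}]},
        {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": VPC_CIDR}], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for problem in validate_remote_access_cidr(REMOTE_ACCESS_CIDR):
        print("parameter:", problem)
    for finding in audit_ingress(SAMPLE_SG, [REMOTE_ACCESS_CIDR, VPC_CIDR]):
        print("finding:", finding)
```

Run against a live account by feeding the `SecurityGroups` entries from `aws ec2 describe-security-groups --output json` to `audit_ingress` instead of `SAMPLE_SG`; a clean deployment of this solution should produce no findings, and the port list in Appendix C tells you which source security group each rule is expected to reference.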