Prerequisites - SAP HANA on AWS

Prerequisites

After your SAP HANA system is successfully running on an Amazon EC2 instance, verify the following prerequisites to install AWS Backint agent using the Amazon EC2 Systems Manager document or using AWS Backint installer.

AWS Identity and Access Management

  1. To access the AWS resources required to install AWS Backint agent with AWS Systems Manager, you must attach the AmazonSSMManagedInstanceCore managed policy to your IAM role.

    Note

    If you choose to install the AWS Backint agent using the AWS Backint installer, you can skip this step.

  2. To allow your Amazon EC2 instance to access your target Amazon S3 bucket, you must create or update an inline IAM policy with the following permissions and attach it to your EC2 service role. Replace the resource names, such as the S3 bucket name, to match your resource name. You must provide the AWS Region and Amazon S3 bucket owner account ID along with the Amazon S3 bucket name.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetBucketPolicyStatus", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Resource": [ "arn:aws:s3:::<Bucket Name>/*", "arn:aws:s3:::<Bucket Name>" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "<KMS Arn>" }, { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutObjectTagging", "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::<bucket name>/<folder name>/*" } ] }
    Note

    If you want to allow cross-account backup and restore, you must add your account details under a principal element in your policy. For more information about principal policies, see AWS JSON Policy Elements: Principal in the AWS Identity and Access Management User Guide. In addition, you must ensure that the S3 bucket policies allow your account to perform the actions specified in the IAM policy example above. For more information, see the example for Bucket owner granting cross-account bucket permissions in the Amazon S3 Developer Guide.

    For more information about managed and inline policies, see the IAM User Guide.

Amazon EC2 Systems Manager

To install the AWS Backint agent with the Amazon EC2 Systems Manager Agent (SSM) document, you must install the Amazon EC2 Systems Manager Agent (SSM Agent) version 2.3.274.0 or later, and your instance must be a managed instance that is configured for AWS Systems Manager. If you want to install the AWS Backint agent using AWS Backint installer, you can skip this step. For more information about managed instances, see AWS Systems Manager Managed Instances. To update the SSM Agent, see Update SSM Agent by using Run Command.

Note

The SSM Agent will not work if you do not attach the AmazonSSMManagedInstanceCore policy to your EC2 instance role.

Amazon S3 bucket

When you install the AWS Backint agent, you must provide the name of the S3 bucket where you want to store your SAP HANA backups. Only Amazon S3 buckets created after May 2019 are compatible with AWS Backint agent. If you do not own a bucket created after May 2019, create a new S3 bucket in your target Region. Additionally, ensure that the Amazon S3 bucket where you want to store your backups doesn’t have public access enabled. If the S3 bucket has public access enabled, backups will fail.

AWS Backint agent supports backing up to Amazon S3 with VPC endpoints. For more information, see VPC Endpoints.

S3 storage classes —AWS Backint agent supports backing up your SAP HANA database to an Amazon S3 bucket with the S3 Standard, S3 Standard-IA, S3 One Zone-IA, and S3 Intelligent-Tiering storage classes. S3 Reduced Redundancy, Deep Archive, and Glacier storage classes are not supported by AWS Backint agent. By default, the S3 Standard storage class is used to store your backups. You can change the storage class to use for backups by modifying the AWS Backint agent configuration file. Alternatively, you can change your backup files to one of the supported storage classes through S3 LifeCycle configuration or directly using APIs. To learn more about Amazon S3 storage classes, see Amazon S3 Storage Classes in the Amazon S3 Developer Guide.

Note

S3 Intelligent-Tiering storage class enables movement of objects between four access tiers. It can also move objects to the archival tiers. However, AWS Backint agent for SAP HANA does not support backup and recovery from archival tiers. To recover or delete objects from the archival tiers, you must first restore the archived S3 objects before initiating a recovery or deletion with the AWS Backint agent.

Encryption— AWS Backint agent supports encrypting your SAP HANA backup files while storing them in Amazon S3, using server-side encryption with AWS KMS (KMS). You can encrypt your backups with a aws-managed-key called aws/s3 or you can use your own custom symmetrical AWS KMS key stored in KMS. To encrypt your backup files with keys stored in KMS (AWS-managed or custom), you must provide the KMS ARN during the install, or update the AWS Backint agent configuration file at a later time. To learn more about encrypting your S3 objects using AWS KMS, see How Amazon S3 uses AWS KMS in the AWS Key Management Service Developer Guide. Alternatively, you can enable default encryption for your Amazon S3 bucket using keys managed by Amazon S3. To learn more about enabling default encryption for your bucket, see How do I enable default encryption for an Amazon S3 bucket? in the Amazon S3 Console User Guide.

Object locking— You can store objects using a write-once-read-many (WORM) model with S3 Object Lock. Use S3 Object Lock if you want to prevent your SAP HANA backup files from being accidentally deleted or overwritten for a specific time period or indefinitely. If S3 Object Lock is enabled, you can't delete your SAP HANA backups stored in Amazon S3 using SAP HANA Cockpit, SAP HANA Studio, or SQL commands until the retention period expires. To learn about S3 Object Lock, see Locking objects using S3 Object Lock in the Amazon S3 Developer Guide.

Object tagging — By default, AWS Backint agent adds a tag called AWSBackintAgentVersion when it stores your SAP HANA backup files in your S3 bucket. This tag helps to identify the AWS Backint version and the SAP HANA version used when backing up your SAP HANA database. You can list the value of the tags from S3 console or using APIs. To disable default tagging, modify the AWS Backint agent configuration file.