Best practices for IAM Security - AWS SDK for SAP ABAP

The IAM administrator will be responsible for the following three key areas.

  • Ensuring that the SAP system can authenticate itself with Amazon EC2 instance metadata or with secret access key credentials.

  • Ensuring that the SAP system has the permissions it needs to elevate itself with sts:assumeRole.

  • For each logical IAM role, creating an IAM role for SAP users with the permissions required to perform the business functions (for example, the necessary permissions for Amazon S3, DynamoDB, or other services). These are the roles that SAP users will assume.

For more information, see the Security chapter in the SAP Lens: AWS Well-Architected Framework.

Best practice for Amazon EC2 instance profile

The Amazon EC2 instance on which your SAP system runs has a set of authorizations based on its instance profile. Generally, the instance profile only needs to have permissions to call sts:assumeRole, to allow the SAP system to assume business-specific IAM roles as needed. This elevation to other roles ensures that an ABAP program can assume a role that gives the user the least privilege needed to do their job. For example, an instance profile might contain the following statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::0123456789:role/finance-cfo",
                "arn:aws:iam::0123456789:role/finance-auditor",
                "arn:aws:iam::0123456789:role/finance-reporting"
            ]
        }
    ]
}

The preceding example allows the SAP system to assume the IAM roles for the CFO, AUDITOR, or REPORTING user. The AWS SDK for SAP ABAP chooses the IAM role for a user based on that user's PFCG role in SAP.

An Amazon EC2 instance profile can also be used for other functions, such as backup or failover solutions.

Such solutions may require sts:assumeRole permissions for roles specific to backup or failover, or they may require permissions to be assigned directly to the instance profile.

IAM roles for SAP users

The ABAP program needs permissions to perform the user’s job: read a DynamoDB table, invoke Amazon Textract on a PDF object in Amazon S3, run an AWS Lambda function. The same security model is used in all AWS SDKs. You can use an existing IAM role that was used for another AWS SDK.

The SAP business analyst will ask the IAM administrator for the Amazon Resource Name (ARN, beginning with arn:aws:) of an IAM role for each logical role needed. For example, in a financial scenario, the business analyst may define the following logical IAM roles.

  • CFO

  • AUDITOR

  • REPORTING

The IAM administrator will define IAM roles for each logical IAM role.

CFO

  • arn:aws:iam::0123456789:role/finance-cfo

  • read and write permissions to an Amazon S3 bucket

  • read and write permissions to a DynamoDB database

AUDITOR

  • arn:aws:iam::0123456789:role/finance-auditor

  • read permissions to an Amazon S3 bucket

  • read permissions to a DynamoDB database

REPORTING

  • arn:aws:iam::0123456789:role/finance-reporting

  • read permissions to a DynamoDB database

  • no permission for the Amazon S3 bucket

The business analyst will enter the IAM roles into a mapping table to map the logical IAM roles with the physical IAM roles.

IAM roles for SAP users need to allow the sts:assumeRole action for trusted principals. The trusted principals can vary based on how the SAP system is authenticated on AWS. For more details, see Specifying a principal.

The following are some examples of the most common SAP scenarios.

  • SAP system running on Amazon EC2 with an instance profile assigned – here, the trusted principal is the IAM role attached to the Amazon EC2 instance profile.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "sts:AssumeRole" ],
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:role/SapInstanceProfile"
                }
            }
        ]
    }

  • SAP systems running on Amazon EC2 without an instance profile – here, the trusted principal is the Amazon EC2 service (ec2.amazonaws.com), which assumes the roles on behalf of SAP users.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "sts:AssumeRole" ],
                "Principal": {
                    "Service": [ "ec2.amazonaws.com" ]
                }
            }
        ]
    }

  • SAP systems running on-premises – SAP systems that run on-premises can only authenticate using the Secret Access Key. For more information, see SAP system authentication on AWS.

    Here, any IAM role assumed by an SAP user must have a trust relationship that trusts the IAM user whose secret access key the SAP system authenticates with.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "sts:AssumeRole" ],
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/SAP_SYSTEM_S4H"
                }
            }
        ]
    }
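As an added example that is not part of the AWS documentation, the following Python script checks that the three artefacts described above agree for the instance-profile scenario: the business analyst's mapping table, the instance profile's sts:AssumeRole policy, and each business role's trust policy. The policy documents, the account ID 123456789012, the SapInstanceProfile role and the SAP_SYSTEM_S4H user are constructed placeholders modelled on the examples on this page.

```python
# Constructed sample documents modelled on the page's examples; the account ID,
# the SapInstanceProfile role and the SAP_SYSTEM_S4H user are placeholders.
ACCT = "123456789012"
SAP_INSTANCE_ROLE = f"arn:aws:iam::{ACCT}:role/SapInstanceProfile"
CFO, AUDITOR, REPORTING = (f"arn:aws:iam::{ACCT}:role/finance-{n}"
                           for n in ("cfo", "auditor", "reporting"))

def trust_policy(principal_key, principal):
    """Role trust policy in the shape shown on this page ("AWS" ARN or "Service" principal)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["sts:AssumeRole"], "Principal": {principal_key: principal}}]}

# Instance profile policy: AssumeRole on cfo and auditor only; reporting was left out.
INSTANCE_PROFILE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [CFO, AUDITOR]}]}
# Trust policies of the business roles; reporting wrongly trusts the on-premises IAM user.
TRUST_POLICIES = {CFO: trust_policy("AWS", SAP_INSTANCE_ROLE),
                  AUDITOR: trust_policy("AWS", SAP_INSTANCE_ROLE),
                  REPORTING: trust_policy("AWS", f"arn:aws:iam::{ACCT}:user/SAP_SYSTEM_S4H")}
# The business analyst's mapping table: logical IAM role -> physical IAM role ARN.
MAPPING = {"CFO": CFO, "AUDITOR": AUDITOR, "REPORTING": REPORTING}

_as_list = lambda v: v if isinstance(v, list) else [v]

def _allows_assume_role(st):
    # IAM matches action names case-insensitively, so sts:assumeRole == sts:AssumeRole.
    actions = {a.lower() for a in _as_list(st.get("Action", []))}
    return st.get("Effect") == "Allow" and "sts:assumerole" in actions

def assumable_roles(policy):
    """Role ARNs an identity policy (e.g. the instance profile) allows sts:AssumeRole on."""
    return {arn for st in policy["Statement"] if _allows_assume_role(st)
            for arn in _as_list(st.get("Resource", []))}

def trusts_principal(trust, principal):
    """True if a role trust policy lets `principal` (an ARN or a service name) assume the role."""
    return any(principal in _as_list(p) for st in trust["Statement"]
               if _allows_assume_role(st) for p in st.get("Principal", {}).values())

def check_mapping(mapping, instance_policy, trust_policies, sap_principal):
    """Per logical role, list what would make AssumeRole fail; an empty list means it works."""
    allowed = assumable_roles(instance_policy)
    report = {}
    for logical, arn in mapping.items():
        problems = []
        if arn not in allowed:
            problems.append("instance profile is not allowed to assume this role")
        if not trusts_principal(trust_policies.get(arn, {"Statement": []}), sap_principal):
            problems.append("role trust policy does not trust the SAP principal")
        report[logical] = problems
    return report
```

Running check_mapping(MAPPING, INSTANCE_PROFILE_POLICY, TRUST_POLICIES, SAP_INSTANCE_ROLE) reports no problems for CFO and AUDITOR and both problems for REPORTING, which is exactly the state in which an ABAP user mapped to REPORTING would get an AccessDenied from STS.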