Best Practice 1.4 – Implement workload configuration monitoring - SAP Lens

Design and configure your workload to provide information about its current configuration and changes to this configuration. Some examples are new or removed EC2 instances, scaling events, code changes, patch levels, security group configuration, and resource deletion. Use this information to determine when a response is required and to decide whether a change was expected or permitted. Monitor the cost implications of configuration changes and adjust or analyze budgets if required.

Suggestion 1.4.1 - Implement workload configuration monitoring

Set up and configure AWS CloudTrail to monitor high-priority and critical events, particularly in your SAP production accounts. Example events include new Amazon EC2 instances, Amazon EC2 decommissioning or changes, security group changes, and AWS KMS and IAM security change events. Use these events to configure CloudWatch Log Alarms (if required) and take action in the event of an unexpected change.
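The following is an added example, not part of the SAP Lens text: it triages CloudTrail records against a watch list covering the event categories named above and builds the CloudWatch Logs metric filter pattern an alarm on one category would use. The watch list, the approved-principal set, the account ID, and the sample records are assumptions constructed for illustration.

```python
import json

# Assumed watch list: CloudTrail eventName values grouped by the change
# categories the text names; tune it to your own change-control policy.
WATCHED = {
    "ec2-lifecycle": {"RunInstances", "TerminateInstances", "StopInstances"},
    "security-group": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                       "AuthorizeSecurityGroupEgress", "DeleteSecurityGroup"},
    "kms": {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
    "iam": {"CreateUser", "CreateAccessKey", "AttachRolePolicy", "PutRolePolicy"},
}
# Assumed: principals whose changes count as expected (e.g. a deploy pipeline role).
APPROVED = {"arn:aws:sts::111122223333:assumed-role/sap-deploy-pipeline/run-42"}

def metric_filter_pattern(category):
    """Build a CloudWatch Logs JSON filter pattern matching one category."""
    terms = [f'($.eventName = "{n}")' for n in sorted(WATCHED[category])]
    return "{ " + " || ".join(terms) + " }"

def triage(records, approved_principals):
    """Return one finding per watched event, marking unapproved callers."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        category = next((c for c, names in WATCHED.items() if name in names), None)
        if category is None:
            continue  # read-only or otherwise unwatched API call
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "category": category, "event": name, "principal": arn,
            "time": rec.get("eventTime"), "region": rec.get("awsRegion"),
            "failed": "errorCode" in rec,  # denied attempts are still worth a look
            "expected": arn in approved_principals,
        })
    return findings

# Constructed sample CloudTrail records (not real account data).
SAMPLE = json.loads("""[
 {"eventTime":"2024-01-01T02:00:00Z","eventName":"AuthorizeSecurityGroupIngress","awsRegion":"eu-central-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"}},
 {"eventTime":"2024-01-01T02:05:00Z","eventName":"RunInstances","awsRegion":"eu-central-1","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/sap-deploy-pipeline/run-42"}},
 {"eventTime":"2024-01-01T02:06:00Z","eventName":"DescribeInstances","awsRegion":"eu-central-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"}},
 {"eventTime":"2024-01-01T02:09:00Z","eventName":"ScheduleKeyDeletion","awsRegion":"eu-central-1","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"}}
]""")

if __name__ == "__main__":
    for finding in triage(SAMPLE, APPROVED):
        if not finding["expected"]:
            print("UNEXPECTED", finding)
    print(metric_filter_pattern("kms"))
```

The pattern string can be used as the filter pattern of a metric filter on the CloudTrail log group, with an alarm on the resulting metric.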

Suggestion 1.4.2 - Implement workload configuration enforcement and remediation

Set up and configure AWS Config to track, evaluate, and enforce configuration policy of your AWS resources supporting your SAP production applications. Common examples include enforcing read-only protection on S3 buckets containing SAP backups, mandatory Amazon EBS encryption, blocking common network ports, and checking that all resources have required tags. Use AWS Config Managed Rules to improve the security and change control posture of your AWS environment supporting SAP. Use AWS tags to enforce configuration rules and apply automated remediation where possible.

Suggestion 1.4.3 - Implement workload cost monitoring

Set up and configure AWS Budgets with custom budgets that alert you when you exceed (or are forecasted to exceed) your billing thresholds. Align budgets with your projected SAP environment spend and monitor for any anomalies to prevent cost overruns. Monitor your use and coverage of Reserved Instances and Savings Plans by using budget reports. Use AWS tags to assist in understanding cost allocation and usage across your SAP workload.