

# Extensions


You can extend RISE with SAP with AWS services to improve performance, security, and agility, and to reduce costs. The following table lists recommended AWS services by use case.


| Category | Use case |  AWS services | 
| --- | --- | --- | 
|   [Performance](rise-performance.md)   |  SAP Fiori and SAP GUI access with proactive observability  |   [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html), [Accelerated Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html), [AWS Internet Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html)   | 
|   [Application integration](application-integration.md)   |  Application Integration  |   [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html)   | 
|   [Archiving and Document Management](document-management.md)   |  Archiving and Document Management  |   [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html), [AWS S3 File Gateway](https://docs.aws.amazon.com/filegateway/latest/files3/what-is-file-s3.html), [Amazon EFS](https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html)   | 
|   [Development and Extension](development-extension.md)   |  Development, Compatibility packs and alternatives  |   [AWS SDK for SAP ABAP](https://docs.aws.amazon.com/sdk-for-sapabap/latest/developer-guide/home.html), [AWS Marketplace](https://docs.aws.amazon.com/marketplace/)   | 
|   [Security Extension](security-extension.md)   |  Single Sign On, Zero Trust Access  |   [mTLS Authentication through Amazon ALB](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html), [AWS Verified Access for SAP](https://docs.aws.amazon.com/verified-access/latest/ug/what-is-verified-access.html)   | 
|   [Artificial Intelligence](artificial-intelligence.md)   |  Generative AI  |   [Amazon Q for Business](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/what-is.html), [Amazon Quick Sight](https://docs.aws.amazon.com/quicksuite/latest/userguide/quicksight-gen-bi.html), [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html)   | 

# Performance


 **Enhance SAP Fiori performance with Amazon CloudFront** 

[Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) is a content delivery network (CDN) service that increases performance and reduces latency for the SAP Fiori launchpad in RISE with SAP. CloudFront caches static content at its edge locations and accelerates dynamic content through its edge network.

Global SAP systems accessed by users across multiple geographical regions can use [Amazon CloudFront VPC (Virtual Private Cloud) Origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html) to reduce network latency and improve the SAP end-user experience.

CloudFront VPC Origins is a feature that enhances security and streamlines operations for web applications such as SAP Fiori, hosted in private subnets within the Amazon VPC. This architecture allows CloudFront to serve as the single entry point for SAP Fiori, eliminating the need for public exposure of the SAP servers.

CloudFront VPC Origins is deployed in the customer-managed AWS account, directing SAP user traffic that arrives through CloudFront to an internal [AWS Application Load Balancer (ALB)](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). The ALB routes Fiori traffic directly to the SAP systems hosted in the SAP RISE AWS account through AWS Transit Gateway. AWS WAF (web application firewall) is optional but recommended to improve the security posture.

![\[Request routing with Amazon CloudFront\]](http://docs.aws.amazon.com/sap/latest/general/images/performance.png)


Data flow

1. A user accesses the SAP Fiori launchpad from a web browser or mobile device.

1. The request is routed to the Amazon CloudFront edge location closest to the user.

1. Optionally, AWS WAF evaluates the request against the customer’s configured rules to block malicious traffic. In addition, [Distributed Denial of Service (DDoS) protection](https://aws.amazon.com/developer/application-security-performance/articles/ddos-protection/) is provided by [AWS Shield Standard](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-standard-summary.html), which is automatically included at no extra cost when you use CloudFront with AWS WAF.

1. The request is then passed to the AWS ALB, which forwards the traffic to the SAP system hosted in the SAP-managed RISE account.

This improves the security posture of SAP systems by:
+ Eliminating direct exposure of SAP servers to the public internet
+ Reducing the attack surface, as CloudFront becomes the only ingress point
+ Simplifying security management through centralized control in CloudFront
+ Integrating easily with AWS WAF and AWS Shield Standard for additional protection

Integrating CloudFront VPC Origins with SAP can lead to performance improvements:
+ Global users benefit from CloudFront’s worldwide edge locations
+ Traffic is optimized using the [AWS global network backbone](https://aws.amazon.com/about-aws/global-infrastructure): CloudFront traffic stays on the high-throughput backbone all the way to your SAP servers, providing optimized performance and low latency
+ Static SAP Fiori content is cached at CloudFront edge locations and dynamic SAP Fiori content is accelerated through CloudFront’s global edge network

To implement CloudFront VPC Origins for SAP:

1. The applications in RISE with SAP are hosted by default in private VPC subnets in an AWS account managed by SAP

1. In the customer-managed AWS account, create an AWS ALB that points to the SAP system in the RISE account

1. Create a CloudFront distribution with VPC Origins pointing to the AWS ALB

1. Update the security group of your VPC private origin (the AWS ALB in this case) to explicitly allow the CloudFront managed prefix list, so that only traffic from CloudFront can reach the VPC origin

1. Ensure the same fully qualified domain name is used by CloudFront, ALB, and SAP

1. Configure CloudFront to handle both static and dynamic content from SAP systems

1. Optionally, implement AWS WAF for additional security at the edge

Refer to AWS documentation [Restrict access with VPC origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html) for more information.
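The security-group step above is the one that actually keeps clients from reaching the ALB directly. The following audit script is an added example written for this guide (it is not AWS-provided code): it takes security groups in the shape returned by EC2 `DescribeSecurityGroups` and reports any HTTPS ingress source other than the CloudFront origin-facing managed prefix list (`com.amazonaws.global.cloudfront.origin-facing`). The prefix list ID is a constructed placeholder, because the real ID differs per region, and the two sample groups are constructed inline.

```python
"""Audit the security group of an ALB used as a CloudFront VPC origin.

Added example for this guide (not AWS-provided code). A correctly restricted
group admits TCP/443 only from the CloudFront origin-facing managed prefix
list; any CIDR, IPv6 range, other prefix list or security-group source would
let clients reach the ALB without passing CloudFront and AWS WAF.
"""

# Placeholder ID; look up the real one for your region with
#   aws ec2 describe-managed-prefix-lists \
#     --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
CLOUDFRONT_PREFIX_LIST_ID = "pl-0cloudfrontplaceholder"


def _covers_https(perm: dict) -> bool:
    """True if an ingress permission would admit TCP/443 traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)


def audit_origin_security_group(sg: dict, prefix_list_id: str = CLOUDFRONT_PREFIX_LIST_ID) -> list[str]:
    """Return findings for the origin security group; an empty list means it is correctly restricted."""
    findings = []
    cloudfront_rule_present = False
    for perm in sg.get("IpPermissions", []):
        if not _covers_https(perm):
            continue
        where = f"{perm.get('IpProtocol')} {perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
        for rng in perm.get("IpRanges", []):
            findings.append(f"{where}: CIDR source {rng.get('CidrIp')} admits traffic that does not come through CloudFront")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"{where}: IPv6 source {rng.get('CidrIpv6')} admits traffic that does not come through CloudFront")
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"{where}: security-group source {pair.get('GroupId')} admits traffic that does not come through CloudFront")
        for pl in perm.get("PrefixListIds", []):
            if pl.get("PrefixListId") == prefix_list_id:
                cloudfront_rule_present = True
            else:
                findings.append(f"{where}: unexpected prefix list {pl.get('PrefixListId')}")
    if not cloudfront_rule_present:
        findings.append("no HTTPS ingress rule references the CloudFront managed prefix list")
    return findings


# Constructed samples in DescribeSecurityGroups shape: one open to the internet, one restricted.
OPEN_TO_INTERNET_SG = {
    "GroupId": "sg-example-open",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        "PrefixListIds": [], "UserIdGroupPairs": [],
    }],
}
CLOUDFRONT_ONLY_SG = {
    "GroupId": "sg-example-restricted",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [], "Ipv6Ranges": [],
        "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST_ID}], "UserIdGroupPairs": [],
    }],
}

if __name__ == "__main__":
    for sg in (OPEN_TO_INTERNET_SG, CLOUDFRONT_ONLY_SG):
        print(sg["GroupId"], audit_origin_security_group(sg) or ["ok"])
```

Feed the script the output of `aws ec2 describe-security-groups --group-ids <alb-sg>` to run it against a real group; the point of the check is that a single permissive CIDR rule silently undoes the benefit of VPC Origins, because the ALB then answers requests that never passed CloudFront or AWS WAF.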

 **Optimize performance with Accelerated Site-to-Site VPN connections** 

When you deploy RISE with SAP on AWS for a global roll-out, you can reduce network latency by using [Accelerated Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html), which is based on [AWS Global Accelerator](https://aws.amazon.com/global-accelerator/). This service complements the foundational Transit Gateway and Direct Connect to address performance challenges for geographically dispersed users while ensuring efficient and secure access to mission-critical RISE with SAP. It supports both SAP Fiori (HTTPS-based) traffic and SAP GUI (TCP-based) traffic.

[AWS Global Accelerator](https://aws.amazon.com/global-accelerator/) is a service that creates accelerators to improve the performance of applications for local and global users. It operates as a Layer 4 TCP/UDP proxy, optimizing traffic routing through AWS’s global network infrastructure. It terminates client TCP connections at AWS edge locations and establishes new TCP connections to backend endpoints over AWS’s private backbone. This reduces latency (by up to 75%, varying by location) by bypassing public internet hops and ensures congestion-free routing for globally distributed users.

[Accelerated Site-to-Site VPN connections](https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html) combine traditional [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) with AWS Global Accelerator to optimize traffic routing. Traffic from the on-premises network is routed to the AWS edge location closest to the customer gateway device and then carried over the AWS backbone. This reduces latency by up to 30%-60% compared to standard VPNs.

![\[Accelerated Site-to-Site VPN\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-accelerated-s2s-vpn.png)


 **Enhancing observability of RISE with SAP using AWS Internet Monitor** 

 [AWS Internet Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html) continuously analyses internet traffic between end users and AWS-hosted applications, detecting network anomalies that may impact RISE with SAP performance. It provides insights into issues like increased latency, packet loss, or regional connectivity disruptions, allowing organizations to proactively address potential outages before they affect SAP workloads.

RISE with SAP relies on stable and predictable network performance. AWS Internet Monitor helps by:
+ Identifying ISP or regional network disruptions that impact SAP response times.
+ Providing early warnings and actionable recommendations to mitigate network-related service degradation.
+ Distinguishing between AWS infrastructure issues and external internet disruptions, which streamlines troubleshooting.
+ Improving observability of internet routing, which is dynamic and lacks predictable service-level agreements (SLAs).
+ Enabling proactive management of external ISPs and transit providers, which may introduce unpredictable latency, packet loss, and congestion.

To implement it, see [Getting started with Internet Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-get-started.html).

# Application integration


Deploy [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) to extract data from SAP S/4HANA over an HTTP API. API Gateway can consume data from IDoc, BAPI, and RFC interfaces; these need to be translated into web service calls. For more information, see [AWS blogs](https://aws.amazon.com/blogs/awsforsap/category/application-services/amazon-api-gateway-application-services/). The following image shows this scenario.

![\[Data flow with Amazon API Gateway\]](http://docs.aws.amazon.com/sap/latest/general/images/data-integration.png)


Data flow

1. The RISE with SAP VPC is connected via AWS Transit Gateway to your own AWS account (not managed by SAP).

1. Amazon API Gateway is configured to route authentication to AWS Lambda and Amazon Cognito.

1. Amazon Cognito authenticates the session.

1. Once authenticated, Amazon API Gateway routes the package to AWS Lambda.

1. AWS Lambda stores the data in an Amazon S3 bucket.
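The last two steps of the data flow are where your own code runs. The handler below is an added example written for this guide, not code from AWS or from the blog series linked above: it shows the event an API Gateway REST API hands to Lambda after a Cognito user-pool authorizer has accepted the call (claims under `requestContext.authorizer.claims`), re-checks that an authenticated identity is present, validates the body before any part of it is used to build an S3 key, and writes the payload to S3. The bucket name is a placeholder, and the S3 put operation is passed in as a callable so the handler can run without AWS access; in the deployment the default path uses `boto3.client("s3").put_object`. The sample event is constructed.

```python
"""AWS Lambda handler behind Amazon API Gateway with a Cognito user-pool authorizer.

Added example for this guide (not AWS-provided code). Validates the authenticated
identity and the request body, then stores the SAP payload in S3.
"""
import datetime
import hashlib
import json
import re

ARCHIVE_BUCKET = "example-sap-extract-bucket"          # placeholder bucket name
DOC_TYPE_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,40}")   # keeps path separators and dots out of the key


def _response(status: int, body: dict) -> dict:
    """Proxy-integration response format expected by API Gateway."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def _cognito_subject(event: dict):
    """Return the Cognito 'sub' claim placed in the event by the user-pool authorizer (REST API)."""
    claims = ((event.get("requestContext") or {}).get("authorizer") or {}).get("claims") or {}
    return claims.get("sub")


def lambda_handler(event: dict, context, put_object=None) -> dict:
    if put_object is None:
        import boto3  # only needed in the real deployment; tests inject a stand-in
        put_object = boto3.client("s3").put_object
    subject = _cognito_subject(event)
    if not subject:
        # API Gateway should already have rejected the call; keep the check as defence in depth
        return _response(401, {"error": "unauthenticated"})
    try:
        body = json.loads(event.get("body") or "")
    except json.JSONDecodeError:
        return _response(400, {"error": "body is not JSON"})
    doc_type = body.get("documentType") if isinstance(body, dict) else None
    if not isinstance(doc_type, str) or not DOC_TYPE_PATTERN.fullmatch(doc_type):
        return _response(400, {"error": "documentType missing or invalid"})
    if "payload" not in body:
        return _response(400, {"error": "payload missing"})
    raw = json.dumps(body["payload"], sort_keys=True).encode()
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    digest = hashlib.sha256(raw).hexdigest()[:16]
    # The key is built only from validated input and the authenticated identity, never from raw user strings
    key = f"{doc_type}/{subject}/{stamp}-{digest}.json"
    put_object(Bucket=ARCHIVE_BUCKET, Key=key, Body=raw, ContentType="application/json")
    return _response(201, {"bucket": ARCHIVE_BUCKET, "key": key})


# Constructed sample event in the REST API proxy-integration format.
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"claims": {"sub": "1b2c3d4e-example", "email": "user@example.com"}}},
    "body": json.dumps({"documentType": "IDOC_ORDERS05", "payload": {"orderId": "4500001234", "items": 3}}),
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, put_object=lambda **kw: print("would put", kw["Key"])))
```

Keying objects by the authenticated subject rather than by anything in the body keeps one caller from overwriting another caller's extracts, and the Lambda execution role should be limited to `s3:PutObject` on that one bucket so a bug in the handler cannot reach anything else.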

# Archiving and Document Management


SAP Data Archiving and Document Management System (DMS) plays a crucial role both before and after migrating to RISE with SAP. It helps businesses effectively manage database growth and optimize overall costs. Before migrating to S/4HANA, archiving reduces migration expenses, minimizes downtime, and lowers risk by decreasing data volume. After moving to S/4HANA, it helps control operational costs and ensures optimal system performance. Additionally, businesses can decommission legacy SAP ECC systems, eliminating unnecessary expenses while retaining access to historical data.

Data archiving for structured data. Data archiving moves the data of closed business transactions from live SAP systems to offline or secondary storage. The key aspect of data archiving is to set a process and strategy that reduces manual effort while ensuring compliance with legal data retention requirements.

Document management for unstructured data. The difference between data and document archiving is the type of data that you are archiving. Document archiving relates to unstructured data like invoices, sales orders, delivery notes, and others, which usually come in formats such as PDF, Word, and Excel files. This archiving occurs in real time, and the documents can be stored on any content server and linked to the related SAP transactions.

The following sections discuss the available options for data archiving and document management systems within SAP.

 **Option 1: SAP Content Server running on MaxDB** 

Many customers migrating to RISE with SAP choose to keep their SAP Content Server on AWS until they transition to [SAP BTP Document Management System](https://help.sap.com/docs/document-management-service?locale=en-US) or [OpenText Archiving solution](https://www.sap.com/documents/2015/08/5217be37-427c-0010-82c7-eda71af511fa.html). [SAP Content Server](https://help.sap.com/docs/document-management-service/sap-document-management-service/content-server) is a standalone component designed to store large volumes of electronic documents in various formats. These documents can be securely saved in one or more SAP MaxDB instances or within the file system. Common examples of documents stored in SAP Content Server include sales invoices, purchase orders, salary slips, emails, agreements, and others. This approach ensures seamless document management integrated into SAP business processes while maintaining accessibility and compliance.

![\[SAP Content Server running on MaxDB\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-content-server-maxdb.png)


Architecture Description

1. The RISE with SAP VPC is connected via AWS Transit Gateway to an AWS account that you manage.

1. [SAP Content Server](https://help.sap.com/docs/SLTOOLSET/31c5526375554d1b9f4b339fc9012685/2548be9ba8fd4e8eb55ae6ae53b76782.html?version=CURRENT_VERSION) is set up in your AWS account and [configured](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4d/002cc784ed5c4be10000000a42189e/content.htm?no_cache=true) to serve as the destination for data archiving.

1. SAP MaxDB is set up in your AWS account and [configured](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4d/002cc784ed5c4be10000000a42189e/content.htm?no_cache=true) to run on an Amazon EC2 instance.

1. Implement [SAP Content Server High Availability](https://aws.amazon.com/blogs/awsforsap/sap-content-server-high-availability-using-amazon-efs-and-suse/) using Amazon EFS. You can consider [EFS Infrequent Access](https://aws.amazon.com/efs/features/infrequent-access/) for documents that are not accessed frequently.

 **Option 2: SAP Content Server on Amazon S3** 

SAP Content Server together with [Amazon S3](https://aws.amazon.com/s3/) can meet SAP data archiving needs by providing scalable and secure storage for archived data. They offer features like versioning, access control, immutability, and integration with SAP systems. This section is relevant for customers experiencing SAP database growth, seeking performance improvements, aiming to reduce storage costs, or needing to meet compliance requirements for long-term data retention in their SAP environment.

The following image shows an SAP Content Server integrated with Amazon S3.

![\[SAP Content Server running on Amazon S3\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-content-server-s3.png)


Architecture Description

1. The RISE with SAP VPC is connected via AWS Transit Gateway to an AWS account that you manage.

1. [SAP Content Server](https://help.sap.com/docs/SLTOOLSET/31c5526375554d1b9f4b339fc9012685/2548be9ba8fd4e8eb55ae6ae53b76782.html?version=CURRENT_VERSION) is set up in your AWS account and [configured](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4d/002cc784ed5c4be10000000a42189e/content.htm?no_cache=true) to serve as the destination for data archiving.

1. The SAP Content Server integrates with [Amazon S3 File Gateway](https://aws.amazon.com/storagegateway/file/s3/), which acts as a storage gateway to facilitate file-based storage. [S3 File Gateway](https://aws.amazon.com/storagegateway/file/s3/) enables mounting of [Amazon S3](https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html) as a Network File System (NFS) share.

1. An Amazon S3 bucket stores the necessary archive files. You can use [S3 Lifecycle configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) to manage the lifecycle of the objects. For enhanced data protection or regulatory compliance, you can implement [retention policies using S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html). You can move files to different S3 storage classes using automated Lifecycle Management. For more information, see [Using Amazon S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html).

SAP Content Server, in conjunction with Amazon S3, provides a mechanism for transferring archived data to long-term S3 storage such as [Amazon S3 Glacier](https://aws.amazon.com/s3/storage-classes/glacier/). This archived data can then be accessed using SAP’s standard archive read programs.

However, if you require more extensive integration with SAP, third-party solutions like [Syntax CxLink](https://www.syntax.com/software/cxlink/) or [OpenText](https://www.sap.com/documents/2015/08/5217be37-427c-0010-82c7-eda71af511fa.html) offer additional libraries. These enhance the integration capabilities, providing more advanced functionalities for managing and accessing archived data directly within the SAP environment. For organizations employing SAP Information Lifecycle Management (ILM) to manage data retention and governance, see how [Syntax Cxlink for ILM](https://aws.amazon.com/blogs/apn/syntax-cxlink-for-ilm-simplify-sap-data-lifecycle-management-on-aws/) can enhance your ILM strategy by using Amazon S3 as a secondary storage solution for SAP ILM. This approach leverages the scalability and cost-effectiveness of cloud storage while maintaining the robust data management capabilities of SAP ILM.

 **Option 3: SAP OpenText Archiving in RISE** 

SAP OpenText Archiving enables secure document storage, compliance, and cost-efficient data management for RISE with SAP. It is a cloud-based document management and archiving solution that integrates with SAP to store, retrieve, and manage unstructured content (for example, invoices, contracts, and purchase orders). It ensures compliance with regulatory requirements, reduces the database footprint, and optimizes SAP S/4HANA performance. Within RISE with SAP, OpenText is included as an optional component in the RISE BOM.

 **Option 4: OpenText InfoArchive for RISE** 

OpenText InfoArchive is a modern archive solution and cloud-based service for compliant archiving of both structured and unstructured information that is highly accessible, scalable, and economical. It is a centralized platform that enables flexible storage options for unstructured content, including storage on [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/). InfoArchive Cloud Edition on AWS is offered as [customer-deployed](https://aws.amazon.com/blogs/apn/manage-your-business-complete-data-with-opentext-infoarchive-and-aws/) or as a managed solution by OpenText running on AWS.

OpenText InfoArchive is a general-purpose archiving platform designed to retire legacy SAP applications and store structured and unstructured data from multiple systems. It supports SAP ECC, CRM, HR, and industry-specific systems (healthcare, banking, and others). OpenText InfoArchive can be used to archive inactive data and decommission retired SAP legacy applications, and it comes with pre-built SAP views.

Key Features

1. Application Decommissioning – Retires legacy applications while keeping data accessible.

1. Structured and Unstructured Data Archiving – Stores documents, emails, records, and databases.

1. Multi-System Support – Works with SAP, Oracle, Salesforce, Microsoft, and custom applications.

1. Advanced Search & Analytics – Uses AI/ML for insights into archived data.

1. Regulatory Compliance – HIPAA, GDPR, SEC 17a-4, etc.

You can deploy an OpenText InfoArchive server integrated with Amazon S3 for SAP data decommissioning. The following image shows this scenario with AWS services. OpenText InfoArchive on AWS is deployed on [Amazon Elastic Kubernetes Service](https://aws.amazon.com/eks/) (EKS), which hosts its web application, OpenText Directory Service for authentication and authorization, and the InfoArchive server. Customers can also procure it through [AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-srfvrykqva2zo?sr=0-1&ref_=beagle&applicationId=AWSMPContessa).

![\[OpenText infoArchive for RISE\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-opentext-infoarchive.png)


Architecture Description

1. RISE with SAP VPC is connected to your AWS account via AWS Transit Gateway.

1. OpenText InfoArchive on AWS is deployed on [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/) in your AWS account and [configured](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4d/002cc784ed5c4be10000000a42189e/content.htm?no_cache=true) to serve as the destination for data archiving.

1. OpenText InfoArchive integrates with [Amazon S3 File Gateway](https://aws.amazon.com/storagegateway/file/s3/), which acts as a storage gateway to facilitate file-based storage. [S3 File Gateway](https://aws.amazon.com/storagegateway/file/s3/) enables mounting of [Amazon S3](https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html) as a Network File System (NFS) share.

1. An Amazon S3 bucket stores the necessary archive files. You can use [S3 Lifecycle configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) to manage lifecycle of the objects. For enhanced data protection or regulatory compliance, you can implement [retention policies using S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html).

1. Older documents can be moved to [Amazon S3 Glacier](https://aws.amazon.com/s3/storage-classes/glacier/) for long-term archival.

1. You can move files to different Amazon S3 storage classes using automated Lifecycle Management. For more information, see [Using Amazon S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html).
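Option 2 and Option 4 both end with the same two bucket settings: a lifecycle configuration that tiers archive files down to Glacier classes, and an Object Lock default retention for compliance. The following script is an added example written for this guide, not AWS or OpenText code. It builds the JSON documents that `aws s3api put-bucket-lifecycle-configuration` and `aws s3api put-object-lock-configuration` accept, and then checks the pair for two mistakes worth catching before deployment: a GOVERNANCE retention mode where COMPLIANCE was intended (GOVERNANCE can be overridden by any principal holding `s3:BypassGovernanceRetention`), and an expiration rule that would try to delete archives before the default retention period ends. The 90-day and 180-day minimum storage durations for GLACIER and DEEP_ARCHIVE are taken from S3 pricing and are assumptions to re-check against current pricing; the prefix and retention values are constructed.

```python
"""Lifecycle and Object Lock settings for an SAP archive bucket, with a consistency check.

Added example for this guide (not AWS-provided code).
"""
import json

# Minimum billable storage durations (assumption from S3 pricing; re-check for your region).
MIN_STORAGE_DAYS = {"GLACIER": 90, "GLACIER_IR": 90, "DEEP_ARCHIVE": 180}


def build_archive_lifecycle(prefix, glacier_after_days=90, deep_archive_after_days=365, expire_after_days=None):
    """Lifecycle configuration: tier archive files down over time, optionally expire them."""
    rule = {
        "ID": f"sap-archive-{prefix.strip('/') or 'all'}",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [
            {"Days": glacier_after_days, "StorageClass": "GLACIER"},
            {"Days": deep_archive_after_days, "StorageClass": "DEEP_ARCHIVE"},
        ],
    }
    if expire_after_days is not None:
        rule["Expiration"] = {"Days": expire_after_days}
    return {"Rules": [rule]}


def build_object_lock_config(years, mode="COMPLIANCE"):
    """Bucket default retention. COMPLIANCE cannot be shortened by any user, including the root user."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": years}}}


def check_archive_policy(lifecycle, object_lock):
    """Return findings where the lifecycle and retention settings contradict each other."""
    findings = []
    retention = object_lock.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode {retention.get('Mode')} can be bypassed with "
                        "s3:BypassGovernanceRetention; use COMPLIANCE for regulatory archives")
    retention_days = retention.get("Days") or 365 * retention.get("Years", 0)
    for rule in lifecycle.get("Rules", []):
        transitions = rule.get("Transitions", [])
        days = [t["Days"] for t in transitions]
        if days != sorted(set(days)):
            findings.append(f"{rule['ID']}: transitions must be in strictly increasing order")
        expire = rule.get("Expiration", {}).get("Days")
        if expire is not None:
            if expire < retention_days:
                findings.append(f"{rule['ID']}: expires after {expire} days but the default retention "
                                f"is {retention_days} days; locked versions would outlive the rule")
            for t in transitions:
                if expire - t["Days"] < MIN_STORAGE_DAYS.get(t["StorageClass"], 0):
                    findings.append(f"{rule['ID']}: {t['StorageClass']} objects would be expired "
                                    "before the minimum storage duration")
    return findings


if __name__ == "__main__":
    lifecycle = build_archive_lifecycle("archive/", expire_after_days=10 * 365)
    object_lock = build_object_lock_config(years=7)
    print(json.dumps(lifecycle, indent=2))   # feed to: aws s3api put-bucket-lifecycle-configuration
    print(json.dumps(object_lock, indent=2))  # feed to: aws s3api put-object-lock-configuration
    print(check_archive_policy(lifecycle, object_lock) or "policy is consistent")
```

Object Lock must be enabled when the bucket is created (it requires versioning), so run the checker on the intended settings before provisioning; changing a COMPLIANCE retention afterwards is, by design, not possible.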

# Development and extension


## AWS SDK for SAP ABAP


Deploy the AWS SDK for SAP ABAP in the RISE with SAP VPC to call AWS services from the ABAP language. For more information, see [What is AWS SDK for SAP ABAP?](https://docs.aws.amazon.com/sdk-for-sapabap/latest/developer-guide/home.html)

You can authenticate AWS SDK for SAP ABAP with IAM access key. The following image shows this scenario.

![\[Data flow for SAP ABAP SDK\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-abap.png)


Data flow

1. The AWS SDK for SAP ABAP is installed via a set of transports in SAP S/4HANA within the RISE with SAP VPC.

1. SAP S/4HANA is configured with an IAM access key for authenticating access to AWS services. For more information, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).

1. Access to AWS services through the AWS SDK for SAP ABAP is now established.

## Compatibility packs and alternatives


Compatibility packs (CP) are temporary use rights to classic functionality within S/4HANA, created in 2016. They are part of every SAP S/4HANA contract, both on-premises and private cloud. This was done with the goal of ensuring a smooth transition for SAP installed-base customers and gaining time to finalize the new simplified application architecture.

During the transition from SAP Business Suite to S/4HANA, business functions moved along several paths. You can find out more in the [presentation by Michael Deller (SAP) and Roland Hamm (SAP)](https://assets.dm.ux.sap.com/webinars/sap-user-groups-k4u/pdfs/230927_call_to_action_for_saps4hana_customers_compatibility_packs.pdf).

In [SAP Note 2269324](https://me.sap.com/notes/2269324), SAP defines categories to help organizations plan their strategy for compatibility packs. These categories guide decisions for transitioning from SAP Business Suite to SAP S/4HANA.
+ Alternative Exists
+ Alternative Exists with Roadmap - Alternative exists providing core functionality; comprehensive coverage is on roadmap
+ Alternative Planned - Planning of development scope and timeline is work in progress
+ No Alternative Planned - No intention or plan to provide an alternative beyond 2025
+ Clarification - Clarification of strategy in progress

 **How can AWS help customers find alternatives?** 

Organizations should evaluate their current SAP landscape and plan their transition strategy considering both SAP compatibility pack expiration dates and available alternatives. When compatibility packs lack alternatives, you can leverage combined AWS and SAP services. This approach aligns with the [AWS Refactor and re-architect](https://docs.aws.amazon.com/prescriptive-guidance/latest/large-migration-guide/migration-strategies.html#refactor) migration strategy, which focuses on reimagining applications and processes. Here are the details:
+ The [SAP and AWS joint reference architecture](https://community.sap.com/t5/technology-blogs-by-sap/sap-and-aws-joint-reference-architectures-to-maximize-utilization-and/ba-p/13549809) was developed to address common questions from joint customers and partners on how to utilize SAP BTP and/or AWS services for different business solution scenarios. Refer also to this [blog](https://aws.amazon.com/blogs/awsforsap/amplify-the-value-of-your-sap-investment-with-aws-and-sap-joint-reference-architecture/) for more details.
+ [The AWS SDK for SAP ABAP](https://aws.amazon.com/sdk-for-sap-abap/) simplifies the use of 200-plus AWS services alongside SAP applications with a client library of modules that are consistent and familiar to ABAP developers.
+ [SAP Products and AWS Partner Solutions](https://aws.amazon.com/marketplace/search/results?searchTerms=SAP) on AWS Marketplace
+ [Contact our SAP on AWS expert team](https://aws.amazon.com/sap/) for guidance if needed.

As an example, “SAP Tax Classification and Reporting” has been tagged as “No Alternative Planned” in [SAP Note 2269324](https://me.sap.com/notes/2269324) (refer to S4HANA CompScope – Way Forward – Info – 06032025.xlsx). In this case, you can explore alternatives such as [Thomson Reuters ONESource Indirect Tax Determination](https://aws.amazon.com/marketplace/seller-profile?id=14aa4071-a059-43f9-a854-968597951447) on AWS Marketplace.

# Security Extension


## mTLS Authentication


Mutual Transport Layer Security (mTLS) Authentication establishes a secure, two-way encrypted connection between client and server. Unlike standard TLS, where only the server provides a certificate, mTLS requires both parties to present digital certificates.

The mTLS authentication process works in four steps:

1. The client requests a connection to the server

1. The server presents its certificate

1. The client verifies the server’s certificate

1. The client presents its certificate for server verification and authentication

 **Why use mTLS Authentication for SAP?** 

Implementing mutual TLS (mTLS) authentication for SAP systems enhances security, improves the user experience, and reduces operational overhead. It modernizes the user authentication infrastructure to support digital transformation while ensuring compliance with security standards. mTLS addresses the following security requirements in SAP environments:

1. Enhanced Security: mTLS provides two-way authentication, ensuring both the client and server verify each other’s identity. This significantly reduces the risk of unauthorized access and man-in-the-middle attacks.

1. Seamless User Experience with Single Sign On (SSO): mTLS can be integrated with SSO solutions, allowing users to access multiple SAP applications and services without repeatedly entering credentials. This creates a smoother, more efficient user experience across the SAP ecosystem.

1. Automated Certificate Rotation: mTLS allows for automated rotation of certificates, enhancing security by regularly updating authentication credentials without manual intervention. This reduces the risk of using expired or compromised certificates and minimizes administrative overhead.

1. Principal Propagation for Interfaces: mTLS enables secure principal propagation across different SAP interfaces and systems. This eliminates the need for generic and privileged accounts (like an SAP user with SAP_ALL authorization) for system-to-system communication, significantly improving security and auditability.

1. Scalability and Performance: mTLS can be implemented at the network level, offloading authentication processes from application servers. This can lead to improved performance and scalability of SAP systems.

1. Support for Zero Trust Architecture: mTLS aligns well with zero trust security models, where trust is never assumed and always verified.

 **mTLS Client Authentication with Application Load Balancer** 

 [Application Load Balancer (ALB)](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) supports mTLS authentication. It offers two modes: verify and passthrough mode.

 **Prerequisite** 

To ensure seamless communication, all SSL (Secure Sockets Layer) or TLS certificates used across the infrastructure, including those at the ALB, SAP Web Dispatcher, and S/4HANA systems, should originate from a single trusted root certificate authority. This eases the implementation and maintenance of these certificates.

 **mTLS Architecture Diagram** 

The diagram below describes a basic SAP on AWS architecture that is adapted to align with the RISE with SAP SKU offering.

![\[mTLS Architecture Diagram\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-mtls-authentication.png)


 **mTLS Verify Mode** 

To enable mTLS verify mode, create a trust store containing a CA certificate bundle. This can be accomplished using [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html), AWS Private CA, or by importing your own certificates. Manage revoked certificates using Certificate Revocation Lists (CRLs) stored in Amazon S3 and linked to the trust store.

ALB handles client certificate verification against the trust store, effectively blocking unauthorized requests. This approach offloads mTLS processing from backend targets, improving overall system efficiency. ALB imports CRLs from S3 and performs checks without repeated S3 fetches, minimizing latency.

Beyond client authentication, ALB passes client certificate metadata to the backend SAP Web Dispatcher through [HTTP headers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html) (for example, X-Amzn-Mtls-Clientcert-Leaf). This allows additional logic to be implemented on backend targets based on certificate details, and meets the requirement for SAP servers to preserve the original “Host Header” information.

This enables the server to process client certificate metadata consistently, even when it originates from non-SAP sources like an AWS load balancer terminating the SSL connection. If you are implementing end-to-end encryption through ALB – SAP Web Dispatcher – SAP Servers, you must configure SAP Web Dispatcher profile parameters such as icm/HTTPS/client_certificate_header_name; for more details, see [this link](https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/48477e7fe9d771b9e10000000a421937.html).

 **mTLS Passthrough Mode** 

In mTLS passthrough mode, ALB forwards the client’s entire certificate chain to backend targets. This is done via an HTTP header named X-Amzn-Mtls-Clientcert. The chain, including the leaf certificate, is sent in URL-encoded PEM format with +, =, and / as safe characters. Consider the following when using mTLS passthrough mode:
+ ALB adds no headers if client certificates are absent; backends must handle this.
+ Backend targets are responsible for client authentication and error handling.
+ For HTTPS listeners, ALB terminates client-ALB TLS and initiates new ALB-backend TLS using target-installed certificates.
+ ALB’s TLS termination allows use of any ALB routing algorithm for load balancing.
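The header handling described above, for both verify mode (X-Amzn-Mtls-Clientcert-Leaf) and passthrough mode (X-Amzn-Mtls-Clientcert, leaf first), as an added Go example that is not code from the AWS documentation or from SAP. It assumes the URL-encoded PEM shape described above; SampleHeader is a hypothetical helper that builds a constructed header from a throwaway self-signed certificate, standing in for what ALB would forward.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// LeafFromMTLSHeader decodes the client certificate ALB forwards in
// X-Amzn-Mtls-Clientcert-Leaf (verify mode) or as the first PEM block of
// X-Amzn-Mtls-Clientcert (passthrough mode, leaf first). ALB leaves "+", "=" and
// "/" unescaped, so decode as a path: query decoding would turn "+" into a space.
func LeafFromMTLSHeader(value string) (*x509.Certificate, error) {
	if value == "" { // ALB adds no header when no client certificate was presented
		return nil, errors.New("no client certificate header present")
	}
	decoded, err := url.PathUnescape(value)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(decoded))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("header does not hold a PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SampleHeader is a hypothetical helper for this demo: it builds a constructed header
// value from a throwaway self-signed certificate, percent-encoded the way ALB does it.
func SampleHeader(cn string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return strings.NewReplacer("%2F", "/").Replace(url.PathEscape(pemText)) // ALB keeps "/" raw
}

func main() {
	cert, err := LeafFromMTLSHeader(SampleHeader("sap-user-01"))
	fmt.Println(cert.Subject.CommonName, err) // prints "sap-user-01 <nil>"
}
```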

 **NLB Passthrough** 

When you have stringent security compliance rules requiring server-side termination of client TLS connections, you can utilize a [Network Load Balancer (NLB)](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html).

Key points to note:

1. NLB operates at the transport layer (Layer 4 of the OSI model).

1. It provides low-latency load balancing for TCP/UDP connections.

1. NLB allows the backend servers to handle TLS termination, which can be crucial for certain security compliance scenarios.

This approach ensures that sensitive decryption processes occur on your controlled server environment, potentially meeting specific security mandates while maintaining efficient traffic distribution.

 **Comparison of mTLS verify mode vs mTLS passthrough mode vs NLB passthrough.** 


| Considerations | ALB with mTLS Verify mode | ALB with mTLS passthrough mode | NLB | 
| --- | --- | --- | --- | 
|  OSI Layer  |  Layer 7 (Application)  |  Layer 7 (Application)  |  Layer 4 (Transport)  | 
|  Integration with AWS WAF  |  Supported  |  Supported  |  Not Supported  | 
|  Client Authentication  |  Done by ALB (AWS managed)  |  Done by backend (Customer managed)  |  Done by backend (Customer managed)  | 
|  Client SSL/TLS Termination  |  At ALB (AWS managed)  |  At ALB (AWS managed)  |  At backend target (Customer managed)  | 
|  Header Based Routing  |  Supported  |  Supported  |  Not Supported  | 
|  Trust Store  |  Required at ALB  |  Not required at ALB  |  Not required at NLB  | 
|  Certificate Revocation List  |  Managed at ALB  |  Managed by backend (if required)  |  Managed by backend (if required)  | 
|  Backend Processing Load  |  Lower  |  Lower  |  Higher  | 
|  Error Handling  |  Managed by ALB  |  Managed by backend  |  Managed by backend  | 

Note: RISE with SAP on AWS supports ALB with mTLS Verify Mode.

## Zero Trust Access


 AWS Verified Access is a Zero Trust security solution that replaces traditional VPNs for corporate application security. It validates each access request by checking user identity, device health, and location. The service integrates with Okta, Azure Active Directory, and IAM Identity Center while providing detailed access logging and monitoring. See [AWS Verified Access for more information](https://docs.aws.amazon.com/verified-access/latest/ug/what-is-verified-access.html).

 **Key Features and Benefits of AWS Verified Access for SAP** 

This solution secures SAP landscapes through Zero Trust security, managing both SAPGUI and web-based (HTTPS) access through a unified framework. It encrypts SAPGUI TCP connections and HTTPS access for Fiori applications, eliminating the traditional VPN while maintaining security standards.

Users can access RISE with SAP systems sooner (before VPN connectivity is set up). It also lets you grant secure access to remote users and external consultants who do not have VPN access to your corporate network.

1. Identity-Centric Security

   Verified Access integrates with existing identity providers (IdPs) such as Microsoft Azure AD (Entra), Okta, Ping, and others. It provides real-time user authentication and authorization, with support for SAML 2.0 and AWS IAM Identity Center.

1. Contextual Access Control

   Verified Access can implement device security posture assessment, location-based access policies, role-based access management, and dynamic policy evaluation.

1. Enhanced Performance

   Verified Access provides direct, optimized connection paths to SAP systems, reducing network latency, improving performance, and giving users a more consistent experience with SAP systems.

1. Simplified Administration

   Verified Access provides centralized policy management through the [AWS Cedar Policy Language](https://docs.aws.amazon.com/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/cedar.html) and its authorization engine. It provides automated compliance reporting, real-time access monitoring, and reduced infrastructure maintenance.

 **Implementation Guide** 

 **Prerequisites** 
+ AWS IAM Identity Center enabled in the AWS Region that you prefer. For more information, see [Enable AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html).
+ A [security group](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) to allow network access to SAP applications.
+ SAP application running behind an internal AWS Elastic Load Balancer. Associate your security group with the load balancer. You can use a Network Load Balancer for both SAP GUI and SAP Fiori access, or an Application Load Balancer for SAP Fiori access only.
+ A public TLS certificate in [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) when configuring AWS Verified Access for HTTP(S) based access (i.e. SAP Fiori). Use an RSA certificate with a key length of 1,024 or 2,048.
+ A public hosted domain and the permissions required to update DNS records for the domain (example: Amazon Route 53).
+ An IAM policy with the permissions required to create an AWS Verified Access instance. For more information, see [Policy for creating Verified Access instances](https://docs.aws.amazon.com/verified-access/latest/ug/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-create-instance).
+ Set the system environment variable **SAP_IPV6_ACTIVE=1** as per [SAP note 1346768](http://me.sap.com/notes/1346768) (requires an SAP S-user ID to access). This is needed when accessing the SAP application from SAP GUI through the Verified Access endpoint.

 **How to Implement AWS Verified Access for SAP** 

1. Create a Verified Access Trust Provider. After IAM Identity Center is enabled on your AWS account, you can use the following [procedure](https://docs.aws.amazon.com/verified-access/latest/ug/user-trust.html#identity-center) to set up IAM Identity Center as your trust provider for Verified Access.

1. Create a Verified Access instance. You use a Verified Access instance to organize your trust providers and Verified Access groups. Use the following [procedures](https://docs.aws.amazon.com/verified-access/latest/ug/create-verified-access-instance.html) to create a Verified Access instance, and then attach or detach a trust provider from Verified Access.

1. Create a Verified Access group. You use Verified Access groups to organize endpoints by their security requirements. When you create a Verified Access endpoint, you associate the endpoint with a group. Use the following [procedure](https://docs.aws.amazon.com/verified-access/latest/ug/create-verified-access-group.html) to create a Verified Access group.

1. Create a load balancer endpoint for Verified Access. A Verified Access endpoint represents an application. Each endpoint is associated with a Verified Access group and inherits the access policy of that group. Use the following [procedure](https://docs.aws.amazon.com/verified-access/latest/ug/create-load-balancer-endpoint.html) to create a load balancer endpoint for Verified Access for your SAP application.

1. Configure DNS for the Verified Access endpoint. For this step, you map your SAP application’s domain name (for example, www.myapp.example.com) to the domain name of your Verified Access endpoint. To complete the DNS mapping, create a Canonical Name Record (CNAME) with your DNS provider.

1. Add a Verified Access group-level access policy. AWS Verified Access policies allow you to define rules for accessing your SAP applications hosted in AWS. Refer to the following sample [statements](https://docs.aws.amazon.com/verified-access/latest/ug/auth-policies-policy-statement-struct.html) to derive one for your application as per your requirements.

1. Test the connectivity to your application. You can now test connectivity to your application by entering your SAP application’s domain name into your web browser, for HTTP(S) based access such as SAP Fiori.

![\[Verified Access for RISE\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-verified-access.png)


The preceding diagram shows how AWS Verified Access is deployed and integrated with RISE with SAP.

# Artificial Intelligence


 **Generative AI for SAP on AWS** 

Generative AI refers to intelligent systems capable of creating new content like text, images, audio, or code based on the data they have been trained on. These systems employ machine learning techniques, particularly deep learning and neural networks, to identify patterns and relationships within the training data, and then generate novel outputs that resemble the learned information.

As organizations embrace generative AI for their employees and customers, cybersecurity practitioners must rapidly assess the risks, governance, and controls associated with this evolving technology. As security leaders working with the largest, most complex customers at [Amazon Web Services (AWS)](https://aws.amazon.com/), we’re regularly consulted on trends, best practices, and the rapidly evolving landscape of generative AI and the associated security and privacy implications. Generative AI solutions cover multiple use cases that affect your security scope. To better understand the scope and corresponding key security disciplines, see the AWS blog post [Securing generative AI: An introduction to the Generative AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/).

SAP and AWS have co-innovated services which help customers to combine SAP’s AI innovations and enterprise expertise with Amazon’s cutting-edge AI capabilities and technological solutions, thereby unlocking significant opportunities for business enhancement. RISE customers can accelerate their AI adoption through [SAP Business Technology Platform (BTP)](https://www.sap.com/products/technology-platform.html) AI services like Generative AI Hub and AWS enterprise GenAI services including [Amazon Bedrock](https://aws.amazon.com/bedrock/), and [Amazon Q](https://aws.amazon.com/q/) enabling secure, scalable AI solutions.

 **SAP Data Integration and Management on AWS** 

Data serves as the cornerstone for the success of any generative AI solution. The quality, quantity, and diversity of data are critical factors that directly influence the performance and efficacy of AI models. We recommend reviewing our [Guidance for SAP Data Integration and Management on AWS](https://aws.amazon.com/solutions/guidance/sap-data-integration-and-management-on-aws/), which provides the essential data foundation for empowering customers to build AI solutions. It shows how to integrate data from SAP ERP source systems and AWS in real-time or batch mode, with change data capture, using AWS services, SAP products, and AWS Partner Solutions. This includes an overview reference architecture showing how to ingest SAP systems to AWS in addition to detailed architectural patterns that complement SAP-supported mechanisms using AWS services, SAP products, and AWS Partner Solutions.

 **Ways to implement Generative AI Solutions for RISE on AWS** 

This architectural guidance helps you build advanced AI solutions. It shows you how to effectively combine RISE with SAP and AWS's AI services to create powerful and innovative systems.

 **Amazon Q for Business** 

RISE customers can leverage [Amazon Q Business](https://aws.amazon.com/q/business/) to answer questions, provide summaries, generate content, and complete tasks based on enterprise data. End users receive immediate, permission-aware responses from enterprise data sources with citations. Q Business is a fully managed generative-AI powered assistant with 40+ pre-built connectors to various enterprise applications and data sources.

Customers who choose to break data silos by creating data warehouse or data lake solutions can use SAP and other enterprise data as a source for Q Business to:
+ Create a unified search experience across systems and data thereby extracting key insights
+ Create and share lightweight applications either to select users or add them to an organization’s application library
+ Perform actions across popular business applications and platforms
+ Create and automate complex business workflows

![\[Amazon Q for Business\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-amazon-q-business.png)


The diagram above illustrates a design framework for Q Business based search for RISE customers. It shows how SAP data can be extracted using AWS services and how, using the pre-built Q Business connectors, organizations can create a unified search experience.

Solution Flow:

1. Establish connectivity with the RISE environment by creating an AWS Glue connection for SAP OData.

1. Ingest relevant SAP data by creating ETL jobs.

1. Use the pre-built connectors to various data sources and applications to connect them with Q Business. Ingest the relevant content while inheriting the existing identities, roles, and permissions.

1. End users can interact in natural language to derive business insights from data across multiple applications.

 **Amazon Quick Sight** 

 [Amazon Quick Sight](https://aws.amazon.com/quicksuite/quicksight/) revolutionizes SAP data analysis through its advanced 'Generative business intelligence' capabilities, empowering business users with intuitive self-service reporting tools. Using natural language prompts, RISE customers can effortlessly create sophisticated visual dashboards and data narratives without requiring SQL or programming expertise.

This democratization of data analysis dramatically reduces report generation time from days to hours, eliminating dependencies on specialized ABAP developers and/or analytics teams. The system’s AI-driven automation intelligently generates contextual titles, organized sections, coherent story flows, and actionable insights with specific recommendations. For RISE customers, this translates into accelerated decision-making processes, with deeper more accessible insights from their enterprise data.

![\[Amazon Quick Sight\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-amazon-q-in-quicksight.png)


The diagram illustrates a framework of Amazon Quick Sight with SAP Data.

Solution Flow:

1. An SAP report processes the business logic and uploads the data to [Amazon S3](https://aws.amazon.com/s3/).

1. Using the [AWS SDK for SAP ABAP](https://aws.amazon.com/sdk-for-sap-abap/), create an [Amazon Athena](https://aws.amazon.com/athena/) query linked to the SAP report data in S3.

1. Create a Quick Sight dataset and topic based on the Athena query.

1. Using Q in Quick Sight, you can then interact with the data generated by SAP reports in natural language, get insights from the data, build dashboards, and generate stories.