

# Security
<a name="security-rise"></a>

SAP manages security within the SAP-managed AWS account. You can implement additional security mechanisms in your own AWS account.

**Topics**
+ [SSO – SAP Cloud Identity Services and AWS IAM Identity Center](sso-iam.md)
+ [SSO – SAP Cloud Identity Services and Microsoft Entra](sso-entra.md)
+ [SSO – SAPGUI Front-End](sso-sapgui.md)
+ [Advanced security using AWS Services](rise-security-aws-services.md)
+ [Integrating SAP Data Custodian KMS with AWS KMS](aws-kms.md)
+ [How AWS Nitro helps secure RISE with SAP?](aws-nitro.md)
+ [Amazon WorkSpaces as remote access solution](rise-workspaces.md)

# SSO – SAP Cloud Identity Services and AWS IAM Identity Center
<a name="sso-iam"></a>

One of the security best practices for RISE with SAP is to centralize user access control through integration with a corporate Identity Provider (IdP). This makes it easier to provision, de-provision, and manage user access across the company, including RISE with SAP, AWS services, and other applications.

AWS IAM Identity Center is one of the IdPs that you can integrate with RISE to support Single Sign-On (SSO). IAM Identity Center provides a centralized access point for users to manage AWS accounts and applications consistently within AWS Organizations (for example, in a multi-account setup).

If you already have an existing identity source such as Okta, Ping, Microsoft Windows Active Directory, Microsoft Entra (previously known as Azure Active Directory), or others, you can integrate that identity source with IAM Identity Center through the Security Assertion Markup Language (SAML) and System for Cross-Domain Identity Management (SCIM) protocols.

For more information, see the following references:
+ [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+ For integrating IAM Identity Center with other identity sources, see [Getting started tutorials](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html).
+ [SAP Cloud Identity Services - Identity Authentication](https://help.sap.com/docs/identity-authentication)

The following image shows the integration between Identity Authentication from SAP BTP and AWS IAM Identity Center in the context of RISE with SAP.

![\[SAP Cloud Identity Services with IAM Identity Center\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-iam.png)


 **Authentication flow** 

1. The user accesses SAP Fiori via an internet browser.

1. SAP Fiori redirects a SAML request back to the internet browser.

1. The internet browser relays the SAML request to SAP Cloud Identity Services.

1. SAP Cloud Identity Services delegates the authentication request to IAM Identity Center.

1. If IAM Identity Center is integrated with an existing identity source such as Okta, Ping, or Entra, that IdP authenticates the user.

1. The user is authenticated by the IdP, and a SAML response carrying the user identity information is returned to the internet browser.

1. The user can access RISE with SAP systems.

For more information on how to do this, you can refer to [AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SAP Cloud Platform Cloud Foundry](https://static.global.sso.amazonaws.com/app-c1553f5036ecbcd6/instructions/index.htm).

# SSO – SAP Cloud Identity Services and Microsoft Entra
<a name="sso-entra"></a>

Microsoft Entra (previously Azure AD) or other IdPs can be integrated with SAP Cloud Identity Services directly. This supports direct authentication with Single Sign-On (SSO) when you do not need AWS IAM Identity Center (that is, when there is no requirement to run a multi-account strategy that uses AWS Organizations).

![\[SAP Cloud Identity Services with Microsoft Entra\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-entra.png)


 **Authentication flow** 

1. The user accesses SAP Fiori via an internet browser.

1. SAP Fiori redirects a SAML request back to the internet browser.

1. The internet browser relays the SAML request to SAP Cloud Identity Services.

1. SAP Cloud Identity Services delegates the authentication request to the IdP.

1. The user is authenticated by the IdP, and a SAML response carrying the user identity information is returned to the internet browser.

1. The user can access SAP S/4HANA in the RISE with SAP VPC.

For more information on how to do this, you can refer to [Enable SSO between Azure AD and SAP Cloud Platform using Identity Authentication Service](https://developers.sap.com/mission.cp-azure-ias-single-signon.html).
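As an added example (not part of the AWS documentation or of SAP's or AWS's code), the following Python applies the checks that an SAP system acting as SAML service provider should make on the response the browser relays back in the final steps of both flows above: the response must answer an AuthnRequest the system actually issued in step 2, come from the trusted SAP Cloud Identity Services tenant, name this system as audience and ACS URL, and still be inside its validity window. The tenant URL, entity ID, ACS path and user ID are constructed placeholders, and signature verification is assumed to have been done beforehand by the SAML stack.

```python
"""Check the conditions on a SAML 2.0 Response the browser relays to the SAP system (the SP)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholders, not real tenants or systems.
IDP_ISSUER = "https://mytenant.accounts.ondemand.com"            # SAP Cloud Identity Services tenant
SP_ENTITY_ID = "https://s4hana-prd.example.com/sap/saml2"        # the S/4HANA system's own entity ID
ACS_URL = "https://s4hana-prd.example.com/sap/saml2/sp/acs/100"  # its assertion consumer service
SAMPLE_NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)    # clock used by the sample run


@dataclass
class SpExpectations:
    """What the SP knows before any response arrives."""
    issuer: str                   # only this IdP may issue assertions for us
    audience: str                 # assertions must name our entity ID
    acs_url: str                  # responses must be addressed to our ACS
    outstanding_request_ids: set  # AuthnRequest IDs sent in step 2 and not yet answered


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML UTC timestamp


def validate_response(xml_text, expect, now, skew=timedelta(minutes=2)):
    """Return (name_id, problems); name_id is None unless every check passed.
    Assumes the XML signature was already verified against the IdP certificate."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["document is not a samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expect.acs_url:
        problems.append("Destination is not our ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in expect.outstanding_request_ids:
        problems.append("InResponseTo matches no open AuthnRequest (unsolicited or replayed)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + [f"expected one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    for issuer in (root.findtext("saml:Issuer", None, NS), assertion.findtext("saml:Issuer", None, NS)):
        if issuer != expect.issuer:
            problems.append(f"Issuer {issuer!r} is not the trusted IdP")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Conditions missing")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            problems.append("assertion not yet valid")
        if not not_on_or_after or now - skew >= _ts(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expect.audience not in audiences:
            problems.append(f"Audience {audiences} does not name our entity ID")
    data = None
    for confirmation in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if confirmation.get("Method") == BEARER:
            data = confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if data.get("Recipient") != expect.acs_url:
            problems.append("bearer Recipient is not our ACS URL")
        if data.get("InResponseTo") != req_id:
            problems.append("bearer InResponseTo differs from the Response")
        if not data.get("NotOnOrAfter") or now - skew >= _ts(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    if problems:
        return None, problems
    expect.outstanding_request_ids.discard(req_id)  # one response per request blocks replay
    return assertion.findtext("saml:Subject/saml:NameID", None, NS), []


def build_sample_response(audience=SP_ENTITY_ID, in_response_to="_req_42",
                          not_on_or_after="2024-05-01T10:05:00Z"):
    """Constructed sample (not a capture) shaped like the response of step 6."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp_1"
  Version="2.0" IssueInstant="2024-05-01T10:00:00Z" InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a_1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>JDOE</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
        InResponseTo="{in_response_to}" Recipient="{ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:58:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""


if __name__ == "__main__":
    sp = SpExpectations(IDP_ISSUER, SP_ENTITY_ID, ACS_URL, {"_req_42"})
    print(validate_response(build_sample_response(), sp, SAMPLE_NOW))  # ('JDOE', [])
    print(validate_response(build_sample_response(), sp, SAMPLE_NOW))  # second delivery is rejected
```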

# SSO – SAPGUI Front-End
<a name="sso-sapgui"></a>

SAPGUI is the graphical user interface client in SAP ERP's three-tier architecture of database, application servers, and clients. It must be installed on a local desktop running Windows, macOS, or Linux.

To achieve Single Sign-On (SSO) for SAPGUI in RISE with SAP, you must use either the Kerberos or the X.509 method. AWS does not recommend Kerberos, because it requires users to always be connected to the corporate network and authenticated against a Microsoft Active Directory, which reduces their mobility. For this reason, X.509 is recommended.

SAPGUI Single Sign-On with X.509 can be achieved with [SAP Secure Login Service on BTP](https://help.sap.com/docs/SAP%20SECURE%20LOGIN%20SERVICE?version=Cloud). The image below describes how the integration works.

![\[SSO for SAPGUI Front-End\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-sso-sapgui.png)


 **Authentication flow** 

1. The user starts SAPGUI on their desktop.

1. SAP S/4HANA redirects the authentication request to SAP Secure Login Service.

1. SAP Secure Login Service delegates the authentication to SAP Cloud Identity Services.

1. When SAP Cloud Identity Services is integrated with an IdP (for example, Azure AD, Okta, or Ping), that IdP authenticates the user.

1. The user is authenticated by the IdP, and SAP Secure Login Service provides an X.509 certificate to SAPGUI.

1. The user can access SAP S/4HANA in the RISE with SAP VPC.

For more information on how to do this, you can refer to [Securing SAP GUI with SAP Secure Login Service](https://community.sap.com/t5/technology-blogs-by-sap/explore-securing-sap-gui-with-sap-secure-login-service/ba-p/13579130).

# Advanced security using AWS Services
<a name="rise-security-aws-services"></a>

AWS offers a comprehensive suite of security services that can act as a multi-layered security envelope around RISE with SAP deployments on AWS. These services form an additional security barrier, intercepting and mitigating potential threats before they reach the RISE account, providing robust protection and helping you comply with industry-standard security best practices.

**Topics**
+ [AWS Network Firewall](networkfirewall.md)
+ [Amazon Macie](macie.md)
+ [Amazon GuardDuty](guardduty.md)
+ [Security Hub, Detective, Audit Manager and EventBridge](securityhub.md)
+ [Using All AWS Security Services](allawssecurity.md)

# AWS Network Firewall
<a name="networkfirewall"></a>

AWS Network Firewall is a managed firewall service that provides essential network protection for Amazon Virtual Private Cloud (VPC) environments. It acts as a first line of defence, filtering and inspecting all network traffic to and from RISE resources, effectively creating a protective perimeter around a RISE environment.

Key features of AWS Network Firewall include:
+ Stateful Firewall Capabilities. AWS Network Firewall offers advanced stateful firewall features to monitor and control network traffic. It can inspect the complete context of a network connection, including source, destination, ports, and protocols, to detect and block malicious or unauthorized traffic.
+ Threat Signature Matching. AWS Network Firewall comes pre-loaded with a comprehensive set of threat detection rules and signatures, continuously updated by AWS, to identify and mitigate known threats, malware, and other malicious activity targeting RISE deployments.
+ Custom Rule Definition. In addition to the pre-defined threat signatures, customers can create and deploy custom firewall rules to address specific security requirements or policies unique to connections hitting SAP systems in the RISE environment.
+ Centralized Policy Management. AWS Network Firewall allows you to define and manage firewall policies centrally, which can then be deployed across multiple VPCs, including non-SAP VPCs and VPCs associated with the SAP-managed RISE VPC, ensuring consistent security enforcement.
+ Scalability and High Availability. As a fully managed service, AWS Network Firewall automatically scales to handle changes in network traffic volume and patterns, ensuring the RISE environment remains protected without the need for complex infrastructure management.

In the context of RISE with SAP, AWS Network Firewall can be leveraged for the following:
+ Centralized Firewall Management. AWS Network Firewall provides a centralized, managed firewall service to control and monitor network traffic travelling to and from the SAP-managed RISE VPC.
+ Stateful Packet Inspection. AWS Network Firewall performs stateful packet inspection, allowing it to detect and mitigate advanced threats by analysing the context of network connections to/from SAP systems within the RISE VPC.
+ Regulatory Compliance. AWS Network Firewall helps organizations meet compliance requirements by enforcing security policies and providing logging/auditing capabilities for the RISE with SAP landscape.

Below is an example architecture of AWS Network Firewall inspecting network traffic before it reaches RISE with SAP.

![\[Network Firewall inspecting network traffic before it reaches RISE with SAP\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-network-firewall.png)


In the diagram above:

1. A malicious actor exploits a network misconfiguration to reach an SAP system on RISE.

1. The traffic is first routed through AWS Transit Gateway.

1. Packet inspection by AWS Network Firewall catches the abnormal connection attempts.
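As an added example (not from the AWS documentation), the Python below reads AWS Network Firewall alert and flow log records (one JSON object per line, with the Suricata-style event under `event`) and flags any source that touches several distinct SAP default ports within a short window, which is the kind of abnormal connection attempt step 3 above describes. Firewall name, IP addresses and timestamps are constructed; the SAP port layout (32NN dispatcher, 33NN gateway, 36NN message server, 80NN/443NN ICM, 3NN13/3NN15 HANA SQL) is the standard default convention, not a value from this page.

```python
"""Flag sources probing several SAP service ports in AWS Network Firewall alert/flow logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Standard SAP default port layout (NN = two-digit instance number); not a value from this page.
SAP_PORT_RANGES = [
    (3200, 3299, "dispatcher 32NN"),
    (3300, 3399, "gateway 33NN"),
    (3600, 3699, "message server 36NN"),
    (8000, 8099, "ICM HTTP 80NN"),
    (44300, 44399, "ICM HTTPS 443NN"),
]


def sap_service(port):
    """Name the SAP service behind a default port, or None for a non-SAP port."""
    for low, high, name in SAP_PORT_RANGES:
        if low <= port <= high:
            return name
    if 30000 <= port <= 39999 and port % 100 in (13, 15):
        return "HANA SQL 3NN13/3NN15"
    return None


def parse_records(lines):
    """Parse log lines (one JSON object each, Suricata-style event under 'event'); skip malformed ones."""
    records, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            ev = rec["event"]
            records.append({
                "time": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
                "src": ev["src_ip"], "dst": ev["dest_ip"], "dport": int(ev["dest_port"]),
                "kind": ev["event_type"], "action": ev.get("alert", {}).get("action"),
                "firewall": rec.get("firewall_name"),
            })
        except (ValueError, KeyError, TypeError):
            skipped += 1  # not JSON, or a record without the fields we key on
    return records, skipped


def probing_sources(records, min_ports=3, window=timedelta(seconds=60)):
    """Return {src_ip: {dest_port: service}} for sources hitting >= min_ports distinct SAP ports within window."""
    by_src = defaultdict(list)
    for r in records:
        service = sap_service(r["dport"])
        if service:
            by_src[r["src"]].append((r["time"], r["dport"], service))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):  # sliding window anchored at each hit
            ports = {port: svc for t, port, svc in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = ports
                break
    return flagged


def _line(ts, src, dst, dport, kind="alert", action="dropped"):
    """Build one constructed log line in the JSON layout Network Firewall writes (not a real capture)."""
    ev = {"timestamp": ts, "flow_id": 1, "event_type": kind, "src_ip": src, "src_port": 50123,
          "dest_ip": dst, "dest_port": dport, "proto": "TCP"}
    if kind == "alert":
        ev["alert"] = {"action": action, "signature_id": 1000001, "rev": 1, "severity": 2,
                       "signature": "SAP service port from non-approved source", "category": ""}
    else:
        ev["netflow"] = {"pkts": 12, "bytes": 2048, "start": ts, "end": ts, "age": 0}
    return json.dumps({"firewall_name": "rise-edge-fw", "availability_zone": "eu-central-1a",
                       "event_timestamp": "1714557600", "event": ev})


SAMPLE_LOG_LINES = [
    # 10.20.0.55 walks dispatcher, gateway, message server and ICM HTTPS ports of one RISE host in 20 s
    _line("2024-05-01T10:00:01.000000+0000", "10.20.0.55", "10.50.1.10", 3200),
    _line("2024-05-01T10:00:05.000000+0000", "10.20.0.55", "10.50.1.10", 3300),
    _line("2024-05-01T10:00:09.000000+0000", "10.20.0.55", "10.50.1.10", 3600),
    _line("2024-05-01T10:00:21.000000+0000", "10.20.0.55", "10.50.1.10", 44300),
    _line("2024-05-01T10:00:30.000000+0000", "10.20.0.55", "10.50.1.10", 22),  # not an SAP port
    # 10.20.0.10 is an ordinary SAPGUI user: one dispatcher port, repeatedly, plus a flow record
    _line("2024-05-01T10:00:02.000000+0000", "10.20.0.10", "10.50.1.10", 3200, action="allowed"),
    _line("2024-05-01T10:00:40.000000+0000", "10.20.0.10", "10.50.1.10", 3200, action="allowed"),
    _line("2024-05-01T10:01:00.000000+0000", "10.20.0.10", "10.50.1.10", 3200, kind="netflow"),
    "this line is not JSON",
]

if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG_LINES)
    for source, ports in probing_sources(recs).items():
        print(f"{source} touched {len(ports)} SAP ports: {ports}")
    print(f"{bad} malformed line(s) skipped")
```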

AWS Network Firewall can also be used by customers who consume SAP BTP services hosted on AWS by connecting first to an AWS Transit Gateway over AWS Direct Connect, so that their end-to-end traffic stays on the AWS backbone.

For instructions to configure AWS Network Firewall, see [Getting started with AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html).

# Amazon Macie
<a name="macie"></a>

Amazon Macie is a data security service that helps customers discover, classify, and protect sensitive data stored in Amazon S3 buckets by continuously monitoring and alerting on potential data risks and unauthorized access attempts.

In the context of RISE with SAP, Amazon Macie can protect Amazon S3 buckets in a customer-managed AWS account that are fed by a RISE with SAP environment, for instance:
+ As a RISE customer, you can copy backups from the SAP-managed AWS account to a customer-managed environment and S3 bucket.
+ SAP data can be extracted from a RISE environment (see [Architecture Options for extracting SAP Data with AWS Services](https://aws.amazon.com/blogs/awsforsap/architecture-options-for-extracting-sap-data-with-aws-services/)) to a customer-managed S3 bucket, to enable advanced analytics, machine learning, and business intelligence using other AWS services such as Amazon Athena, AWS Glue, and Amazon SageMaker.
+ Certain industries and regulations, such as GDPR, HIPAA, or PCI-DSS, may require long-term storage and preservation of sensitive data. Exporting this data to a customer-managed S3 bucket can help meet these compliance requirements, as S3 provides robust security and durability features.
+ Customers can also export security event logs from their RISE environment and ingest them into their own S3 buckets or SIEM systems.

Below is an example architecture of Amazon Macie continuously scanning an S3 bucket with SAP data extracted from RISE.

![\[Amazon Macie continuously scanning an S3 bucket with SAP data extracted from RISE\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-macie.png)


In the diagram above:

1. Data is written to an S3 bucket for data lake or compliance reporting purposes.

1. Amazon Macie continuously analyzes the bucket to detect Personally Identifiable Information (PII).

For instructions to configure Amazon Macie, see [What is Amazon Macie?](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html).

# Amazon GuardDuty
<a name="guardduty"></a>

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behaviour within an AWS environment. It combines machine learning, anomaly detection, and integrated threat intelligence to identify potential threats and protect the AWS accounts, workloads, and data linked to RISE with SAP environments.

Amazon GuardDuty monitors the following:
+ AWS CloudTrail logs. Amazon GuardDuty monitors API activity across the AWS account to detect suspicious API calls, unauthorized deployments, and unauthorized access attempts to resources. It identifies attempts to access AWS services from unauthorized IP addresses or regions, and detects unusual behaviour by Identity and Access Management (IAM) users, roles, and policies, such as privilege escalation.
+ VPC Flow Logs. Amazon GuardDuty analyses network traffic within a Virtual Private Cloud (VPC) to detect unexpected traffic patterns, data exfiltration attempts, or unauthorized access, and identifies communications between AWS resources and known malicious IP addresses or domains. In the context of RISE with SAP on AWS, the inspection takes place on a VPC fronting the SAP-managed RISE account.
+ DNS logs. Amazon GuardDuty monitors DNS queries made by AWS resources to detect attempts to connect to malicious domains or unusual DNS request patterns. It also detects the use of Domain Generation Algorithms (DGA) to generate domain names associated with command and control servers.

In the context of RISE with SAP, Amazon GuardDuty can be leveraged for the following:
+ Intrusion Detection. GuardDuty enables early detection of intrusion attempts into a RISE environment fronted by a customer-managed AWS account by identifying malicious activities such as unauthorized API calls, network reconnaissance, and access attempts from known malicious IP addresses.
+ Compliance Validation. For organizations with stringent compliance requirements, GuardDuty helps ensure adherence by continuously monitoring for policy violations and unauthorized access attempts, providing detailed logs and reports for audit purposes. This can be achieved when the SAP RISE environment is accessed from a customer-managed AWS account. See [Compliance Validation](https://docs.aws.amazon.com/guardduty/latest/ug/compliance-validation.html) for more details.
+ Automated Incident Response. GuardDuty can be integrated with AWS Lambda and AWS Security Hub to automate incident response workflows. Upon detecting a threat, these services can trigger automated remediation actions, such as isolating compromised resources or notifying security teams.

Below is an example architecture of GuardDuty monitoring CloudTrail trails of a RISE with SAP deployment on AWS.

![\[GuardDuty monitoring CloudTrail trails of a RISE with SAP deployment\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-guardduty.png)


In the diagram above:

1. Data is written to an S3 bucket for data lake or compliance reporting purposes.

1. A malicious actor changes IAM rules and permissions on the S3 bucket to obtain access.

1. The IAM changes are recorded by AWS CloudTrail.

1. GuardDuty detects the suspicious activity and alerts administrators.

Below is an example architecture of GuardDuty monitoring DNS logs of a RISE with SAP deployment on AWS.

![\[GuardDuty monitoring DNS logs of a RISE with SAP deployment\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-guardduty-dnslogs.png)


In the diagram above:

1. A malicious actor introduces rogue DNS entries that redirect users to makeshift SAP systems.

1. The rogue DNS entries are detected by GuardDuty and reported to administrators.

Below is an example architecture of GuardDuty monitoring VPC Flow Logs of the RISE with SAP VPC.

![\[GuardDuty monitoring VPC Flow Logs of RISE with SAP VPC\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-guardduty-vpcflowlogs.png)


In the diagram above:

1. A malicious actor attempts to access SAP systems, or scans ports, from a customer-managed VPC peered with the RISE VPC.

1. The connection attempt from the malicious actor's IP address is logged in VPC Flow Logs.

1. The suspicious connection attempt is detected by Amazon GuardDuty and reported to administrators.
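As an added example (not from the AWS documentation), the Python below is the triage step of the automated incident response this section mentions: it takes the EventBridge event that carries a GuardDuty finding, recognizes which of the three diagram scenarios above it matches from the finding's action type and resource, and returns the actions to take in the customer-managed account. The finding types are real GuardDuty types; account ID, instance IDs, bucket name, IP addresses and domain are constructed, and the plan is returned for a downstream step to execute rather than applied here.

```python
"""Triage GuardDuty findings delivered by EventBridge into a response plan for the customer-managed side."""


def severity_label(score):
    """Map GuardDuty's numeric severity onto its documented bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def actor_from_action(action):
    """Pull the remote party (IP or domain) out of whichever action shape the finding carries."""
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        return action["networkConnectionAction"].get("remoteIpDetails", {}).get("ipAddressV4")
    if kind == "PORT_PROBE":
        probes = action["portProbeAction"].get("portProbeDetails", [])
        return probes[0].get("remoteIpDetails", {}).get("ipAddressV4") if probes else None
    if kind == "AWS_API_CALL":
        return action["awsApiCallAction"].get("remoteIpDetails", {}).get("ipAddressV4")
    if kind == "DNS_REQUEST":
        return action["dnsRequestAction"].get("domain")
    return None


def triage(event):
    """Classify one EventBridge event into the diagram scenario it matches and the steps for our account.
    Customer automation cannot change the SAP-managed RISE account, so SAP-side items become a support ticket."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    resource = finding.get("resource", {})
    plan = {"finding_type": finding["type"], "severity": severity_label(finding["severity"]),
            "actor": actor_from_action(action), "resource_type": resource.get("resourceType"),
            "scenario": "other", "actions": []}
    if kind == "AWS_API_CALL" and plan["resource_type"] in ("AccessKey", "S3Bucket"):
        # Diagram 1: IAM or bucket-policy changes on the bucket fed by RISE, seen through CloudTrail
        plan["scenario"] = "iam-or-s3-policy-change"
        api = action["awsApiCallAction"].get("api")
        plan["actions"].append(f"review CloudTrail history for {api} and its calling principal")
        if plan["resource_type"] == "S3Bucket":
            names = [b.get("name") for b in resource.get("s3BucketDetails", [])]
            plan["actions"].append(f"restore Block Public Access and the bucket policy baseline on {names}")
        else:
            user = resource.get("accessKeyDetails", {}).get("userName")
            plan["actions"].append(f"deactivate and rotate the access key of {user}")
    elif kind == "DNS_REQUEST":
        # Diagram 2: rogue or DGA-generated domains that would steer users to look-alike SAP systems
        plan["scenario"] = "rogue-dns-or-c2-domain"
        plan["actions"] += [f"block {plan['actor']} in Route 53 Resolver DNS Firewall",
                            "compare the source instance's resolver and hosts settings with the baseline"]
    elif kind in ("NETWORK_CONNECTION", "PORT_PROBE"):
        # Diagram 3: scans or access attempts from a customer VPC peered with the RISE VPC
        plan["scenario"] = "network-reconnaissance"
        plan["actions"] += [f"deny {plan['actor']} in the peered VPC's security groups and NACLs",
                            "open a RISE support ticket so SAP checks the targeted SAP systems"]
    if plan["severity"] in ("HIGH", "CRITICAL"):
        plan["actions"].insert(0, "page the on-call responder and open an Amazon Detective investigation")
    return plan


def lambda_handler(event, context):
    """EventBridge -> Lambda entry point; the returned plan drives the downstream remediation step."""
    return triage(event)


def sample_event(finding_type, severity, resource, action):
    """Constructed EventBridge envelope (not a real finding) in the shape GuardDuty emits."""
    return {"version": "0", "id": "00000000-0000-0000-0000-000000000000", "detail-type": "GuardDuty Finding",
            "source": "aws.guardduty", "account": "111122223333", "region": "eu-central-1",
            "detail": {"type": finding_type, "severity": severity, "resource": resource,
                       "service": {"action": action}}}


SAMPLE_EVENTS = [
    sample_event("Policy:S3/BucketBlockPublicAccessDisabled", 7.0,  # diagram 1
                 {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "sap-extracts-example"}]},
                 {"actionType": "AWS_API_CALL", "awsApiCallAction": {"api": "DeletePublicAccessBlock",
                  "serviceName": "s3.amazonaws.com", "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}),
    sample_event("Trojan:EC2/DGADomainRequest.B", 8.0,  # diagram 2
                 {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
                 {"actionType": "DNS_REQUEST", "dnsRequestAction": {"domain": "xk3jd9q.example", "protocol": "UDP"}}),
    sample_event("Recon:EC2/Portscan", 5.0,  # diagram 3
                 {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abcdef1234567890"}},
                 {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"connectionDirection": "INBOUND",
                  "remoteIpDetails": {"ipAddressV4": "10.20.0.55"}, "localPortDetails": {"port": 3200}}}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        plan = triage(ev)
        print(plan["scenario"], "->", plan["actions"])
```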

For instructions to configure Amazon GuardDuty, see [Getting Started](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html).

# Security Hub, Detective, Audit Manager and EventBridge
<a name="securityhub"></a>

Building on the implementation of GuardDuty and Amazon Macie, AWS Security Hub acts as a central hub, consolidating and prioritizing security findings from AWS security services. AWS Security Hub provides a unified view of the security posture across the services surrounding a RISE with SAP deployment, allowing you to quickly identify and address security issues.

To further strengthen investigation and incident response capabilities, Amazon Detective analyses security incidents by gathering and processing relevant log data from AWS resources. This service helps you quickly identify the root cause of issues, enabling you to take appropriate actions to mitigate the impact.

Maintaining compliance is also a critical aspect of securing a RISE with SAP environment. AWS Audit Manager automates the assessment of AWS resources against industry standards and regulations, helping demonstrate compliance and reduce the risk of non-compliance.

Finally, Amazon EventBridge enables real-time response to security events by triggering custom automated workflows and remediation actions. This service allows you to quickly and efficiently address security incidents, minimizing the potential impact on the RISE with SAP deployment.

Below is an example architecture of AWS Security Hub, Amazon Detective, AWS Audit Manager, and Amazon EventBridge paired with RISE with SAP.

![\[Security Hub\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-securityhub.png)


# Using All AWS Security Services
<a name="allawssecurity"></a>

Combining all the services described above allows for an architecture that monitors multiple areas of a RISE on AWS deployment: network traffic, DNS logs, CloudTrail API activity, and sensitive information in extracted SAP data. Amazon GuardDuty and AWS Security Hub are fed from multiple services and use AI/ML intelligence to detect malicious activities and anomalies. Findings are passed to Amazon Detective for deeper root cause analysis or sent to Amazon EventBridge for custom reporting and alerting.

Below is an example architecture of GuardDuty, AWS Network Firewall, Amazon Macie, AWS Security Hub, and Amazon Detective combined to improve the security posture of a RISE with SAP on AWS deployment.

![\[GuardDuty\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-allawssecurity.png)


# Integrating SAP Data Custodian KMS with AWS KMS
<a name="aws-kms"></a>

SAP Data Custodian Key Management Service enables customer-managed encryption keys for data stored in SAP services. Please note that SAP Data Custodian Key Management Service is not the same as AWS Key Management Service (KMS).

Using AWS KMS as the keystore in the [HYOK (Hold Your Own Key) scenario](https://help.sap.com/docs/sap-data-custodian/key-management-service/amazon-web-services-hyok?locale=en-US), SAP Data Custodian Key Management Service provides a consistent and centralized approach to key management, especially if AWS KMS is already employed for other AWS workloads. This enables seamless integration, streamlined key lifecycle management, and enhanced security through the robust encryption and access control mechanisms of AWS.

This integration allows customers to manage and control the encryption keys used to protect their sensitive data, ensuring greater security and compliance. SAP Data Custodian Key Management Service can be interfaced with AWS KMS in the HYOK (Hold Your Own Key) scenario with the following supported key types:


| Area | AWS KMS (HYOK Scenario) | Supported Key Types and Key Sizes |
| --- | --- | --- |
| Key Management | Key is created and stored in AWS KMS keystore | AES (256), RSA (3072, 4096) |

Below is the SAP KMS integration with AWS KMS (HYOK).

![\[The SAP KMS integration with KMS - BYOK\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-security-hyok.png)


In the diagram above:
+ Key is created in AWS KMS keystore
+ Key is stored in AWS KMS and retrieved by SAP KMS when required
+ SAP KMS encrypts SAP data at application level

# How AWS Nitro helps secure RISE with SAP?
<a name="aws-nitro"></a>

 AWS Nitro System is the underlying technology used for [Amazon Elastic Compute Cloud](https://aws.amazon.com/ec2/) (Amazon EC2) instances in RISE with SAP. AWS Nitro System offers a unique set of capabilities that support the most sensitive workloads in a multi-tenanted, hyper-scale cloud environment.

A traditional virtualization architecture consists of a "hypervisor" or "Virtual Machine Monitor (VMM)" and what is commonly known as ["Dom0"](https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/traditional-virtualization-primer.html#:~:text=Xen%20Project%20calls%20the%20system%E2%80%99s%20dom0) in the Xen project or the ["parent partition"](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-architecture) in Hyper-V. More details on traditional virtualization architecture are available [here](https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/traditional-virtualization-primer.html).

In the Nitro System virtualization architecture, the management or control domain components (with privileged access to the hardware and device drivers) are split into independent, purpose-built service processor units (SoC - System on Chip) known as Nitro Cards. While the "hypervisor" layer remains, its design has been minimized to include only those services and features that are strictly necessary for its task. Additionally, a "Nitro Security Chip" is introduced to enhance security while ensuring there is no performance overhead.

Below is the Nitro high-level architecture.

![\[Nitro High Level Architecture\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-nitro-1.png)


The resulting Nitro System has been divided into the following components:

 **Nitro Cards** 

Nitro Controller - This is the sole outward-facing management interface between the physical server and the control planes for EC2, Amazon EBS, and Amazon VPC. It is implemented as passive API endpoints where each action is logged and all attempts to call an API are cryptographically authenticated and authorized using a fine-grained access control model. The Nitro Controller also provides the hardware root of trust for the overall system and is responsible for managing all other components of the server system, including the firmware loaded in the system. Firmware for the system is stored on an encrypted SSD that is attached directly to the Nitro Controller. The encryption key for the SSD is designed to be protected by the combination of a Trusted Platform Module (TPM) and the secure boot features of the SoC.

Nitro Cards purpose-built for specific functions:

Networking - The newer generation of Nitro Cards for VPC transparently encrypts all VPC traffic to other EC2 instances running on hosts that are also equipped with encryption-compatible Nitro Cards. It uses Authenticated Encryption with Associated Data (AEAD) algorithms with 256-bit encryption. In RISE with SAP, different families of compute instances are selected depending on the customer's requirements. While AWS provides secure and private connectivity between EC2 instances of all types, in-transit traffic encryption is available between the later-generation instances only. Check whether your RISE with SAP instances support this feature [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit).

EBS (SSD) storage - The Nitro Card for EBS provides encryption of remote EBS volumes without any practical impact on their performance.

Local instance storage (ephemeral) - Similar to the Nitro Card for EBS, the Nitro Card for instance storage provides encryption of local instance storage. Not all EC2 instances have local instance storage; this depends on the instance types chosen for your RISE with SAP workloads. Details can be found [here](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-instance-type-specifications.html).

The encryption keys used for VPC, EBS and Instance Storage are only ever present on the system in plaintext within the protected memory of a Nitro Card.

 **Nitro Security Chip** 

While the Nitro Controller and the other Nitro Cards operate as one domain, the system main board on which SAP workloads run makes up the second domain. The Nitro Controller and its secure boot process provide the hardware root of trust between the Nitro System components; the Nitro Security Chip extends that trust and control to the system main board. It is the link between the two domains: it makes the main board a subordinate component under the control of the Nitro Controller, thereby extending the Nitro Controller's chain of trust to cover it. To maintain the root of trust, all write access to non-volatile storage is blocked in hardware.

The following diagram shows Nitro blocking write access to non-volatile storage.

![\[Nitro blocked write access to non-volatile storage\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-nitro-2.png)


 **Nitro Hypervisor** 

Unlike traditional hypervisors, the Nitro Hypervisor is not a general-purpose system and has neither a shell nor any type of interactive access mode. Key exclusions that enhance its security posture are a networking stack, general-purpose file system implementations, peripheral driver support, an SSH server, and a shell. The primary functions of the Nitro Hypervisor are restricted to:

1. Receive virtual machine management commands (start, stop and so on) sent from Nitro Controller

1. Partition memory and CPU resources by utilizing hardware virtualization features of the server processor

1. Assign SR-IOV virtual functions provided by Nitro hardware interfaces (NVMe block storage for EBS and instance storage, Elastic Network Adapter [ENA] for network, and so on) through PCIe to the appropriate VM

This simplicity of the Nitro Hypervisor is a significant security benefit compared to conventional hypervisors.

 **Key Benefits of AWS Nitro System** 
+ Nitro chips offload virtualization tasks from the main CPUs, reducing the attack surface and improving overall system security.
+ AWS personnel do not have access to Your Content on AWS Nitro System EC2 instances. There are no technical means or APIs available to AWS personnel to access your content on an AWS Nitro System EC2 instance or on an encrypted EBS volume attached to an AWS Nitro System EC2 instance. Access to AWS Nitro System EC2 instance APIs, which enable AWS personnel to operate the system without access to your content, is always logged and requires authentication and authorization. Please find more information [here](https://aws.amazon.com/service-terms/).
+ Tenancy protection and prevention of side channel attacks - The Nitro Hypervisor is directed by the Nitro Controller to allocate the full complement of physical cores and memory for the instance. These hardware resources are "pinned" to that particular instance. The CPU cores are not used to run other customer workloads, nor are any instance memory pages shared in any fashion across instances. No sharing of CPU cores means that instances never share CPU core-specific resources, including Level 1 or Level 2 caches thereby providing strong mitigation against side channel attacks. Please find more information [here](https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/the-ec2-approach-to-preventing-side-channels.html).
+ The Nitro architecture allows for secure boot and runtime integrity verification, ensuring the AWS infrastructure is running in a trusted and verified state.
+ Both the Nitro Card firmware and the hypervisor are designed to be live-updatable (zero downtime for customer instances). This eliminates the need for carefully balanced trade-offs around updates, yielding an improved security posture. Please find more information [here](https://d1.awsstatic.com/events/Summits/awsreinforce2023/DAP401_Security-design-of-the-AWS-Nitro-System.pdf).
+ Data encryption for both data at rest and in transit using hardware offload engines with secure key storage integrated in the SoC.

# Amazon WorkSpaces as remote access solution
<a name="rise-workspaces"></a>

Using [Amazon WorkSpaces](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html) provides a secure, scalable, and managed virtual desktop environment for accessing SAP systems. This virtual desktop can be used as a centrally managed hosting platform for SAP end user software such as SAPGUI and be connected to your SAP S/4HANA environment in RISE with SAP.

 [Amazon WorkSpaces Personal](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html#personal-pools) offers persistent virtual desktops, tailored for users who need a highly-personalized desktop provisioned for their exclusive use, similar to a physical desktop computer assigned to an individual.

 [Amazon WorkSpaces Pool](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html#personal-pools) offers non-persistent virtual desktops, tailored for users who need access to highly-curated desktop environments hosted on ephemeral infrastructure.

The following image shows the use of Amazon WorkSpaces as remote access solution for RISE with SAP.

![\[Amazon WorkSpaces as remote access solution for RISE with SAP\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-workspaces.png)


 **Traffic flow** 

1. The user initiates a connection to the Amazon WorkSpaces URL via a web browser or the [WorkSpaces Client](https://clients.amazonworkspaces.com/).

1. The user is authenticated through the authentication gateway within the AWS-managed VPC. When an end user logs in, the authentication gateway verifies the user against Directory Services and, once the user is authenticated, establishes a secure session for the user to access their virtual desktop. This session management ensures that the user's WorkSpace remains accessible during the active session and helps maintain session integrity and security. This part of the architecture uses Secure Sockets Layer (SSL) over TCP on port 443.

1. The connection is routed through another VPC attachment to reach the Domain Controller in a separate Amazon VPC. The Domain Controller manages permissions and access control policies for users, ensuring that users have the appropriate access to resources based on their roles and group memberships. This is typically done through directory integration (such as AWS Managed Microsoft AD or an on-premises AD connected via AWS Directory Service).

1. Transit Gateway manages the routing between VPCs and Direct Connect or VPN. AWS Direct Connect or VPN provides a secure connection from AWS to the SAP RISE environment.

1. A secure session is established between the user’s device and the SAP managed RISE VPC.

1. The streaming service gateway within the AWS managed VPC begins to stream the virtual desktop environment to the user’s device. This streaming is secured and managed within AWS infrastructure. The streaming gateway securely transmits the desktop stream over the internet to the user’s device. The user’s device now can access SAP applications like SAP S/4 hosted in the RISE environment through SAP end user software such as SAPGUI.

1. Amazon WorkSpaces allows you to access the following 2 types of WorkSpaces, depending on your organization and user needs

    **WorkSpaces Pool**, in a pooled configuration, WorkSpaces are dynamically assigned to users from a shared pool. When a user logs in, they may not always connect to the same machine, and changes such as installed applications or user configurations are generally not persistent between sessions

    **WorkSpaces Personal**, in this configuration, each user is assigned their own dedicated virtual desktop, where they can install applications, save files, and have their settings and data persist between sessions.
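The traffic flow above is only as tight as the security group on the WorkSpaces subnets, which is what decides whether a WorkSpace can reach anything in the RISE VPC beyond the SAP front-end ports. The following Python script is an added example, not code from this documentation or from Amazon WorkSpaces: it audits a set of egress rules, in the `IpPermissionsEgress` layout that `aws ec2 describe-security-groups` returns, against the SAP ports derived from the instance number (dispatcher 32NN, gateway 33NN, message server 36NN, ICM HTTPS 443NN). The RISE VPC CIDR, the instance number and the rule set are constructed for illustration; rules that do not reach the RISE VPC at all (for example directory traffic) are deliberately left out of scope.

```python
"""Audit the egress rules of the security group attached to the WorkSpaces
subnets so that a WorkSpace can reach only the SAP ports inside the
SAP managed RISE VPC.

Added example, not part of the AWS documentation or of Amazon WorkSpaces.
Rule dictionaries use the IpPermissionsEgress shape returned by
`aws ec2 describe-security-groups`; the CIDRs, instance number and rules
are constructed for illustration.
"""
import ipaddress

# SAP NetWeaver / S/4HANA port conventions, where NN is the two-digit
# instance number: dispatcher 32NN (SAPGUI/DIAG), gateway 33NN (RFC),
# message server 36NN, ICM HTTPS 443NN (Fiori).
SAP_PORT_BASES = {
    "dispatcher (SAPGUI)": 3200,
    "gateway (RFC)": 3300,
    "message server": 3600,
    "ICM HTTPS (Fiori)": 44300,
}

RISE_VPC_CIDR = "10.200.0.0/16"   # constructed: SAP managed RISE VPC range
SAP_INSTANCE = 0                  # constructed: S/4HANA instance number 00


def sap_ports(instance_number):
    """Map each SAP service port for the given instance number (0-99) to its role."""
    if not 0 <= instance_number <= 99:
        raise ValueError("SAP instance number must be between 00 and 99")
    return {base + instance_number: role for role, base in SAP_PORT_BASES.items()}


def audit_egress(rules, rise_cidr, allowed_ports):
    """Return one finding per IPv4 destination that is broader than
    'TCP to an allowed SAP port inside the RISE VPC CIDR'.

    Only IpRanges (IPv4 CIDRs) are inspected; Ipv6Ranges, PrefixListIds and
    UserIdGroupPairs would need the same treatment in a full audit. Rules whose
    destination does not overlap the RISE VPC (directory, DNS, ...) are skipped.
    """
    rise_net = ipaddress.ip_network(rise_cidr)
    findings = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        what = "all traffic" if proto == "-1" else f"{proto} {lo}-{hi}"
        for dest in rule.get("IpRanges", []):
            cidr = dest["CidrIp"]
            net = ipaddress.ip_network(cidr)
            if net.version != rise_net.version or not net.overlaps(rise_net):
                continue  # cannot reach the RISE VPC: out of scope for this check
            if not net.subnet_of(rise_net):
                # e.g. the default 0.0.0.0/0 rule, or a 10.0.0.0/8 catch-all
                findings.append(f"{cidr} ({what}): wider than the RISE VPC {rise_cidr}")
            elif proto == "-1":
                findings.append(f"{cidr} ({what}): all protocols and ports allowed")
            elif proto != "tcp":
                findings.append(f"{cidr} ({what}): SAP front-end traffic needs TCP only")
            else:
                extra = [p for p in range(lo, hi + 1) if p not in allowed_ports]
                if extra:
                    findings.append(f"{cidr} ({what}): includes non-SAP ports, first {extra[0]}")
    return findings


# Constructed sample: the dispatcher rule someone widened to a whole range,
# the default allow-all egress rule nobody removed, and a directory rule
# (SMB to the directory VPC) that is unrelated to RISE.
SAMPLE_EGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3200,
     "IpRanges": [{"CidrIp": "10.200.10.0/24"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3399,
     "IpRanges": [{"CidrIp": "10.200.10.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
     "IpRanges": [{"CidrIp": "10.100.0.0/24"}]},
]


def audit_sample():
    """Run the audit over the constructed rule set."""
    return audit_egress(SAMPLE_EGRESS_RULES, RISE_VPC_CIDR, sap_ports(SAP_INSTANCE))


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

Against the constructed rules the script reports the `0.0.0.0/0` allow-all rule and the 3200-3399 range (which admits every dispatcher and gateway port of every instance, not just instance 00), and says nothing about the directory rule. Feed it the real `IpPermissionsEgress` list of your WorkSpaces security group, with the RISE VPC CIDR and instance numbers SAP gave you, to get the same verdict for your deployment.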

 **Set up Amazon WorkSpaces for SAP RISE Access** 

1. To set up Amazon WorkSpaces for connecting to SAP RISE, follow [Get started with WorkSpaces](https://docs.aws.amazon.com/workspaces/latest/adminguide/getting-started.html).

1. For more information about integrating Amazon WorkSpaces with SAP Single Sign-On, see [How to integrate Amazon WorkSpaces with SAP Single Sign-On](https://aws.amazon.com/blogs/awsforsap/how-to-integrate-amazon-workspaces-with-sap-single-sign-on/).

1.  [Install SAPGUI on your WorkSpaces from SAP Software download](https://help.sap.com/doc/2e5792a2569b403da415080f35f8bbf6/770.00/en-US/sap_frontend_inst_guide.pdf) 

1.  [Connect to SAP system via the SAPGUI client](https://help.sap.com/doc/saphelp_em92/9.2/en-US/4e/1260dd1e3d2287e10000000a15822b/content.htm) in WorkSpaces using your SAP System details

 **Amazon WorkSpaces Operational Best Practices** 

1. Monitoring: Use [Amazon CloudWatch to monitor the performance and health of your WorkSpaces](https://docs.aws.amazon.com/workspaces/latest/adminguide/cloudwatch-metrics.html).

1. Backup and Recovery: Ensure that critical data on your WorkSpaces is backed up and that you have a [recovery plan in place](https://docs.aws.amazon.com/workspaces/latest/adminguide/restore-workspace.html).

1. Updates and Maintenance: Regularly update the operating system and the software on your WorkSpaces, including SAPGUI, to stay secure and compliant. [By default, Windows WorkSpaces are updated automatically every week during the maintenance window](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspace-maintenance.html).

1. Optimizing Performance

   Scaling and Performance Tuning: You can switch a WorkSpace between compute types such as Value, Standard, Performance, Power and PowerPro as user needs change.

1. Cost Management

   WorkSpaces Bundles: Consider purchasing virtual desktop bundles that include the end user software you need. For plain SAPGUI access, the Value bundle is generally the least expensive choice. See the [AWS WorkSpaces Pricing page](https://aws.amazon.com/workspaces-family/workspaces/pricing/) for details.

   Monitoring Usage: Use AWS Cost Explorer and AWS Budgets to monitor and manage costs.

   For non-persistent, secure desktop access, consider WorkSpaces Pools as a highly cost-effective option.

By following these steps, you can set up Amazon WorkSpaces as an effective remote access solution for RISE with SAP systems, ensuring secure, scalable, and efficient operations.

 **WorkSpaces Benefits to RISE** 

Using Amazon WorkSpaces as a remote access solution in a RISE with SAP deployment offers several benefits, particularly around security, access control, and operational efficiency. Here are the key benefits of this approach:

1.  **Enhanced Security and Controlled Access** 

   Isolated Environment: WorkSpaces provide an isolated environment in which access to SAP systems in a RISE deployment can be tightly controlled. This helps prevent unauthorized direct access to critical systems.

   No Direct Internet Exposure: By using WorkSpaces as the remote access solution, you can keep the SAP environment off the internet. External users and administrators must first connect to a WorkSpace, and only the WorkSpaces subnets need a network path to the SAP systems.

   Secure Protocols (PCoIP/WSP): WorkSpaces stream the desktop with PCoIP or the WorkSpaces Streaming Protocol (WSP, now named Amazon DCV); both encrypt the stream between the user's device and the streaming gateway. The SAPGUI connection from the WorkSpace to the SAP system is a separate hop and is only encrypted when Secure Network Communications (SNC) is enabled for it.

   Reduced Attack Surface: By utilizing WorkSpaces as the only point of access to SAP systems, you can reduce the attack surface by isolating SAP environments from direct access over the internet or corporate networks.

   VPC Integration: WorkSpaces can be deployed in private subnets within an Amazon Virtual Private Cloud (VPC), ensuring secure and direct connectivity to the RISE with SAP infrastructure.

    AWS Direct Connect or VPN: You can use AWS Direct Connect or VPN connections to provide a secure network path between the WorkSpaces and SAP environments, further enhancing security.

1.  **Centralized Management** 

   Unified Access Point: Amazon WorkSpaces serve as a single point of access to manage and operate the RISE with SAP environments, simplifying monitoring and control.

   Audit and Logging: AWS CloudTrail records WorkSpaces API calls (who created, rebuilt, rebooted or terminated a WorkSpace, or changed its access settings), and Amazon WorkSpaces publishes login events (WorkSpaces Access events carrying the WorkSpace ID and the client IP address) to Amazon EventBridge, from where they can be routed to CloudWatch Logs. Neither source records what the user does inside the desktop or within SAP, so pair them with Windows event log forwarding from the WorkSpaces and with the SAP Security Audit Log for end-to-end traceability.

   Integration with AWS IAM: AWS Identity and Access Management (IAM) policies control who can manage WorkSpaces through the AWS API and console (create, rebuild, terminate, change IP access control groups), so the administration plane follows least privilege. End user sign-in to the desktop is governed by the directory and, when configured, by SAML 2.0 with your IdP and multi-factor authentication, while access inside SAP is governed by SAP authorizations. Together these layers minimize the risk of unauthorized access and support compliance requirements.

1.  **Improved Operational Efficiency:** 

   On-Demand Scalability: WorkSpaces can be provisioned quickly and scaled on-demand, making it easy to provide access to administrators or developers needing to access the SAP environment without lengthy setup processes.

   Minimal Maintenance: Amazon WorkSpaces is a managed service, so the streaming infrastructure, the gateways and the underlying hosts are operated and patched by AWS, which reduces the overhead of running physical desktops or a traditional remote desktop farm. You remain responsible for the operating system and the applications inside each WorkSpace, including SAPGUI; the default maintenance window applies Windows updates automatically, and custom images and bundles let you patch once and rebuild the fleet from the result.

   Cost Efficiency: WorkSpaces can be configured to charge only when in use (hourly pricing), making it a cost-effective solution for temporary or infrequent access, especially when not in continuous operation.

   Remote Access: With WorkSpaces, administrators and users can access the SAP environment securely from any location with an internet connection. This is particularly useful for distributed teams or remote workers supporting SAP environments.

   Resilience and Availability: WorkSpaces can be integrated with AWS backup solutions and spread across multiple AWS Availability Zones (AZs), ensuring redundancy and high availability.

   Quick Recovery: In case of failure or disaster in the SAP environment, WorkSpaces provide a quick and scalable way to reconnect to alternative environments or backup systems.
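The Audit and Logging point above is only useful if someone actually reads the login records. The following Python script is an added example, not code from this documentation or from Amazon WorkSpaces: it triages login records in the layout of the WorkSpaces Access event that Amazon WorkSpaces publishes to Amazon EventBridge (source `aws.workspaces`, detail-type `WorkSpaces Access`), flagging logins from client IP addresses outside the corporate ranges that the IP access control group is supposed to admit, and logins outside the expected working hours. The trusted CIDRs, the business hours and the events themselves are constructed; the field names follow the documented event.

```python
"""Triage WorkSpaces login events for clients that should never have been
admitted and for logins outside the expected working hours.

Added example, not part of the AWS documentation or of Amazon WorkSpaces.
The event layout follows the "WorkSpaces Access" event that Amazon WorkSpaces
publishes to Amazon EventBridge (source aws.workspaces); the trusted ranges,
the hours and the events themselves are constructed.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed: corporate egress ranges, i.e. what the IP access control group allows.
TRUSTED_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]
# Constructed: hours (UTC) during which SAP end users are expected to sign in.
BUSINESS_HOURS_UTC = range(6, 20)


def _event(client_ip, login_time):
    """Build one constructed event in the WorkSpaces Access layout (IDs are placeholders)."""
    return json.dumps({
        "version": "0",
        "detail-type": "WorkSpaces Access",
        "source": "aws.workspaces",
        "account": "111122223333",
        "time": login_time,
        "region": "eu-central-1",
        "resources": [],
        "detail": {
            "clientIpAddress": client_ip,
            "actionType": "userLogin",
            "workspacesClientProductName": "WorkSpacesWebClient",
            "loginTime": login_time,
            "clientPlatform": "Windows",
            "directoryId": "domain/d-example01",
            "clientVersion": "5.0.0.1139",
            "workspaceId": "ws-example01",
            "clientTimezone": "Europe/Berlin",
        },
    })


# Constructed sample records, as they would arrive from an EventBridge rule.
SAMPLE_EVENTS = [
    _event("198.51.100.17", "2024-03-04T09:12:41.000Z"),   # trusted range, working hours
    _event("192.0.2.44", "2024-03-04T10:03:15.117Z"),      # outside the trusted ranges
    _event("203.0.113.9", "2024-03-05T02:30:07.552Z"),     # trusted range, 02:30 UTC
]


def triage_event(raw, trusted_cidrs=TRUSTED_CIDRS, hours=BUSINESS_HOURS_UTC):
    """Return {"workspaceId", "clientIp", "loginTime", "reasons"} for a WorkSpaces
    login event, or None if the record is not a WorkSpaces login at all."""
    event = json.loads(raw)
    if event.get("source") != "aws.workspaces" or event.get("detail-type") != "WorkSpaces Access":
        return None
    detail = event["detail"]
    if detail.get("actionType") != "userLogin":
        return None
    reasons = []
    client_ip = ipaddress.ip_address(detail["clientIpAddress"])
    # Mismatched address families (IPv6 client, IPv4 ranges) simply do not match.
    if not any(client_ip in ipaddress.ip_network(cidr) for cidr in trusted_cidrs):
        reasons.append(f"client IP {client_ip} is outside the trusted ranges")
    login = datetime.strptime(detail["loginTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
    login = login.replace(tzinfo=timezone.utc)
    if login.hour not in hours:
        reasons.append(f"login at {login.strftime('%H:%M')} UTC is outside business hours")
    return {"workspaceId": detail["workspaceId"], "clientIp": str(client_ip),
            "loginTime": login.isoformat(), "reasons": reasons}


def suspicious_logins(raw_events, **kwargs):
    """Keep only the login events that raised at least one reason."""
    results = (triage_event(raw, **kwargs) for raw in raw_events)
    return [result for result in results if result and result["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_EVENTS):
        print(hit["workspaceId"], hit["clientIp"], hit["loginTime"], "; ".join(hit["reasons"]))
```

A login from outside the trusted ranges should not be possible while the IP access control group is attached to the directory, so the first finding doubles as a check that the group is still in place; the off-hours finding is a prompt for an analyst, not a verdict, and the hours should be set per user population rather than globally.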