- SAP Managed Tags:
Introduction:
Security, compliance and auditing are few of the very critical aspects for any organization to secure there SAP or Non-SAP landscape specially it is running in any Cloud Provider Datacenter.
Utilization and access to few of the user credentials are very sensitive and needs to be protected from any unauthorized access. Also whenever they need to be accessed then there must be some logging maintained somewhere so that the access can be audited in future.
In this Blog I am going to draft a process through which one can secure these credentials and it's access in AWS by utilizing services provided by AWS itself. The cost is also minimum as the AWS services which has been utilized are either free or has very less cost.
Pre-Requisite:
Procedure/Steps:
In the above one can see there are two ways to get the necessary detail:
Through LAMBDA one can track the log in CloudWatch and thus help in auditing process.
Create user and assignation of Inline Policies:
Create KMS Customer Managed Key for Data Encryption:
Create Parameter (Credentials/URLs/Sensitive Details) in Parameter Store:
Install AWS CLI and Configure to Access the Credentials:
The above is one of the way through which the SAP Admin team can get the Desired Critical Information, if they need at any point of time during there support/work.
There is another way through which one can access these detail as well and which is LAMBDA function based. This is a serverless technology where access for the execution of this function has been given to SAP Admin team and they can invoke this whenever they need the detail. The best part of this method is, all such API calls are getting registered with CloudWatch and one can utilize this during Security Auditing.
Creation of Lambda Function:
As an example I have created the following code to get the required detail through LAMBDA:
The process to create the Lambda function is shown in the following screen shot:
Now there a need to create Environment variable with the following detail in the Lambda Function:
The Value give an overview of all the value that might be possible and during execution one has to select one value (based on his requirement) by modifying the Value field and then function needs to be executed by clicking on TEST button.
The above step will create a lambda function as well as one AWS Role. That Role needs to be modified so that it has the access to KMS and Parameter Store.
Increase the Time-Out setting to at least 10-15 sec of the Lambda Function as Decryption will need some additional time.
Lambda Function Step is as follows:
Audit the CloudWatch for each execution of the LAMBDA function:
Everytime Lambda function getting executed it creates an entry in the CloudWatch
Pricing Detail:
There are several Products in the market to maintain Critical Credentials like "KeyPass". I have seen customers maintaining such details in password protected documents/excel-sheets as well.
But seeing the advantages (auditing, monitoring, maintenance and secured) and the TCO of using AWS Parameter Store, it is strongly recommended (advisable) to utilize this service from AWS to store all critical credentials and data.
Security, compliance and auditing are few of the very critical aspects for any organization to secure there SAP or Non-SAP landscape specially it is running in any Cloud Provider Datacenter.
Utilization and access to few of the user credentials are very sensitive and needs to be protected from any unauthorized access. Also whenever they need to be accessed then there must be some logging maintained somewhere so that the access can be audited in future.
In this Blog I am going to draft a process through which one can secure these credentials and it's access in AWS by utilizing services provided by AWS itself. The cost is also minimum as the AWS services which has been utilized are either free or has very less cost.
Pre-Requisite:
- Access to AWS Console with IAM, Lambda, SMS, KMS and CloudWatch access
- Basic Knowledge of how to create Roles and assigning Policies
- Basic Knowledge of Lambda
- Basic Knowledge on how to monitor the logs in CloudWatch
Procedure/Steps:
- Create two users and assign the following inline policies through IAM
- One with all admin access for LAMBDA, System Manager, Parameter Store, KMS
- Second with only limited access of LAMBDA, System Manager and KMS
- Create KMS Customer Managed key for Data Encryption
- Create Parameter (SAP Credentials, URL and Database Credentials) in Parameter Store using KMS key to encrypt the detail
- Install AWS CLI on local desktop or Bastion Host and configure it for AWS access
- Use the User with limited access to the service System Manager and KMS to configure AWS CLI and access the detail through CLI commands
- Create LAMBDA function to access the credential
- Execute LAMBDA function for specific values to get required details
- Audit the CloudWatch for each execution of the LAMBDA function
In the above one can see there are two ways to get the necessary detail:
- AWS CLI
- LAMBDA
Through LAMBDA one can track the log in CloudWatch and thus help in auditing process.
Create user and assignation of Inline Policies:
- Create user with following Inline Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"ssm:GetParametersByPath",
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:kms:*:*:key/*",
"arn:aws:ssm:*:*:parameter/sap*"
]
}
]
}
User which will be used in AWS CLI to access the Credentials
Now verify that the above user has no access to KMS and Parameter Store through AWS Console. The screen of verification is as follows:
No KMS Access Through AWS Console
No Parameter Store Access Through AWS Console
- Create second Lambda User with following Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionEventInvokeConfig",
"lambda:UpdateEventSourceMapping",
"kms:Decrypt",
"lambda:UpdateFunctionCodeSigningConfig",
"lambda:InvokeFunction",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:UpdateFunctionConfiguration",
"lambda:InvokeAsync",
"lambda:GetFunctionConfiguration",
"ssm:GetParameters",
"ssm:GetParameter",
"lambda:UpdateCodeSigningConfig",
"lambda:UpdateFunctionCode",
"ssm:GetParametersByPath"
],
"Resource": [
"arn:aws:lambda:*:802160044962:codesigningconfig:*",
"arn:aws:lambda:*:802160044962:event-source-mapping:*",
"arn:aws:lambda:*:802160044962:function:*",
"arn:aws:kms:*:*:key/*",
"arn:aws:ssm:*:*:parameter/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "lambda:CreateFunction",
"Resource": "arn:aws:lambda:*:802160044962:function:*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:GetAccountSettings"
],
"Resource": "*"
}
]
}
User with Lambda Function Execute Access
Verify that the above user has no additional access after login with AWS Console:
No KMS Access
No Parameter Store Access through AWS Console
Lambda Function Access through AWS Console
Create KMS Customer Managed Key for Data Encryption:
Go to KMS->Customer Managed Key->Create Key->Symmetric
KMS Customer Managed Key Creation Process
Create Parameter (Credentials/URLs/Sensitive Details) in Parameter Store:
Go to Parameter Store and Create different credentials and URL whose detail is given in the following screen shot:
Parameter Store Detail Creation
Please make sure that you plan for proper Hierarchy planned before maintaining your credential in the Parameter store. This is essential because based on this hierarchy your access through Lambda Code will be defined. Also it will give a standard approach of maintaining your credentials or URL. Please have a look into the following screen shot which will give you one such example:
Install AWS CLI and Configure to Access the Credentials:
If you are using AWS EC2 server as Bastion host and trying to access the parameters store then there is no need for fresh installation of AWS CLI as EC2 is already coming with default AWS CLI installed.
If the SAP admin team is using it's own Laptop or Desktop then they need to install this tool separately. Please follow the following link to get this tool installed:
https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-windows.html
Once AWS CLI installed then use AWS Configure command to configure your Command line to communicate with your AWS account. Here you need to ask for "Access Key ID" and "Secret access Key" of the users which has been created above by your security team. The example of the credential file (.csv) is as follows:
AWS Configure command:
Now one can access the required details using the following commands:
aws ssm get-parameters --names <name of the parameter> --with-decryption --region <region_name>
EXAMPLE: aws ssm get-parameters --names /sap/abap/ecc/dev/ddic --with-decryption --region us-east-2
Command to get Encrypted Credential One at a time
One can use the following command to get the detail of all the Credentials/URL which are available in a particular path:
aws ssm get-parameters-by-path --path <path_detail> --recursive --with-decryption --region <region_name>
EXAMPLE: aws ssm get-parameters-by-path --path /sap/ --recursive --with-decryption --region us-east-2
Getting Credentials Based on Path
The above is one of the way through which the SAP Admin team can get the Desired Critical Information, if they need at any point of time during there support/work.
There is another way through which one can access these detail as well and which is LAMBDA function based. This is a serverless technology where access for the execution of this function has been given to SAP Admin team and they can invoke this whenever they need the detail. The best part of this method is, all such API calls are getting registered with CloudWatch and one can utilize this during Security Auditing.
Creation of Lambda Function:
As an example I have created the following code to get the required detail through LAMBDA:
import json
import boto3
import os
ssm = boto3.client('ssm', region_name="us-east-2")
abap_or_java = os.environ['ABAP_OR_JAVA']
ecc_or_srm = os.environ['ECC_OR_SRM']
sap_env = os.environ['DEV_OR_UAT_OR_PRD']
sap_usr = os.environ['USER_NAME']
def lambda_handler(event, context):
user_password = ssm.get_parameters(Names=["/sap/" +abap_or_java+"/"+ecc_or_srm +"/"+sap_env +"/"+sap_usr], WithDecryption=True)
print(user_password)
return "done!"
Lambda Function
The process to create the Lambda function is shown in the following screen shot:
Lambda Function Creation
Now there a need to create Environment variable with the following detail in the Lambda Function:
Variable detail
The Value give an overview of all the value that might be possible and during execution one has to select one value (based on his requirement) by modifying the Value field and then function needs to be executed by clicking on TEST button.
The above step will create a lambda function as well as one AWS Role. That Role needs to be modified so that it has the access to KMS and Parameter Store.
Lambda Function Automatically Generated Role
Lambda Role Modification for addition of Inline Policy
Increase the Time-Out setting to at least 10-15 sec of the Lambda Function as Decryption will need some additional time.
Time Out Setting
Lambda Function Step is as follows:
Lambda Function Execution and Result
Audit the CloudWatch for each execution of the LAMBDA function:
Everytime Lambda function getting executed it creates an entry in the CloudWatch
Auditing and Monitoring
Pricing Detail:
Parameter Store Pricing Tier
Lambda Function Execution Pricing Detail
KMS Pricing Detail
There are several Products in the market to maintain Critical Credentials like "KeyPass". I have seen customers maintaining such details in password protected documents/excel-sheets as well.
But seeing the advantages (auditing, monitoring, maintenance and secured) and the TCO of using AWS Parameter Store, it is strongly recommended (advisable) to utilize this service from AWS to store all critical credentials and data.
1 Comment
| User | Count |
|---|---|
| 15 | |
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 |
