Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
jaskisin
Participant
859
This is in continuation of my previous Article Compliance Check of SAP Systems Using AWS Config – Part II

4.2 Compliance Check for SAP Instance


4.2.1 Creation of SAP Secrets


We need to store the username and password for the user which will be used to access SAP and fetch the required data. To fulfill the requirement, we will be using AWS Secrets Manager to store the credentials which will be used by Lambda to access SAP. To do the same we need to go to Secrets manager and click on Store a new secret


Now we need to specify the secret type which we need to store


We also need to specify the User and password which we need to store and click Next


Specify the Name of the secret by which we need to store


We also specify other optional values to store the secret and click on Next


Specify the automatic rotation configuration if required and click Next


Review the settings for the secret creation


In same window AWS provide the different codes using which we can access the secrets for executions


Now our SAP Secret is ready to use

4.2.2 Setup of Table in DynamoDB


We also need to store the information about SAP System such as hostname, SID, System No etc... using which we can access the SAP system and fetch out the data that we require for the compliance check.

4.2.2.1 Creating Table


To create the table, we need to go to Amazon DynamoDB and click on Create Table


Specify the name of the table and partition key if any for the table which we need to create to stop SAP Instance information


Specify the settings for the table, cost may vary as per the chosen setting for the table


Specify any secondary index which needs to be created and encryption options. Since our table is not that much big hence, we chose default options and click on Create Table


Creation of table in DynamoDB has been started


Below screen will appear once the table has been created successfully



4.2.2.2 Creating Records in Table


As table has been created, now we need to create the records with the information of each SAP Instance. To do the same go to Table which has been created in above step and click on Create Item under Items tab


Create the attributes and fill up the details as follow and click on Create Item


We need to add all records with the information of instance we have on AWS, we can use Copy Item feature of create similar records and click on Create Item


After adding all the SAP Instance items, we can see the list of those items in the table


Table is now ready for Lambda to use.

4.2.3 Setting Up of Lambda


Lambda offers a lot of coding languages out of which we can use any of the language to which we are comfortable. Lambda supports C#/PowerShell, Go, Java, Nodejs, Python and Ruby. Here we are using Python module to perform all the operations inside the Function as we are more familiar with this language. We can choose any of the language to perform the operations.

4.2.3.1 Creating Lambda Layer


A Lambda layer is a .zip file archive that contains additional code or data. This layer contains libraries, a custom runtime, data, or configuration file. Layers promote code sharing and separation of responsibilities so that we can iterate faster on writing business logic.

We need to create Layer according to the method we choose to fetch details from SAP system, such as if we are going to access SAP from OS level then we may need to consider creating Layer for the Packages which support SSH/RDP such as Paramiko. Here we are using SOAP calls to fetch compliance data from SAP system. To do the SOAP calls we must have SOAP modules using which we can iterate the requests to the SAP System. So, we are using SUDS package which contains the supporting SOAP modules. Suds is a lightweight SOAP python client for consuming Web Services. More details can be seen in this GitHub repository.

We have created a package of suds and make a zip file with name suds.zip which has following contents


AWS also provided this documentation which contains the information of how we can create this zip

So, we need to create a Lambda Layer and import his suds zip. To do so, go to Lambda à Layers and then click on Create layer


Specify the Name of the Layer and upload the zip file by clicking Upload Button and then select compatible runtime. We are selecting Python 3.6 as we have created this package using python 3.6 and then click on Create


After creation of layer we can see that in Layers list


Now we can use this Lambda layer in any of the Lambda Function to perform SOAP calls.

4.2.3.2 Creating Lambda Function


We need to create a Lambda Function so that it can connect to SAP and fetch relevant data for checking the compliance. To create the Lambda Function, we need to go to Lambda → Function and then Click on Create Function


Now we need to specify the function creation option as we are creating our own custom Lambda function hence, we chose option Author from Scratch and then we need to provide basic information on Function name and runtime on which we will use to right our function


Now we need to specify the execution role for the lambda, which will be used only during the execution of the lambda function


We also need to specify the network security details about VPC and NSG with will be used during the Lambda execution


We can click on Create Function after checking the inbound and outbound rule


It will take some time to create the function with the specified network options we have provided


We will get a message once the lambda function is created and ready for further actions


Once Lambda function is created then we need to add the above created Layer to the Lambda Function, to do so, click on Layers under Function Overview Tab


Then click on Add layer


We need to specify the layer details that we have created earlier and click on Add


We can see that Layer has been added to the Lambda Function


Now we need to write the Python code which will first fetch all the details about the SAP Instance from DynamoDB and fetch SAP credentials from Secrets Manager and do a SOAP call to SAP using the same.


Here we have used json module which will be used to manipulate/read the json formatted texts, we are also using boto3 which is AWS SDK for python we can find more details about boto3 in this AWS document. In this code, we need to write the code in accordance with the requirement for the compliance data.

For after fetching the data we need to send that data backup to AWS Config. AWS Config has provided this API documentation by which we can provide data to AWS Config for Evaluation.

To check if we did the perfect settings in Lambda Function, we can invoke the below test event for testing


We can ignore the exception InvalidResultTokenException with text Result Token provided is invalid as Result Token can only be granted when this Lambda function is invoked by the AWS Config.


Now our Lambda Function is ready for AWS Config to execute.

This is end of Part – III, in next part Compliance Check of SAP Systems Using AWS Config – Part IV of this article you can find more information about AWS Config Rules, Notification using EventBridge and Troubleshooting Logs.
2 Comments
Labels in this area