jaskisin
Participant
This is a continuation of my previous article, Compliance Check of SAP Systems Using AWS Config – Part III.

4.2.4 Adding AWS Config Rule


To make use of the Lambda environment created above, we need to create an AWS Config rule, which is responsible for triggering that Lambda function and fetching the data. To create the rule, go to Rules and click Add Rule.


We need to specify the rule type. As this is not an AWS managed rule, select Create Custom Rule and click Next.


Now specify the name of the rule and fill in the ARN of the Lambda function that AWS Config should invoke to evaluate the results.


Specify the trigger options, which define the scope of the evaluation (here we use a tag to filter the AWS resources) and the frequency with which the compliance data is evaluated.


Now specify the list of SAP parameters that the Lambda function should evaluate during execution. Here we use two of the most common security parameters, login/no_automatic_user_sapstar and gw/acl_mode, and provide the expected value for each. If the value fetched by the Lambda function does not match the value provided here, AWS Config marks the resource as Non-Compliant. Click Next to proceed.


Review all the settings and click Add Rule.


The screen below appears once the rule has been added to AWS Config.


The rule is now ready to evaluate the SAP security parameters.
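As an added example (not code from the original article or the author's Lambda), the comparison logic such a custom-rule Lambda applies to the parameters entered above: AWS Config passes the parameter names and expected values from the rule as the JSON string ruleParameters, the function compares them with the values it fetched from each SAP instance, and reports COMPLIANT or NON_COMPLIANT per resource via put_evaluations. The sample event, the fetched values and the instance ids are constructed; only the two parameter names come from the rule.

```python
import json
# Constructed sample of the event AWS Config passes to a custom-rule Lambda:
# ruleParameters (the values typed into the rule) and invokingEvent arrive
# as JSON strings and must be parsed before use.
SAMPLE_EVENT = {
    "configRuleName": "sap-security-parameters",
    "resultToken": "RESULT-TOKEN-PLACEHOLDER",
    "ruleParameters": json.dumps({"login/no_automatic_user_sapstar": "1", "gw/acl_mode": "1"}),
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2023-01-01T00:00:00.000Z"}),
}
# Constructed values standing in for what the Lambda fetched from two SAP
# instances (keyed by EC2 instance id); i-0bbb still allows automatic SAP* login.
SAMPLE_FETCHED = {
    "i-0aaa": {"login/no_automatic_user_sapstar": "1", "gw/acl_mode": "1"},
    "i-0bbb": {"login/no_automatic_user_sapstar": "0", "gw/acl_mode": "1"},
}

def evaluate_instance(expected, actual):
    """Compare the rule's expected values with the fetched ones; a parameter
    missing from the fetched data counts as a mismatch, not as compliant."""
    mismatches = []
    for name, want in expected.items():
        got = actual.get(name)
        if got is None or str(got).strip() != str(want).strip():
            mismatches.append(f"{name}={got!r} (expected {want!r})")
    if not mismatches:
        return "COMPLIANT", "All SAP security parameters match"
    return "NON_COMPLIANT", "; ".join(mismatches)[:256]  # annotation limit: 256 chars

def build_evaluations(event, fetched):
    """Build the list handed to config.put_evaluations(), one entry per instance."""
    expected = json.loads(event.get("ruleParameters") or "{}")
    ordering_ts = json.loads(event["invokingEvent"])["notificationCreationTime"]
    evaluations = []
    for instance_id, actual in fetched.items():
        compliance, annotation = evaluate_instance(expected, actual)
        evaluations.append({"ComplianceResourceType": "AWS::EC2::Instance",
                            "ComplianceResourceId": instance_id,
                            "ComplianceType": compliance,
                            "Annotation": annotation,
                            "OrderingTimestamp": ordering_ts})
    return evaluations

def lambda_handler(event, context):  # Lambda entry point; SAMPLE_FETCHED stands in for real fetching
    import boto3  # imported here so the pure functions above run without the SDK
    evaluations = build_evaluations(event, SAMPLE_FETCHED)
    boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations
```

The annotation listing the mismatched parameters is what later shows up in the AWS Config console and in the EventBridge event, so it is worth keeping it specific.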


5. NOTIFICATION


5.1 Setting Up EventBridge Rule


To set up a notification for each non-compliant event, we need to create a rule in EventBridge that is responsible for sending a notification whenever such an event occurs. To do so, go to EventBridge and click Create Rule.


Specify the name and description of the rule.


Now define the event pattern for the rule. AWS provides good documentation on how to design a custom event pattern.


Specify the event bus for the rule.


Now select the targets that the rule invokes once the event pattern matches. In our case we need to send an email, so we select the SNS topic and notification.


Now use the input transformer to extract the details from the event, build the email from those details and send it to the inboxes. AWS has provided a user guide for understanding the input transformer.


Specify resource tags, if any, and click Create.


The screen below appears after the rule has been created successfully.



Similarly, we can create multiple rules for multiple AWS Config evaluations.

5.2 Email Notification


After setting up the EventBridge rules for the AWS Config evaluation, we can test them to check the notifications for the evaluation of the resources we configured in AWS Config.

Below are sample emails for two EC2 resources that were created with a non-compliant instance type, i.e. one approved neither by AWS nor by SAP.


Below is a sample email for an SAP instance that is non-compliant with the SAP security parameters, i.e. login/no_automatic_user_sapstar and gw/acl_mode, specified in the AWS Config rule.



6. TROUBLESHOOTING LOGS


6.1 Lambda Execution Logs


To check and troubleshoot the Lambda function execution, we can view the logs in the function's log group under CloudWatch.


Further details can be checked by clicking on the log streams.



6.2 AWS Config Logs


To check and troubleshoot the logs of AWS Config, go to the S3 bucket that was created during the basic settings of AWS Config. There we can see all the logs uploaded in JSON format.


We can now perform automated compliance checks of SAP systems hosted on AWS infrastructure using these solutions.

BEST OF LUCK!!

7. CONCLUSION


In the four parts of this article, we have discussed how AWS resources can be used to perform automatic compliance checks of SAP systems according to organizational requirements.


THANK YOU..
