Simplifying SAP Password Rotation with AWS Secrets Manager

Introduction

In today’s dynamic IT landscape, security is paramount, and effective password management is crucial to ensuring data integrity and safeguarding sensitive information. This blog post explores how to use AWS Secrets Manager, which protects access to your apps, services, and IT resources without requiring you to pay for upfront infrastructure maintenance or ongoing expenditures, in conjunction with SAP password rotation.

Why Password Rotation Matters?

Regular password rotation is a fundamental security practice that helps mitigate the risk of unauthorized access and potential security breaches. As the backbone of many enterprise operations, SAP systems require robust password management to comply with security best practices and regulatory requirements.

AWS Secrets Manager Overview

Benefits of AWS Secrets Manager for SAP Password Rotation

• Automation: By automating the entire password rotation process, AWS Secrets Manager lowers the possibility of human error and guarantees that passwords are changed automatically regularly.
• Enhanced Security: The automatic rotation of SAP passwords enhances security by minimizing the risk associated with static credentials. This proactive approach aligns with security best practices and regulatory compliance requirements.
• Centralized Management: AWS Secrets Manager provides a centralized location to manage and secure secrets, simplifying the storage, retrieval, and rotation of SAP passwords.
• Audit Trails: Detailed audit trails and logging capabilities offered by AWS Secrets Manager help organizations track changes, monitor access, and maintain compliance with regulatory standards.

Architecture

Figure 1 depicts the architecture of this approach. Passwords for SAP users are kept in AWS Secrets Manager as secrets. These secrets are set up to cycle following the timetable you establish. AWS Secrets Manager calls the AWS Lambda function to rotate a secret. Once the secret has been successfully rotated, the AWS Lambda function connects to SAP over RFC using PyRFC and the SAP NetWeaver RFC SDK. It then calls a regular SAP ABAP function to modify the user’s password.

Note that the AWS Identity and Access Management (IAM) role attached to the AWS Lambda function provides the authorization needed to create an Elastic Network Interface (ENI). The Amazon Virtual Private Cloud (Amazon VPC), home of SAP systems, and the AWS Lambda function are connected over the network via this ENI. This ENI’s security group is equipped with egress rules. Permissions are also required for the AWS Lambda function to use an AWS Key Management Service (KMS) key for secret encryption and decryption. The following sections cover the automatic creation of an AWS IAM role and security group throughout the deployment process.

Prerequisites

• SAP NetWeaver ABAP (SAP BW/4HANA, SAP S/4HANA, and SAP ECC, for instance).
• A user of the SAP ABAP service who is authorized to update or modify passwords. We’ll refer to this as the administrator of the SAP password.
• SAP ABAP user for testing purposes.
• Your SAP NetWeaver systems can receive inbound network traffic because of the Amazon VPC security group.
• An Amazon Key Management Service (KMS) key that the user handles.
• Make two AWS Lambda layers, as shown in the AWS Lambda Layer for PyRFC and AWS Lambda Layer for SAP NetWeaver RFC SDK.

Integration Steps

1. Go to AWS Secrets Manager by opening the AWS Management Console.
2. Keep the administrator credentials for the SAP password in an AWS Secrets Manager secret. Apart from the password, the secret must contain the SAP connection details.
3. Keep the SAP user’s credentials in another AWS Secrets Manager secret that you want to cycle.
4. To manage the secret rotation, create the AWS Lambda function. Look up SAP-ABAP-secret-rotation online. Ensure the Show apps that create custom IAM roles or resource policy options are selected.
5. Select ABAP-secret-rotation-SAP.
6. After entering the appropriate parameters, launch the application
7. Select Edit rotation after opening the AWS Secrets Manager secret associated with the SAP user.
8. Turn on the option for automatic rotation. Give a schedule for the rotation.
9. The AWS Lambda rotation function matches the AWS Lambda function installed by the AWS Serverless Application Repository.
10. Save Changes.
11. Monitor and Review: Regularly monitor Amazon CloudWatch logs and AWS Secrets Manager activity to review password rotations and ensure compliance.

Conclusion

Integrating SAP password rotation with AWS Secrets Manager streamlines the management of credentials, enhances security, and aligns with best practices for privileged access management. By automating password rotation, organizations can reduce the risk of security breaches, improve overall compliance, and ensure the integrity of their SAP systems in the ever-evolving landscape of cybersecurity threats.

Drop a query if you have any questions regarding AWS Secrets Manager and we will get back to you quickly.

About CloudThat