
Amazon Web Services

This section provides the information you need to prepare your AWS account for use with CxLink Backup. Make sure you have sufficient permissions to create or adapt the resources required by CxLink Backup.

Overview

CxLink Backup connects to Amazon S3 to store the backup objects. The instance where the database is running will need to be granted access to the proper


Create an Amazon S3 bucket for backups

You will need to create a bucket to store your database backups.

VPC endpoints

To get the best backup performance, it is highly recommended to set up an S3 gateway endpoint in the VPC where your EC2 instance is running (there is no additional charge for a gateway endpoint). With the endpoint in place, traffic to S3 stays on the AWS network instead of leaving through an internet gateway or NAT gateway. To verify that you are actually using the endpoint, see S3 Endpoints.

If you don't have a bucket yet, you can create one with the Amazon S3 console, the Amazon S3 APIs, the AWS CLI, or the AWS SDKs, following the guidelines at https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Choose Create bucket.

  3. In Bucket name, enter a DNS-compliant name for your bucket. The bucket name must:

    • Be unique across all of Amazon S3.
    • Be between 3 and 63 characters long.
    • Not contain uppercase characters.
    • Start with a lowercase letter or number.

    After you create the bucket, you can't change its name. For information about naming buckets, see Bucket naming rules.

    Avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.

  4. In Region, choose the AWS Region where you want the bucket to reside.

    Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.

  5. In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket.

    We recommend that you keep all settings enabled unless you know that you need to turn off one or more of them for your use case, such as to host a public website. Block Public Access settings that you enable for the bucket are also enabled for all access points that you create on the bucket. For more information about blocking public access, see Blocking public access to your Amazon S3 storage.

  6. (Optional) If you want to enable S3 Object Lock, do the following:

    • Choose Advanced settings, and read the message that appears.

      Important

      You can only enable S3 Object Lock for a bucket when you create it. If you enable Object Lock for the bucket, you can't disable it later. Enabling Object Lock also enables versioning for the bucket. After you enable Object Lock for the bucket, you must configure the Object Lock settings before any objects in the bucket will be protected. For more information about configuring protection for objects, see Using S3 Object Lock.

    • If you want to enable Object Lock, enter enable in the text box and choose Confirm.

      For more information about the S3 Object Lock feature, see Using S3 Object Lock.

      Note

      To create an Object Lock enabled bucket, you must have the following permissions: s3:CreateBucket, s3:PutBucketVersioning and s3:PutBucketObjectLockConfiguration.

  7. Choose Create bucket.
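The naming rules and hardening settings from the steps above, as a small Python helper you can run before touching the console or the API. This is an added example, not part of the CxLink Backup documentation or product: it checks a candidate bucket name against the rules listed above (plus the AWS rules against IP-address-shaped names and adjacent periods), refuses names that embed a 12-digit account ID, and builds the boto3 create_bucket and put_public_access_block requests with Block Public Access fully on and Object Lock enabled at creation time, which is the only moment it can be enabled. The region handling for us-east-1 reflects the S3 API's rule that the default Region must not be passed as a LocationConstraint. Only apply_plan() talks to AWS, and it needs a real boto3 client and credentials that you supply.

```python
"""Validate a backup bucket name and build a hardened create-bucket request.
Added example; not CxLink Backup's own code. boto3 is only used inside
apply_plan(), so the validation and planning run offline."""
import re

# Rules from the bucket creation steps above (3-63 chars, lowercase, start with
# a letter or digit) plus the standard S3 rules on separators and IP-like names.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# A bare 12-digit run is almost always an AWS account ID; bucket names show up
# in object URLs, so the page advises against putting one in the name.
ACCOUNT_ID_IN_NAME_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# All four Block Public Access switches on, as recommended in step 5.
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def bucket_name_problems(name: str) -> list:
    """Return a list of rule violations for the candidate name (empty if it is usable)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be between 3 and 63 characters")
    if name != name.lower():
        problems.append("uppercase characters are not allowed")
    if not BUCKET_NAME_RE.match(name.lower()):
        problems.append("must start and end with a letter or digit and use only "
                        "a-z, 0-9, '.' and '-'")
    if ".." in name:
        problems.append("two adjacent periods are not allowed")
    if IPV4_RE.match(name):
        problems.append("must not be formatted as an IP address")
    if ACCOUNT_ID_IN_NAME_RE.search(name):
        problems.append("contains what looks like a 12-digit AWS account ID; "
                        "bucket names appear in object URLs")
    return problems


def bucket_creation_plan(name: str, region: str, object_lock: bool = True) -> dict:
    """Build the boto3 request parameters for a hardened backup bucket."""
    problems = bucket_name_problems(name)
    if problems:
        raise ValueError("; ".join(problems))
    # Object Lock can only be switched on at creation; it also turns on versioning.
    create = {"Bucket": name, "ObjectLockEnabledForBucket": object_lock}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        create["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return {"create_bucket": create, "public_access_block": dict(ALL_BLOCKED)}


def public_access_fully_blocked(config: dict) -> bool:
    """True only if every Block Public Access switch in a PublicAccessBlockConfiguration is on."""
    return all(config.get(key) is True for key in ALL_BLOCKED)


def apply_plan(s3, plan: dict) -> bool:
    """Create the bucket with a boto3 S3 client (s3 = boto3.client('s3')) and
    confirm that Block Public Access is fully enabled afterwards."""
    bucket = plan["create_bucket"]["Bucket"]
    s3.create_bucket(**plan["create_bucket"])
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=plan["public_access_block"])
    got = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    return public_access_fully_blocked(got)
```

Run bucket_name_problems() first; bucket_creation_plan() raises on any violation so a bad name never reaches the API, and apply_plan() reads the Block Public Access configuration back rather than trusting that the put succeeded.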


Create an IAM Policy for backups

For CxLink Backup to be able to store and retrieve backups from Amazon S3, you must create an IAM policy with the following permissions and attach it to the IAM role used by the EC2 instance profile of your database server.

Amazon IAM Policies

The following permissions are needed to use all the configuration options available in the CxLink Backup agent settings. You can use any of the following IAM policy templates as the base for your SAP server instance profile. Replace the <...> placeholders with your own values. ${AWS::AccountId} is a CloudFormation pseudo parameter; if you create the policy directly in IAM rather than through CloudFormation, substitute your 12-digit account ID.

S3 Policy example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET_NAME>/*",
                "arn:aws:s3:::<YOUR_BUCKET_NAME>"
            ]
        }
    ]
}

"s3:HeadBucket" is not an IAM action name; the HeadBucket API call is authorised by s3:ListBucket, which the second statement already grants on your bucket, so the entry can be dropped. Also note that "s3:*" on the bucket includes s3:DeleteObject, s3:DeleteBucket and bucket configuration changes. If you rely on Object Lock for immutability, scope the second statement down to the object and bucket actions the agent actually needs.

EC2 Instance example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}

Amazon KMS example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:GetPublicKey",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Verify"
            ],
            "Resource": [
                "arn:aws:kms:eu-west-1:${AWS::AccountId}:key/<KMS_KEY_ID>",
                "arn:aws:kms:eu-west-1:${AWS::AccountId}:alias/<KMS_KEY_ALIAS>"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:GenerateRandom",
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}

A KMS key ARN identifies the key by its key ID (a UUID), not by a display name; the same key can also be referenced through its alias ARN. Replace eu-west-1 with the Region where your key lives, and only list the key(s) used for the backups.

Amazon SNS example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:eu-west-1:${AWS::AccountId}:<SNS_TOPIC_NAME>"
        }
    ]
}

SNS topic names may contain only letters, digits, hyphens and underscores (no spaces), so use the exact name of the topic that CxLink Backup should publish notifications to.

Assume Role example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeCrossAccountRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<REMOTE_AWS_ACCOUNT_ID>:role/<RemoteRole>"
        }
    ]
}
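The templates above still carry placeholders and a CloudFormation pseudo parameter, and it is easy to end up with a wildcard resource on a write action when adapting them by hand. The following Python helper is an added example, not CxLink Backup's own code: render_policies() produces the S3, EC2, KMS and SNS policy documents from the templates above with concrete values filled in, and lint_policy() flags the mistakes a reviewer would look for: unreplaced placeholders or ${AWS::AccountId}, Resource "*" on anything other than the discovery actions that have no resource-level scope, malformed KMS key or alias ARNs, and SNS topic ARNs with illegal topic names. The set of actions allowed on "*" and the ARN formats are my assumptions about what a well-scoped version of these templates looks like; the s3:* grant is kept exactly as the page shows it, scoped to the bucket.

```python
"""Render the instance-profile policy templates for one concrete account and
lint them for scoping mistakes. Added example; not CxLink Backup's own code."""
import json
import re
from typing import Dict, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Key ARNs carry a UUID key ID; alias ARNs carry alias/<name>.
KMS_RESOURCE_RE = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:"
    r"(key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|alias/[A-Za-z0-9/_-]+)$")
# SNS topic names: letters, digits, '-' and '_' only, up to 256 characters.
SNS_TOPIC_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}$")
# Discovery actions with no resource-level granularity; Resource "*" is expected here.
WILDCARD_RESOURCE_OK = {
    "s3:ListAllMyBuckets", "ec2:DescribeInstances", "ec2:DescribeRegions",
    "kms:ListKeys", "kms:ListAliases", "kms:GenerateRandom",
}


def render_policies(account_id: str, region: str, bucket: str, kms_key_id: str,
                    kms_alias: str, sns_topic: str) -> Dict[str, dict]:
    """Return {name: policy document} with every template placeholder resolved."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be the 12-digit AWS account ID")
    return {
        "s3": {"Version": "2012-10-17", "Statement": [
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Sid": "BackupBucket", "Effect": "Allow", "Action": "s3:*",
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        ]},
        "ec2": {"Version": "2012-10-17", "Statement": [
            {"Sid": "DescribeInstances", "Effect": "Allow",
             "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*"},
        ]},
        "kms": {"Version": "2012-10-17", "Statement": [
            {"Sid": "UseBackupKey", "Effect": "Allow",
             "Action": ["kms:GetPublicKey", "kms:Decrypt", "kms:Encrypt",
                        "kms:GenerateDataKey", "kms:DescribeKey", "kms:Verify"],
             "Resource": [f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}",
                          f"arn:aws:kms:{region}:{account_id}:alias/{kms_alias}"]},
            {"Sid": "DiscoverKeys", "Effect": "Allow",
             "Action": ["kms:ListKeys", "kms:GenerateRandom", "kms:ListAliases"],
             "Resource": "*"},
        ]},
        "sns": {"Version": "2012-10-17", "Statement": [
            {"Sid": "Notify", "Effect": "Allow", "Action": "sns:Publish",
             "Resource": f"arn:aws:sns:{region}:{account_id}:{sns_topic}"},
        ]},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(name: str, policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means the document passed."""
    findings = []
    text = json.dumps(policy)
    if "${AWS::AccountId}" in text:
        findings.append(name + ": ${AWS::AccountId} is a CloudFormation pseudo parameter; "
                        "use the real account ID when creating the policy directly")
    if re.search(r"<[A-Za-z_]+>", text):
        findings.append(name + ": template placeholder left unreplaced")
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        actions = _as_list(st.get("Action", []))
        for res in _as_list(st.get("Resource", [])):
            if res in ("*", "arn:aws:s3:::*"):
                for action in actions:
                    if action not in WILDCARD_RESOURCE_OK:
                        findings.append(f"{name}/{sid}: {action} granted on Resource {res}")
            elif res.startswith("arn:aws:kms:") and not KMS_RESOURCE_RE.match(res):
                findings.append(f"{name}/{sid}: KMS resource must be key/<key-id> or alias/<name>: {res}")
            elif res.startswith("arn:aws:sns:") and not SNS_TOPIC_RE.match(res):
                findings.append(f"{name}/{sid}: invalid SNS topic ARN: {res}")
    return findings
```

Feed the rendered documents to lint_policy() and then to iam:CreatePolicy (for example boto3's iam.create_policy(PolicyName=..., PolicyDocument=json.dumps(doc))) only when no findings remain; the linter is deliberately strict about Resource "*" so that a copy-paste of the S3 statement with a dropped bucket ARN is caught before it is attached to an instance profile.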


Attach the IAM Policies to the EC2 instance role

Make sure the IAM policies above have been attached to the role used by the EC2 instance profile of your SAP database server. The agent then obtains temporary credentials from the instance profile, so no long-lived access keys need to be stored on the server.


Allow access to remote accounts (optional)

If you want to access AWS resources (S3 and KMS, or an SNS topic) in a different account, you need to create an IAM role in the remote account that grants the proper permissions, and allow the EC2 instance role to assume it.

  1. In the AWS account where the SAP server resides, create an IAM policy that allows assuming the role in the remote account.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeCrossAccountRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<REMOTE_AWS_ACCOUNT_ID>:role/<RemoteRole>"
            }
        ]
    }

  2. Attach the newly created policy to the EC2 instance role.

  3. Grant access to the role. In the remote account, create a new role whose trust relationship allows it to be assumed by the EC2 instance role attached to your database instances. Name that specific role as the principal rather than the account root, so that only the instance role (and not every principal in the database account) can assume it.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TrustingPolicy",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<DATABASE_SERVER_AWS_ACCOUNT>:role/<EC2InstanceRole>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    The trust policy only controls who may assume the remote role. Attach the S3, KMS or SNS permission policies shown above to the remote role as well, with the resource ARNs pointing at the remote account's bucket, key or topic.
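Both halves of the cross-account trust above have to agree, and the most common mistakes (a trust policy that names the account root instead of the instance role, or an sts:AssumeRole grant on Resource "*") are silent until someone audits them. The helper below is an added example, not CxLink Backup's own code: it builds the identity policy for the instance role and the trust policy for the remote role from the two ARNs, and check_handshake() verifies that the instance role is allowed to assume exactly the remote role and that the remote role trusts exactly the instance role. The account IDs and role names in the usage are placeholders.

```python
"""Build and cross-check both sides of the cross-account assume-role setup.
Added example; not CxLink Backup's own code."""
import re
from typing import List

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def assume_role_policy(remote_role_arn: str) -> dict:
    """Identity policy attached to the EC2 instance role in the database account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeCrossAccountRole", "Effect": "Allow",
        "Action": "sts:AssumeRole", "Resource": remote_role_arn}]}


def trust_policy(instance_role_arn: str) -> dict:
    """Trust relationship (AssumeRolePolicyDocument) of the role in the remote account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "TrustingPolicy", "Effect": "Allow",
        "Principal": {"AWS": instance_role_arn},
        "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement: dict) -> list:
    principal = statement.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))


def check_handshake(local_policy: dict, remote_trust: dict,
                    instance_role_arn: str, remote_role_arn: str) -> List[str]:
    """Return findings about the pair of documents; empty means they agree and are tight."""
    findings = []
    for arn, what in ((instance_role_arn, "instance role"), (remote_role_arn, "remote role")):
        if not ROLE_ARN_RE.match(arn):
            findings.append(f"{what} ARN is not an IAM role ARN: {arn}")
    # Side A (database account): sts:AssumeRole allowed on exactly the remote role.
    allowed = [res for st in local_policy.get("Statement", [])
               if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
               for res in _as_list(st.get("Resource", []))]
    if remote_role_arn not in allowed:
        findings.append("instance role policy does not allow sts:AssumeRole on " + remote_role_arn)
    if "*" in allowed:
        findings.append("instance role policy allows sts:AssumeRole on Resource * (any role anywhere)")
    # Side B (remote account): the trust policy names the instance role itself.
    principals = [p for st in remote_trust.get("Statement", [])
                  if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
                  for p in _aws_principals(st)]
    if instance_role_arn not in principals:
        findings.append("remote trust policy does not name the instance role " + instance_role_arn)
    for p in principals:
        if p == "*" or p.endswith(":root"):
            findings.append(f"remote trust policy trusts {p}, i.e. every principal in that account "
                            "that has sts:AssumeRole permission, not just the instance role")
    return findings


if __name__ == "__main__":
    # Placeholder ARNs for illustration only.
    db_role = "arn:aws:iam::111111111111:role/SapDbInstanceRole"
    remote_role = "arn:aws:iam::222222222222:role/CxLinkBackupRemote"
    print(check_handshake(assume_role_policy(remote_role), trust_policy(db_role), db_role, remote_role))
```

Run check_handshake() against the documents you actually deployed (iam.get_role() returns the trust policy under AssumeRolePolicyDocument) rather than only against the ones you intended to deploy; drift between the two is exactly what this check is for.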