Prepare your AWS Account

Utilizing the Cxlink Suite provides an efficient way to securely store your business documents, manage archive sessions, and handle data exported from your SAP server. Whether you're storing files in S3 buckets, streaming real-time data through Kinesis, or managing access with IAM, it's imperative to ensure that everything is configured correctly.

This guide will walk you through:

• Overview
• Resources and Permissions for Documents and Archive
  • 1. Create a KMS key
  • 2. Create an Amazon S3 bucket
  • 3. Create IAM policy
• Resources and Permissions for Datalakes
  • 1. Create a KMS key
  • 2. Create an Amazon S3 bucket
  • 3. Create an Amazon Kinesis Data Stream
  • 4. Create an IAM Policy
• Attach policy to an IAM entity
  • Attach the policy to an IAM role for Amazon EC2
  • Attach the policy to an IAM User

---

Overview

Cxlink Suites integrates nativelly with AWS IAM and it offers authentication by using both an IAM User for those servers running outside AWS Cloud or IAM Instance Profile for those servers hosted in AWS.

Resources and Permissions for Documents and Archive

This is an example

The steps outlined in this process illustrate the creation of a basic and functional environment following best security practices. You may need to adapt the security measures to your company's global policies.

Consider these steps as a reference guide.

1. Create a KMS key

AWS Documentation

Find more details in hwo to create KMS keys in Creating keys - AWS Key Management Service

Follow this steps to create an encyption key:

1. In the AWS Console, select KMS
2. Navigate to Customer-managed keys and select Create key
3. In the Configure key section, leave default values and select Next.
4. In the Add labels section, define a Alias for the key and a Description that helps you identify the key in later operations.
5. Add additional Tags if needed and select Next
6. In the Define key administrative permissions, select who within your organization will be responsible for this key and press Next.
7. In the Define key usage permissions, select who within your organization will be able to use the key for encrypt/decrypt operations. For this process, leave all user/roles unselected and press Next.
8. In the Review section, ensure that all parameters are correct and press Finish to create the key.
9. Back in the Customer-managed keys, search for the newly created key and open its properties.
10. In the key General configuration note down its ARN for later operations.

---

2. Create an Amazon S3 bucket

AWS Documentation

Find more information in how to create buckets in Creating a bucket - Amazon documentation

Follow this steps to create an Amazon S3 bucket:

1. In the AWS Console, select S3 service.
2. Navigate the Buckets and select Create bucket.
3. In the Create bucket section:
   1. Select a Bucket name for the documents/archiving storage. Remember that the bucket name must be unique.
   2. Select the AWS Region where you want to store the documents/archiving objets.
   3. Leave ACL disabled as recommended.
   4. Leave Block all public access by default to ensure your documents are not publicly available.
   5. Enable Bucket versioning to avoid documents overwriting. (Recommended approach but can be kept as disabled if needed).
   6. Add Tags as per your tagging policy.
   7. In the Default Encryption section, select Server-side encryption with AWS Key Management Service keys (SSE-KMS) and search for the previously created key. Ensure that Bucket Key is enabled.
   8. Leave other options as default and select Create bucket.
4. Back to the Buckets section, search for the newly created bucket and note down its arn for later operations

---

3. Create IAM policy

To grant access to the created S3 bucket to the SAP Server, you will need to create an IAM policy that grants the proper permissions.

IAM best practices

The following examples are a basic but functional implementation of a secure IAM Policy for s3 bucket access permissions. You may need to adapt it depending to meet your company requirements. You will need to ensure that the created policy grants access to the SAP server to store, read and delete existing files in the proper bucket.

Follow this steps to create the bucket where you will store the generated objects:

1. Go to the IAM Console: https://console.aws.amazon.com/iam/

2. In the navigation pane, choose Policies then click Create policy.

3. In the visual editor, go the JSON tab and copy the following contents:

   Change Bucket and Key ARNs

   If you plan to use the below example, remember to change the <<kms_key_arn>> and <<s3_bucket_arn>> fields for the values previously obtained.

   
   

   _57

   {

   _57

   "Version": "2012-10-17",

   _57

   "Statement": [

   _57

   {

   _57

   "Effect": "Allow",

   _57

   "Action": [

   _57

   "s3:ListAllMyBuckets",

   _57

   "kms:ListKeys",

   _57

   "kms:ListAliases"

   _57

   ],

   _57

   "Resource": "*"

   _57

   },

   _57

   {

   _57

   "Action": [

   _57

   "s3:DeleteObject",

   _57

   "s3:GetAccessPoint",

   _57

   "s3:GetBucketLocation",

   _57

   "s3:GetEncryptionConfiguration",

   _57

   "s3:GetIntelligentTieringConfiguration",

   _57

   "s3:GetLifecycleConfiguration",

   _57

   "s3:GetObject",

   _57

   "s3:GetObjectLegalHold",

   _57

   "s3:GetBucketObjectLockConfiguration",

   _57

   "s3:GetObjectRetention",

   _57

   "s3:ListAccessPoints",

   _57

   "s3:ListBucket",

   _57

   "s3:PutBucketObjectLockConfiguration",

   _57

   "s3:PutBucketTagging",

   _57

   "s3:PutEncryptionConfiguration",

   _57

   "s3:PutIntelligentTieringConfiguration",

   _57

   "s3:PutLifecycleConfiguration",

   _57

   "s3:PutObject",

   _57

   "s3:PutObjectLegalHold",

   _57

   "s3:PutObjectRetention",

   _57

   "s3:PutObjectTagging"

   _57

   ],

   _57

   "Effect": "Allow",

   _57

   "Resource": [

   _57

   "<<s3_bucket_arn>>",

   _57

   "<<s3_bucket_arn>>/*"

   _57

   ]

   _57

   },

   _57

   {

   _57

   "Action": [

   _57

   "kms:Decrypt",

   _57

   "kms:DescribeKey",

   _57

   "kms:Encrypt",

   _57

   "kms:ListAliases",

   _57

   "kms:ListKeys"

   _57

   ],

   _57

   "Effect": "Allow",

   _57

   "Resource": [

   _57

   "<<kms_key_arn>>"

   _57

   ]

   _57

   }

   _57

   ]

   _57

   }

   
   

4. Review the policy and name it, then click Create policy.

   AWS Documentation

   For additional details, check the official IAM documentation: Creating IAM policies (console).

---

Resources and Permissions for Datalakes

1. Create a KMS key

AWS Documentation

Find more details in hwo to create KMS keys in Creating keys - AWS Key Management Service

Follow this steps to create an encyption key:

1. In the AWS Console, select KMS
2. Navigate to Customer-managed keys and select Create key
3. In the Configure key section, leave default values and select Next.
4. In the Add labels section, define a Alias for the key and a Description that helps you identify the key in later operations.
5. Add additional Tags if needed and select Next
6. In the Define key administrative permissions, select who within your organization will be responsible for this key and press Next.
7. In the Define key usage permissions, select who within your organization will be able to use the key for encrypt/decrypt operations. For this process, leave all user/roles unselected and press Next.
8. In the Review section, ensure that all parameters are correct and press Finish to create the key.
9. Back in the Customer-managed keys, search for the newly created key and open its properties.
10. In the key General configuration note down its ARN for later operations.

---

2. Create an Amazon S3 bucket

AWS Documentation

Find more information in how to create buckets in Creating a bucket - Amazon documentation

Follow this steps to create an Amazon S3 bucket:

1. In the AWS Console, select S3 service.
2. Navigate the Buckets and select Create bucket.
3. In the Create bucket section:
   1. Select a Bucket name for the documents/archiving storage. Remember that the bucket name must be unique.
   2. Select the AWS Region where you want to store the documents/archiving objets.
   3. Leave ACL disabled as recommended.
   4. Leave Block all public access by default to ensure your documents are not publicly available.
   5. Enable Bucket versioning to avoid documents overwriting. (Recommended approach but can be kept as disabled if needed).
   6. Add Tags as per your tagging policy.
   7. In the Default Encryption section, select Server-side encryption with AWS Key Management Service keys (SSE-KMS) and search for the previously created key. Ensure that Bucket Key is enabled.
   8. Leave other options as default and select Create bucket.
4. Back to the Buckets section, search for the newly created bucket and note down its arn for later operations

3. Create an Amazon Kinesis Data Stream

AWS Documentation

Find more information in how to create buckets in Creating a Stream via the AWS Management Console

Follow this steps to create an Amazon Kinesis Data Stream:

1. In the AWS Console, select S3 service.
2. Navigate the Data streams and select Create data stream.
3. Define a Data Stream Name and select Create data stream. Leave all other options by default.
4. Once created, you will need to define the consumer of this data stream.
5. In the data stream properties, note down the data stream ARN for later purposes.

---

4. Create an IAM Policy

To grant access to the created S3 bucket to the SAP Server, you will need to create an IAM policy that grants the proper permissions.

IAM best practices

The following examples are a basic but functional implementation of a secure IAM Policy for kinesis bucket access permissions. You may need to adapt it depending to meet your company requirements. You will need to ensure that the created policy grants access to the SAP server to populate data into the Kinesis Data Stream.

Follow this steps to create the bucket where you will store the generated objects:

1. Go to the IAM Console: https://console.aws.amazon.com/iam/

2. In the navigation pane, choose Policies then click Create policy.

3. In the visual editor, go the JSON tab and copy the following contents:

   Change Data Steream Arns

   If you plan to use the below example, remember to change the <<kinesis_data_stream_arn>> field for the values previously obtained.

   
   

   _34

   {

   _34

   "Version": "2012-10-17",

   _34

   "Statement": [

   _34

   {

   _34

   "Effect": "Allow",

   _34

   "Action": [

   _34

   "s3:ListAllMyBuckets",

   _34

   "kinesis:ListStreams"

   _34

   ],

   _34

   "Resource": "*"

   _34

   },

   _34

   {

   _34

   "Effect": "Allow",

   _34

   "Action": "s3:PutObject",

   _34

   "Resource": "arn:aws:s3:::<bucket_name>/*"

   _34

   },

   _34

   {

   _34

   "Action": [

   _34

   "kms:Decrypt",

   _34

   "kms:Encrypt"

   _34

   ],

   _34

   "Effect": "Allow",

   _34

   "Resource": "arn:aws:kms:eu-west-1:012345678901:key/<key_id>"

   _34

   },

   _34

   {

   _34

   "Effect": "Allow",

   _34

   "Action": [

   _34

   "kinesis:PutRecord",

   _34

   "kinesis:PutRecords"

   _34

   ],

   _34

   "Resource": "arn:aws:kinesis:eu-west-1:012345678901:stream/<data_stream>"

   _34

   }

   _34

   ]

   _34

   }

   
   

4. Review the policy and name it, then click Create policy.

   AWS Documentation

   For additional details, check the official IAM documentation: Creating IAM policies (console).

---

Attach policy to an IAM entity

Attach the policy to an IAM role for Amazon EC2

To attach the policy to the IAM role for Amazon EC2:

1. Go to the IAM Console: https://console.aws.amazon.com/iam/.
2. In the Roles (1) section, select the desired role (2).
3. In the Permissions (3) tab, open the Add permissions drop down and select Attach policy (4).
4. On the Attach policy to ... page, on the Other permissions policies, search for the previously created IAM policy (1), ensure that the policy is checked (2) and select Add permissions.
5. You are now ready to go. Ensure again that the IAM role for EC2 (instance profile) is attached to all SAP application servers where the Cxlink addon will run.

---

Attach the policy to an IAM User

Max IAM User name lenght

Maximum IAM User length must be 27 characters

Prerequisites

You will need to access the IAM console and select the user to whom the policy will be attached. If you don't have an IAM user for Cxlink Suite:

• Create a new IAM user: Creating an IAM in your AWS Account
• Ensure that the user has Programmatic credentials and you have its Access Key and Secret Keys for later usage: Managing access keys for IAM users

To add the policy to the IAM User:

1. Go to the IAM Console: https://console.aws.amazon.com/iam/.
2. In the Users (1) section, select the desired user (2).
3. In the Permissions (3) tab, open the Add permissions drop down and select Add permissions (4).
4. On the Add permissions page, select Attach policies directly (1), search for the previously created IAM policy (2), ensure that the policy is checked (3) and select Next.
5. In the Review panel, check that all parameters are valid and select Add Permissions.

---