Skip to main content
Version: Next

Amazon Web Services

Utilizing the Cxlink Suite provides an efficient way to securely store your business documents, manage archive sessions, and handle data exported from your SAP server. Whether you're storing files in S3 buckets, streaming real-time data through Kinesis, or managing access with IAM, it's imperative to ensure that everything is configured correctly.

Cxlink Suites integrates nativelly with AWS IAM and it offers authentication by using both an IAM User for those servers running outside AWS Cloud or IAM Instance Profile for those servers hosted in AWS.

Resources and Permissions for Documents and Archive

To start working with Cxlink Suite for Documents and Archive you just need to provision a storage location for your documents and the proper permissions for both the location and the encryption key if you decide to encrypt your documents with a custom key.

This is an example

The steps outlined in this process illustrate the creation of a basic and functional environment following best security practices. You may need to adapt the security measures to your company's global policies.

Consider these steps as a reference guide.

Create an encryption key

AWS Documentation

Find more details in hwo to create KMS keys in Creating keys - AWS Key Management Service

Follow this steps to create an encyption key:

  1. In the AWS Console, select KMS
  2. Navigate to Customer-managed keys and select Create key Create key
  3. In the Configure key section, leave default values and select Next.
  4. In the Add labels section, define a Alias for the key and a Description that helps you identify the key in later operations.
  5. Add additional Tags if needed and select Next
  6. In the Define key administrative permissions, select who within your organization will be responsible for this key and press Next.
  7. In the Define key usage permissions, select who within your organization will be able to use the key for encrypt/decrypt operations. For this process, leave all user/roles unselected and press Next.
  8. In the Review section, ensure that all parameters are correct and press Finish to create the key.
  9. Back in the Customer-managed keys, search for the newly created key and open its properties. AWS KMS Key List
  10. In the key General configuration note down its ARN for later operations. AWS KMS Key properties

Create an storage bucket

AWS Documentation

Find more information in how to create buckets in Creating a bucket - Amazon documentation

Follow this steps to create an Amazon S3 bucket:

  1. In the AWS Console, select S3 service.
  2. Navigate the Buckets and select Create bucket. Create bucket
  3. In the Create bucket section:
    1. Select a Bucket name for the documents/archiving storage. Remember that the bucket name must be unique.
    2. Select the AWS Region where you want to store the documents/archiving objets.
    3. Leave ACL disabled as recommended.
    4. Leave Block all public access by default to ensure your documents are not publicly available.
    5. Enable Bucket versioning to avoid documents overwriting. (Recommended approach but can be kept as disabled if needed).
    6. Add Tags as per your tagging policy.
    7. In the Default Encryption section, select Server-side encryption with AWS Key Management Service keys (SSE-KMS) and search for the previously created key. Ensure that Bucket Key is enabled. AWS S3 key selection
    8. Leave other options as default and select Create bucket.
  4. Back to the Buckets section, search for the newly created bucket and note down its arn for later operations AWS S3 bucket details

Grant permission with IAM policy

To grant access to the created S3 bucket to the SAP Server, you will need to create an IAM policy that grants the proper permissions.

IAM best practices

The following examples are a basic but functional implementation of a secure IAM Policy for s3 bucket access permissions. You may need to adapt it depending to meet your company requirements. You will need to ensure that the created policy grants access to the SAP server to store, read and delete existing files in the proper bucket.

Follow this steps to create the bucket where you will store the generated objects:

  1. Go to the IAM Console: https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Policies then click Create policy.

  3. In the visual editor, go the JSON tab and copy the following contents:

    Change Bucket and Key ARNs

    If you plan to use the below example, remember to change the <<kms_key_arn>> and <<s3_bucket_arn>> fields for the values previously obtained.


    _55
    {
    _55
    "Version": "2012-10-17",
    _55
    "Statement": [
    _55
    {
    _55
    "Effect": "Allow",
    _55
    "Action": [
    _55
    "s3:ListAllMyBuckets",
    _55
    "kms:ListKeys",
    _55
    "kms:ListAliases"
    _55
    ],
    _55
    "Resource": "*"
    _55
    },
    _55
    {
    _55
    "Action": [
    _55
    "s3:DeleteObject",
    _55
    "s3:GetAccessPoint",
    _55
    "s3:GetBucketLocation",
    _55
    "s3:GetEncryptionConfiguration",
    _55
    "s3:GetIntelligentTieringConfiguration",
    _55
    "s3:GetLifecycleConfiguration",
    _55
    "s3:GetObject",
    _55
    "s3:GetObjectLegalHold",
    _55
    "s3:GetBucketObjectLockConfiguration",
    _55
    "s3:GetObjectRetention",
    _55
    "s3:ListAccessPoints",
    _55
    "s3:ListBucket",
    _55
    "s3:PutBucketObjectLockConfiguration",
    _55
    "s3:PutBucketTagging",
    _55
    "s3:PutEncryptionConfiguration",
    _55
    "s3:PutIntelligentTieringConfiguration",
    _55
    "s3:PutLifecycleConfiguration",
    _55
    "s3:PutObject",
    _55
    "s3:PutObjectLegalHold",
    _55
    "s3:PutObjectRetention",
    _55
    "s3:PutObjectTagging"
    _55
    ],
    _55
    "Effect": "Allow",
    _55
    "Resource": [
    _55
    "<<s3_bucket_arn>>",
    _55
    "<<s3_bucket_arn>>/*"
    _55
    ]
    _55
    },
    _55
    {
    _55
    "Action": [
    _55
    "kms:Decrypt",
    _55
    "kms:Encrypt",
    _55
    "kms:GenerateDataKey"
    _55
    ],
    _55
    "Effect": "Allow",
    _55
    "Resource": [
    _55
    "<<kms_key_arn>>"
    _55
    ]
    _55
    }
    _55
    ]
    _55
    }

  4. Review the policy and name it, then click Create policy.

    AWS Documentation

    For additional details, check the official IAM documentation: Creating IAM policies (console).

Resources and Permissions for Datalakes

To start working with Cxlink Suite for Datalakes you just need to provision a storage location for the data output, a data stream in Kinesis for real time replication (optional) and the proper permissions for the stream, location and the encryption key if you decide to encrypt your documents with a custom key.

Create an encryption key

AWS Documentation

Find more details in hwo to create KMS keys in Creating keys - AWS Key Management Service

Follow this steps to create an encyption key:

  1. In the AWS Console, select KMS
  2. Navigate to Customer-managed keys and select Create key Create key
  3. In the Configure key section, leave default values and select Next.
  4. In the Add labels section, define a Alias for the key and a Description that helps you identify the key in later operations.
  5. Add additional Tags if needed and select Next
  6. In the Define key administrative permissions, select who within your organization will be responsible for this key and press Next.
  7. In the Define key usage permissions, select who within your organization will be able to use the key for encrypt/decrypt operations. For this process, leave all user/roles unselected and press Next.
  8. In the Review section, ensure that all parameters are correct and press Finish to create the key.
  9. Back in the Customer-managed keys, search for the newly created key and open its properties. AWS KMS Key List
  10. In the key General configuration note down its ARN for later operations. AWS KMS Key properties

Create an storage bucket

AWS Documentation

Find more information in how to create buckets in Creating a bucket - Amazon documentation

Follow this steps to create an Amazon S3 bucket:

  1. In the AWS Console, select S3 service.
  2. Navigate the Buckets and select Create bucket. Create bucket
  3. In the Create bucket section:
    1. Select a Bucket name for the documents/archiving storage. Remember that the bucket name must be unique.
    2. Select the AWS Region where you want to store the documents/archiving objets.
    3. Leave ACL disabled as recommended.
    4. Leave Block all public access by default to ensure your documents are not publicly available.
    5. Enable Bucket versioning to avoid documents overwriting. (Recommended approach but can be kept as disabled if needed).
    6. Add Tags as per your tagging policy.
    7. In the Default Encryption section, select Server-side encryption with AWS Key Management Service keys (SSE-KMS) and search for the previously created key. Ensure that Bucket Key is enabled. AWS S3 key selection
    8. Leave other options as default and select Create bucket.
  4. Back to the Buckets section, search for the newly created bucket and note down its arn for later operations AWS S3 bucket details

Create an Amazon Kinesis Data Stream

AWS Documentation

Find more information in how to create buckets in Creating a Stream via the AWS Management Console

Follow this steps to create an Amazon Kinesis Data Stream:

  1. In the AWS Console, select S3 service.
  2. Navigate the Data streams and select Create data stream. Create data stream
  3. Define a Data Stream Name and select Create data stream. Leave all other options by default.
  4. Once created, you will need to define the consumer of this data stream.
  5. In the data stream properties, note down the data stream ARN for later purposes. Data stream props

Grant permission with IAM policy

To grant access to the created S3 bucket to the SAP Server, you will need to create an IAM policy that grants the proper permissions.

IAM best practices

The following examples are a basic but functional implementation of a secure IAM Policy for kinesis bucket access permissions. You may need to adapt it depending to meet your company requirements. You will need to ensure that the created policy grants access to the SAP server to populate data into the Kinesis Data Stream.

Follow this steps to create the bucket where you will store the generated objects:

  1. Go to the IAM Console: https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Policies then click Create policy.

  3. In the visual editor, go the JSON tab and copy the following contents:

    Change Data Steream Arns

    If you plan to use the below example, remember to change the <<kinesis_data_stream_arn>> field for the values previously obtained.


    _40
    {
    _40
    "Version": "2012-10-17",
    _40
    "Statement": [
    _40
    {
    _40
    "Sid" : "AllowListBucketsStreams",
    _40
    "Effect": "Allow",
    _40
    "Action": [
    _40
    "s3:ListAllMyBuckets",
    _40
    "kinesis:ListStreams"
    _40
    ],
    _40
    "Resource": "*"
    _40
    },
    _40
    {
    _40
    "Sid": "Allow put objects in bucket",
    _40
    "Effect": "Allow",
    _40
    "Action": "s3:PutObject",
    _40
    "Resource": "arn:aws:s3:::<bucket_name>/*"
    _40
    },
    _40
    {
    _40
    "Sid": "Allow encrypt/decrypt data at rest",
    _40
    "Action": [
    _40
    "kms:GenerateDataKey",
    _40
    "kms:Decrypt",
    _40
    "kms:Encrypt"
    _40
    ],
    _40
    "Effect": "Allow",
    _40
    "Resource": "arn:aws:kms:eu-west-1:012345678901:key/<key_id>"
    _40
    },
    _40
    {
    _40
    "Sid": "Allow adding records to Kinesis data Stream",
    _40
    "Effect": "Allow",
    _40
    "Action": [
    _40
    "kinesis:DescribeStream",
    _40
    "kinesis:PutRecord",
    _40
    "kinesis:PutRecords"
    _40
    ],
    _40
    "Resource": "arn:aws:kinesis:eu-west-1:012345678901:stream/<data_stream>"
    _40
    }
    _40
    ]
    _40
    }

  4. Review the policy and name it, then click Create policy.

    AWS Documentation

    For additional details, check the official IAM documentation: Creating IAM policies (console).

Attach policy to an IAM entity

Attach the policy to an IAM role for Amazon EC2

To attach the policy to the IAM role for Amazon EC2:

  1. Go to the IAM Console: https://console.aws.amazon.com/iam/.
  2. In the Roles (1) section, select the desired role (2).
  3. In the Permissions (3) tab, open the Add permissions drop down and select Attach policy (4). AWS IAM Role add permissions
  4. On the Attach policy to ... page, on the Other permissions policies, search for the previously created IAM policy (1), ensure that the policy is checked (2) and select Add permissions. AWS IAM Role select policy
  5. You are now ready to go. Ensure again that the IAM role for EC2 (instance profile) is attached to all SAP application servers where the Cxlink addon will run.

Attach the policy to an IAM User

Max IAM User name lenght

Maximum IAM User length must be 27 characters

Prerequisites

You will need to access the IAM console and select the user to whom the policy will be attached. If you don't have an IAM user for Cxlink Suite:

To add the policy to the IAM User:

  1. Go to the IAM Console: https://console.aws.amazon.com/iam/.
  2. In the Users (1) section, select the desired user (2).
  3. In the Permissions (3) tab, open the Add permissions drop down and select Add permissions (4). AWS IAM User add permissions
  4. On the Add permissions page, select Attach policies directly (1), search for the previously created IAM policy (2), ensure that the policy is checked (3) and select Next. AWS IAM User select policy
  5. In the Review panel, check that all parameters are valid and select Add Permissions.