Hello everyone,
In this article, I will discuss the new Systems Manager feature announced by AWS in early September, which verifies how well SAP configurations running on AWS comply with best practices, as well as the details of this feature. This new capability helps you compare your SAP HANA configurations against the AWS Well-Architected Framework (SAP Lens) and official AWS for SAP documentation. It automatically checks EC2 instance types, EBS storage setup, and Pacemaker HA configurations to ensure compliance with best practices.
Based on the AWS Well-Architected Framework’s SAP Lens documentation and official AWS-SAP guidelines, this tool automatically evaluates how well your systems are configured in terms of performance, security, and high availability.
The feature examines and evaluates the system under three main categories:
SAP HANA Pacemaker Configuration
– Analyzes whether the Pacemaker cluster is correctly configured for HANA.
SAP HANA EBS Storage Configuration
– Verifies whether the EBS disks’ file system and RAID configuration comply with AWS recommendations.
SAP EC2 Instance Type Selection
– Checks whether the EC2 instances running SAP HANA are SAP-certified and whether the hardware settings are correctly configured.
Each of these categories includes several subtests, and the results are clearly listed as “OKAY,” “WARNING,” or “ERROR.”

To use this feature, you must complete the following prerequisite steps on your instances:
– The Amazon Systems Manager Agent (SSM Agent) must be installed on your servers, and the appropriate IAM role must be attached to the EC2 instance. To do this, attach the AWS Managed Policy “AmazonSSMManagedInstanceCore” to the role, then create the Customer Managed Policy shown below and attach it to the same role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsSsmForSapPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-sap:*"
            ],
            "Resource": "arn:*:ssm-sap:*:*:*"
        },
        {
            "Sid": "AwsSsmForSapServiceRoleCreationPermission",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/ssm-sap.amazonaws.com/AWSServiceRoleForAWSSSMForSAP"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "ssm-sap.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowGetSecretValue",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:YOUR_REGION:YOUR_AWS_ACCOUNT_ID:secret:YOUR_SAP_SECRETS_ID"
            ]
        }
    ]
}
– Configure the required TCP ports (typically 30013-30015 for SAP HANA).
– You need to add your SAP system as an application in AWS Systems Manager. For this, it is recommended to create a new user in your SAP environment rather than using an existing system user. The permissions for this user should be as follows (there is no need to grant FULL ADMIN privileges).
MONITORING role
PUBLIC role
System privilege for “RESOURCE ADMIN”
System privilege for “CATALOG READ”
These permissions provide sufficient access for configuration checks while maintaining security. You won’t need full administrative rights.
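A pre-flight check for the customer managed policy above, added here as an example and not taken from AWS or from the original article: it flags unfilled `YOUR_…` placeholders, wildcard actions, and secret or service-linked-role permissions that are not scoped. The function names and finding strings are assumptions made for this example.

```python
import re

# Constructed copy of the article's policy; the secret ARN keeps its placeholders.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AwsSsmForSapPermissions", "Effect": "Allow",
     "Action": ["ssm-sap:*"], "Resource": "arn:*:ssm-sap:*:*:*"},
    {"Sid": "AwsSsmForSapServiceRoleCreationPermission", "Effect": "Allow",
     "Action": ["iam:CreateServiceLinkedRole"],
     "Resource": ["arn:aws:iam::*:role/aws-service-role/"
                  "ssm-sap.amazonaws.com/AWSServiceRoleForAWSSSMForSAP"],
     "Condition": {"StringEquals":
                   {"iam:AWSServiceName": "ssm-sap.amazonaws.com"}}},
    {"Sid": "AllowGetSecretValue", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:secretsmanager:YOUR_REGION:"
                  "YOUR_AWS_ACCOUNT_ID:secret:YOUR_SAP_SECRETS_ID"]},
]}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that need review."""
    findings = []
    stmts = policy["Statement"]
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]  # case-insensitive
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for res in as_list(stmt.get("Resource", [])):
            if re.search(r"YOUR_[A-Z_]+", res):
                findings.append((sid, "unfilled placeholder in resource ARN"))
            if ("secretsmanager:getsecretvalue" in actions
                    and (res == "*" or res.endswith(":secret:*"))):
                findings.append((sid, "GetSecretValue not scoped to one secret"))
        if "iam:createservicelinkedrole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:AWSServiceName") != "ssm-sap.amazonaws.com":
                findings.append((sid, "service-linked role not pinned to ssm-sap"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_policy(POLICY):
        print(f"{sid}: {finding}")
```

Run against the policy exactly as printed in this article, it reports the `ssm-sap:*` wildcard for review and the placeholder secret ARN that must be replaced with the ARN of the secret holding the SAP user's credentials.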
To proceed, go to AWS Systems Manager, and in the left-hand menu, select Application Manager. In the section that opens, choose Create Application, then select Enterprise Workload.

In the section that appears, enter your application and database information. Grant access to all the databases you are using, including SYSTEMDB. In the next step, create a new secret in AWS Secrets Manager and add it here; the secret should contain the username and password.


If you encounter an error, first check the database connectivity using the hdbsql client. If you experience other issues, please review the AWS troubleshooting page. Once your configuration is correct, Systems Manager will begin recognizing your environment.

As you can see in the image above, within this console you can perform various monitoring operations and compliance actions related to your defined SAP servers and databases, and you can also run Runbooks.
To summarize briefly:
The Overview section allows you to view the overall system status in a single console. Here, you can see the status of your servers, as well as any custom alarms and metrics you’ve defined. With Cost Allocation Tags, you can also view customized cost tracking in this section. At the bottom of the page, the Compliance section displays rules that can be quickly defined using AWS Config. You can create automation workflows with Runbooks; for example, you can define RemoteRunShell commands such as restarting corosync.
With OpsItems, you can view centralized records and tracking items created for incidents or issues detected in AWS resources.
In short, you can manage all monitoring and automation operations related to your SAP environment from a single console.
Now, regarding the main topic, the SAP configuration check status: as shown in the screenshot above, the analysis is presented under three main categories. You can hover over any number to view more details.

As mentioned earlier, the configuration is examined under three main categories. Below, I am sharing an example result from the analysis related to the Pacemaker configuration:

Now that the setup is complete, let’s move on to the pricing of this great feature; you might be surprised by some of the details. Since this feature is part of Systems Manager, you only pay for the functionalities you use. There are no minimum fees or commitments.
Here are the features available at no additional cost for this product:
Free features:
- SAP application registration and management
- Application-aware start and stop operations
- Basic application monitoring and insights

SAP Configuration Management pricing:
- Configuration check results are retained for 30 days
- $0.25 USD per configuration check run per application in all AWS regions
- Checks can be run on-demand or on a schedule

Example Pricing Scenario for Configuration Management:
If you run three configuration checks per week on two SAP HANA applications, your monthly cost would be $6.00 USD.
This is calculated as:
3 checks × 2 applications × 4 weeks × $0.25 = $6.00
There are no minimum fees or upfront commitments, and no charge for registering SAP applications.
It’s an excellent pricing model. With these features, you can have a second pair of eyes evaluating how accurately your cluster is configured.
I hope this article helps save you time.