SAP Password Rotation with AWS Secrets Manager

Introduction

Password rotation is a commonly accepted security best practice. In fact, password rotation is enforced in many organizations to reduce the risk of password-based attacks or exploits. Password policies encourage users to use strong passwords by enforcing a set of rules like password length and use of special characters. However, manually rotating passwords under stringent password policies can quickly turn into password fatigue, which may actually increase the risk of an exploit.

SAP ABAP systems support user name and password as basic authentication credentials. Typically, humans interacting with the SAP system are required to change or rotate their corresponding account password with certain frequency. Usually this is handled interactively during the login phase.

It is common that SAP ABAP systems use basic authentication credentials for administrative purposes. Consider the case of background job scheduling. Typically, user accounts configured for background jobs are set to a non-interactive type, remain unlocked and the lifespan of the corresponding password is long. This is a common finding during security audits.

Interfaces with the SAP ABAP system, whether it is for system monitoring or data processing purposes, are another common example of system login with basic authentication credentials. A good example of this is described in one of our previous blogs: A serverless approach using Amazon CloudWatch.

Automatic rotation of SAP ABAP user’s password typically relies on tools such as SAP extended Computer Aided Test Tool (eCATT), custom ABAP code or database client applications. However, these tools alone provide limited levels of security, scalability, governance and observability.

Best practices described in the Identity Management section of the Security Pillar in the AWS Well-Architected Framework recommend to audit and rotate credentials periodically and store and use secrets securely, using AWS Secrets Manager. In fact, more specifically, rotation of security keys is a common recommendation in the SAP Lens for the AWS Well-Architected Framework

In this blog we will show you how AWS Secrets Manager can be used to align your SAP systems with the best practices described in the AWS Well-Architected Framework. AWS Secrets Manager provides a secure, scalable, auditable and accessible store for secrets. In this case the secret rotation capability of AWS Secrets Manager is extended to rotate SAP user credential passwords through an AWS Lambda function.

Architecture

The architecture of this solution is in figure 1. SAP user passwords are stored as secrets in AWS Secrets Manager. These secrets are configured to rotate according to the schedule you set up. To rotate a secret, AWS Secrets Manager calls an AWS Lambda function. Upon successful rotation of the secret, the AWS Lambda function uses PyRFC and the SAP NetWeaver RFC SDK to establish an RFC connection to SAP and call a standard SAP ABAP function to change the user’s password.

Figure 1: Solution architecture

Note that the AWS Identity and Access Management (IAM) role assigned to the AWS Lambda function provides the necessary permissions to create an Elastic Network Interface (ENI). This ENI is used to establish network communication from the AWS Lambda function to the Amazon Virtual Private Cloud (Amazon VPC) where SAP systems reside. The security group assigned to this ENI has egress rules only. Additionally, the AWS Lambda function needs permissions to use an AWS Key Management Service (KMS) key to decrypt and encrypt secrets. An IAM role and security group are created automatically during the deployment described in the following sections.

Prerequisites

• SAP NetWeaver ABAP (for example, SAP ECC, SAP S/4HANA, SAP BW/4HANA).
• An SAP ABAP service user with authorizations to change/update passwords. We will call this the SAP password administrator.
• A regular SAP ABAP user for testing purposes, we will call this SAP user.
• Amazon VPC security group allowing inbound network traffic to your SAP NetWeaver systems.
• An AWS Key Management Service (KMS) customer managed key.
• Create two AWS Lambda layers as described in AWS Lambda Layer for PyRFC and
• AWS Lambda Layer for SAP NetWeaver RFC SDK.

Set up

1. Open the AWS Management Console and navigate to AWS Secrets Manager.

2. Store the SAP password administrator credentials in an AWS Secrets Manager secret. In addition to the actual password, the secret must include SAP connection information. The connection information must be provided in the form of key/value pairs as follows:

• SID: SAP systems ID.
• ASHOST: SAP application server host name or IP address.
• SYSNR: SAP instance number.
• MSHOST: SAP message server host name or IP address.
• MSSERV: SAP message server port number.
• LGROUP: SAP ABAP logon group name.
• CLIENT: SAP ABAP client number.
• USER: SAP user name.
• PASSWORD: SAP user password.

In our example the SAP password administrator corresponds to an SAP ABAP user called PWDAUTOCHNGR.

For better identification we used the following naming nomenclature for our secrets: <SID>CLNT<ABAP client>/<ABAP user ID>.

Figure 2 shows the value stored in a secret corresponding to user PWDAUTOCHNGR in client 001 of SAP system ECD. The secret name is ECDCLNT001/PWDAUTOCHNGR:

Figure 2: Secret with direct SAP AS connection.

3. Store the credential you wish to rotate (those of the SAP user) in another AWS Secrets Manager secret, in our example it is called ECDCLNT001/LAMBDAUSR006.

Connections from the AWS Lambda function to SAP systems support SAP Logon Load Balance. Store the SAP message server host, port number and logon group information in the secret in order to use the SAP Logon Load Balance feature.

Figure 3 shows the value stored in a secret corresponding to user LAMBDAUSR006 in client 001 for SAP system ECD. The connection to SAP will be done using SAP logon group PUBLIC because the SAP message server and port are specified in the secret:

Figure 3: Secret with SAP logon group connection.

4. Create the AWS Lambda function to handle the secret rotation. This is done by deploying an application from the AWS Serverless Application Repository.
5. In the AWS Management Console open the AWS Serverless Application Repository. Search for SAP-ABAP-secret-rotation. Make sure to select the option to Show apps that create custom IAM roles or resource policies.

Figure 4: SAP secret rotation serverless application

6. Choose SAP-ABAP-secret-rotation.
7. Provide the corresponding parameters and Deploy the application:

Figure 5: Application settings

Serverless Application Repository (SAR) application settings: Application name: This string will be used to name resources deployed by the corresponding AWS CloudFormation stack. VPCId: The VPC identifier for the security group assigned to AWS Lambda ENI(s). PasswordAdministratorSecret: Name of the secret in AWS Secrets Manager with the SAP password administrator credentials. PyRFCLayerVer: The Lambda layer version for PyRFC, typically 1. SAPRFCLayerVer: The Lambda layer version for SAP NetWeaver RFC SDK, typically 1. Subnets: VPC subnet IDs this AWS Lambda function has access to, separated by comma.

After a few minutes the AWS Lambda, Applications overview screen will show up. The deployed resources will be shown at the bottom of the screen (see example in figure 6). Note the AWS Lambda function name (Physical ID).

Figure 6: Resources deployed by SAR

8. Open the AWS Secrets Manager secret corresponding to the SAP user and choose Edit rotation.
9. Toggle the Automatic rotation option.
10. Provide a Rotation schedule (Figure 7). For testing purposes check the option to rotate the secret immediately.
11. The Lambda rotation function corresponds to the AWS Lambda function installed by AWS Serverless Application Repository.
12. Save your changes.

Figure 7: Secret rotation schedule

13. To check the results, Open AWS Lambda in the AWS Management Console.
14. Open the corresponding function and select Monitor, Logs (see example in Figure 8).
15. To look at the details of the function call open the most recent LogStream.

Figure 8: AWS Lambda Function logs

Once rotated, the password can be obtained from the corresponding secret in AWS Secrets Manager using the AWS Management Console, AWS Command Line Interface (AWS CLI) or a call to the AWS Secrets Manager API.

The following example shows the AWS CLI command to get the secret value for secret ECDCLNT001/LAMBDAUSR005 (see the output in Figure 9):

aws  secretsmanager get-secret-value --secret-id ECDCLNT001/LAMBDAUSR005

Figure 9: Retrieve secret using AWS CLI

Cleanup

1. Open the AWS Management Console and go to AWS CloudFormation.
2. Select the stack called serverless-SAP-secret-rotation.
3. Choose Delete.

Cost

In this example we assume there are 20 different SAP ABAP systems each one with a monitoring user. The user credentials are stored in AWS Secrets Manager. The user password is retrieved every 5 minutes by an application. Credentials are changed once every month.

Cost dimension:

• 20 SAP ABAP systems.
• 2 secrets per SAP system.
• SAP User credentials retrieved every 5 minutes.
• Rotate user passwords once every 30 days.

Monthly Cost

Conclusion

This blog post shows you how to rotate SAP user passwords automatically using AWS Secrets Manager and AWS Lambda functions. AWS Secrets Manager enables you to easily rotate, manage, and retrieve credentials for several AWS services. These features can be extended to implement password rotation for SAP users through API calls from an AWS Lambda function.

To find more customer-proven design principles and best practices to ensure your SAP workloads on AWS are well-architected check the SAP Lens for the AWS Well-Architected Framework. The SAP Lens is based on insights that AWS has gathered from customers, AWS Partners, and our SAP specialist community.