Simplify Operations for AWS Launch Wizard for SAP deployments using AWS Systems Manager for SAP


AWS Launch Wizard for SAP allows customers to automate the deployment of SAP applications such as SAP S/4HANA. It also provides customers the ability to personalize their SAP systems with the help of pre/post configuration scripts. Pre-deployment configuration scripts run right after the instances are launched and baseline Launch Wizard configuration activities – such as deploying AWS CLI, Amazon CloudWatch, and AWS Systems Manager agents – are completed. Post-deployment configuration scripts run when Launch Wizard completes configuration activities specific to the SAP application on all of the instances in a deployment.

Building on these capabilities, we are happy to introduce a new GitHub Repository awslabs/aws-sap-automation, our one-stop shop for automation and personalization scripts tailored to Launch Wizard! These scripts have been tested to work with Launch Wizard when deploying SAP workloads, and can be leveraged as is or adjusted to meet your individual needs.

AWS Systems Manager (SSM) allows customers to manage, update, and patch servers and virtual machines (VMs) across AWS, on premises, and on other clouds from a single console at scale. Earlier this year, we announced the general availability of AWS Systems Manager for SAP (SSM for SAP), building the foundation for helping customers to manage and operate their SAP applications on AWS more efficiently. Just recently, in addition to access via command line interface (CLI), we introduced support for SAP applications as part of SSM Application Manager in the AWS Console. SSM Application Manager specifically enables you to understand and discover your SAP landscape topology for SAP NetWeaver ABAP application servers and SAP HANA databases, and their interdependencies. And the best part: This is available to you at no additional cost.

Let’s now look into how you can automate the registration of SAP systems deployed through Launch Wizard with SSM for SAP using post-deployment configuration scripts for new deployments and SSM documents for existing deployments.


To get started, ensure that you complete the following prerequisites for setup (one-time activity per AWS Account):

  • In the AWS IAM console, attach the AWSSystemsManagerForSAPFullAccess AWS managed policy to role AmazonEC2RoleForLaunchWizard
  • In AWS Launch Wizard for SAP, make sure you either have an existing SAP deployment or plan for a new deployment stack. Note: Currently SSM for SAP only supports SAP HANA 2.0 single-node, SAP HANA 2.0 HA, SAP NetWeaver on SAP ABAP 7.50 or higher single-node environments!

Option 1: Automate Registration

Note: Instead of manually registering your Launch Wizard system, we will be using a script, available on GitHub. If you prefer to register your SAP system(s) manually, follow “Option 2” instead!

To get started, navigate to the AWS IAM console and, again, create and attach the provided IAM Policy to role AmazonEC2RoleForLaunchWizard (one-time activity per AWS Account).

New Launch Wizard Deployments: Use Post-deployment configuration scripts

In AWS Launch Wizard for SAP, proceed to Configure deployment model. In section Post-deployment configuration script, choose the following Amazon S3 URL as script location:


Click next to finish the wizard. During and after deployment, make sure to check the respective Amazon CloudWatch log stream named */postDeploymentConfiguration.

Once deployment has completed, you may proceed to section “Verify your registration”.

Existing Launch Wizard Deployments: Use SSM Document

Navigate to AWS Systems Manager → Documents and hit Create document. Choose a name and copy and paste the following Content as YAML.

description: ''
schemaVersion: '2.2'
mainSteps:
  - action: aws:runShellScript
    name: 'RunSSMforSAPRegistration'
    inputs:
      runCommand:
        - aws s3 cp s3://aws-sap-automation/ssm_sap/ ./ --region eu-central-1
        - chmod +x
        - ./

To save, press Create document.


Next, locate your document and press Run command. Select your target EC2 instances and press Run.


Once the command has completed successfully, you may proceed to section “Verify your registration”. If the command failed, check the command output/error directly for more information!

Option 2: Manual Registration

Follow these steps to manually register your SAP system, as also specified in the AWS Docs:

Step 1: Collect your SAP system parameters

Collect and note the following parameters from your Launch Wizard deployment, as shown for example in AWS CloudFormation → LaunchWizard-<STACK_NAME>:

Param                 CloudFormation Tab  Key
EC2_INSTANCE_ID       Stack Resources     “SapSingleInstance” / “HanaSingleInstance”
SAP_HANA_INSTANCE_NR  Stack Parameters    “SAPInstanceNum”
SAP_HANA_SID          Stack Parameters    “HANASID”
SAP_SID               Stack Parameters    “SAPSID” (if applicable)

If required, you can also get the MASTER_PASSWORD from AWS Secrets Manager → Stack Parameters “HANAMasterPassKey” as Secret ARN.

Step 2: Tag the EC2 Instance

In the EC2 console, locate your EC2_INSTANCE_ID and add the following tag to enable AWS Systems Manager for SAP to access your instance:

Key: SSMForSAPManaged
Value: True


Step 3: Register credentials in AWS Secrets Manager

On the AWS Secrets Manager page, select Store a new secret. For Secret type, select Other type of secret and create the following key-value pairs: username = SYSTEM and password = <MASTER_PASSWORD>. Select Next and enter a secret name, e.g. LaunchWizard-<STACK_NAME>-SSMSAP. In the Resource permissions container, choose Edit permissions and paste the following policy. Adjust the Amazon Resource Name (ARN) for the Amazon EC2 instance role, replacing the <AWS_ACCOUNT_ID> and <EC2_INSTANCE_ID> placeholders with the respective details. Select Next and then select Store.

{
  "Version" : "2012-10-17",
  "Statement" : [{
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/AmazonEC2RoleForLaunchWizard/<EC2_INSTANCE_ID>"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  }]
}

The result should look as follows:

[Screenshot: Secrets Manager]

See also the corresponding AWS Docs for more info. Make sure to note down your secret name, e.g. LaunchWizard-<STACK_NAME>-SSMSAP, referred to below as HANA_SECRET_ID_SSM.

Step 4: Register SAP HANA

Start an AWS CloudShell instance (or CLI/terminal) and execute the following command. Make sure to replace the variables with your specific config. Note: The application-id must not contain any special characters:

aws ssm-sap register-application \
--application-id <STACK_NAME><SAP_HANA_SID> \
--application-type "HANA" \
--instances <EC2_INSTANCE_ID> \
--sap-instance-number <SAP_HANA_INSTANCE_NR> \
--sid <SAP_HANA_SID> \
--credentials '[{"DatabaseName":"'<SAP_HANA_SID>'/'<SAP_HANA_SID>'","CredentialType":"ADMIN","SecretId":"'<HANA_SECRET_ID_SSM>'"},{"DatabaseName":"'<SAP_HANA_SID>'/SYSTEMDB","CredentialType":"ADMIN","SecretId":"'<HANA_SECRET_ID_SSM>'"}]'

This might take a few minutes to complete.


You may check the registration status as follows:

aws ssm-sap get-application --application-id <STACK_NAME><SAP_HANA_SID>

Note: Instead of the CLI/programmatic approach, you can also register through the AWS console: go to AWS Systems Manager → Application Manager, click Create Application, and select Enterprise Workload, as shown below.

[Screenshot: SSM Application Manager]

Check also the related step-by-step guide.

Step 5: Register SAP Application Server ABAP (if applicable)

Run the following command to get the HANA database ARN (Tenant DB), and replace the <STACK_NAME> and <SAP_HANA_SID> placeholders with the respective details.

DB_ARN=$(aws ssm-sap list-databases --application-id <STACK_NAME><SAP_HANA_SID> --query "Databases[?DatabaseType=='TENANT'].Arn" --output text)

Next, register the SAP ABAP application server. Again, don’t forget to replace the placeholders with their respective values:

aws ssm-sap register-application \
--application-id <STACK_NAME><SAP_SID> \
--application-type "SAP_ABAP" \
--instances <EC2_INSTANCE_ID> \
--sid <SAP_SID> \
--database-arn "$DB_ARN"

The registration might take a few minutes to complete! The output might look similar to the following:

[Screenshot: Bash Command]
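
Steps 2 to 4 of the manual registration can also be scripted. The following sh functions are an added example, not code from this post or from the awslabs repository; the function names and the AWS dry-run variable are this example's own. It assumes the secret from step 3 is already stored, so the password never passes through the shell, and it reads "no special characters" as letters and digits only.

```shell
#!/bin/sh
# Added example (not from the awslabs repository): Option 2, steps 2 to 4.
# Set AWS="echo aws" to print the commands instead of running them.
AWS=${AWS:-aws}

# Assumption: "no special characters" means ASCII letters and digits only.
valid_app_id() {
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
}

# Step 3 resource policy, scoped to the role session of a single instance.
secret_policy() {  # args: AWS_ACCOUNT_ID EC2_INSTANCE_ID
  case "$1" in *[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ] || return 1
  case "$2" in i-?*) ;; *) return 1 ;; esac
  case "${2#i-}" in *[!0-9a-f]*) return 1 ;; esac
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:sts::%s:assumed-role/AmazonEC2RoleForLaunchWizard/%s"},"Action":"secretsmanager:GetSecretValue","Resource":"*"}]}\n' "$1" "$2"
}

# Step 4 --credentials value: tenant DB and SYSTEMDB use the same secret.
hana_credentials() {  # args: SAP_HANA_SID HANA_SECRET_ID_SSM
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  case "$2" in ''|*[!A-Za-z0-9/_+=.@-]*) return 1 ;; esac
  printf '[{"DatabaseName":"%s/%s","CredentialType":"ADMIN","SecretId":"%s"},{"DatabaseName":"%s/SYSTEMDB","CredentialType":"ADMIN","SecretId":"%s"}]\n' "$1" "$1" "$2" "$1" "$2"
}

# args: STACK_NAME SAP_HANA_SID SAP_HANA_INSTANCE_NR EC2_INSTANCE_ID
#       AWS_ACCOUNT_ID HANA_SECRET_ID_SSM
register_hana() {
  app_id="$1$2"
  valid_app_id "$app_id" || { echo "invalid application-id: $app_id" >&2; return 1; }
  policy=$(secret_policy "$5" "$4") || { echo "bad account or instance id" >&2; return 1; }
  creds=$(hana_credentials "$2" "$6") || { echo "bad SID or secret name" >&2; return 1; }
  $AWS ec2 create-tags --resources "$4" --tags Key=SSMForSAPManaged,Value=True &&
  $AWS secretsmanager put-resource-policy --secret-id "$6" \
    --resource-policy "$policy" --block-public-policy &&
  $AWS ssm-sap register-application --application-id "$app_id" \
    --application-type HANA --instances "$4" --sap-instance-number "$3" \
    --sid "$2" --credentials "$creds"
}
```

Calling `register_hana` with `AWS="echo aws"` set prints the three commands for review before anything is changed in the account.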

Verify your registration

Finally, check the registration status in AWS SSM → Application Manager:

[Screenshot: SSM Application Manager]

The SAP HANA registration, for example, should look as follows:

[Screenshot: SSM Application Manager]

You can also verify your registration from the command line:

First, fetch the desired Application Id:

aws ssm-sap list-applications

Next, query the component information:

MYCOMP=$(aws ssm-sap get-application --application-id <APP_ID> --output text --query "*.Components[0]") 
aws ssm-sap get-component --application-id <APP_ID> --component-id $MYCOMP

The output should look similar to the following:

[Screenshot: Bash Command]


If the registration fails, make sure to check the AWS Systems Manager → Run Command history. Locate the AWSSystemsManagerSAP-Discovery document and click View details to find out more about the potential cause of the error.


To repeat/redo a registration, simply deregister as follows.

Get the desired Application Id:

aws ssm-sap list-applications

Next, run the following line to deregister the application:

aws ssm-sap deregister-application --application-id <APP_ID>

Once the application has been successfully cleaned up, you can start the registration process all over again.

Next Steps

We have shown you how to register your Launch Wizard deployments with AWS Systems Manager for SAP. You may now, for example, leverage the AWS Backup integration for automatic backup and restore operations of SAP HANA databases. Stay tuned for more updates in this space!

Check also the following resources to learn more: