Prerequisites #

To create a new account, access the Linke Console and “Sign up” by following the steps describes in the Account Creation Section.

2. Check Supported Operating Systems #

Check in the following list the supported versions for your SAP Database platform.

3. Prepare your AWS Account #

Ensure Best Performance. To obtain the best performance of your backups it is highly recommended to set up S3 Private Endpoints on the VPC where your EC2 instance is running (There is no additional charge for using gateway endpoint). To ensure that you are using endpoint, see S3 Endpoints.

Before you can start performing your backups using Emory, ensure that the following resources exist in your EC2 instance.

• S3 Bucket

  Ensure that the bucket where your backups will be stored already exists.

  Amazon S3 Bucket. If you don’t have a S3 Bucket yet, follow the guidelines described in the following guide to create one.

• IAM Policy

  Create or modify and IAM Policy to meet Emory requirements.

  Amazon IAM Policies. If you need additional information, follow the guidelines described in the following guide to create/modify one.

  Permission List

  AWS Service	AWS Permission	Description	Resource
  EC2	ec2:DescribeRegions	List all available AWS Regions from the Configuration Wizard	*
  EC2	ec2:DescribeInstances	Retrieve EC2 Instance tags to be sent to LinkeIT Console (Optional)	*
  S3	s3:ListAllMyBuckets	List all Buckets in AWS Account from the Configuration Wizard	*
  S3	s3:HeadBucket	List all CloudFront distributions.	*
  S3	s3:*	Allow all operations in the bucket	“arn:aws:s3:::<bucket_name>”, “arn:aws:s3:::<bucket_name>/*”
  KMS	kms:ListKeys	List all load balancers.	*
  KMS	kms:ListAliases	Get the name of the S3 bucket containing ELB access logs.	*
  KMS	“kms:GetPublicKey” “kms:GenerateDataKey” “kms:Decrypt” “kms:Encrypt” “kms:GetKeyPolicy”	Encrypt and decrypt your backups	<kms_key_arn>
  SNS	sns:Publish	Inform about failed backups via AWS Simple Notification Service	<sns_topic_arn>
  STS	sts:AssumeRole	Assume a Role from other AWS account	<role_arn>

• IAM Policies templates #

  EC2 Policy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "ec2:DescribeInstances",
                  "ec2:DescribeRegions"
              ],
              "Resource": "*"
          }
      ]
  }
  

  S3 Policy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "s3:ListAllMyBuckets",
                  "s3:HeadBucket"
              ],
              "Resource": "*"
          },
          {
              "Sid": "VisualEditor1",
              "Effect": "Allow",
              "Action": "s3:*",
              "Resource": [
                  "arn:aws:s3:::<YOUR_BUCKET_NAME>/*",
                  "arn:aws:s3:::<YOUR_BUCKET_NAME>"
              ]
          }
      ]
  }
  

  KMS Policy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "kms:GetPublicKey",
                  "kms:Decrypt",
                  "kms:Encrypt",
                  "kms:GenerateDataKey",
                  "kms:DescribeKey",
                  "kms:Verify"
              ],
              "Resource": [
                  "arn:aws:kms:eu-west-1:${AWS::AccountId}:key/<KEY_NAME>",
                  "arn:aws:kms:eu-west-1:${AWS::AccountId}:alias/<ALIAS_NAME>"
              ]
          },
          {
              "Sid": "VisualEditor1",
              "Effect": "Allow",
              "Action": [
                  "kms:ListKeys",
                  "kms:GenerateRandom",
                  "kms:ListAliases"
              ],
              "Resource": "*"
          }
      ]
  }
  

  SNS Policy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sns:Publish",
              "Resource": "arn:aws:sns:eu-west-1:${AWS::AccountId}:Emory-Topic-Name"
          }
      ]
  }
  
  

  AssumeRole Policy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AssumeCrossAccountRole",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<REMOTE_AWS_ACCOUNT_ID>:role/<RemoteRole>"
          }
      ]
  }
  
  

  • Attach Policy to EC2

    Ensure that the IAM Policies have been added to the EC2 instance profile of your SAP Database server.

    Additional Information. Follow the guidelines described in the following guide to do it.

• Remote Role Trusted Settings #

  If you want to access to other AWS Account Resources (S3 & KMS or SNS Topic), after generating the IAM policies on remote account, you have to attach them to a Role that will be accessed from your EC2 Instances via STS:AssumeRole.

  The role to be used on remote account must have a Trust Relationship that allow the resources to be accesed from remote Role, the one that you attach to your Database EC2 Instances.

  Trust RelationShip entity

  {
  "Version": "2012-10-17",
  "Statement": [
      {
      "Sid": "TrustingPolicy",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::<DATABASE_SERVER_AWS_ACCOUNT>:role/<EC2InstanceRole>"
      },
      "Action": "sts:AssumeRole"
      }
  ]
  }