Before installing the Agent

Prerequisites

Before you can start using Emory as your backup solution, ensure that you have a Linke Console account with an active contract or trial, and that your AWS account and the EC2 instance where your SAP Database is running are prepared to be used as the storage provider.


1. Create your Linke Console Account

To create a new account, access the Linke Console and “Sign up” by following the steps described in the Account Creation Section.
Linke Console's Auth Sections

Create account in the Linke Console.


2. Check Supported Operating Systems

Check the following list for the supported versions of your SAP Database platform.


3. Prepare your AWS Account

Ensure Best Performance. For the best backup performance, it is highly recommended to set up S3 Private Endpoints on the VPC where your EC2 instance is running (there is no additional charge for using a gateway endpoint). To check that you are using an endpoint, see S3 Endpoints.

Before you can start performing your backups using Emory, ensure that the following resources exist in your EC2 instance.

  • S3 Bucket

    Ensure that the bucket where your backups will be stored already exists.

    Amazon S3 Bucket. If you don’t have an S3 Bucket yet, follow the guidelines described in the following guide to create one.

  • IAM Policy

    Create or modify an IAM Policy to meet Emory requirements.

    Amazon IAM Policies. If you need additional information, follow the guidelines described in the following guide to create/modify one.

    Permission List

    | AWS Service | AWS Permission | Description | Resource |
    |---|---|---|---|
    | EC2 | ec2:DescribeRegions | List all available AWS Regions from the Configuration Wizard | * |
    | EC2 | ec2:DescribeInstances | Retrieve EC2 Instance tags to be sent to LinkeIT Console (Optional) | * |
    | S3 | s3:ListAllMyBuckets | List all Buckets in AWS Account from the Configuration Wizard | * |
    | S3 | s3:HeadBucket | List all CloudFront distributions. | * |
    | S3 | s3:* | Allow all operations in the bucket | "arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*" |
    | KMS | kms:ListKeys | List all load balancers. | * |
    | KMS | kms:ListAliases | Get the name of the S3 bucket containing ELB access logs. | * |
    | KMS | kms:GetPublicKey, kms:GenerateDataKey, kms:Decrypt, kms:Encrypt, kms:GetKeyPolicy | Encrypt and decrypt your backups | <kms_key_arn> |
    | SNS | sns:Publish | Inform about failed backups via AWS Simple Notification Service | <sns_topic_arn> |
    | STS | sts:AssumeRole | Assume a Role from other AWS account | <role_arn> |

  • IAM Policy templates

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:HeadBucket"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>/*",
                    "arn:aws:s3:::<YOUR_BUCKET_NAME>"
                ]
            }
        ]
    }
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "kms:GetPublicKey",
                    "kms:Decrypt",
                    "kms:Encrypt",
                    "kms:GenerateDataKey",
                    "kms:DescribeKey",
                    "kms:Verify"
                ],
                "Resource": [
                    "arn:aws:kms:eu-west-1:${AWS::AccountId}:key/<KEY_NAME>",
                    "arn:aws:kms:eu-west-1:${AWS::AccountId}:alias/<ALIAS_NAME>"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "kms:ListKeys",
                    "kms:GenerateRandom",
                    "kms:ListAliases"
                ],
                "Resource": "*"
            }
        ]
    }
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sns:Publish",
                "Resource": "arn:aws:sns:eu-west-1:${AWS::AccountId}:Emory-Topic-Name"
            }
        ]
    }
    
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeCrossAccountRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<REMOTE_AWS_ACCOUNT_ID>:role/<RemoteRole>"
            }
        ]
    }
    
    
    • Attach Policy to EC2

      Ensure that the IAM Policies have been added to the EC2 instance profile of your SAP Database server.

      Additional Information. Follow the guidelines described in the following guide to do it.
  • Remote Role Trusted Settings

    If you want to access resources in another AWS account (S3 and KMS, or an SNS topic), generate the IAM policies in the remote account and then attach them to a role that your EC2 instances will assume via STS:AssumeRole.

    The role used in the remote account must have a Trust Relationship that allows its resources to be accessed from the remote role, that is, the one that you attach to your Database EC2 instances.

    Trust Relationship entity

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TrustingPolicy",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<DATABASE_SERVER_AWS_ACCOUNT>:role/<EC2InstanceRole>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
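The permission list and the trust relationship above both depend on scoping: bucket, key, topic and role permissions are tied to specific ARNs, and the remote role trusts one instance role. The following check is an added example, not part of Emory or the Linke documentation, that flags a filled-in policy where that scoping was lost. The function names, the account ID `111122223333` and the role name are constructed for illustration.

```python
from fnmatch import fnmatchcase

# From the page's permission list: actions it allows on Resource "*" ...
GLOBAL_OK = {"ec2:describeregions", "ec2:describeinstances", "s3:listallmybuckets",
             "s3:headbucket", "kms:listkeys", "kms:listaliases"}
# ... and actions it ties to one bucket, key, topic or role ARN.
SCOPED = ["s3:*", "kms:getpublickey", "kms:generatedatakey", "kms:decrypt",
          "kms:encrypt", "kms:getkeypolicy", "sns:publish", "sts:assumerole"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_identity_policy(policy):
    """Flag Allow statements granting a page-scoped action on Resource "*"."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        for action in (a.lower() for a in _as_list(st.get("Action", []))):
            if action in GLOBAL_OK:
                continue
            # Wildcards can sit on either side: "s3:*" vs "s3:getobject", "*" vs "kms:decrypt".
            if any(fnmatchcase(s, action) or fnmatchcase(action, s) for s in SCOPED):
                findings.append(f"{st.get('Sid', '?')}: {action} on Resource *")
    return findings

def audit_trust_policy(trust, expected_role_arn):
    """Flag trusted AWS principals other than the expected EC2 instance role."""
    findings = []
    for st in _as_list(trust["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        findings += [f"{st.get('Sid', '?')}: trusts {a}" for a in arns if a != expected_role_arn]
    return findings

# Constructed sample input: the page's S3 statement with Resource widened to "*",
# and its trust policy pointed at the account root instead of the instance role.
ROLE = "arn:aws:iam::111122223333:role/ExampleEc2InstanceRole"
WIDE_S3 = {"Statement": [{"Sid": "VisualEditor1", "Effect": "Allow",
                          "Action": "s3:*", "Resource": "*"}]}
ROOT_TRUST = {"Statement": [{"Sid": "TrustingPolicy", "Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    print(audit_identity_policy(WIDE_S3))
    print(audit_trust_policy(ROOT_TRUST, ROLE))
```

The templates as written on this page, with the placeholders filled in, produce no findings from either function.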