AWS Security ChangesHomeSearch

AWS sap medium security documentation change

Service: sap · 2025-04-25 · Security-related medium

File: sap/latest/sap-hana/automated-patching.md

Summary

Multiple updates including IAM policy syntax corrections, added Secrets Manager sharing documentation link, formatting improvements, and procedure simplifications

Security assessment

The change replaces 'AWS' with '{aws}' in IAM policy examples, correcting a potential misconfiguration where the policy might have unintentionally referenced the root account. This ensures proper role-based access control. The added link to Secrets Manager cross-account sharing documentation directly enhances security guidance. These changes address security best practices for least privilege and secure secret management.

Diff

diff --git a/sap/latest/sap-hana/automated-patching.md b/sap/latest/sap-hana/automated-patching.md
index 8cf6c6bfc..bf3f96c19 100644
--- a//sap/latest/sap-hana/automated-patching.md
+++ b//sap/latest/sap-hana/automated-patching.md
@@ -5 +5 @@
-SAP referencesArchitecturePrerequisitesSSM automation documentAWS servicesPreparations to run the documentTroubleshootVersion reporting
+SAP referencesArchitecturePrerequisitesSSM automation documentAWS servicesPrepare to run the SSM automation documentTroubleshootSAP HANA version reporting
@@ -59 +59 @@ The automation account can be a production account running SAP workloads or a de
-![Diagram of an automation account connected to the child AWS accounts that host Amazon EC2 instances running SAP HANA workloads.](/images/sap/latest/sap-hana/images/automated-patching-architecture.jpg)
+![Diagram of an automation account connected to the child accounts that host Amazon EC2 instances running SAP HANA workloads.](/images/sap/latest/sap-hana/images/automated-patching-architecture.jpg)
@@ -80 +80,14 @@ The sample code interacts with the following AWS services to run the SSM automat
-Services
+###### Topics
+
+  * Amazon S3
+
+  * Amazon EC2
+
+  * AWS Identity and Access Management
+
+  * AWS Secrets Manager
+
+  * AWS Key Management Service
+
+
+
@@ -97 +110 @@ An Amazon S3 bucket can be used to store all the SAP HANA software media contain
-Store the SAP media in a compressed `.SAR` file. The SSM automation document extracts information from this file when you choose to download SAP HANA media from Amazon S3.
+Store the SAP media in a compressed `–0—SAR` file. The SSM automation document extracts information from this file when you choose to download SAP HANA media from Amazon S3.
@@ -101 +114 @@ The bucket can reside in a Shared Services account and can be shared with all AW
-**Software** | **Version** | **Revision** | **Patch** | **Amazon S3 path**  
+​ **Software** |  **Version** |  **Revision** |  **Patch** |  **Amazon S3 path**  
@@ -130 +143 @@ The following policy is an example Amazon S3 bucket policy that grants access to
-                    "AWS": "arn:aws:iam::{account_id}:role/service-role/{ec2_role}"
+                    "{aws}": "arn:aws:iam::{account_id}:role/service-role/{ec2_role}"
@@ -187 +198 @@ AWS Secrets Manager is used to store the parameters of the SAP HANA database tha
-Sharing the secrets across different accounts requires additional permissions. For more information, see [How do I share AWS Secrets Manager secrets between AWS accounts?]()
+Sharing the secrets across different accounts requires additional permissions. For more information, see [How do I share AWS Secrets Manager secrets between AWS accounts?](https://repost.aws/knowledge-center/secrets-manager-share-between-accounts)
@@ -191 +202 @@ The following table shows the example secrets created in the Shared Services acc
-**Secret name** | **Secret key** | **Secret value**  
+​ **Secret name** |  **Secret key** |  **Secret value**  
@@ -217 +228 @@ The following is an example policy that is assigned to a Secret, granting access
-          "AWS" : "arn:aws:iam::{sap_workloads_account_id}:role/service-role/{ec2_role}"
+          "{aws}" : "arn:aws:iam::{sap_workloads_account_id}:role/service-role/{ec2_role}"
@@ -252,3 +262 @@ Follow these steps to see the status of each SSM automation.
-  1. Open console.aws.amazon.com.
-
-  2. Go to AWS Systems Manager.
+  1. Open the [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager).
@@ -256 +264 @@ Follow these steps to see the status of each SSM automation.
-  3. On the left navigation pane, select **Automation**.
+  2. On the left navigation pane, select **Automation**.
@@ -258 +266 @@ Follow these steps to see the status of each SSM automation.
-  4. Select **Configure preferences** > **Executions**.
+  3. Select **Configure preferences** > **Executions**.
@@ -260 +268 @@ Follow these steps to see the status of each SSM automation.
-  5. You can see the status of your SSM automations in the **Automation executions** section.
+  4. You can see the status of your SSM automations in the **Automation executions** section.
@@ -288 +296 @@ You must set up IAM permissions for the Amazon S3 bucket. The following is a sam
-                    "AWS": "arn:aws:iam::{account_id}:role/service-role/{ec2_role}"
+                    "{aws}": "arn:aws:iam::{account_id}:role/service-role/{ec2_role}"