AWS Security ChangesHomeSearch

AWS sap high security documentation change

Service: sap · 2026-07-04 · Security-related high

File: sap/latest/sap-AnyDB/ase-backint-preprequisites.md

Summary

Added note about AWS STS connectivity requirements for private subnets

Security assessment

Documents critical security requirement for VPC endpoints/NAT gateways to maintain secure credential validation without internet exposure, preventing backup failures that could impact data integrity

Diff

diff --git a/sap/latest/sap-AnyDB/ase-backint-preprequisites.md b/sap/latest/sap-AnyDB/ase-backint-preprequisites.md
index 8c33d3ad2..9843db35b 100644
--- a//sap/latest/sap-AnyDB/ase-backint-preprequisites.md
+++ b//sap/latest/sap-AnyDB/ase-backint-preprequisites.md
@@ -70,0 +71,6 @@ For more information about managed and inline policies, see the [IAM User Guide]
+###### Note
+
+###### AWS STS connectivity requirement
+
+AWS Backint Agent for SAP ASE validates credentials by calling AWS Security Token Service (AWS STS) during initialization. If your SAP ASE instance runs in a private subnet without internet access, make sure that your instance can reach the AWS STS endpoint. Use an interface virtual private cloud (VPC) endpoint (service name: `com.amazonaws._< region>_.sts`) or a network address translation (NAT) gateway. For more information, see [Using AWS STS interface VPC endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts_vpce.html).
+