AWS sap high security documentation change
Summary
Added note about AWS STS connectivity requirements for private subnets
Security assessment
Documents critical security requirement for VPC endpoints/NAT gateways to maintain secure credential validation without internet exposure, preventing backup failures that could impact data integrity
Diff
diff --git a/sap/latest/sap-AnyDB/ase-backint-preprequisites.md b/sap/latest/sap-AnyDB/ase-backint-preprequisites.md index 8c33d3ad2..9843db35b 100644 --- a//sap/latest/sap-AnyDB/ase-backint-preprequisites.md +++ b//sap/latest/sap-AnyDB/ase-backint-preprequisites.md @@ -70,0 +71,6 @@ For more information about managed and inline policies, see the [IAM User Guide] +###### Note + +###### AWS STS connectivity requirement + +AWS Backint Agent for SAP ASE validates credentials by calling AWS Security Token Service (AWS STS) during initialization. If your SAP ASE instance runs in a private subnet without internet access, make sure that your instance can reach the AWS STS endpoint. Use an interface virtual private cloud (VPC) endpoint (service name: `com.amazonaws._< region>_.sts`) or a network address translation (NAT) gateway. For more information, see [Using AWS STS interface VPC endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts_vpce.html). +