SAP on AWS
Security & Compliance for SAP on AWS
25 flashcards
What is AWS Config, and what are its proactive vs detective evaluation modes?
Into which three perimeter categories do AWS services fall, by their relationship to your VPC?
What is Amazon Macie, and how does it help protect SAP-related data privacy?
How can you query the compliance status of specific SAP resources beyond the AWS Config dashboard?
What are the native ways to encrypt SAP data at rest on AWS?
Which access protocols can serve as the identity federator (IdF) in SAP SSO, and with which products?
Why can't you secure customer-facing SAP applications with SGs/NACLs alone, and what do you use instead?
How does segregation of duties protect SAP backup assets on AWS?
How do you protect SAP data in transit on AWS, and which service manages the certificates?
How does the authorization model in AWS fundamentally differ from a conventional data center?
How does a multi-account strategy improve security for SAP workloads on AWS?
What is Amazon Inspector, and what does it scan for SAP workloads on AWS?
What is the difference between AWS Network Reachability Analyzer (NRA) and Network Access Analyzer (NAA)?
What protection does Amazon EBS encryption add beyond encrypting data, in terms of instance context?
What are the four entity roles in an SAP SSO configuration, and which one orchestrates trust?
How do you keep platform services (accessed via an ENI) and software services (public-endpoint) off the public internet?
What is an AWS Config conformance pack, and why use one for SAP governance?
What is AWS Security Hub, and against which standards does it assess your environment?
What are the two ways to set up SSO for SAP GUI, and what limitation applies to SAP Secure Login Service for GUI (SLSG)?
How is internet access controlled for infrastructure services (EC2/EBS) deployed in a VPC, and what decides whether a subnet is public?
What is the confused-deputy risk with service roles, and how does the PassRole action help on AWS?
How do AWS KMS key control policies add a second layer of protection for encrypted SAP data?
What is Amazon Detective, and what does it build to find the root cause of a security incident?
How can you make a delegated (AssumeRole) access automatically expire on AWS?
What is Amazon GuardDuty, and which data sources does it analyze for SAP-on-AWS threat detection?