Creating a secure foundation for SAP on AWS - AWS Virtual Workshop

AWS allows you to strengthen the security posture of SAP workloads by providing comprehensive, industry-leading security and compliance controls. In this session, we will start by walking through AWS security essentials for SAP applications. Then, you will select an OS image from AWS Marketplace and put your learnings into practice to harden the image in accordance with a CIS level 1 benchmark before deployment, including account-level settings, encryption, security groups, router configuration, and more.

What you learn in Episode 1:
* AWS security fundamentals for SAP applications.
* Selecting an OS Image from AWS Marketplace to support your S/4HANA deployment.
* Hardening the image to meet AWS security best practices.

☁️ AWS Online Tech Talks cover a wide range of topics and expertise levels through technical deep dives, demos, customer examples, and live Q&A with AWS experts. Builders can choose from bite-sized 15-minute sessions, insightful fireside chats, immersive virtual workshops, interactive office hours, or watch on-demand tech talks at your own pace. Join us to fuel your learning journey with AWS.


Content

3.07 -> [Music]
9.599 -> thank you so much and hello everyone
11.92 -> good afternoon
13.28 -> my name is rajpath and i will be leading
15.44 -> the first session of today's
16.96 -> presentation
18.24 -> along with me i also have sunil yado
20.72 -> who's going to share some best practices
23.039 -> around how to harden the ami before you
27.279 -> deploy an s/4hana solution
29.76 -> this is actually a three-day event today
32.239 -> we are going to talk about how you can
33.84 -> secure the aws foundation to get your
37.36 -> sap s/4hana workload ready for the
39.6 -> migration
40.719 -> tomorrow my friend and my colleague
43.84 -> is going to demonstrate how you can
45.6 -> architect and deploy an s/4hana system on
48.64 -> aws using a tool called aws launch
52.32 -> wizard
53.52 -> and on the episode 3
57.44 -> we will be sharing how you can migrate
59.68 -> and optimize s/4hana workload on
62.16 -> aws
63.52 -> um by following some best practices and
66 -> recommendations uh from from again from
69.04 -> italy yeah
73.76 -> so what we are going to learn today
75.84 -> uh before we start building the s/4hana
78.96 -> solutions on aws we would like to cover
82.159 -> some aws security fundamentals right and
85.36 -> how you can utilize an out of the box
88.08 -> aws solutions to provide an ability to
91.68 -> control
92.72 -> those security requirements um
94.799 -> automatically right
96.479 -> and
97.68 -> after that sunil is going to demonstrate
100.479 -> how you can select an operating system
102.799 -> from the aws marketplace and then harden
106 -> it according to the cis standards and
108.88 -> sunil is also going to share uh some
111.6 -> best practices and recommendations
113.84 -> around how you can utilize aws services
116.56 -> like ssm
118.24 -> to further uh
120.719 -> operate your sap workloads more securely
126.399 -> so with aws you control where you your
129.36 -> data is stored and who can access it and
132.319 -> what resources your organization is
135.04 -> consuming at any given moment
137.36 -> uh fine grain auditing and uh identity
140.4 -> and access controls combined with
142.64 -> continuous monitoring for near real-time
145.52 -> security information ensures that
148.56 -> the right resources have the right
150.64 -> access at all times
152.56 -> whenever your information wherever your
154.8 -> information is stored and you do have an
157.36 -> ability to automatically secure tasks on
160.319 -> aws and that enables you to be more
163.519 -> secure by reducing human configuration
166.319 -> errors
167.2 -> and giving your team more time to focus
169.519 -> on other work that is critical
172.319 -> to your business
174.48 -> selecting from a wide variety of deeply
177.599 -> integrated solutions that can be
179.76 -> combined to automate tasks in normal
182.48 -> ways making it easier for your security
185.44 -> team to work closely
187.519 -> with developer and operations team to
190.159 -> create and deploy code faster and more
192.64 -> securely
193.92 -> now we do govern uh the aws platform by
198.72 -> providing a higher standard for privacy
201.12 -> and data security and we are all in
204.64 -> vigilant about your privacy now with aws
208.56 -> you can build on the most secure global
211.28 -> infrastructure
212.48 -> knowing you always own your data
214.72 -> including the ability to encrypt it move
217.28 -> it and manage retention
219.84 -> all data flowing across the aws global
222.959 -> network that interconnects our data
226.08 -> centers
227.28 -> and
228.319 -> and
229.04 -> regions
230.08 -> is automatically encrypted at the
232.159 -> physical layer before it leaves our
234.879 -> secure facilities
236.72 -> and with that said let me move to the
238.64 -> next slide
245.76 -> one of the way that
247.28 -> we actually help our customers
249.92 -> is to follow a roadmap right so sap
253.599 -> journey to aws is not a one-team
256.079 -> responsibility now implementing security
258.72 -> controls at aws infrastructure operating
261.68 -> system database and at sap application
264.96 -> has usually been part of any sap
267.36 -> products whether it's a fresh sap
269.919 -> implementation a data center exit a
272.639 -> transformation project or even a lift
274.96 -> and shift migration projects
276.88 -> understanding your organization's
278.88 -> security controls and aligning it to uh
282.639 -> design and development practice should
285.6 -> be included in the project plan
288.08 -> and here is an example on how aws assist
291.759 -> sap customers to implement security
294.4 -> controls as part of the sap projects
297.759 -> a general understanding of implementing
300.32 -> security is not only to configure
303.039 -> monitoring tools but also implement
305.68 -> tools like
307.52 -> implement controls like dr strategies
310.4 -> change control incident problem
312.32 -> management backup recovery solutions and
315.199 -> also build the run books to prepare for
317.44 -> the worst
318.479 -> now identifying the gaps in the security
320.8 -> controls and understanding the risk for
323.52 -> those gaps to your business should be at
326.4 -> the top priority list to prepare your
328.4 -> enterprise against a security
331.44 -> vulnerabilities and threats like
333.44 -> ransomware
334.8 -> software vulnerabilities or even
336.8 -> distributed denial of service attacks
339.68 -> applying the abol engagement model
342.479 -> has helped several sap on aws customers
346 -> to build their sap on aws
348.88 -> security best practices and by
351.039 -> implementing the controls by design
353.759 -> now for next one hour myself and sunil
356.8 -> is going to provide demos and how to how
360.319 -> to tutorials uh to tackle few of the
362.8 -> machine security controls by design and
365.36 -> leveraging the power of infrastructure
366.96 -> as code at scale
375.36 -> all right so aws provides several
377.52 -> services to implement standards uh as
380.24 -> well as a
381.759 -> customer defined security control for
384.24 -> sap workloads now going from top to the
387.44 -> bottom of the screen aws cloud formation
390.96 -> service enables customers to write their
393.84 -> own infrastructure as code in either
396.479 -> of json or yaml format language
399.52 -> and then aws cloudformation
402.08 -> also offers the ability to launch the
404.88 -> templates using api access
407.44 -> even to further uh innovate and
410.08 -> integrate the solutions based on your
412.08 -> organization needs now building sap
414.639 -> systems on aws
416.639 -> involves a lot of services right so if
419.599 -> you start from ec2 we have 96 type of
422.639 -> ec2 instances that you can select from
425.199 -> to launch your sap workload um to handle
427.919 -> the compute requirements right
430.4 -> and those workloads could be or the
432.56 -> compute power could be memory optimized
435.12 -> compute optimize or even a general
437.919 -> purpose ec2 instances along with that
440.88 -> you also have the ability to select five
443.199 -> different type of storages
445.52 -> from a service ebs elastic block store
449.68 -> and also we have services like s3
452.8 -> who can actually retain your data based
454.56 -> on
455.44 -> the enterprise data retention
457.12 -> requirements
458.56 -> and
459.44 -> along with that you have vpc
461.599 -> subnets route tables aws data provider
465.52 -> backint tool elastic file systems and
468.639 -> many other services that customers can
471.039 -> leverage for building those secure
472.96 -> environment on aws
474.96 -> now going through this entire list of
477.199 -> services and automating those services
480.72 -> using services like aws cloud formation
483.44 -> could be a tedious task and we are
486.16 -> talking about a heavy time and
488.24 -> development effort not only doing the
490.72 -> initial software development lifecycle
493.44 -> part of it but also from the management
495.68 -> point of view and supporting those
498 -> infrastructure as code could be
499.52 -> another challenge
500.96 -> so to simplify that requirement um and
505.199 -> based on our customer feedback we have
508.08 -> launched aws launch wizard for sap
510.8 -> service which enables the sap customers
513.919 -> to configure the required aws services
516.88 -> according to sap and aws best practices
520 -> and recommendation
521.44 -> and if customer would like aws launch
524.8 -> wizard also configures the operating
527.12 -> system and installs the sap application
530.399 -> in either standard distributed or high
533.519 -> availability configuration
535.44 -> launch wizard supports deploying sap
538.08 -> netweaver and latest s4hana application
541.12 -> on either suse or red hat operating
543.6 -> system now with a single plane of
546.08 -> inserting all sap configuration
548.56 -> in aws console customers can store
552.48 -> common input values in the form of
554.88 -> configuration files and utilize that to
557.68 -> launch several sap systems in matter of
559.76 -> hours now my colleague bidwan and
562.16 -> rozelle are going to demo how sap on aws
565.44 -> customers are leveraging this service to
568.32 -> simply simplify their sap system build
570.959 -> process
572.08 -> at a scale which is covered tomorrow
581.279 -> now sap customer has access to this 45
584.399 -> services to tackle the most demanding
586.88 -> security requirements to run sap on aws
590.56 -> now based upon how you configure these
592.64 -> services it can help you to identify
596 -> protect detect respond and recover
599.2 -> security incidents automatically
601.68 -> now it could be even semi-automatically
604.399 -> or manually as well
606.16 -> for example you can utilize services
609.04 -> like identity and access management to
611.76 -> define fine-grained security controls at
614.72 -> aws resource level
616.88 -> and then you can create customer managed
619.279 -> key through a key management service
622.64 -> and which is right here
625.36 -> which has the ability to define who as a
628.399 -> user or as a service can manage the key
631.68 -> and decrypt encrypt and decrypt the data
634.32 -> not only within that aws environment or
636.959 -> account but also other aws accounts as
640 -> well
640.8 -> now you can also utilize aws web
643.6 -> application firewall service
647.279 -> that you can actually put it in front of
649.6 -> alb
650.72 -> which can protect sap web application
653.04 -> servers against common attacks like sql
656.32 -> injection or cross-site scripting even
659.36 -> before the request hits the alb
662.079 -> now a good starting point to understand
664.56 -> this entire services and how these
666.88 -> various services can help you or your
669.519 -> organization to meet the security
671.36 -> requirements would be to review the
673.76 -> frequently asked sessions uh uh sorry
676.399 -> frequently asked uh questions section of
679.279 -> the individual aws services web pages
682.16 -> now today i'm going to cover
684.399 -> an interesting feature of how you can
686.72 -> utilize aws config service um and that
690.16 -> feature you may or may not be discovered
692.32 -> have discovered so far
697.12 -> so what is aws config service right so
700.16 -> first of all it's a native uh serverless
703.36 -> aws service which is actually available
706 -> through the console right and aws config
709.36 -> service enables you to access audit and
713.279 -> evaluate the configuration of your aws
716 -> resources
717.2 -> now config continuously monitors and
720.639 -> records your aws resource configuration
723.6 -> and allows you to automate the
726.32 -> evaluation of recorded configuration
729.2 -> then it compares uh an event with what
732.88 -> you have configured and then provides
735.2 -> you a notification uh in the form of an
737.68 -> sns topic event right
739.92 -> so it's pretty easy service to be
742.72 -> that you can actually enable
744.399 -> uh to secure your most of the regulatory
748.48 -> requirements uh by design right
756.56 -> now there are several benefits that
758.24 -> customer have already realized by
760.56 -> enabling aws config service and the
763.279 -> first which is very interesting is
765.12 -> continuous monitoring you can
767.12 -> continuously monitor and record
769.6 -> configuration changes of aws resources
772.8 -> and third-party resources or even custom
775.36 -> resource type
776.72 -> such as on-premise service
778.88 -> now inventory the aws resources and
782.079 -> third-party resources and configuration
784.72 -> of aws resources
787.04 -> and you can also
789.2 -> monitor
790.24 -> a software configuration within the ec2
792.8 -> instance as well
795.12 -> through the continuous assessment you
797.36 -> can continuously audit and assess
800.639 -> overall compliance of your aws resource
803.12 -> configuration
804.399 -> um and if there is a deviation
806.639 -> you can trigger an sns notifications and
810.56 -> have a cloudwatch event whenever a
813.2 -> resource configuration or any
815.12 -> configuration change deviates from the
817.6 -> rules
818.56 -> um in the change management piece you
820.8 -> can track relationship among the
823.6 -> resources and review resource
826 -> dependencies among them now there is
829.68 -> another advantage of using aws config
832.959 -> service is to have that central uh
835.519 -> monitoring capabilities through a
839.12 -> feature known as data aggregation so if
841.6 -> you have multiple aws accounts that are
844 -> deployed
845.12 -> and you have multiple regions where your
846.959 -> data is residing you can actually
848.959 -> utilize the data aggregation service and
851.44 -> you can view the compliance data across
853.6 -> the enterprise and identify the
855.839 -> non-compliant resources
860.079 -> and this is how aws config service works
862.959 -> so once you define your rules
866.079 -> config
867.44 -> will identify any change that is
870.32 -> actually
871.279 -> has been introduced to your aws account
874 -> and then aws config
876.24 -> will compare that change with how that
879.36 -> change should look like through
881.519 -> the rules that you have defined in aws
883.44 -> config service now if there are any
885.839 -> deviation
887.279 -> in terms of the change or change of the
889.519 -> resource um aws config service will
892.88 -> notify you through an sns topic right as a
896.16 -> matter of fact that configuration
898.399 -> changes that are being identified by aws
901.839 -> config are normalized and the data are
905.12 -> actually put in a consistent format
907.839 -> either on amazon s3 as a service as well
911.6 -> and those events are also captured in
913.839 -> aws uh sorry amazon cloud watch
918.959 -> now one of the interesting topic about
920.8 -> this is like you may have
922.72 -> 50 or even 100 security controls
925.76 -> you can define your custom aws uh config
929.04 -> rules for
930.48 -> monitoring those controls but just like
933.279 -> how deploying an sap system without the
936 -> launch wizard is is going to be
937.839 -> cumbersome applying those security
939.92 -> controls would be also very tedious and
943.199 -> a more complex task to assist our
946 -> customers we have actually
948.88 -> enabled a service called conformance
951.36 -> packs which are actually part of aws
953.68 -> config service
955.04 -> that are bundled um
958 -> that are actually
959.44 -> offers you a bundled service of sorry
962.32 -> security rules that you can enable with
964.88 -> just few click within aws console so
968.24 -> what is conformance pack
970.32 -> conformance packs are a collection of aws
973.36 -> config rules
974.72 -> and remediation and
976.88 -> remediation actions
979.04 -> as a single entity
981.36 -> uh for an example you have an um a
984.56 -> config rule which says that i want to
987.12 -> secure my security group making sure
989.759 -> that it's not um opened up
992.72 -> widely um a
996.959 -> those are not open up widely um and uh
1000.24 -> it only allows a certain ip address
1002.24 -> range to have access on the sap servers
1005.199 -> right
1006 -> so you can actually um
1008.72 -> create an aws config rule and then uh
1011.92 -> you can enable that in the aws console
1014.8 -> uh to have that restriction now there
1017.12 -> are multiple of other rules that you can
1019.68 -> actually configure and uh one of the way
1022.56 -> of course is to do that would be through
1024.72 -> conformance pack which which actually
1027.039 -> bundles all those secured uh config
1029.76 -> rules together
1031.199 -> uh following certain standards of
1033.919 -> certain industry standards like cis
1035.919 -> benchmark right and
1038.4 -> another benefit of using conformance
1040.48 -> packs um is that those are actually
1042.959 -> immutable so you cannot make any changes
1045.76 -> as a package once you deploy them right
1048.4 -> and if you have deployed those uh
1050.559 -> conformance packs using organization
1053.36 -> master account uh individual member of
1056.32 -> those master account cannot have will
1058.72 -> not have permission to modify them now
1061.12 -> again this is only a simple template
1064.48 -> on top of this you can actually define
1066.64 -> your own config rules and create custom
1069.52 -> conformance packs based on your security
1071.84 -> requirement
1073.84 -> so i'm going to walk you through a
1075.76 -> simple way of how you can actually
1078.32 -> enable conformance pack please feel free
1081.039 -> to uh follow along with me if you
1083.76 -> already are on aws console
1086.16 -> so
1086.96 -> the service is actually available in aws
1089.76 -> config so within the console if you just
1092.88 -> type aws config and then click on this
1095.76 -> config service
1097.6 -> it will take you to this page
1100.799 -> and over here
1102.72 -> you click on conformance packs
1105.84 -> and once you click on the conformance
1107.84 -> pack
1110.32 -> you will see
1113.28 -> this page
1115.12 -> but you will see a link
1118.559 -> excuse me
1120.4 -> which says deploy conformance pack
1127.6 -> and then it will take you to this screen
1130.96 -> where you will see
1132.32 -> a
1133.12 -> list of all the example templates and in
1135.76 -> this case it's actually for the cis
1138.16 -> benchmark
1139.6 -> and in that one
1142.24 -> you will see
1144.72 -> all the cis benchmark or best practices
1149.6 -> that you can actually select
1153.76 -> and then you click on next button
1160.08 -> and here you will select a use sample
1162.88 -> template and then you will select the
1165.52 -> operation best practices template that
1167.679 -> we just
1168.72 -> reviewed in the previous screen
1174.799 -> you can name the conformance pack the
1176.72 -> way you want in this case i just named
1179.52 -> it as aws
1181.2 -> hyphen cis hyphen v1
1184.48 -> and then click next
1189.52 -> here is a summary of all the
1190.88 -> configuration that you have selected so
1194.08 -> in
1195.12 -> in this case we are deploying the
1197.039 -> operational best practices template
1200.32 -> which will configure this aws account
1203.28 -> according to the cis standards level one
1206.48 -> right
1207.28 -> now this conformance pack is only going
1209.84 -> to uh provide the best practices for the
1212.799 -> aws resources
1214.72 -> but my colleague sunil yado is going to
1218.159 -> demonstrate how you can implement the
1220.24 -> cis benchmark at the operating system
1222.88 -> level as well
1224.88 -> through
1225.84 -> the services like ec2 image builder right they
1228.88 -> migrated
1231.36 -> now once you deploy the conformance pack
1233.52 -> in your aws account
1237.28 -> you will see this screen where it will
1239.039 -> say that the deployment of that conformance
1241.76 -> pack is actually in progress
1246.32 -> and soon after a few minutes
1249.2 -> you will see
1250.48 -> that that conformance pack is now
1253.84 -> deployed and you now have
1256.799 -> the uh some of your aws resources which
1260.48 -> are marked as non-compliant
1262.96 -> now this is again according to the cis
1266.08 -> level one benchmarks um you are enabling
1269.36 -> that that best practice for the aws
1272.08 -> resources that you have launched in this
1274.32 -> specific aws account
1279.12 -> now when you click on
1280.96 -> that
1282.96 -> conformance pack to find out more
1284.96 -> details about which resources are not
1287.6 -> compliant
1290.08 -> you will come to this screen
1291.84 -> now here in the search
1294.64 -> button or search session
1297.039 -> you can actually provide additional
1299.039 -> filter criteria
1300.559 -> one of being
1302 -> want to list out all the non-compliant
1304.08 -> resources that are launched in this aws
1306.72 -> account
1307.6 -> so by this time compliance and clicking
1310.799 -> up clicking on non-compliant resource
1314.24 -> or
1315.28 -> our page
1316.4 -> you can actually now list which are all
1318.799 -> the resources that are not compliant
1320.799 -> right
1323.84 -> and
1324.88 -> if you want to filter down based on say
1327.52 -> aws services you can also just type the
1330.4 -> service name in case ec2 for an example
1333.84 -> um and one of the pre-configured
1335.76 -> compliant rule is to make sure that all
1338.48 -> the ebs volume that you have launched in
1340.88 -> that aws accounts are encrypted right so
1344.799 -> if you have launched an ebs volume uh
1347.84 -> without providing any default key or
1350.32 -> custom managed key then
1352.88 -> that resource will be marked as
1354.799 -> non-compliant and it will appear in the
1357.2 -> screen
1358.159 -> so
1358.88 -> of course there are a lot of other
1360.159 -> things that we can talk about whenever
1362.159 -> we talk about conformance pack um
1365.039 -> now security groups for example are
1367.44 -> another very good example that i
1368.96 -> provided earlier along with that you
1371.2 -> have s3 so if you want to restrict the
1374 -> s3 access making sure that only certain
1377.44 -> ip addresses have the access to the s3
1379.6 -> bucket you can actually define that in
1382.08 -> the aws config as well along with that
1384.96 -> you want to make sure that you have iam
1386.88 -> roles which are restricted as well so
1389.52 -> you can even create um additional custom
1392.559 -> config rule and utilize or utilize a
1395.44 -> standard best practices conformance
1397.52 -> packs
1398.48 -> that can also provide you that ability
1401.52 -> now um i would not be going into more
1404.4 -> detail so let me switch a little uh
1407.28 -> switch the gear a little bit
1409.2 -> and talk about how this conformance
1411.039 -> packs can help you out in your sap
1413.84 -> journey right
1415.2 -> so i just provided a few conformance
1418.32 -> pack templates but we have almost 59 out
1421.279 -> there
1422.32 -> to satisfy various type of requirements
1425.36 -> so for example if you are in healthcare
1428.24 -> and life science industries
1430.72 -> you do need to follow the fda 21 cfr
1433.919 -> part 11 requirements we do have an
1436.559 -> operational best practices template that
1439.12 -> actually can enable those controls
1441.2 -> within your aws accounts if your
1444.559 -> workloads requires pci dss compliance
1448.64 -> you can leverage the operational best
1450.559 -> practices that are offered by pci dss
1453.6 -> template
1454.559 -> now again this is just a starting point
1457.36 -> to get you going
1459.36 -> i would strongly advise you to not
1461.44 -> enable that in your production account
1463.76 -> uh try to do that in a non-production or
1466.08 -> a qc account because some of these
1468.72 -> config packs sorry conformance packs
1471.76 -> will have the ability to even perform
1474.96 -> the remediation actions automatically as
1477.679 -> well
1478.48 -> which is actually sometimes really
1480.159 -> beneficial but not in a non-tested
1484 -> environment right
1485.6 -> so in terms of sap workloads these are
1488.24 -> the list of aws services which may be
1491.679 -> able to get benefited by enabling the
1494.64 -> conformance pack so for example you
1497.36 -> have an iam policy that you have created
1500 -> for the sap
1501.36 -> ec2 instance you want to make sure that
1504.08 -> that iam policy doesn't have elevated
1506.4 -> actions a very simple example is you
1510 -> might have an iam role you have created
1512.72 -> an instance profile role out of it and
1515.679 -> you might have given a terminate ec2
1517.919 -> instance to that specific iam role so if
1521.279 -> you attach that iam role to any of the
1523.279 -> ec2 instance you may be
1525.919 -> allowing any operating system user to
1527.919 -> terminate the ec2 instances
1530.88 -> that specific example you can actually
1533.679 -> control that through the conformance
1535.44 -> pack or creating your own aws config
1538.799 -> rule so if you end up having that iam
1541.12 -> policy even before creating that kind of
1543.84 -> policies
1545.36 -> the aws config will not allow
1548.159 -> and
1549.52 -> simply terminate or delete that specific
1552.159 -> iam role
1553.36 -> now another example is a subnets so
1557.279 -> uh you may want to create an aws config
1559.52 -> rule to not allow the end users to
1562.72 -> launch an ec2 instance in a public
1564.96 -> subnet right so if somebody goes ahead
1567.919 -> and launches any instance then aws
1570.559 -> config service will be will get the
1572.559 -> notification it will check that event
1575.36 -> with what you have configured and it can
1577.919 -> even stop or even terminate that ec2
1580.159 -> instance um the other example is of
1582.88 -> course an uh ami right so you want to
1586.159 -> make sure that whenever an sap
1590.159 -> user or a platform team launches an ec2
1593.919 -> instance they're only allowed to launch
1596.32 -> through a specific ami id right not a
1599.44 -> direct ami that is available through
1601.6 -> marketplace which are not hardened right
1604.64 -> so you can create an aws config rule
1607.12 -> that will allow you to select that
1609.76 -> specific ami id and if somebody launches
1613.52 -> an am launches an ec2 uh with a
1616.72 -> different ami id then
1618.799 -> aws config will
1620.559 -> not allow it or at least terminate that
1622.32 -> ec2 instance right
1624.48 -> of course on the storage side you want
1625.919 -> to make sure you're encrypting your ebs
1628.159 -> s3 and efs service right so uh
1631.44 -> conformance packs will enable that
1633.2 -> configuration by default so these are a
1636 -> few of the examples on how you can use
1639.2 -> the conformance packs to implement those
1641.679 -> security controls by design
1647.039 -> now
1647.76 -> of course we put this all things
1649.36 -> together and
1651.2 -> once we have enabled it we want to see
1653.52 -> what is the final product right so let's
1656.88 -> think about a hypothetical scenario
1659.44 -> where you have actually received an sns
1662 -> notification from aws config service
1664.88 -> um alerting you on something happen on
1667.6 -> ec2 instance right
1669.6 -> so let's walk through that scenario and
1672.159 -> uh understand how conformance packs and
1674.96 -> aws config service can help you to
1677.84 -> triage that specific device and
1679.84 -> understand what went wrong what action
1682.32 -> aws config service might can do
1685.12 -> to remediate that security incident
1688.72 -> so with that said
1690.799 -> again please follow me if you can
1694.159 -> the session that we are trying to cover
1696.24 -> here is what how you can actually
1698.96 -> identify
1700.159 -> a resource that went from a compliant
1702.88 -> member to a non-compliant member and
1705.36 -> again to the compliance member right and
1707.679 -> you're looking for a resource timeline
1710.24 -> which provides you
1711.679 -> more auditing and analytic capabilities
1714.559 -> to understand that entire incident right
1718.159 -> so
1719.2 -> um within the aws config service
1721.919 -> you can click on resources and in the
1724.88 -> resources you can filter by an ec2
1727.84 -> instance right
1729.679 -> and then
1730.799 -> once you do that you will see all the
1732.96 -> resource identifiers that are
1736 -> that satisfies this filter criteria
1739.039 -> right
1739.84 -> so in here when you filter it by the
1742.799 -> amazon or sorry aws ec2 instance
1746.32 -> here you will see all the instance ids
1748.72 -> and one of the instance id is actually
1750.88 -> marked as non-compliant
1753.039 -> so let's click on that ec2 instance to
1755.84 -> find out what went wrong
1758.799 -> now once you click on that you can see
1761.52 -> that sorry you can see more details
1763.76 -> about that ec2 instance you can see the
1766.08 -> instance id you can also see which
1768.96 -> availability zone it belongs to what
1770.88 -> type of ec2 instance it is
1773.679 -> and then with more details you can also
1777.36 -> find out what happened to that ec2
1779.6 -> instance through resource timeline
1788.72 -> once you click on the resource timeline
1791.12 -> you will see
1792.399 -> that till 12:10:42 that resource was
1795.919 -> actually compliant
1797.44 -> and at 12:11:03
1800.32 -> something happened that caused that
1802.24 -> resource to be non-compliant
1804.399 -> now you can actually expand this
1806.64 -> specific event and see what happened
1809.44 -> which caused that resource to become
1811.6 -> non-compliant
1814.48 -> so when you click when you expand that
1816.399 -> specific event
1818.08 -> you notice that
1820.159 -> somebody actually attached a public ip
1822.559 -> address to that ec2 instance and that
1825.44 -> public ip address is actually also
1827.44 -> available here right
1829.84 -> and what aws config then noticed that
1833.12 -> okay
1834.08 -> then we removed that specific public ip
1836.72 -> address and the ec2 instance was
1839.679 -> actually stopped right
1846.88 -> so that's one example of
1849.12 -> finding out what went wrong
1851.36 -> when that specific event occurred what
1853.919 -> actions were performed to bring that
1856.399 -> specific resource in a compliant manner
1859.44 -> so again this is just an example you can
1862.08 -> think about many other examples where
1864.559 -> the aws config service can help you to
1866.799 -> implement the security controls
1869.039 -> based on your
1870.88 -> enterprise level security requirements
1874.32 -> so let's
1875.84 -> dive deep into
1878 -> another feature of the aws config
1880.159 -> service which is advanced queries
1883.2 -> so
1883.919 -> one of the i would say benefit of
1886.48 -> combining most of the
1888.72 -> repeated events
1890.72 -> would be writing your own query right so
1894.24 -> you can actually write your own query to
1897.2 -> identify any deviation
1899.44 -> or to find out like list of aws
1902.32 -> resources that are repeatedly being
1904.88 -> queried right so this is just an example
1908.559 -> for an example you are looking for how
1910.559 -> many ebs volumes that are unused and
1913.76 -> that are not attached to any ec2
1915.519 -> instances
1916.64 -> so you can actually write that specific
1918.96 -> query save it in the advanced queries
1922.399 -> and then utilize it for generating the
1924.96 -> reports so let me show you how
1927.919 -> you can actually utilize a simple ec2
1930.96 -> instance query right so you can in the
1933.36 -> query editor you write this uh
1936.24 -> simple query uh selecting the resource
1938.799 -> id resource name uh what tags are
1941.6 -> availability zone and then you can put
1944.399 -> a where condition to identify what type of
1946.64 -> resource you're looking for
1948.799 -> and you're looking for the state as well
1951.36 -> um so in this case we are looking for
1953.44 -> all these ec2 instances that have a
1955.36 -> status of running right and once you
1958.399 -> execute that query you will have all the
1960.96 -> list of ec2 instances that are running
1964.159 -> in that um aws account so this is again
1967.6 -> just an example uh to get you started so
1971.2 -> uh i would encourage you to look into
1973.36 -> the aws config rules and create your own
1976.64 -> custom rule
1978 -> by
1979.279 -> identifying your own security
1980.96 -> requirements and then
1983.2 -> of course we have played here in just
1985.36 -> one aws account but most of the time
1988.559 -> this controls
1990.32 -> the audit requirements and most of the
1992.48 -> compliance requirements are usually
1994.799 -> governed in the central account right or
1997.519 -> central security account
1999.279 -> now we can always talk about so many
2001.76 -> things
2003.12 -> but this all topics around a landing
2006.159 -> zone and building a secure vpc requires
2010.08 -> its own time
2011.36 -> and uh
2012.799 -> at this moment actually i would like to
2015.44 -> hand it over to sunil to carry this
2018.32 -> presentation uh with providing more
2020.96 -> details around how customer can use ec2
2024.24 -> instance builder or sorry ec2 image
2027.2 -> builder
2028.24 -> to harden the amis
2030.159 -> so
2030.96 -> i would like to hand it over to sunil
2032.72 -> now and thanks for joining today's
2034.399 -> presentation so hello everyone i'm sunil
2037.279 -> yadav uh i'm sap principal consultant at
2039.76 -> aws professional services and uh part of
2042.96 -> our sap global specialty practice team
2046.159 -> and uh for our last five years i had the
2048.56 -> opportunity to work with the multiple
2050.32 -> customers in their exciting journey to
2053.04 -> aws and today i'll be specifically
2055.44 -> talking about two of the services they
2057.44 -> use uh one is the ec2 image builder
2060.159 -> and the second one is the session
2061.599 -> manager so let's get started
2068.159 -> okay
2068.96 -> so uh about ec2 image builder uh
2071.76 -> this this service is a managed service
2074.079 -> and
2075.04 -> it it automatically lets you create
2077.839 -> your images
2079.28 -> and basically it automates the pipeline
2081.359 -> for you without you writing any code for
2083.919 -> the automation
2085.2 -> however you can write some code to
2087.04 -> customize as you're going to see in the
2088.8 -> demo following that
2090.32 -> but it significantly reduces your effort
2092.079 -> required to create and maintain any
2094.079 -> golden images uh without writing or
2096.079 -> maintaining any automation so if you're
2097.839 -> using image builder you can create these
2100.64 -> pipelines through a wizard in aws
2102.56 -> console
2103.599 -> and when any software updates become
2105.599 -> available or a new image available or if
2107.76 -> your source images changes
2109.92 -> you can trigger this pipeline again
2112.24 -> which is gonna repeat this whole process
2113.839 -> automatically for you
2115.599 -> but you still have the control if you
2117.2 -> don't want to run it automatically you
2118.64 -> can still do it manually
2120.88 -> or you can have some other you know like
2124 -> like scheduling like for example every
2125.76 -> month every quarter or when some other
2128 -> image available as i mentioned before
2131.04 -> so with this
2132.16 -> ec2 image builder
2133.76 -> it also comes with a lot of built-in
2136.4 -> automation for validation
2138.56 -> which which basically
2140.16 -> you know make sure that you can deploy
2142.4 -> some very high quality images to your
2145.2 -> production and and those validations
2148.16 -> include our standard uh standard
2150.72 -> components and you can also add your own
2153.04 -> specific validation that's in case you
2155.04 -> are adding your own
2156.4 -> custom software there
2159.359 -> um so the the approach we are taking
2161.68 -> there like with all these automations
2163.28 -> and consistency uh this also allows you
2166.079 -> to make sure that you're maintaining a
2167.92 -> consistent security and uh to throw
2170.8 -> throughout this build process
2172.4 -> and in case uh you know you have to meet
2174.48 -> your internal security criteria and
2176.48 -> document and make the logs available for
2178.56 -> auditing uh it provides that uh
2180.48 -> functionality as well
2182.24 -> so
2183.28 -> you can actually you know connect to
2184.8 -> multiple other services while you're
2186.96 -> building uh these images you can
2189.04 -> leverage let's say some files from s3 or
2191.599 -> you can put the logs out back
2194.32 -> um and if you are especially looking for
2196.96 -> some predefined security standards like
2199.2 -> you know security technical
2200.4 -> implementation guide stig very common
2202.88 -> with the uh like department of defense
2205.52 -> what they are using if you only leverage
2207.28 -> those standards uh they're all coming
2209.359 -> out of the box and we're gonna see like
2210.96 -> you know how you can select those as
2212.48 -> well
2213.359 -> um
2215.44 -> then the next part is the uh that it
2218.56 -> also simplifies sharing of your images
2220.72 -> across aws accounts and not just
2222.56 -> accounts like you can actually specify
2224.24 -> which region and which accounts you want
2225.92 -> to distribute so like when you start
2228.8 -> your journey you might think of uh
2230.8 -> having like a simple account structure
2233.44 -> but normally uh for the enhanced
2235.52 -> security if you are going through our
2237.44 -> landing zone service or control tower
2239.2 -> service that gives you a structured
2241.44 -> layer of different accounts and normally
2243.92 -> you deploy this ec2 image builder in
2245.92 -> your like shared services account or
2247.52 -> some other account dedicated for your ci
2249.76 -> cd pipelines or automations so from
2252.48 -> there once these images are built
2254.96 -> you can decide where you want to
2256.88 -> distribute so let's say from here there
2258.64 -> you can distribute it to your uh other
2260.8 -> accounts like dev qa production sap
2262.88 -> accounts and then you can also control
2264.8 -> who's allowed to launch these
2267.28 -> amis
2269.04 -> and finally uh you know the same
2271.04 -> workflow and the same approach uh it it
2273.359 -> works for both the virtual machine
2275.28 -> images and also for container images so
2277.52 -> in case you are using containers uh for
2279.839 -> some other say non-sap applications you
2282.64 -> can use a very similar approach where
2284.8 -> you go and build your very baseline
2286.96 -> image which could be for sap and known
2288.88 -> sap both and then on top of it you can
2292.32 -> you know execute some additional steps
2293.92 -> which are more sap specific
2299.68 -> okay
2303.04 -> so uh this is the flow uh we we just uh
2306.16 -> talked about briefly but normally uh in
2308.48 -> ec2 manager uh ec2 image builder
2310.8 -> you're going to start with a source
2312.16 -> image and so one key requirement for
2314.72 -> this source image is that uh it it must
2317.04 -> have an
2318.079 -> systems manager uh ssm agent installed
2321.119 -> so we're gonna talk about systems
2322.32 -> manager in a little bit after this one
2324.4 -> but this is also our managed service
2326.16 -> which allows you know you to automate a
2328.24 -> lot of things on your operations backups
2330.72 -> and uh you know anything you want to run
2332.48 -> on the operating system side
2334.32 -> so
2335.04 -> but the key requirement there is the ssm
2336.64 -> agent has to be
2338 -> there as part of that image and we're
2339.599 -> gonna i'm gonna show you how you can
2341.44 -> overcome that limitation because uh like
2343.599 -> let's say if you're using a red hat for
2345.359 -> sap
2346.4 -> uh image from the marketplace it doesn't
2348.56 -> come pre-installed it comes with bare
2350.48 -> minimal uh you know things you need so
2353.2 -> you can actually add that agent as a
2355.28 -> part of your build process
2357.359 -> so so basically the first step is to
2358.88 -> pick that image uh source image which
2360.88 -> you want to customize and the next step
2362.88 -> is you're gonna add your um
2365.359 -> like your customized software let's say
2367.2 -> if you have some security packages or
2369.359 -> any additional packages which are not
2371.119 -> part of the base image you can add those
2372.96 -> here
2374 -> and once you have that custom software
2376.32 -> added like those agents or
2379.359 -> you know your own packages you can go to
2381.44 -> the next step which is the the build uh
2384 -> build phase and actually just adding the
2385.76 -> package software is also part of the
2387.359 -> build phase and this is where you can
2389.839 -> use uh our custom temp your own custom
2392.64 -> templates or the templates
2395.44 -> provided by the aws so there are some
2398 -> standard as i mentioned about the stig
2399.44 -> component before those are available uh
2402.079 -> natively as part of this uh ec2 image
2404.72 -> builder so you can just pick it up from
2406.319 -> there and other things could be let's
2407.839 -> say if you want to install aws cli so
2410 -> you can just go and pick that component
2411.52 -> you don't have to write any code or you
2413.44 -> know customize that one because that's a
2415.2 -> very predefined um
2417.52 -> predefined setup there
2419.52 -> then once you're done with your build
2420.96 -> phase you go to the test phase and and
2423.76 -> of course you want to make sure that
2424.8 -> whatever you're building it's um
2426.88 -> it's uh it's validated and it's
2428.64 -> compliant because as things change in
2430.72 -> future like new uh new images coming so
2433.52 -> the same thing may not work so you don't
2435.2 -> want to distribute any images which
2437.28 -> which are not validated so you go and
2439.2 -> validate those images and the last part
2442.319 -> is to distribute so this is where you
2444 -> can select which other regions which
2446.079 -> accounts it can go
2448 -> and if if it is like you know if you
2449.839 -> need the same images in the same account
2451.599 -> then you you don't have to do anything
2452.88 -> you just pick the default setting and it
2454.8 -> just makes the image available in that
2456.24 -> same account
2459.28 -> now uh so raj explain about like you
2461.359 -> know the cis level one benchmarks and
2463.52 -> how you can achieve it using the aws
2466.4 -> config and conformance packs for the aws
2468.72 -> infrastructure and services uh but uh
2471.2 -> the one part we did not cover there was
2473.599 -> like how you make sure that the same cis
2476.16 -> level one benchmark and met for your
2477.68 -> operating system as well so so that part
2480.4 -> uh we're gonna and with this example i'm
2482.88 -> gonna show you how you can actually
2484.56 -> automate that
2485.92 -> and of course you can you know this is a
2487.68 -> predefined standard so you can get most
2489.44 -> of these scripts ready uh and you know
2492.56 -> it's
2493.28 -> available publicly as well in some git
2495.44 -> repositories or you can write your own
2497.68 -> uh but
2498.8 -> you can also go and you know add and
2500.56 -> customize that you know if you want if
2502.16 -> you don't want specif
2504 -> items which don't work with your
2505.359 -> application you can disable those so in
2507.44 -> this case we're going to use a custom
2508.88 -> script and just to give an example of
2511.119 -> how
2512.56 -> how this you know cis level 1 benchmark
2515.599 -> all this looks like on the left hand
2516.88 -> side you can see here
2518.48 -> i have these different numbers like 1.1
2521.76 -> section for file system configuration
2524.079 -> and then you go further deep into that
2525.92 -> 1.1.1
2527.76 -> and so they basically define what is
2529.76 -> that particular check or compliance is
2532.4 -> and then this is like a big list of
2535.68 -> items it goes all the way up like six
2537.52 -> point two point twenty so i'm just
2539.28 -> showing you the end page of it so it is
2541.839 -> pretty pretty long and this guide itself
2544 -> from where i took this snapshot you can
2545.52 -> see it's like more than 400 pages uh but
2548 -> i'm gonna give you like a little bit
2549.119 -> taste of what it looks like so let's
2550.88 -> pull up the very first control so you
2552.88 -> can see right so it shows uh right at
2554.88 -> the top the um
2557.44 -> like you know which which control we are
2559.2 -> referring to and then the important part
2561.04 -> is the profile adaptability so it says
2563.119 -> cis level one so it means that if you
2565.28 -> are trying to meet um
2567.359 -> the uh the level one benchmark you must
2570.24 -> implement that it is a requirement right
2572.72 -> so uh similarly in the right hand side
2574.64 -> you can see like one point one point one
2576.4 -> two it says uh level two so if you are
2579.359 -> implementing only up to a level one this
2581.2 -> is optional you can skip that one but if
2583.119 -> you are doing level two then you must
2584.72 -> meet one and two both
2587.2 -> um
2588.079 -> so
2589.119 -> the first thing is like the audit part
2590.56 -> or audit part is basically how do you
2592.56 -> check whether your system meets that
2594.079 -> requirement or not so let's say you
2596 -> build the automation and then you you
2598.319 -> still want to validate that okay is it
2600.4 -> meeting existing images meeting the
2602.24 -> requirement or not existing servers
2604.079 -> whatever you are running are they still
2605.28 -> meet the requirement you're going to use
2606.64 -> the commands from the audit
2608.72 -> and uh these commands tell you they
2611.28 -> don't change anything they just tell you
2612.72 -> the current status and then what is the
2614.48 -> expected outcome right and then on the
2616.88 -> right hand side you can see there's a
2618.079 -> remediation part so this is like if you
2620.4 -> put some flag saying that okay i don't
2622 -> want to just check but i also want to
2624.079 -> fix it if something is found then you
2625.68 -> can use the code for the remediation as
2627.52 -> well
2629.119 -> and this is all uh documented in cis if
2631.599 -> you go to the cis benchmarks you can
2633.28 -> find all that information
2635.28 -> uh this is an example of how the same
2638.24 -> controls we just saw on the on the
2639.92 -> previous slide how they are implemented
2641.52 -> and this is a very simple bash script so
2644 -> you can see uh it's very well documented
2646.319 -> just to
2647.44 -> for a new you know anyone who's coming
2649.28 -> across this one for them to know what we
2651.2 -> are checking how we are checking which
2652.96 -> control it is referring to so the
2654.319 -> numbers match exactly to what was in the
2656.4 -> definition of those controls and then
2658.96 -> again uh
2660.319 -> i'm just showing the start and end of
2661.839 -> the script so again it's like more than
2663.599 -> 600 lines of code there
2665.599 -> uh so it's it's pretty small compared to
2667.68 -> that we have kind of implemented all the
2670.64 -> level one
2671.76 -> uh going through those uh 400 pages of
2674.48 -> that guide okay now we're gonna dive a
2677.76 -> bit deeper into uh like how to work
2680.72 -> through the ec2 image builder so you can
2683.44 -> go to our uh you know console search for
2686.24 -> ec2 image builder and then you come
2688.24 -> across this particular screen here now
2690.96 -> in this one the right one left left hand
2693.119 -> side at the top you can see um you know
2695.28 -> like image pipelines so if you click on
2697.52 -> that it's gonna start a wizard but in
2699.04 -> the wizard uh you know it's gonna say
2701.28 -> okay basically you're customizing it
2703.44 -> right so for your requirements so it
2706.079 -> might say okay you know if you're just
2707.599 -> selecting all aws provided components
2709.68 -> you can just start the wizard select
2711.28 -> whatever you need and you can just
2712.64 -> finish nothing additional required but
2714.72 -> let's say if you want to add your own
2716.079 -> custom
2717.2 -> custom checks or or you know custom
2719.839 -> built components like what we're going
2721.359 -> to do here in the cis level 1 benchmark
2724.319 -> you're going to add your own component
2725.839 -> there so for that we need to create that
2727.52 -> component first so we're going to create
2730.079 -> this component and it's very simple you
2732.64 -> can just you know go through this uh
2734.319 -> like this template and it says okay
2736.319 -> we're gonna it's for the build phase uh
2738.8 -> so that's the very first thing we do the
2740.4 -> name and the um the build phase and then
2744.24 -> uh you can see the name and you can pick
2746.319 -> any name there which uh
2748.079 -> meets this
2750.079 -> requirement and then the action so we
2752.56 -> are saying it's an execute bash so
2754.24 -> that's why it's a bash script we are
2755.92 -> trying to execute now where is that
2757.599 -> script so we don't want to hardcode the
2759.52 -> script in the image because then you
2762 -> can't modify without launching an
2763.68 -> instance and you don't want to do that
2764.88 -> again and again so it could be at your
2766.48 -> central repository it could be in your
2768 -> git or some other place
2770.079 -> and for our
2771.359 -> purposes we just use a very simple
2773.359 -> mechanism where it's we're just pulling
2775.2 -> a script from the s3 bucket so in future
2777.2 -> if you want to make uh you know comment
2778.96 -> out something or delete something or
2780.56 -> make changes you can directly go and do
2783.04 -> it there as well
2784.48 -> so in this case we are downloading an s3
2786.96 -> file from an s3 and then we are just
2788.319 -> executing it so that's our component for
2790.48 -> cis level benchmark the same script we
2792.24 -> just saw
2794.64 -> okay now
2796.079 -> uh the other question the wizard is
2798.079 -> going to ask you so we're kind of
2799.52 -> answering some of the questions which
2800.88 -> might be in the wizard it's going to
2802.16 -> ask you okay where you want to execute
2804.319 -> this pipeline so there's a very simple
2806.96 -> option there it says use default
2808.48 -> settings which is just going to execute
2809.92 -> in your default vpc and you know pick up
2812.319 -> any uh like you all the defaults but if
2815.119 -> you want to customize that then you can
2816.56 -> create your infrastructure configuration
2818.64 -> so that's what we have created so this
2820.4 -> infrastructure configuration you can go
2822.56 -> and you can see what what we have
2823.839 -> selected so we have selected an uh like
2826.16 -> a vpc so all these orange ones so vpc we
2830.16 -> selected a security group we selected a
2832.24 -> key pair you're gonna use uh for that
2834.319 -> instance this is an ec2 key pair uh
2836.319 -> you can also define which instance type
2838.319 -> you wanna use so
2840.16 -> like again you don't wanna use like a t2
2842.319 -> micro or something if you want your
2844.48 -> images to be fast and and it also varies
2846.8 -> depending upon how much work is being
2848.559 -> done during the image build process
2850.16 -> right so if you if there's something uh
2852.559 -> you know like
2853.68 -> um i'll say
2855.44 -> more cpu intensive uh kind of stuff then
2858 -> you can add a higher level instance
2860.319 -> like c5 large or something in between
2863.359 -> right so you can pick an instance type
2865.28 -> that's the point here
2866.72 -> and then uh you can also select your vpc
2869.04 -> subnet that we already talked so let's
2871.04 -> go to the next one so that that is
2872.88 -> pretty much defining your
2874.96 -> um
2877.68 -> like your uh
2880.8 -> the infrastructure
2882.8 -> the other thing which is here is um oh
2885.76 -> sorry actually you know this is oh i'm
2888.319 -> sorry this is actually the recipe uh
2890.559 -> we're gonna talk about that this
2891.92 -> comforts again but this is actually the
2893.359 -> recipe uh so in the recipe uh this is
2896.079 -> what executes at the start
2898.839 -> so uh well at the start means like when
2901.2 -> the ec2 instance launches and then um
2904.64 -> then it's going to execute this part so
2906.24 -> the first part is the user data part
2907.92 -> here so the user data you can like as i
2910.319 -> mentioned right the ssm agent we are
2912.319 -> talking about so this image doesn't have
2914.72 -> the ssm agent so what i have in the user
2916.8 -> data code is the actual uh code to
2919.68 -> install uh
2921.599 -> ssm agent right at the start
2924.16 -> and then
2926.079 -> it will be installed before any other
2927.599 -> steps are executed
2929.359 -> and then uh when you go in the recipe
2931.599 -> like where you can select the components
2933.68 -> um so you can select some existing
2935.44 -> components you can see the screen at the
2937.44 -> bottom that there are some two
2938.88 -> components like aws cli and then there's
2942.48 -> another one like simple boot test for
2944.48 -> linux so the first component is for our
2946.48 -> build phase provided by amazon and then
2948.64 -> we added our custom component this is
2950.319 -> the component we built uh in previous uh
2952.72 -> you know just before starting this
2954.079 -> recipe we created a component right for
2956.24 -> our um
2958.24 -> the one we were downloading the s3 file
2959.92 -> so that particular component so you can
2962 -> have just pre-select that component
2963.839 -> which is already there and the third one
2965.599 -> we added to have the uh build uh the
2968.16 -> testing keys and we're gonna see this in
2970.079 -> a bit more detail
2973.68 -> okay so
2975.52 -> here again you can you know see uh
2978.16 -> like when you when you choose uh start
2980.4 -> the pipeline you can choose your uh
2982.319 -> recipe like which recipe we have created
2984.96 -> and in that you can see like the same
2987.28 -> thing is popping up here again uh the
2989.28 -> recipe we just created
2990.96 -> and then here you can see in the
2992.4 -> component section so there are two build
2994 -> components down here
2995.92 -> so it um it basically let me turn on the
3000.16 -> pointer it will be much easier
3004.8 -> okay so this is the part i'm referring
3006.64 -> to the component so there are two build
3008.24 -> components aws cli we're gonna install
3010.319 -> that and then the cis level one
3012.16 -> benchmark which we just created using
3014.319 -> that uh bash script and then for the
3016.48 -> testing we're providing another
3017.599 -> component simple boot test so this could
3019.839 -> be a many like more complicated tests
3022 -> where you're actually running the same
3023.68 -> cis level benchmark script but in a like
3026.16 -> a audit mode where you're actually
3028.319 -> seeing if all those are in place or not
3031.28 -> um but at a minimum you want to make
3033.28 -> sure that whatever image you're building
3034.64 -> it's bootable that the server comes up
3037.119 -> or not so we did this one here and then
3040.079 -> other things um you know
3043.119 -> i mean you can go to the like you know
3044.88 -> next one so i'll show you that
3049.68 -> yeah so
3064.48 -> yeah so this is the infrastructure
3066.319 -> screen which comes
3067.68 -> comes later on this so we already
3069.52 -> created an infrastructure where we
3070.8 -> define the vpc um so you can select that
3073.76 -> existing configuration as a pcis
3076 -> infrastructure configuration and then
3078.8 -> or you can you know if you want to like
3081.44 -> create your own then you can even select
3083.359 -> this create distribution or settings
3085.2 -> using default that is for the next phase
3086.8 -> the after the infrastructure you can
3088.64 -> select the distribution settings in this
3090.16 -> case we're just distributing to a
3091.44 -> specific region uh is one and then it
3094.559 -> won't be shared with any other account
3096 -> it will be available only in that
3097.28 -> particular account
3102.559 -> okay
3103.599 -> um
3104.96 -> now that our image has created uh you
3107.359 -> have um so when you're creating this
3109.599 -> pipeline so not the image when you're
3111.04 -> creating the pipeline it's gonna ask you
3112.559 -> about uh you wanna execute it
3114.8 -> automatically uh at a predefined
3116.96 -> schedule or through some you can even
3119.28 -> execute it through some other uh you
3121.119 -> know some other events or you can
3123.44 -> actually have it manually run or so this
3126.8 -> manual option will always be there so
3128.72 -> let's say if you want to build some ad
3130.559 -> hoc image like right now for example you
3132.559 -> can select that pipeline go to actions
3135.04 -> and click on run pipeline
3139.68 -> so once this pipeline starts running
3142.079 -> like after few minutes normally uh it
3144.24 -> will come to the status so you can see
3145.68 -> the status as building so once it is
3147.359 -> reaching to this build status so behind
3149.52 -> the scenes it's leveraging the systems
3151.52 -> manager
3152.64 -> and that's why like there was a
3153.76 -> requirement to have the ssm agent
3156.16 -> running
3157.359 -> on that particular image part of that
3159.44 -> image and this basically kicks off and
3162.319 -> whole ssm automation
3165.119 -> so after if you want to see like you
3166.88 -> know what's happening inside that if
3168.24 -> you're still curious then you know you
3169.839 -> can
3170.72 -> go to the systems manager
3173.28 -> and then
3174.48 -> you can go and click on this uh image
3177.92 -> here so sorry this execution id here and
3181.119 -> then this will actually take you to
3182.319 -> further details so you can see like
3183.839 -> there are multiple steps being executed
3185.68 -> and it shows you the overall status and
3187.76 -> how many steps have been executed or how
3189.599 -> many have succeeded
3191.04 -> and once this completes
3195.04 -> um it's gonna run for like i mean this
3196.96 -> particular one had like about 26 steps
3199.28 -> total it could have many more steps
3201.119 -> which may be skipped but what you need
3202.88 -> to look for is this overall status as
3204.4 -> success so once this is done then this
3207.44 -> build one is completed and you can see
3209.28 -> the step 21 right create image so it
3210.96 -> creates the image verifies and then it
3213.28 -> it it completes that one but now then
3215.359 -> it's going to kick off another one this
3216.88 -> is for the testing phase so you can see
3219.2 -> the builder image test image document
3220.88 -> this was the build image document so now
3222.559 -> the same thing you can go and check the
3223.92 -> details of that and look for the overall
3225.839 -> status to be successful
3227.52 -> which will tell that okay this has
3228.96 -> completed
3231.2 -> and then finally you can come back to
3232.64 -> your pipeline and you can see the status
3234.319 -> is now available on the output images
3236.559 -> section here
3237.839 -> and then if you go further
3239.839 -> into that images you can actually see
3241.599 -> the image id which it has created
3243.28 -> through this pipeline and then if you
3245.04 -> can go through these other types like
3246.16 -> distribution configuration distribution
3247.92 -> settings which is the same thing which
3249.44 -> we looked earlier and if you go back to
3252.559 -> our ec2 image images in your ec2 service
3255.599 -> there also you can see this newly
3257.119 -> created image now and now from this part
3259.599 -> you can actually like you know launch
3262.72 -> launch another ec2 instance or leverage
3264.96 -> it through easy to launch wizard that's
3266.8 -> what you're going to see tomorrow that
3269.28 -> how we can use launch wizard not to just
3271.44 -> you know pick up some standard images
3273.2 -> from marketplace but also uh you know
3276.079 -> your own custom images and this is how
3278.4 -> many of the customers do they don't just
3280.559 -> you know use unless like it is a kind of
3282.559 -> a very poc or test uh normally they
3285.599 -> harden those images before they use it
3287.2 -> for production environment
3290.079 -> so now we'll talk a little bit about
3291.76 -> systems manager um and then we'll go to
3293.839 -> the session manager which is again a
3295.359 -> specific feature inside systems manager
3298.96 -> so
3299.76 -> systems manager actually provides you
3301.28 -> the uh it's a managed service and it
3302.88 -> provides you out of the box support for
3304.96 -> a lot of automation and monitoring
3307.44 -> for your uh infrastructure
3309.839 -> and operations
3311.2 -> and it it can i mean most of these
3313.599 -> things you can build on your own but
3315.359 -> then if you use this session manager it
3318.319 -> can uh significantly reduce that time
3321.92 -> and and like as i mentioned right so you
3323.52 -> you you can have we have many
3325.92 -> like more than 60 uh
3328.559 -> ssm documents uh which are predefined
3331.2 -> for you like for example you want to
3332.4 -> create an image if you want to delete a
3333.839 -> snapshot or if you want to install a
3336.96 -> backint agent on your hana instances all
3339.119 -> those documents are already available
3340.559 -> for you and you can combine those
3342.48 -> documents and add your own some custom
3344.559 -> documents and create like some
3345.92 -> interesting automations um the systems
3348.4 -> manager you can also use to
3350.88 -> manage your hybrid environment it's not
3352.88 -> just aws you can actually add some
3355.2 -> servers from your on-prem or even run
3357.76 -> commands and scripts over there so you
3359.44 -> can have like a very central view of all
3361.52 -> of your inventory
3363.359 -> and then it also helps you maintain your
3365.28 -> security and compliance because these
3368 -> automations
3369.52 -> can give things uh like standard
3373.359 -> okay um so here uh we're gonna see like
3376.559 -> a lot of uh features of systems manager
3379.599 -> uh and i'm gonna point out some other
3381.28 -> we're not gonna go through all of these
3383.04 -> uh you know this this topic has been
3384.88 -> covered like in very big much detail in
3386.799 -> previous reinvents and you can easily
3388.64 -> find most of this information
3390.64 -> in our previous recordings but
3393.2 -> i'm going to highlight few things from
3394.96 -> this particular group that
3397.76 -> you can
3398.88 -> leverage this parameter store and i see
3401.04 -> many customers using it frequently uh
3403.359 -> they can use it to store some sensitive
3405.28 -> information like you know let's say your
3406.88 -> automation you want to refer to the uh
3409.119 -> your some passwords to be used what's
3411.04 -> the master password for unite your
3412.319 -> installation you want to use it only for
3413.839 -> installation but you don't want to
3415.28 -> provide that password like every time
3417.119 -> you can store it here similarly if you
3419.2 -> have some other you know like sap
3421.2 -> specific configurations like your sap
3423.119 -> sapsys group which remains constant like
3425.359 -> throughout your sap installations
3427.68 -> similarly sapinst group id so those
3429.92 -> things can be
3431.28 -> um you know managed from here
3434.319 -> and then you can look at the third
3436.48 -> section here the change management this
3438.079 -> is where you can define your change
3439.359 -> control maintenance windows so that in
3441.28 -> all the automations you're building like
3442.64 -> patching or
3444.16 -> you know like start start and stop of
3445.839 -> systems all that is done only during
3448.079 -> those specific uh
3449.839 -> maintenance windows and there's like a
3451.359 -> very complex workflow there if you want
3453.28 -> to you know integrate your approval
3454.88 -> mechanisms all that can be done
3457.04 -> and on the node management we have like
3459.68 -> again many features like inventory
3461.2 -> management run command is pretty useful
3463.839 -> uh using that you can execute some
3465.92 -> commands on multiple hosts at a time
3467.92 -> let's say if you have 50 servers you
3469.599 -> want to execute that okay let me check
3471.52 -> my kernel version
3473.2 -> of sap
3474.72 -> you can actually run a single command
3476.16 -> get the output from all at one click
3478.16 -> like one one run
3479.92 -> patch manager is there for patching
3482.4 -> um we're gonna talk more about the
3484.319 -> session manager in the coming slides so
3486.24 -> let's
3487.359 -> go there
3489.2 -> so
3490 -> one challenge we heard from many
3491.359 -> customers was that you know uh their ssh
3494.559 -> is it's required for most of the admin
3497.119 -> tasks like basically need to go to the
3498.64 -> server or even the infrastructure os
3500.559 -> team they need to manage some servers uh
3502.88 -> so they use uh
3504.72 -> like some kind of bastion hosts to get
3507.119 -> to that
3508.079 -> uh but with session manager it provides
3510.72 -> you like a one-click secure access to
3512.799 -> instances without the need to open any
3514.96 -> inbound port so you don't even have to
3516.24 -> open your port 22 which which is like
3519.2 -> crucial because if you are using you
3520.72 -> know your uh ssh you need to use like
3523.04 -> putty or some client and connect to port
3524.64 -> 22 but it has to be open but what if you
3526.64 -> don't want to even expose that one then
3528.4 -> you can use this one um and it also
3531.2 -> provides you like a centralized access
3533.04 -> to
3533.839 -> uh multiple instances through like a
3535.92 -> same mechanism so it's not that you have
3537.68 -> to keep going and adding multiple
3539.599 -> servers to your uh like clients and
3542.559 -> profiles every time those are built no
3544.559 -> you just get access to the aws console
3546.559 -> there you can define some permissions
3548.559 -> and then uh we can still control who can
3551.2 -> access what and with what user and to
3553.04 -> what level so although those general
3555.44 -> controls are still there we're gonna see
3557.04 -> some parameters for that but uh the
3559.599 -> point is it allows you to centrally
3561.52 -> manage all that access uh so only to
3563.92 -> care about is like how users
3565.52 -> authenticate to aws console and what
3568 -> permissions they have
3569.44 -> in the aws console and then finally it
3571.76 -> keeps track of all the commands your the
3573.68 -> users are executing so which makes the
3575.52 -> auditing like pretty easy you can run
3577.44 -> some queries using athena on top of that
3579.28 -> you can store in s3 bucket uh those logs
3581.839 -> and you can also store in the cloud
3583.28 -> watch
3585.04 -> so here's a like a quick um uh high
3587.68 -> level uh uh like workflow of how how
3590.24 -> session manager works so you you user
3593.04 -> normally gets authenticated first
3594.48 -> through your single sign on or some
3595.92 -> other mechanism to the aws console and
3597.839 -> then uh they they have the permissions
3600.319 -> defined by their iam roles
3602.24 -> and um
3604 -> and from there they connect to the
3605.52 -> session manager service now what's
3607.76 -> different here is that you don't
3608.88 -> directly connect to the ec2 instance uh
3611.28 -> instead you interact with the session
3612.64 -> manager service and it kind of
3614.64 -> emulates or you know simulates your ssh
3617.28 -> session so it will it will look and feel
3619.2 -> like an ssh session but nothing is
3621.28 -> actually going into the server so the
3623.76 -> ssm agent which is running there it
3625.52 -> continuously pulls our systems manager
3627.68 -> service and let's say if you run a
3628.799 -> command okay df -h right so
3632.24 -> now you're expecting that okay i want to
3633.76 -> see the file systems there so that
3635.359 -> command is there and then session this
3637.52 -> ssm agent pulls that command executes it
3639.52 -> whatever the output it does sends it
3640.96 -> back to the session manager and that's
3642.4 -> what you see on your screen
3643.92 -> and it's a very low latency process it's
3646.24 -> not that you're gonna you know wait for
3647.68 -> these things to happen so it's a very
3650.24 -> interactive i'll say and it happens
3652.799 -> mostly like in very close to real time
3655.119 -> so normally humans don't see that big
3657.28 -> lag uh even though it's going through
3660.16 -> multiple like you know hops like the
3661.76 -> session manager systems manager and then
3663.839 -> to the os coming back so yeah the
3665.76 -> packets are traveling a bit
3668.079 -> more than what you would expect but it's
3669.599 -> still very seamless now this is an
3671.92 -> example you talked about right so
3673.52 -> without session manager if you want to
3675.44 -> like i mean like what's what's not a
3677.599 -> good practice is to just open your
3679.119 -> servers to your whole network like
3681.04 -> whether someone needs access or not you
3682.4 -> just open 22 to the whole
3684.48 -> 10. network or some other network
3685.92 -> you have uh instead many customers are
3688.079 -> already taking initial steps to control
3690.24 -> that access where um they
3693.2 -> they go through uh you know they set up
3694.96 -> some bastion hosts and they only allow
3696.4 -> access from those bastion hosts
3701.119 -> so with session manager now you know you
3703.28 -> you just kind of cross out this whole
3705.68 -> block from here so from here you you
3708.16 -> know you just connect through session
3709.92 -> manager and then they connect directly
3711.52 -> to those servers so now you don't need
3713.68 -> to maintain that additional bastion also
3715.599 -> additional infrastructure if you have to
3716.96 -> keep secure and patch all those uh
3719.44 -> complexities are gone
3721.76 -> um now how we can just have some quick
3724.16 -> um you know like how it works um
3727.92 -> so you have an ssm agent running on the
3729.92 -> operating system and uh it runs on like
3733.28 -> so there's like a sudoers access so it
3735.359 -> kind of assumes uh you can control it
3737.599 -> and you can put it like non-privileged
3739.2 -> user as well but by default it assumes
3741.359 -> and it could run as uh
3743.68 -> it could execute commands as root as
3745.839 -> well uh so that's why you need some
3748 -> permissions in sudoers files in linux and
3750.88 -> uh it's that user ssm-user is added
3753.44 -> to the administrators group in the
3754.96 -> windows side so this session manager
3756.96 -> works for both windows and linux and on
3759.2 -> the windows side it's not going to give
3760.72 -> you that gui you know which you
3762.64 -> typically see through windows you know
3764.96 -> in the desktop
3766.799 -> rdp session but it's going to connect
3768.64 -> you to a powershell so
3770.64 -> on linux it connects you to your shell
3772.4 -> and then on the windows powershell so
3773.92 -> you'll still be able to execute command
3775.599 -> commands in the windows server
3777.599 -> and then um
3779.28 -> there are some iam users and roles which
3781.44 -> involve the session from the browser and
3783.76 -> then
3784.559 -> uh like
3786 -> the guest basically assumes that
3787.76 -> particular user which is defined of
3789.359 -> course you can change that one but all
3790.96 -> the commands are actually like when they
3792.88 -> reach to the operating system the ssm
3794.559 -> user is still there and then it executes
3796.559 -> on behalf of the user
3799.44 -> okay so this is just an example of the
3802.16 -> group membership
3805.039 -> on
3806.079 -> personal windows and now on linux
3808.559 -> now how you can restrict the access to
3810.4 -> this particular session so in windows
3812.4 -> it's pretty easy you can just go and
3814.16 -> change a different group membership if
3815.76 -> you are creating like a
3817.599 -> next image group then you can just add
3819.52 -> it there so that it won't execute
3821.44 -> anything as more privileged user on
3823.28 -> linux side you have two options and the
3825.839 -> first option is you can tag each iam
3828.319 -> user or the role they are using to
3829.92 -> connect um to a specific os level user
3833.44 -> so let's say the basis team or your os
3835.68 -> team has their own users and that's what
3837.359 -> we recommend actually to have their own
3838.96 -> users at the operating system and then
3840.72 -> just map that user to that particular uh
3843.2 -> user through some use of our tags uh so
3846 -> that way when they connect to some
3847.839 -> session manager they're gonna see
3849.76 -> uh like they'll be connecting as only
3851.359 -> that user and from that point onwards
3853.039 -> you can have give them sudo access to
3854.88 -> switch to sidadm user or the root or any
3857.52 -> other user uh the other option is let's
3860.319 -> see if you're running this uh ssm user
3862.4 -> as a non-privileged user and you have
3864.079 -> some other monitoring kind of you know
3866.16 -> users or who
3867.68 -> anyways you want to keep it like very
3869.52 -> simple and consistent you can actually
3871.2 -> set a different default device user for
3873.119 -> all iam users as well that's optional
3876.88 -> um now this is like way where you
3878.64 -> actually set it so you go to the systems
3880.4 -> manager session manager and preferences
3882.24 -> and this is where you can set this
3883.44 -> setting the second setting like which is
3885.119 -> enable run as a different user
3889.2 -> and then this is the first option so
3891.2 -> where you go and create a tag for each
3893.599 -> of those iam users or their specific
3896.16 -> roles on which user they can connect as
3902.24 -> yeah so yeah so we again like a summary
3904.72 -> of the steps we did so you can register
3906.799 -> your instances with systems manager
3908.559 -> which is done by like installing the ssm
3910.319 -> agent there
3911.44 -> then you create like an iam user or role
3913.92 -> which has permissions for session
3915.359 -> manager which is the second step
3917.599 -> then you go and establish a session
3919.119 -> through a browser or through um you know
3922.48 -> the cli option is also available it
3924 -> requires like a plug-in but you can
3925.359 -> connect to both linux and windows
3926.88 -> through that
3928.079 -> um
3929.359 -> your session history which is again
3930.96 -> stored in session manager so you can
3933.119 -> review that like when you connect it to
3935.2 -> how you connect it there and then it
3937.039 -> also stores your output into s3 which
3939.44 -> you can also put in the cloud watch log
3941.2 -> groups as well
3942.799 -> then you have the alerting mechanisms
3944.4 -> using sns and you know you can have some
3946.72 -> metrics you can have some alerts and for
3948.88 -> example if someone is switching to root
3950.4 -> you can have some alerts and there
3952.24 -> um you can have that kind of
3953.839 -> functionality as well
3955.28 -> and then you can also see the full
3956.48 -> transcript of all the commands they have
3957.92 -> executed
3959.52 -> this is the option to connect through
3961.28 -> session manager in systems managers you
3963.28 -> go to systems manager service and then
3964.64 -> select session manager
3966.24 -> and then you start this session
3969.28 -> similarly if you want to connect through
3970.64 -> the ec2 console
3973.599 -> this is the session where you're
3974.48 -> starting
3975.44 -> but you want to start with the
3978.319 -> easy to console this is another option
3981.28 -> so you go to the ec2 instances select
3983.52 -> instances select the instance you want
3985.2 -> to connect and then you can just click
3986.48 -> on the connect part
3989.2 -> but the outcome is still the same um
3994.559 -> so
3995.599 -> you can also use like cli as i mentioned
3997.76 -> earlier from your local workstation it
3999.68 -> just requires an additional plugin so
4001.039 -> you already have aws cli installed you can
4003.119 -> install the session manager plugin
4004.48 -> for that and then this is the command
4006.319 -> you can use start session target and put
4008.64 -> your instance id there it's gonna
4010.48 -> connect to that
4011.76 -> um we talked about like it works for
4013.76 -> both linux and windows and then you can
4016.16 -> have the full uh auditable reports
4018.4 -> available
4019.52 -> for later
4025.039 -> this is just the
4026.319 -> some of the same screenshots of you know
4028.64 -> how you can
4030.559 -> to see those
4031.839 -> sessions and logs and instances
4037.599 -> now this is the setting like we talked
4039.2 -> earlier about that you know where you
4041.039 -> could store your logs you can pick like
4043.2 -> you know the s3 bucket name where you
4044.88 -> want to store those
4046.319 -> and
4047.2 -> it's going to store like a copy of logs
4048.88 -> there and then it could also be at the
4051.599 -> cloud watch so the second option you can
4053.44 -> see is for the cloud watch
4055.119 -> so you can specify which group they
4056.88 -> should go to
4058.079 -> and what we recommend is that you know
4059.68 -> you send all these logs to your central
4062.64 -> uh log repositories or like some other
4064.96 -> central logging account which is
4066.96 -> basically a read-only account where no
4068.799 -> one could make any changes and all these
4071.359 -> logs will be available otherwise it's
4073.119 -> very difficult to trust the logs if
4075.2 -> that's if you're putting the same
4076.48 -> account where the same person has access
4078.079 -> to even go and delete logs so normally
4080.4 -> that's not a good practice so you need
4082.4 -> to
4083.44 -> you can manage that as well
4091.119 -> so these are the same uh like what kind
4093.2 -> of logs you see right in the uh like
4095.2 -> when you look at the transcript it's
4096.56 -> gonna show you like to which instance
4098.4 -> you created
4099.6 -> and um
4101.6 -> all other details specific to that that
4103.92 -> session
4105.12 -> and then you can also put like a life
4106.64 -> cycle policy in s3 so let's see if your
4108.319 -> logs are accumulating and you want to
4110.08 -> keep it for for whatever requirement you
4112 -> know let's say you know keep it for 10
4113.839 -> years then instead of keeping it in s3
4116.239 -> for 10 years you can just after a month
4118.08 -> you can
4119.12 -> move it to glacier and then you can have
4121.199 -> another policy to you know have it
4123.6 -> deleted from there after 10 years
4126.96 -> and these are like very lightweight so
4128.48 -> they do not consume like a lot of space
4130.56 -> um
4133.679 -> now if you have your other like by
4136.159 -> default the session data which you are
4137.759 -> having this is encrypted with tls and
4140.319 -> then you can actually use kms as well
4142.48 -> for that
4143.52 -> so you can just go and select the same
4144.96 -> preferences which key you want to use
4148.719 -> now there are some use cases we came
4150.239 -> across where uh the session manager and
4152.56 -> the customer normally when when i say
4154.96 -> ssm agent is running it requires an http
4157.12 -> access to on port
4158.839 -> 443 to our
4161.279 -> systems manager service and we have the
4163.92 -> we made this public endpoints available
4165.6 -> but let's say if you don't want to have
4166.96 -> any even outbound internet access from
4168.799 -> your servers uh you can make it 100%
4171.44 -> private through uh through our vpc
4174 -> endpoints so for that you need to enable
4176.159 -> like uh three endpoints um ssm ec2messages
4179.359 -> and ec2 and for especially
4181.199 -> for as uh session manager you also need
4183.44 -> to add an endpoint for
4185.52 -> ssm messages so once we have these
4187.44 -> endpoints available in that account then
4190 -> you can communicate to the service
4191.759 -> privately from within your vpc
4195.12 -> okay so that
4197.04 -> i mean that concludes our session
4199.36 -> manager and ec2
4201.44 -> manager topics now uh in the coming days
4204.96 -> uh we'll hang on episode two and three
4206.96 -> so tomorrow you're gonna learn more
4208.56 -> about the different architecture
4210.159 -> patterns for sap on aws um and and this
4213.84 -> will be followed by you know the various
4215.679 -> uh instance types you can use sizes you
4217.76 -> can use and how you can automate your
4219.76 -> whole configuration and deployment using
4221.44 -> launch wizard so very similar to what uh
4223.84 -> raj mentioned earlier and then uh on on
4226.719 -> wednesday we'll have another session
4228.56 -> where you to actually see how you can
4231.12 -> migrate and optimize s/4hana on aws so so
4235.12 -> you'll actually see like
4236.8 -> you know the different patterns you'll
4238.56 -> have for
4239.76 -> migration and then how you plan for that
4242.48 -> migration and what tools you can use
4244.96 -> so that's all i wanted to share today
4247.6 -> and
4249.28 -> will be now open for any q&a myself and
4252 -> raj
4252.88 -> so thank you everyone

Source: https://www.youtube.com/watch?v=Rp4Qo8RfE9w