SAP Basis, AWS Systems Manager, Automation, Configuration Drift, Cloud Operations

Enterprise-Level IT Automation: SAP Operations with AWS Systems Manager (SSM)

15.02.2026
4 min.

Welcome back to the architectural engine room! In previous posts, we extensively covered how to provision SAP systems via Infrastructure as Code (Launch Wizard). But what happens on "Day 2"? Daily life in large SAP landscapes (like at DB Systel or Adidas with hundreds of systems) is often characterized by manual patching, bastion hosts, and the dreaded "Configuration Drift."

By early 2026, the AWS Systems Manager (SSM) for SAP has established itself as the absolute de facto standard for cloud-native SAP operations. As an Enterprise Architect, today I will show you how we radically automate classic Basis tasks and why direct SSH access to database servers should finally be a thing of the past.


The Problem: Configuration Drift in Large Landscapes

An S/4HANA system is installed according to exact SAP Best Practices. But over the years, things change: An admin temporarily adjusts a Linux kernel parameter and forgets to reset it. An SAP Note is implemented in the QA environment but forgotten in production. The result is Configuration Drift – the systems diverge from each other, leading to catastrophic dumps during upgrades or HA failovers.

AWS Systems Manager solves this problem architecturally through continuous configuration management. The SSM Agent, running on every EC2 instance, continuously scans the operating system (SLES/RHEL) and the HANA database. It automatically compares the parameters (global.ini, sysctl.conf) with the official SAP certification guidelines. If a parameter deviates, the system raises an alarm in AWS Security Hub or automatically triggers a remediation script (healing) that resets the parameter to the correct value.
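The comparison step described above can be sketched offline. This is an added example, not code from AWS or from this article's author; the baseline values and both sample files are constructed for illustration and are not SAP's published settings.

```python
import configparser

# Constructed baseline for illustration; these are NOT SAP's published values.
BASELINE_SYSCTL = {"vm.swappiness": "10", "kernel.numa_balancing": "0",
                   "kernel.sem": "1250 256000 100 1024"}
BASELINE_HANA = {("persistence", "log_mode"): "normal",
                 ("memorymanager", "global_allocation_limit"): "0"}

# Constructed sample files showing two kinds of drift: a changed value and a missing one.
SYSCTL_SAMPLE = """\
# admin raised swappiness for a test and never reverted it
vm.swappiness = 60
kernel.numa_balancing=0
kernel.sem = 1250   256000 100  1024
"""
GLOBAL_INI_SAMPLE = """\
[persistence]
log_mode = overwrite
"""

def parse_sysctl(text):
    """Parse sysctl.conf text into {key: value}; a later duplicate overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = line.split("=", 1)
        params[key.strip()] = " ".join(value.split())  # collapse whitespace runs
    return params

def parse_global_ini(text):
    """Parse HANA global.ini text into {(section, key): value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp.items(s)}

def find_drift(actual, baseline):
    """Return sorted (key, expected, actual) for each baseline key that differs or is missing."""
    return sorted((k, want, actual.get(k)) for k, want in baseline.items()
                  if actual.get(k) != want)

if __name__ == "__main__":
    for item in find_drift(parse_sysctl(SYSCTL_SAMPLE), BASELINE_SYSCTL):
        print("sysctl drift:", item)
    for item in find_drift(parse_global_ini(GLOBAL_INI_SAMPLE), BASELINE_HANA):
        print("global.ini drift:", item)
```

A missing parameter is reported with an actual value of `None`, which matters because a deleted line falls back to a default rather than to the baseline.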

Zero Trust Operations: The End of the Bastion Host

Previously, SAP Basis admins needed a VPN, a jump host (bastion), and private SSH keys to log onto the Linux machines. SSM fundamentally changes the security architecture through the AWS Systems Manager Session Manager.

Traffic no longer flows over the open Port 22 (SSH). Instead, the local SSM Agent establishes a secure outbound tunnel to the AWS backbone. Administrators log directly onto the SAP instance via the AWS Management Console (or the AWS CLI). The massive enterprise advantage:

  • No more inbound ports required in the Security Group (Zero Trust).

  • Every single command (e.g., sapcontrol -nr 00 -function GetProcessList) is logged in AWS CloudTrail and Amazon CloudWatch in a tamper-proof manner (an auditing dream for any CISO).
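Once Session Manager replaces SSH, leftover inbound rules that still admit port 22 are worth auditing. The following is an added example, not code from the article or from AWS; it works on a constructed list in the shape of the `SecurityGroups` array returned by `aws ec2 describe-security-groups`, and all group IDs and CIDRs are placeholders.

```python
# Constructed sample; group IDs and CIDR ranges are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-sap-app-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-old-bastion-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-wide-range-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "UserIdGroupPairs": [{"GroupId": "sg-old-bastion-example"}]}]},
    {"GroupId": "sg-all-traffic-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

def covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                 # "all traffic": port fields are absent
        return True
    if proto not in ("tcp", "6"):     # "6" is the numeric form of tcp
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:      # no range given: treat as all ports
        return True
    return lo <= port <= hi

def sources(perm):
    """List every source (CIDR, peer group, prefix list) named by the entry."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    out += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return out

def ssh_findings(groups, port=22):
    """Return (group_id, source) for every inbound rule that still reaches `port`."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if covers_port(perm, port):
                findings += [(group["GroupId"], s) for s in sources(perm)]
    return findings

if __name__ == "__main__":
    for group_id, source in ssh_findings(SAMPLE_GROUPS):
        print(f"{group_id}: port 22 reachable from {source}")
```

Wide port ranges and "all traffic" rules are flagged as well, since they expose port 22 without ever naming it.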

Operations as Code: SSM Automation Documents

The Systems Manager unleashes its true power in complex, error-prone processes. Take the classic SAP system restart. The sequence is sacred: First stop the application servers (PAS/AAS), then the Central Services (ASCS/ERS), then the HANA database. When starting, it's exactly the reverse.

With SSM Automation Documents (JSON/YAML-based runbooks), this process is defined as code. AWS Systems Manager for SAP understands the SAP topology. It knows which EC2 instance holds the database and which holds the ASCS. An admin (or a scheduled Lambda trigger for cost savings over the weekend) simply executes the "Stop-SAP-System" runbook. SSM then orchestrates the graceful shutdowns across all instances in exactly the correct sequence.
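The ordering logic such a runbook encodes can be modelled in a few lines. This is an added sketch, not an SSM document and not code from the article; the instance IDs are constructed, and halting before the next tier when a step fails is an assumption of this example rather than documented SSM behaviour.

```python
# Stop order as stated in the article: app servers, then central services, then HANA.
STOP_TIERS = [("PAS", "AAS"), ("ASCS", "ERS"), ("HANA",)]

# Constructed topology: instance ID -> SAP role (IDs are placeholders).
SAMPLE_TOPOLOGY = {
    "i-app1-example": "PAS", "i-app2-example": "AAS",
    "i-ascs-example": "ASCS", "i-ers-example": "ERS",
    "i-hana-example": "HANA",
}

def plan(topology, action):
    """Group instances into ordered waves for 'stop' or 'start' (start is the reverse)."""
    if action not in ("stop", "start"):
        raise ValueError(f"unsupported action: {action}")
    known = {role for tier in STOP_TIERS for role in tier}
    unknown = {i: r for i, r in topology.items() if r not in known}
    if unknown:
        # Refuse to guess where an unclassified instance belongs in the sequence.
        raise ValueError(f"instances with unknown roles: {unknown}")
    tiers = STOP_TIERS if action == "stop" else STOP_TIERS[::-1]
    waves = [sorted(i for i, r in topology.items() if r in tier) for tier in tiers]
    return [wave for wave in waves if wave]

def run(waves, execute):
    """Run each wave in order; execute(instance_id) returns True on success.

    Halts before the next wave if any instance in the current wave failed,
    so the database is never stopped underneath a still-running app server.
    """
    completed = []
    for wave in waves:
        results = {instance: execute(instance) for instance in wave}
        completed.append(results)
        if not all(results.values()):
            break
    return completed

if __name__ == "__main__":
    print("stop :", plan(SAMPLE_TOPOLOGY, "stop"))
    print("start:", plan(SAMPLE_TOPOLOGY, "start"))
```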

📢 SAP & AWS ARCHITECTURE NEWS TICKER (As of: February 2026)

  • SSM meets SAP BTP: AWS has massively expanded the API integration for the Systems Manager. SSM can now consume events directly from the SAP BTP (e.g., via SAP Event Mesh). If the SAP system reports a critical storage bottleneck, an SSM runbook can fully automatically expand the EBS volumes of the HANA database on the fly (Elastic Volumes).

  • AI-Driven Remediation: In combination with Amazon Bedrock, the Systems Manager now not only analyzes configuration drifts but also directly generates natural language solution proposals for the Basis team in the event of complex deviations (e.g., after a failed S/4 release upgrade).

Conclusion for Enterprise Architects

The AWS Systems Manager for SAP is the final nail in the coffin for manual script collections on dusty network drives. In 2026, we no longer manage SAP infrastructures as "pets" that we lovingly care for, but as highly automated fleets ("cattle").

For Basis administrators, the focus is definitively shifting: Anyone still manually typing stopsap into the console today is wasting valuable lifetime. Mastering SSM Runbooks, State Manager, and IAM Role assignment for secure system access is the absolute core competency for highly scalable, audit-proof SAP operations in the cloud.


Ahmed Ouassassi

Senior SAP & Cloud Architect. I help companies transform complex IT landscapes and develop future-proof cloud strategies.
