AWS Certified SAP on AWS – Specialty (PAS-C01) — Question 78
A company wants to migrate its SAP environments to AWS. The SAP environments include SAP ERP Central Component (SAP ECC), SAP Business Warehouse (SAP BW), and SAP Process Integration (SAP PI) systems. As part of the migration, the company wants to do a system transformation to SAP S/4HANA. The company wants to implement SAP Fiori by using an SAP Gateway hub deployment and an internet-facing SAP Web Dispatcher for this SAP S/4HANA system only.
Employees around the world will access the SAP Fiori launchpad. The company needs to allow access to only the URLs that are required for running SAP Fiori.
How should an SAP security engineer design the security architecture to meet these requirements?
Answer options
- A. Deploy the SAP Web Dispatcher in a public subnet. Allow access to only the IP addresses that employees use to access the SAP Fiori server.
- B. Deploy the SAP Web Dispatcher in a private subnet. Allow access to only the ports that are required for running SAP Fiori.
- C. Deploy the SAP Web Dispatcher in a public subnet. Allow access to only the paths that are required for running SAP Fiori.
- D. Deploy the SAP Web Dispatcher in a private subnet. Allow access to only the SAP S/4HANA system that serves as the SAP Fiori backend system for the SAP Gateway hub.
Correct answer: C
Explanation
The correct answer is C because deploying the SAP Web Dispatcher in a public subnet and limiting access to specific paths ensures that only the necessary components of SAP Fiori are accessible, enhancing security. Option A is incorrect as it focuses on IP addresses rather than URL paths, which may not cover all necessary access points. Option B is wrong because limiting access solely by ports does not address the specific URL requirements for SAP Fiori. Option D fails to consider that a public subnet is needed for internet-facing access.