Vendors Mentioned

Key Topics
Modern glass office building against a blue sky, representing AWS IAM risk, cloud security, and SAP-connected infrastructure.

Meet the Authors

Key Takeaways What you need to know

  1. Orca Security now surfaces AWS IAM Access Analyzer findings directly inside its platform, linking IAM risks to affected cloud assets.

  2. SAP on AWS programs can accumulate unused roles, service accounts, and trust relationships after migrations, system copies, and integration projects.

  3. For SAP security teams, IAM Access Analyzer identifies access issues, while Orca adds asset context for triage and remediation.

SAP migrations and AWS integrations leave behind IAM roles, service accounts, and trust relationships that no longer belong to any active project. They sit outside any SAP authorization object and outside any review process — because SAP’s native authorization framework was never designed to see that layer.

Orca Security has integrated AWS IAM Access Analyzer directly into its platform to address that gap. The integration surfaces all 500-plus IAM Access Analyzer findings inside Orca’s Discovery interface. Each finding is then linked to the affected asset in inventory. Each appears alongside full asset context — data classification, ownership, and resource connections — so security teams can assess severity at triage.

How SAP Modernization Expands the Identity Attack Surface

At SAP Sapphire 2026, AWS announced expanded integration pathways for SAP environments: RISE with SAP, SAP Business Data Cloud Connect for Amazon Athena, Amazon Bedrock, and MCP-based agent connectivity.

Explore related questions
Ask SAPi
what is this?

Every integration pathway generates new IAM roles and service accounts. Migration projects — lift-and-shift, system copy, integration buildout — leave behind identities scoped for a one-time job with no process to remove them.

The result is an accumulating layer of AWS IAM permissions governing access to ERP-connected data that SAP’s own Role and Profile administration has no visibility into.

Where AWS IAM Access Analyzer Reaches Its Limit

The AWS IAM Access Analyzer applies continuous automated reasoning to the identity layer — not periodic scans, not heuristic rules.

It surfaces three categories of findings: external access identifies resources reachable from outside a defined zone of trust; internal access maps trust paths and permissions within an AWS account or organization; and unused access flags roles, users, credentials, and permissions with no recorded activity in the past 90 days.

That third category is where SAP migration residue concentrates. Legacy roles tied to one-time data transfer jobs, service accounts provisioned for integrations since replaced, identities created for a system copy that completed two years ago.

IAM Access Analyzer tells you where an access problem exists. But it does not tell you what is behind the resource or how serious the exposure is.

What Orca Security Does for SAP-Connected AWS Environments

Orca surfaces all IAM Access Analyzer findings inside its Discovery interface, organized by type — external, internal, and unused — and linked directly to the affected asset. A single click opens the resource in the AWS Console for remediation.

Orca’s integration documentation illustrates this with a DynamoDB table carrying 160 findings: every trust path, unused permission, external exposure visible in one place.

Orca’s agentless SideScanning architecture is what makes that asset context possible. SideScanning reads cloud workload configuration and runtime block storage out-of-band. No agents are installed on SAP production hosts, where host-level changes carry change management overhead most Basis teams cannot absorb quickly.

IAM findings in Orca appear alongside vulnerability findings, misconfiguration findings, and lateral movement risks in a single unified view.

SAP security programs have always had to govern who can do what inside the application. On AWS, that question now extends to the infrastructure around it — and to the AI workloads operating within it. Orca’s integration with IAM Access Analyzer addresses the identity layer that SAP migration created. Its broader platform is built for what comes next.

What This Means for SAPinsiders

  • Migration velocity creates a compounding security debt. Every RISE with SAP adoption, system copy, or integration buildout adds to an IAM layer that organizations rarely audit retroactively. The longer that backlog grows without a structured review process, the larger the attack surface becomes relative to the security resources available to manage it.
  • AI agents create identity risk that access policies cannot see. Unused roles and misconfigured permissions are discoverable through policy review. AI workloads accessing SAP-connected data through Amazon Bedrock operate differently — their risk is behavioral and runtime, not captured by the same static analysis that IAM Access Analyzer provides.
  • SAP identity governance now requires two parallel disciplines. Inside the application, SAP teams manage authorization objects, roles, and SoD controls. Outside it, on AWS, a separate identity layer has formed that demands the same rigor — least privilege, continuous review, and documented ownership — applied to infrastructure rather than application access.

 

More Resources

See All Related Content
Map of Asia with colored pins marking locations across Southeast Asia, illustrating regional responses to frontier AI cybersecurity risk.
How Asia Is Responding to the Frontier AI Cybersecurity ThreatSingapore, India, Japan, Hong Kong, Australia, and South Korea each issued advisories, board-level deadlines, or binding directives in response to frontier AI cyber risk. This reference guide maps what each government required and what it signals for enterprise compliance across the region.
5 minute read
Singapore skyline representing critical infrastructure and cybersecurity compliance under the Cyber Trust Mark mandate
Singapore Makes Cyber Trust Mark Mandatory for Critical Infrastructure OwnersSingapore’s Cyber Trust Mark mandate sets new deadlines for critical infrastructure owners, auditors, and cybersecurity service providers, with implications for SAP environments, ERP estates, and supply chain risk management.
2 minute read
Man walking up an office staircase, representing secure access and identity controls in SAP environments.
How TrustBroker Brings Context-Aware Authentication to SAP EnvironmentsSecurityBridge TrustBroker extends existing identity and MFA tools into SAP environments, helping teams enforce stronger authentication when users access higher-risk systems or perform sensitive business actions.
3 minute read
U.S. Department of Commerce building, whose Office of Inspector General audited NIST’s management of the National Vulnerability Database.
Audit Finds NIST Mismanaged the NVD, Leaving SAP Security Teams ExposedA federal audit of NIST’s National Vulnerability Database confirms governance failures behind the NVD backlog, raising new questions for SAP security teams that rely on CVE enrichment to prioritize patching and vulnerability risk.
4 minute read

Become a Member

Unlimited access to thousands of resources for SAP-specific expertise that can only be found here.

Sign Up

Become a Partner

Access exclusive SAP insights, expert marketing strategies, and high-value services including research reports, webinars, and buyers' guides, all designed to boost your campaign ROI by up to 50% within the SAP ecosystem.

Sign Up

Events

29Oct
SAPinsider New Orleans SummitNew Orleans, Louisiana, United States
View All

Insider Newsletter

Always have access to the latest insights with articles, Q&As, whitepapers, webinars, and podcasts. Gain the inside edge. The SAPinsider Weekly helps you stay SAP savvy. Access exclusive bonus materials, discounts, and more.

Get the Newsletter