Skip to main content
SAP Pentest Playbook
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  2. /
  3. Other SAP Solutions
  4. /
  5. SAP Cloud Connector
  6. /
  7. SAP Cloud Connector exposed services
Edit page

SAP Cloud Connector exposed services

Description

The SAP Cloud Connector (SCC) is a key component for hybrid SAP landscapes. It acts as a secure tunnel between SAP Business Technology Platform (BTP) subaccounts and on-premise systems. SCC ensures that backend systems do not need to be directly exposed to the internet, but misconfiguration or weak security controls can inadvertently expose critical services.

Typical use cases:

  • Secure integration of SAP S/4HANA or SAP ECC with SAP BTP services
  • Access to internal REST/SOAP APIs, RFC destinations, or databases
  • Controlled exposure of on-premise resources without VPN

Risk

If SCC is misconfigured, services may be unintentionally exposed outside the intended trust boundary. Main risks include:

  • Unintended exposure of backend services (HTTP, RFC, databases) to networks or users that should not have access
  • Lateral movement if an attacker gains SCC access and pivots to backend systems
  • Weak authentication (default passwords, missing MFA) allows unauthorized administration
  • Insufficient isolation of SCC host increases attack surface

Impact:

  • Unauthorized data access or exfiltration
  • Service manipulation leading to availability issues
  • Compromise of sensitive SAP systems that are otherwise not reachable from the internet

Options

Security validation activities may include:

  • Network Scan: Identify SCC listening ports (default 8443, 443) and verify restricted access
  • Service Enumeration: Check which on-premise services are mapped and accessible via SCC
  • Authentication Review: Ensure that only strong authentication mechanisms (X.509, SAML, MFA) are in place
  • Configuration Review: Validate that “Principal Propagation” and access control lists (ACLs) are properly configured
  • Logging & Monitoring: Review SCC audit logs and integration with SIEM

Mitigation

  • Deploy SCC in a dedicated, isolated network segment (DMZ or secure zone)
  • Restrict inbound and outbound network traffic to only the required BTP endpoints
  • Enforce strong authentication (X.509 certificates, SAML, or MFA) for SCC administration and subaccount bindings
  • Use role-based access control (RBAC) and avoid shared admin accounts
  • Enable end-to-end encryption (TLS) for all connections
  • Regularly review SCC configuration, mappings, and system logs
  • Apply SAP security patches and monitor for relevant SAP Security Notes

References