Resources created in the shared accounts
This section lists the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.
For information about member account resources, see Resource Considerations for Account Factory.
Management account resources
When you set up your landing zone, the following AWS resources are created in your management account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS Organizations | Accounts | audit<br>log archive |
| AWS Organizations | OUs | Security<br>Sandbox |
| AWS Organizations | Service control policies | aws-guardrails-* |
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER<br>AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later) |
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later)<br>AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (deployed in 3.2 and later)<br>AWSControlTowerBP-BASELINE-CLOUDWATCH<br>AWSControlTowerBP-BASELINE-CONFIG<br>AWSControlTowerBP-BASELINE-ROLES<br>AWSControlTowerBP-BASELINE-SERVICE-ROLES<br>AWSControlTowerBP-SECURITY-TOPICS<br>AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED<br>AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED<br>AWSControlTowerLoggingResources<br>AWSControlTowerSecurityResources<br>AWSControlTowerExecutionRole |
| AWS Service Catalog | Product | AWS Control Tower Account Factory |
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin<br>AWSControlTowerStackSetRole<br>AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy<br>AWSControlTowerAdminPolicy<br>AWSControlTowerCloudTrailRolePolicy<br>AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | Directory groups | AWSAccountFactory<br>AWSAuditAccountAdmins<br>AWSControlTowerAdmins<br>AWSLogArchiveAdmins<br>AWSLogArchiveViewers<br>AWSSecurityAuditors<br>AWSSecurityAuditPowerUsers<br>AWSServiceCatalogAdmins |
| AWS IAM Identity Center | Permission sets | AWSAdministratorAccess<br>AWSPowerUserAccess<br>AWSServiceCatalogAdminFullAccess<br>AWSServiceCatalogEndUserAccess<br>AWSReadOnlyAccess<br>AWSOrganizationsFullAccess |
Note
AWS CloudFormation StackSet BP_BASELINE_CLOUDTRAIL
This StackSet is not deployed in landing zone version 3.0 or later. It continues to exist in earlier landing zone versions until you update your landing zone.
Log archive account resources
When you set up your landing zone, the following AWS resources are created in your log archive account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-<br>StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br>StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br>StackSet-AWSControlTowerBP-BASELINE-ROLES-<br>StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED<br>AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBIT |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br>aws-controltower-CloudWatchLogsRole<br>aws-controltower-ConfigRecorderRole<br>aws-controltower-ForwardSnsNotificationRole<br>aws-controltower-ReadOnlyExecutionRole<br>AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topic | aws-controltower-SecurityNotifications |
| AWS Lambda | Application | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* |
| AWS Lambda | Function | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-*<br>aws-controltower-s3-access-logs-* |
Audit account resources
When you set up your landing zone, the following AWS resources are created in your audit account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-<br>StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br>StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br>StackSet-AWSControlTowerBP-SECURITY-TOPICS-<br>StackSet-AWSControlTowerBP-BASELINE-ROLES-<br>StackSet-AWSControlTowerSecurityResources-* |
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator |
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED<br>AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br>aws-controltower-CloudWatchLogsRole<br>aws-controltower-ConfigRecorderRole<br>aws-controltower-ForwardSnsNotificationRole<br>aws-controltower-ReadOnlyExecutionRole<br>aws-controltower-AuditAdministratorRole<br>aws-controltower-AuditReadOnlyRole<br>AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications<br>aws-controltower-AllConfigNotifications<br>aws-controltower-SecurityNotifications |
| AWS Lambda | Function | aws-controltower-NotificationForwarder |