Translations are generated by machine translation. In case of conflict between the content of a translation and the original English version, the English version prevails.
Resources created in the shared accounts
This section shows the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.
For information about member account resources, see Resource considerations for Account Factory.
Management account resources
When you set up your landing zone, the following AWS resources are created within your management account.

| AWS service | Resource type | Resource name |
|---|---|---|
| AWS Organizations | Accounts | audit, log archive |
| AWS Organizations | OUs | Security, Sandbox |
| AWS Organizations | Service control policies | aws-guardrails-* |
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later) |
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in version 3.0 and later), AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (deployed in 3.2 and later), AWSControlTowerBP-BASELINE-CLOUDWATCH, AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-ROLES, AWSControlTowerBP-BASELINE-SERVICE-ROLES, AWSControlTowerBP-SECURITY-TOPICS, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED, AWSControlTowerLoggingResources, AWSControlTowerSecurityResources, AWSControlTowerExecutionRole |
| AWS Service Catalog | Product | AWS Control Tower Account Factory |
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin, AWSControlTowerStackSetRole, AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy, AWSControlTowerAdminPolicy, AWSControlTowerCloudTrailRolePolicy, AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | Directory groups | AWSAccountFactory, AWSAuditAccountAdmins, AWSControlTowerAdmins, AWSLogArchiveAdmins, AWSLogArchiveViewers, AWSSecurityAuditors, AWSSecurityAuditPowerUsers, AWSServiceCatalogAdmins |
| AWS IAM Identity Center | Permission sets | AWSAdministratorAccess, AWSPowerUserAccess, AWSServiceCatalogAdminFullAccess, AWSServiceCatalogEndUserAccess, AWSReadOnlyAccess, AWSOrganizationsFullAccess |
Note
The AWS CloudFormation StackSet BP_BASELINE_CLOUDTRAIL is not used in landing zone versions 3.0 or later. However, it continues to exist in earlier landing zone versions until you update your landing zone.
Log archive account resources
When you set up your landing zone, the following AWS resources are created within your log archive account.

| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBIT |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rules | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topics | aws-controltower-SecurityNotifications |
| AWS Lambda | Applications | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* |
| AWS Lambda | Functions | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-*, aws-controltower-s3-access-logs-* |
Audit account resources
When you set up your landing zone, the following AWS resources are created within your audit account.

| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-SECURITY-TOPICS-, StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerSecurityResources-* |
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator |
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rules | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, aws-controltower-AuditAdministratorRole, aws-controltower-AuditReadOnlyRole, AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications, aws-controltower-AllConfigNotifications, aws-controltower-SecurityNotifications |
| AWS Lambda | Functions | aws-controltower-NotificationForwarder |