

This document is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# Lifecycle events in Control Tower
<a name="lifecycle-events"></a>

Some of the events that AWS Control Tower records are *lifecycle events*. The purpose of a lifecycle event is to mark the *completion* of certain AWS Control Tower actions that change the state of resources. Lifecycle events apply to resources that AWS Control Tower creates or manages, such as the landing zone, baselines, or controls associated with organizational units (OUs) or accounts.

**What AWS Control Tower lifecycle events do**
+ For each lifecycle event, the event log shows whether the originating Control Tower action completed successfully or failed.
+ AWS CloudTrail automatically records each lifecycle event as a *non-API AWS service event*. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/non-api-aws-service-events.html).
+ Each lifecycle event is also delivered to the Amazon EventBridge and Amazon CloudWatch Events services. **Note:** To receive lifecycle events in EventBridge, you must have an active AWS CloudTrail trail with logging enabled. For more information about AWS service events delivered through AWS CloudTrail, see [AWS service events delivered via AWS CloudTrail](https://docs.aws.amazon.com//eventbridge/latest/userguide/eb-service-event-cloudtrail.html) in the Amazon EventBridge User Guide.

**Lifecycle events in AWS Control Tower have two main benefits:**
+ Because a lifecycle event records the completion of an AWS Control Tower action, you can create an Amazon EventBridge rule or an Amazon CloudWatch Events rule that triggers the next steps of an automated workflow, based on the state of the lifecycle event.
+ The logs provide additional detail to help administrators and auditors review certain types of activity in the organization.

**How lifecycle events work**

AWS Control Tower relies on several services to implement its actions. Therefore, each lifecycle event is recorded only after a series of actions has completed. For example, when you enable a control on an OU, AWS Control Tower launches a series of sub-steps to implement the request. The final result of the whole series of sub-steps is recorded in the log as the state of the lifecycle event.
+ If every underlying sub-step completes successfully, the lifecycle event state is recorded as **Succeeded**.
+ If any underlying sub-step does not complete successfully, the lifecycle event state is recorded as **Failed**.

Each lifecycle event includes a recorded timestamp that shows when the AWS Control Tower action was initiated, and another timestamp that shows when the lifecycle event completed, marking success or failure.

**Viewing lifecycle events in Control Tower**

You can view lifecycle events from the **Activities** page of the AWS Control Tower dashboard.
+ To navigate to the **Activities** page, choose **Activities** in the left navigation pane.
+ For more detail about a specific event, select the event and then choose the **View details** button in the upper right.

For more information about how to integrate AWS Control Tower lifecycle events into your workflows, see the blog post [Using lifecycle events to track AWS Control Tower actions and trigger automated workflows](https://aws.amazon.com//blogs/mt/using-lifecycle-events-to-track-aws-control-tower-actions-and-trigger-automated-workflows/).

**Expected behavior for `CreateManagedAccount` and `UpdateManagedAccount` lifecycle events**

When you create an account or enroll an account in AWS Control Tower, both actions call the same internal API. If an error occurs during this process, it usually happens after the account has been created but before it has been fully provisioned. When you retry the account creation after the error, or try to update the provisioned product, AWS Control Tower finds that the account already exists.

Because the account exists, AWS Control Tower records an `UpdateManagedAccount` lifecycle event at the end of the retried request, rather than a `CreateManagedAccount` lifecycle event. Because of the error, you might expect to see another `CreateManagedAccount` event. However, the `UpdateManagedAccount` lifecycle event is the expected and desired behavior.

If you plan to use an automated method to create accounts in AWS Control Tower or to enroll accounts into AWS Control Tower, program your Lambda function to look for the **UpdateManagedAccount** lifecycle event as well as the **CreateManagedAccount** lifecycle event.

**Lifecycle event names**

Each lifecycle event is named so that it corresponds to the originating AWS Control Tower action, which is also recorded by AWS CloudTrail. For example, the lifecycle event initiated by the AWS Control Tower `CreateManagedAccount` CloudTrail event is named `CreateManagedAccount`.

Each name in the following list is a link to an example of the details recorded, in `JSON` format. The additional details shown in these examples are taken from Amazon CloudWatch Events logs.

Although `JSON` does not support comments, some comments have been added to the examples for explanation. The comments appear on the right side of the examples, preceded by "//".

In these examples, some account names and organization names are obscured. An `accountId` is always a sequence of 12 digits and has been replaced with "xxxxxxxxxxxx" in the examples. An `organizationalUnitID` is a unique string of letters and digits; its form is preserved in the examples.
+ [`CreateManagedAccount`](#create-managed-account): This log records whether AWS Control Tower successfully completed every action to create and provision a new account using Account Factory.
+ [`UpdateManagedAccount`](#update-managed-account): This log records whether AWS Control Tower successfully completed every action to update the provisioned product associated with an account that you previously created using Account Factory.
+ [`EnableGuardrail`](#enable-control): This log records whether AWS Control Tower successfully completed every action to enable a control on an OU.
+ [`DisableGuardrail`](#disable-control): This log records whether AWS Control Tower successfully completed every action to disable a control on an OU.
+ [`SetupLandingZone`](#setup-landing-zone): This log records whether AWS Control Tower successfully completed every action to set up the landing zone.
+ [`UpdateLandingZone`](#update-landing-zone): This log records whether AWS Control Tower successfully completed every action to update an existing landing zone.
+ [`RegisterOrganizationalUnit`](#register-organizational-unit): This log records whether AWS Control Tower successfully completed every action to extend its governance to an OU.
+ [`DeregisterOrganizationalUnit`](#deregister-organizational-unit): This log records whether AWS Control Tower successfully completed every action to remove its governance from an OU.
+ [`PrecheckOrganizationalUnit`](#precheck-organizational-unit): This log records whether AWS Control Tower detected any resources that would prevent the **Extend governance** action from completing successfully.
+ [`EnableBaseline`](#enable-baseline-lfc): This log records whether AWS Control Tower successfully completed every action to enable a new baseline on a target member account under an OU. The enable action can be initiated with the `EnableBaseline` API or from the console.
+ [`ResetEnabledBaseline`](#reset-enabled-baseline-lfc): This log records whether AWS Control Tower successfully completed every action to reset an existing enabled baseline on a target member account under an OU. The reset action can be initiated with the `ResetEnabledBaseline` API or from the console.
+ [`UpdateEnabledBaseline`](#update-enabled-baseline-lfc): This log records whether AWS Control Tower successfully completed every action to update an existing enabled baseline on a target member account under an OU. The update action can be initiated with the `UpdateEnabledBaseline` API or from the console.
+ [`DisableBaseline`](#disable-baseline-lfc): This log records whether AWS Control Tower successfully completed every action to disable an existing enabled baseline on a target member account under an OU. The disable action can be initiated with the `DisableBaseline` API or from the console.
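As an added example (not code from the AWS documentation), the following Lambda handler applies two points from the text above: it locates the status object inside `serviceEventDetails` by deriving its key from the event name, the pattern the samples in the following sections show, and it treats a `CreateManagedAccount` and an `UpdateManagedAccount` completion alike when deciding that an Account Factory run has finished. The envelope handling, the `status_key` naming rule, the function names and the constructed sample event are assumptions drawn from the examples on this page.

```python
"""Parse AWS Control Tower lifecycle events in an EventBridge-triggered Lambda.

Added example, not code from the AWS documentation. It assumes the event is
either the EventBridge envelope shown on this page (CloudTrail record under
"detail") or the bare CloudTrail record, and that the status object is named
after the event (eventName with a lower-case first letter plus "Status"), a
convention inferred from the samples on this page.
"""
from typing import Any, Dict, Optional

# Both names mark the end of an Account Factory provisioning run.
ACCOUNT_EVENTS = {"CreateManagedAccount", "UpdateManagedAccount"}


def status_key(event_name: str) -> str:
    """'CreateManagedAccount' -> 'createManagedAccountStatus'."""
    return event_name[:1].lower() + event_name[1:] + "Status"


def _record(event: Dict[str, Any]) -> Dict[str, Any]:
    """Unwrap the EventBridge envelope; a raw CloudTrail record passes through."""
    if event.get("source") == "aws.controltower" and isinstance(event.get("detail"), dict):
        return event["detail"]
    return event


def parse_lifecycle_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one lifecycle event; raise ValueError for anything else."""
    rec = _record(event)
    if rec.get("eventSource") != "controltower.amazonaws.com":
        raise ValueError("not an AWS Control Tower event")
    if rec.get("eventType") != "AwsServiceEvent":
        raise ValueError("not a lifecycle (non-API service) event")
    name = rec["eventName"]
    status = rec.get("serviceEventDetails", {}).get(status_key(name))
    if status is None:
        raise ValueError(f"serviceEventDetails lacks {status_key(name)}")
    # Account and OU events carry one object; landing-zone and guardrail
    # events carry lists. Normalise both shapes to lists.
    ous = status.get("organizationalUnits") or [status.get("organizationalUnit")]
    accounts = status.get("accounts") or [status.get("account")]
    return {
        "event_name": name,
        "state": status.get("state"),
        "message": status.get("message"),
        # The guardrail samples spell the first timestamp "requestTimestamp".
        "requested": status.get("requestedTimestamp") or status.get("requestTimestamp"),
        "completed": status.get("completedTimestamp"),
        "ous": [(o["organizationalUnitName"], o["organizationalUnitId"]) for o in ous if o],
        "accounts": [(a["accountName"], a["accountId"]) for a in accounts if a],
        "guardrails": [g["guardrailId"] for g in status.get("guardrails", [])],
    }


def account_provisioning_outcome(summary: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Report whether an Account Factory run finished, and for which account.
    A retry after a failed creation completes as UpdateManagedAccount rather
    than a second CreateManagedAccount, so both names are accepted here."""
    if summary["event_name"] not in ACCOUNT_EVENTS or not summary["accounts"]:
        return None
    account_name, account_id = summary["accounts"][0]
    ou_name, ou_id = summary["ous"][0] if summary["ous"] else (None, None)
    return {"ready": summary["state"] == "SUCCEEDED", "via": summary["event_name"],
            "account_id": account_id, "account_name": account_name,
            "ou_id": ou_id, "ou_name": ou_name}


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point for a Lambda target of an EventBridge rule on aws.controltower."""
    summary = parse_lifecycle_event(event)
    return {"summary": summary, "account": account_provisioning_outcome(summary)}


# Constructed sample with masked values, modelled on the UpdateManagedAccount
# record on this page: the retry that follows a failed account creation.
SAMPLE_UPDATE_EVENT = {
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "UpdateManagedAccount",
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "updateManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Custom",
                                       "organizationalUnitId": "ou-XXXX-l3zc8b3h"},
                "account": {"accountName": "LifeCycle1", "accountId": "XXXXXXXXXXXX"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully updated a managed account.",
                "requestedTimestamp": "2019-11-15T11:45:18+0000",
                "completedTimestamp": "2019-11-16T12:09:32+0000",
            }
        },
    },
}
```

A workflow that waits only for `CreateManagedAccount` would never see the retried run complete; `account_provisioning_outcome` reports `ready` for either name and records which one it was in `via`.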

The following sections list the AWS Control Tower lifecycle events, with examples of the details logged for each type of lifecycle event.

## `CreateManagedAccount`
<a name="create-managed-account"></a>

This lifecycle event records whether AWS Control Tower successfully created and provisioned a new account using Account Factory. This event corresponds to the AWS Control Tower `CreateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the newly created account, and the `organizationalUnitName` and `organizationalUnitId` of the OU that contains the account.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",         
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID. 
    "time": "2018-08-30T21:42:18Z",                              // Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                       
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",                  
        "awsRegion": "us-east-1",                               
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",        
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-XXXX-l3zc8b3h"
                },
                "account": {
                    "accountName": "LifeCycle1",
                    "accountId": "XXXXXXXXXXXX"
                },
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
                "requestedTimestamp": "2019-11-15T11:45:18+0000",
                "completedTimestamp": "2019-11-16T12:09:32+0000"
            }
        }
    }
}
```

## `UpdateManagedAccount`
<a name="update-managed-account"></a>

This lifecycle event records whether AWS Control Tower successfully updated the provisioned product associated with an account that was previously created using Account Factory. This event corresponds to the AWS Control Tower `UpdateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the associated account, and the `organizationalUnitName` and `organizationalUnitId` of the OU that contains the updated account.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // AWS Control Tower organization management account.
    "time": "2018-08-30T21:42:18Z",                              // Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "UpdateManagedAccount",                   
        "awsRegion": "us-east-1",                                
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",        
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "updateManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-XXXX-l3zc8b3h"
                },
                "account": {
                    "accountName": "LifeCycle1",
                    "accountId": "XXXXXXXXXXXX"
                },
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully updated a managed account.",
                "requestedTimestamp": "2019-11-15T11:45:18+0000",
                "completedTimestamp": "2019-11-16T12:09:32+0000"
            }
        }
    }
}
```

## `EnableGuardrail`
<a name="enable-control"></a>

This lifecycle event records whether AWS Control Tower successfully enabled a control on an OU that is managed by AWS Control Tower. This event corresponds to the AWS Control Tower `EnableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, and the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control was enabled.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",         
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                 
    "time": "2018-08-30T21:42:18Z",                              // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                    
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                  
        "eventSource": "controltower.amazonaws.com",             
        "eventName": "EnableGuardrail",                   
        "awsRegion": "us-east-1",                              
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",       
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "enableGuardrailStatus": {
                "organizationalUnits": [
                    {
                      "organizationalUnitName": "Custom",
                      "organizationalUnitId": "ou-vwxy-18vy4yro"
                    }
                  ],
                  "guardrails": [
                    {
                      "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
                      "guardrailBehavior": "DETECTIVE"
                    }
                  ],
                  "state": "SUCCEEDED",
                  "message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.",
                  "requestTimestamp": "2019-11-12T09:01:07+0000",
                  "completedTimestamp": "2019-11-12T09:01:54+0000"
                }
        }
    }
}
```

## `DisableGuardrail`
<a name="disable-control"></a>

This lifecycle event records whether AWS Control Tower successfully disabled a control on an OU that is managed by AWS Control Tower. This event corresponds to the AWS Control Tower `DisableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, and the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control was disabled.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",     
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                         
    "time": "2018-08-30T21:42:18Z",                   
    "region": "us-east-1",                           
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                 
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",            
        "eventSource": "controltower.amazonaws.com",
        "eventName": "DisableGuardrail",                 
        "awsRegion": "us-east-1",                            
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",     
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "disableGuardrailStatus": {
                   "organizationalUnits": [
                    {
                      "organizationalUnitName": "Custom",
                      "organizationalUnitId": "ou-vwxy-18vy4yro"
                    }
                  ],
                  "guardrails": [
                    {
                      "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
                      "guardrailBehavior": "DETECTIVE"
                    }
                  ],
                  "state": "SUCCEEDED",
                  "message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.",
                  "requestTimestamp": "2019-11-12T09:01:07+0000",
                  "completedTimestamp": "2019-11-12T09:01:54+0000"
            }
        }
    }
}
```

## `SetupLandingZone`
<a name="setup-landing-zone"></a>

This lifecycle event records whether AWS Control Tower successfully set up the landing zone. This event corresponds to the AWS Control Tower `SetupLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is the ID of the organization that AWS Control Tower created from the management account. The log entry also includes the `accountName` and `accountId` of each account that AWS Control Tower created when it set up the landing zone, and the `organizationalUnitName` and `organizationalUnitId` of each OU.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                // Request ID.
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID.
    "time": "2018-08-30T21:42:18Z",                              // Event time from CloudTrail.
    "region": "us-east-1",                                       // Management account CloudTrail region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                         // Management-account ID.
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "SetupLandingZone",
        "awsRegion": "us-east-1",                                // AWS Control Tower home region.
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "CloudTrail_event_ID",                        // This value is generated by CloudTrail.
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "setupLandingZoneStatus": {
                "state": "SUCCEEDED",                             // Status of entire lifecycle operation.
                "message": "AWS Control Tower successfully set up a new landing zone.",                
                "rootOrganizationalId" : "r-1234",
                "organizationalUnits" : [                         // Use a list.
                  {
                    "organizationalUnitName": "Security",             // Security OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"    // Security OU ID.
                  },
                  {
                    "organizationalUnitName": "Custom",           // Custom OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"    // Custom OU ID. 
                  }
                ],
                "accounts": [                                      // All created accounts are here. Use a list of "account" objects.
                  {
                    "accountName": "Audit",  
                    "accountId": "XXXXXXXXXXXX"                        
                  },
                  {
                    "accountName": "Log archive",                 
                    "accountId": "XXXXXXXXXXXX"
                  }
              ],
              "requestedTimestamp": "2018-08-30T21:42:18Z",
              "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `UpdateLandingZone`
<a name="update-landing-zone"></a>

This lifecycle event records whether AWS Control Tower successfully updated your existing landing zone. This event corresponds to the AWS Control Tower `UpdateLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is the ID of the (updated) organization governed by AWS Control Tower. The log entry also includes the `accountName` and `accountId` of each account that AWS Control Tower created when it originally set up the landing zone, and the `organizationalUnitName` and `organizationalUnitId` of each OU.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                // Request ID.
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID.
    "time": "2018-08-30T21:42:18Z",                              // Event time from CloudTrail.
    "region": "us-east-1",                                       // Management account CloudTrail region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                         // Management account ID.
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "UpdateLandingZone",
        "awsRegion": "us-east-1",                                // AWS Control Tower home region.
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "CloudTrail_event_ID",                        // This value is generated by CloudTrail.
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "updateLandingZoneStatus": {
                "state": "SUCCEEDED",                            // Status of entire operation.
                "message": "AWS Control Tower successfully updated a landing zone.",
                "rootOrganizationalId" : "r-1234",
                "organizationalUnits" : [                         // Use a list.
                  {
                    "organizationalUnitName": "Security",             // Security OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"    // Security OU ID.
                  },
                  {
                    "organizationalUnitName": "Custom",            // Custom OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"     // Custom OU ID.
                  }
                ],
                "accounts": [                                       // All created accounts are here. Use a list of "account" objects.
                  {
                    "accountName": "Audit",
                    "accountId": "XXXXXXXXXXXX"
                  },
                  {
                    "accountName": "Log archive",
                    "accountId": "XXXXXXXXXXXX"
                  }
              ],
              "requestedTimestamp": "2018-08-30T21:42:18Z",
              "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `RegisterOrganizationalUnit`
<a name="register-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully extended its governance to an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU that AWS Control Tower brought under its governance.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",            
    "detail-type": "AWS Service Event via CloudTrail", 
    "source": "aws.controltower",
    "account": "123456789012",                               
    "time": "2018-08-30T21:42:18Z",                  
    "region": "us-east-1",                       
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",               
        "eventSource": "controltower.amazonaws.com",
        "eventName": "RegisterOrganizationalUnit",        
        "awsRegion": "us-east-1",                           
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",    
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "registerOrganizationalUnitStatus": {
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully registered an organizational unit.",
                "organizationalUnit" :
                  {
                    "organizationalUnitName": "Test",
                    "organizationalUnitId": "ou-adpf-302pk332"
                  },
                "requestedTimestamp": "2018-08-30T21:42:18Z",
                "completedTimestamp": "2018-08-30T21:42:18Z" 
            }
        }
    }
}
```

## `DeregisterOrganizationalUnit`
<a name="deregister-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully removed its governance from an OU. This event corresponds to the AWS Control Tower `DeregisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU from which AWS Control Tower removed its governance.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",    
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                  
    "time": "2018-08-30T21:42:18Z", 
    "region": "us-east-1",            
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",              
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",               
        "eventSource": "controltower.amazonaws.com",
        "eventName": "DeregisterOrganizationalUnit",     
        "awsRegion": "us-east-1",                       
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012", 
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "deregisterOrganizationalUnitStatus": {                 
                "state": "SUCCEEDED",               
                "message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.",
                "organizationalUnit" :                        
                  {
                    "organizationalUnitName": "Test",                   // Foundational OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"          // Foundational OU ID.
                  },
                "requestedTimestamp": "2018-08-30T21:42:18Z", 
                "completedTimestamp": "2018-08-30T21:42:18Z"  
            }
        }
    }
}
```

## `PrecheckOrganizationalUnit`
<a name="precheck-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully performed prechecks on an OU. This event corresponds to the AWS Control Tower `PrecheckOrganizationalUnit` CloudTrail event. The lifecycle event log includes fields for the `Id`, `Name`, and `failedPrechecks` values of each resource on which AWS Control Tower performed prechecks during OU registration.

The event log also includes information about the nested accounts on which prechecks were performed, including the `accountName`, `accountId`, and `failedPrechecks` fields.

If the `failedPrechecks` value is empty, all prechecks for that resource passed.
+ This event is triggered only when a precheck fails.
+ This event is not triggered when an empty OU is registered.

Example event:

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "XXXXXXXXXXXX",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-09-20T22:45:43Z",
  "eventSource": "controltower.amazonaws.com",
  "eventName": "PrecheckOrganizationalUnit",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXX",
  "serviceEventDetails": {
    "precheckOrganizationalUnitStatus": {
      "organizationalUnit": {
        "organizationalUnitName": "Ou-123",
        "organizationalUnitId": "ou-abcd-123456",
        "failedPrechecks": [
            "SCP_CONFLICT"
          ]
      },
      "accounts": [
        {
          "accountName": "Child Account 1",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Child Account 2",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Management Account",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "MISSING_PERMISSIONS_AF_PRODUCT"
          ]
        },
        {
          "accountName": "Child Account 3",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": []
        },
        ...
      ],
      "state": "FAILED",
      "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.",
      "requestedTimestamp": "2021-09-20T22:44:02+0000",
      "completedTimestamp": "2021-09-20T22:45:43+0000"
    }
  },
  "eventCategory": "Management"
}
```
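An added example, not code from the AWS documentation: triaging a record shaped like the one above by check name, so that the resources blocking the **Extend governance** action are grouped under `SCP_CONFLICT`, `FAILED_TO_ASSUME_ROLE`, and so on, and resources whose `failedPrechecks` list is empty are reported as passed. The sample record is constructed from the page's example with the elided entries dropped; the function names are assumptions.

```python
"""Triage a PrecheckOrganizationalUnit lifecycle event by failed check.

Added example, not code from the AWS documentation. It assumes the bare
CloudTrail record shape shown on this page and groups every non-empty
failedPrechecks entry under its check name, so an operator can see which OU
and which accounts blocked the Extend governance action, and why.
"""
from typing import Any, Dict, List


def precheck_report(record: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise which resources failed which precheck.

    Returns {"state": ..., "by_check": {check: [resource, ...]}, "passed": [...]}
    where a resource is "ou:<name>" or "account:<name> (<id>)". A resource whose
    failedPrechecks list is empty passed every check and lands in "passed".
    """
    if record.get("eventName") != "PrecheckOrganizationalUnit":
        raise ValueError("not a PrecheckOrganizationalUnit event")
    status = record["serviceEventDetails"]["precheckOrganizationalUnitStatus"]
    ou = status["organizationalUnit"]
    targets = [(f"ou:{ou['organizationalUnitName']}", ou.get("failedPrechecks", []))]
    for acct in status.get("accounts", []):
        targets.append((f"account:{acct['accountName']} ({acct['accountId']})",
                        acct.get("failedPrechecks", [])))
    by_check: Dict[str, List[str]] = {}
    passed: List[str] = []
    for label, failed in targets:
        if not failed:
            passed.append(label)
        for check in failed:
            by_check.setdefault(check, []).append(label)
    return {"state": status.get("state"), "by_check": by_check, "passed": passed}


def blocking_checks(record: Dict[str, Any]) -> List[str]:
    """Check names that blocked registration, most widespread first."""
    by_check = precheck_report(record)["by_check"]
    return sorted(by_check, key=lambda c: (-len(by_check[c]), c))


# Constructed sample with masked IDs, modelled on the record on this page.
SAMPLE_PRECHECK_RECORD = {
    "eventVersion": "1.08",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "PrecheckOrganizationalUnit",
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
        "precheckOrganizationalUnitStatus": {
            "organizationalUnit": {
                "organizationalUnitName": "Ou-123",
                "organizationalUnitId": "ou-abcd-123456",
                "failedPrechecks": ["SCP_CONFLICT"],
            },
            "accounts": [
                {"accountName": "Child Account 1", "accountId": "XXXXXXXXXXXX",
                 "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
                {"accountName": "Child Account 2", "accountId": "XXXXXXXXXXXX",
                 "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
                {"accountName": "Management Account", "accountId": "XXXXXXXXXXXX",
                 "failedPrechecks": ["MISSING_PERMISSIONS_AF_PRODUCT"]},
                {"accountName": "Child Account 3", "accountId": "XXXXXXXXXXXX",
                 "failedPrechecks": []},
            ],
            "state": "FAILED",
            "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures.",
            "requestedTimestamp": "2021-09-20T22:44:02+0000",
            "completedTimestamp": "2021-09-20T22:45:43+0000",
        }
    },
}
```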

## `EnableBaseline`
<a name="enable-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully enabled a baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event or to multiple `EnableBaseline` CloudTrail events. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the other parameters and timestamps of the operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T17:14:57Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "EnableBaseline",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "366911a2-4fa6-4e4a-ac2b-280f627e0027",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "enableBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "4.0",
                "statusSummary": {
                    "lastOperationIdentifier": "37f5eb68-e5b9-4c70-ae76-4ca15f6b16de",
                    "status": "SUCCEEDED"
                },
                "parameters": [
                    {
                        "key": "IdentityCenterEnabledBaselineArn",
                        "value": {
                            "untyped": {
                                "object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX"
                            }
                        }
                    }
                ]
            },
            "requestedTimestamp": "2025-02-10T17:07:09+0000",
            "completedTimestamp": "2025-02-10T17:14:57+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `ResetEnabledBaseline`
<a name="reset-enabled-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully reset an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event or to multiple `ResetEnabledBaseline` CloudTrail events. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the other parameters and timestamps of the operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T21:17:55Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "ResetEnabledBaseline",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "c01a32e1-13ab-4b46-8f1b-00699ef6f989",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "resetEnabledBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "3e364c89-89fa-42b8-9776-9f7cc47ba1fa",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "requestedTimestamp": "2025-02-10T21:14:24Z",
            "completedTimestamp": "2025-02-10T21:17:54+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `UpdateEnabledBaseline`
<a name="update-enabled-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully updated an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event or to multiple `UpdateEnabledBaseline` CloudTrail events. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the other parameters and timestamps of the operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T19:45:28Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateEnabledBaseline",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "514f2aff-1a99-4912-bda1-0d4d6662c96e",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "updateEnabledBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "4.0",
                "statusSummary": {
                    "lastOperationIdentifier": "ba3de28f-83fb-4c9a-8a8c-a4e15fac2c41",
                    "status": "SUCCEEDED"
                },
                "parameters": [
                    {
                        "key": "IdentityCenterEnabledBaselineArn",
                        "value": {
                            "untyped": {
                                "object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX"
                            }
                        }
                    }
                ]
            },
            "requestedTimestamp": "2025-02-10T19:39:35+0000",
            "completedTimestamp": "2025-02-10T19:45:28+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `DisableBaseline`
<a name="disable-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully disabled an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `DisableBaseline` CloudTrail event. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the other parameters and timestamps of the operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-03-14T00:50:58Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DisableBaseline",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "704794c4-a32e-4960-8386-c7efaa5a22a1",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "disableBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "baselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "requestedTimestamp": "2025-03-14T00:49:13Z",
            "completedTimestamp": "2025-03-14T00:50:58+0000"
        }
    },
    "eventCategory": "Management"
}
```